cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Autopilot deployment - first login to on-premises AD with always on VPN

marcoorg
Copper Contributor

‎Jul 02 2021 03:22 AM

‎Jul 02 2021 03:22 AM

Autopilot deployment - first login to on-premises AD with always on VPN

Hey everyone, maybe someone could help. We have hybrid AD (on-premises + azure). I'm trying to configure always on VPN to work without user interaction during autopilot deployment. When user deploys his new notebook at home and autopilot just finished (it is offline domain-joined to on-premises AD), he need to login to the system using domain account. But unfortunately at home it is impossible without VPN. I found that it can be fixed with device tunnel - always on VPN (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always...) and tried to configure NDES service (https://msendpointmgr.com/2018/06/19/certificate-deployment-for-mobile-devices-using-microsoft-intun... )

Unfortunately when autopilot has finished at the Intune side for this computer there are device configuration profiles in pending state: SCEP certification request and deploy always on VPN profile. 

When user goes to the office, autopilot finish the configuration (creates device certificate and deploys VPN profile), but at home there are two tasks always in pending state. Do you have any idea what could be wrong? 

Labels:
4,596 Views
0 Likes
6 Replies
Reply
6 Replies
Rudy_Ooms_MVP

‎Jul 02 2021 06:28 AM

‎Jul 02 2021 06:28 AM

Re: Autopilot deployment - first login to on-premises AD with always on VPN

Hi

I couldnt find information in your question (to be 100% sure) if this option is enabled: skip the AD connectivity check is enabled in the autopilot deployment profile

0 Likes
Reply
marcoorg

‎Jul 02 2021 06:33 AM

‎Jul 02 2021 06:33 AM

Re: Autopilot deployment - first login to on-premises AD with always on VPN

@Rudy_Ooms_MVP thank you for your response. In Windows Autopilot deployment profile the setting Skip AD connectivity check (preview) is set to Yes.

0 Likes
Reply
Nathan Blasac

‎Jul 03 2021 12:19 PM

‎Jul 03 2021 12:19 PM

Re: Autopilot deployment - first login to on-premises AD with always on VPN

Are you perhaps able to re-configure that pre-login VPN so that the user can initiate the tunnel and authenticate via User Name/Password whilst leveraging MFA? Then the user should be able to reach the DC, complete login, and continue the autopilot process.
0 Likes
Reply
marcoorg

‎Jul 08 2021 06:10 AM

‎Jul 08 2021 06:10 AM

Re: Autopilot deployment - first login to on-premises AD with always on VPN

Device tunnel is not displayed in the network icon. First login using domain account failed. I've tried to login to local admin account and checked that at this step there are no NDES cert and VPN profile configured yet. I've tried to push user VPN config but it's not deployed before first logon.
Now we have a workarround: third party VPN that is deployed correctly during Autopilot proces and allows to login to VPN and domain account together but finally we would like to switch this to MS Always On VPN.
0 Likes
Reply
Nathan Blasac

‎Jul 09 2021 06:41 AM

‎Jul 09 2021 06:41 AM

Re: Autopilot deployment - first login to on-premises AD with always on VPN

Thanks for the update. Which Third Party VPN did you go with? I'm aware of many using Cisco AnyConnect.
0 Likes
Reply
marcoorg

‎Jul 09 2021 01:09 PM

‎Jul 09 2021 01:09 PM

Re: Autopilot deployment - first login to on-premises AD with always on VPN

We use FortiClient.
0 Likes
Reply