Always on VPN - Device Tunnel

Copper Contributor


 I have a customer who is migrating from on-premises to Azure. They currently use Direct Access for their on premises access. They wish to start using Always On VPN for its extra features until they have completed their migration to Azure and no longer require access to on-premises services.

 They were asking about device tunnels.

 One of the requirements for Device Tunnels is that the device is domain joined.  The assumption is that this is AD Domain joined and not Azure AD joined?  

 Would hybrid joined work ?

 Or does it need to be pure AD Domain joined? 

 Understand a user based tunnel can be established from an Azure AD Joined device.  

 This is only for the migration period as they move to Azure. Once in Azure they will no longer use the VPN. (Nothing will be on premises).

 They are using Intune now and want to build new laptops using autopilot going forward so want to AAD join the new laptops but still allow them access to on-premises. My assumption is that on these devices they will need to use a user based tunnel. 

They will still have hybrid joined laptops through the transition.  So will use Intune to manage all the laptops. 


Thanks and regards



3 Replies

Hi Bryan,


To support an Always On VPN device tunnel the endpoint must be domain joined. This can be exclusively on-premises Active Directory or hybird Azure AD joined. Either will work. Also, the endpoint must be running Windows Enterprise Edition. You can deploy a device tunnel to Professional Edition clients, but it won't connect automatically.


If you customer is moving from DirectAccess to Always On VPN, it is best to use the user tunnel for on-premises access. The device tunnel will work, but it isn't really designed for that. Details here.


Hope that helps!

Hi Richard,
thanks for the quick response. Yes on the way home I realised that a device tunnel for an AAD joined machine was not required really.
As the laptop is AAD joined and managed by Intune both these services are available with out having to establish the device tunnel. So we can manage out to teh device and teh logon services are available. So there is no real requirement for the device tunnel.
If the user requires access to on prem apps we can use a User based tunnel.
The hybrid join is a little more ambiguous. I'm going to suggest to the customer that we use user based tunnels for both case for consistency and see why they are so keen on device based tunnels.

Thanks again,


I agree. For your hybrid Azure AD joined devices you might consider using the device tunnel as a supplement to the user tunnel. It is helpful for domain-joined devices because it provides pre-logon connectivity to domain controllers, which is helpful for scenarios where user might need to logon without cached credentials. Commonly this occurs when users are provided a new device in the field (Autopilot, for example), but it can also be helpful to streamline password resets.


Have fun!