Support VPN Connectivity for Autopilot Hybrid Enrollment
From the requirements here:
"Have access to your Active Directory (VPN connection not supported)."
This requirement breaks the concept of having a device that could be shipped anywhere directly to a user. Large enterprises still have, and will continue to have applications that rely on domain connectivity for authentication. Many of these enterprises build their devices onsite and ship to users that never see the corporate network. Autopilot could never work in this scenario without users disclosing their credentials.
The feature we would like is a secure means of establishing an AAO VPN tunnel during enrollment that would allow enterprise users with domain applications to enroll their devices.
Andrew Moody commented
This is potentially a duplicate of this (worded differently):
Miguel Sanabia commented
Be great if during Ignite there was an announcement for supporting this soon.
"This is a significant issue IMO for AutoPilot option - handling of the Hybrid Domain Join process. Given that there is now this connector for carrying out the join, isn't it possible to route the join request through this to the on-prem AD, thereby only requiring internet access on the endpoint? Or using a deployed Machine VPN profile?"
Windows Autopilot Hybrid domain joining computers is a fantastic feature, but I agree that needing line of sight to a domain controller and being on the corporate network makes Autopilot in general useless. My organization can benefit greatly from this; if utilizing a VPN connection somehow to finish the domain controller communication is supported, that is a great step forward. Microsoft should also provide alternative offline domain join scenarios, potentially utilizing domain controllers hosted in Azure to also complete this process.
Pieter Verbrugge commented
I have even seen this on a Microsoft presentation somewhere, but they seem to have stripped it from the feature set. I hope they will add it in a newer release.