Support VPN Connectivity for Autopilot Hybrid Enrollment
From the requirements here:
"Have access to your Active Directory (VPN connection not supported)."
This requirement breaks the concept of having a device that could be shipped anywhere directly to a user. Large enterprises still have, and will continue to have applications that rely on domain connectivity for authentication. Many of these enterprises build their devices onsite and ship to users that never see the corporate network. Autopilot could never work in this scenario without users disclosing their credentials.
The feature we would like is a secure means of establishing an AAO VPN tunnel during enrollment that would allow enterprise users with domain applications to enroll their devices.
Alan Reagan commented
This feature is now working in public preview. Autopilot will completely configure the machine without any connectivity to the corporate LAN. VPN is not even required for the process to work, but without a pre-logon connection to the corporate LAN, there's no way to log on with a domain account.
Any update on this?
Any update on this? From Ignite 2019, the hope was to have this in early 2020, Q2 is now almost over and no new news.
It feels like this may be possible with the addition of 'Bring Your Own VPN Support' but the complete absence of documentation makes it impossible to know.
Until we have confirmation of support and some documentation, we are prevented from using this with our customers... spoiler... a lot of them want to use AutoPilot like this!
Alan Reagan commented
Reset Windows 10 is a huge improvement and time saver over OSD with SCCM, but if the device has to be unboxed and connected to a network with a domain controller prior to shipping the device to the end user, the biggest potential of AutoPilot is lost.
Yes this is very needed! Please include this feature to truly unlock the potential of AutoPilot Hybrid model.
Given the current crisis, it would be really, really useful to get this feature.
Help speed this up
Mark DePalma commented
Eagerly waiting for the VPN support... Need this to complete my Autopilot project...
This is a must have for drop shipped auto pilot hybrid joined computers.
Without a VPN connection back to the corporate domain, the Hybrid model is "stuck" if your client is connected via the cloud. Not much you can do if you can't log on with your domain credentials. I agree with Mustafa, the video by Rachell Blanchard looks promising. Most interested in how this will work with a 3rd-party VPN solution, specifically Cisco AnyConnect.
Mustafa Tuzovic commented
If you watch the video from the 8th minute, device provisioning is completed and the VPN icon is present for the user to log in. :-)
Now the big question is, how can we set this up? I can not find any good documentation. We have all the requirements but no line of sight to a DC, is that still a requirement? I would really like to install our VPN so the user can use it to get the domain join completed.
In my test it just times out with error 80004005.
In December 2019 this update was released:
listing a new feature:
- Bring your own VPN support for Autopilot User driven mode with Hybrid Azure AD join.
But how can we use this feature? Obviously the docs article has not been updated accordingly:
It's still mentioned that:
...VPN connection not supported at this time).
- Perform Offline Domain Join
- VPN Support Preview in Q1 2020 with Windows 10 1903
I'd give a million votes to this if I could. I did hear at Ignite The Tour in Australia that this feature was already in private preview.
In a COVID-19 world with a bunch of staff suddenly working from home, this would be really, really useful. Having to have the laptops go into the office for initial setup to get hybrid joined is a significant hassle when all our offices are shut down and staff are 100% work from home.
I'd love to be able to push a machine wide VPN profile through Intune and have it applied early enough in the process that it could be used for the hybrid domain join process.
Andrew Moody commented
This is potentially a duplicate of this (worded differently):
Miguel Sanabia commented
Be great if during Ignite there was an announcement for supporting this soon.
"This is a significant issue IMO for AutoPilot option - handling of the Hybrid Domain Join process. Given that there is now this connector for carrying out the join, isn't it possible to route the join request through this to the on-prem AD, thereby only requiring internet access on the endpoint? Or using a deployed Machine VPN profile?"