Hybrid Windows Autopilot over VPN

With many more people working remotely, tools like Windows Autopilot that enable users to self-deploy corporate laptops without needing the corporate network or IT assistance are extremely powerful.

However, for organisations that use Active Directory and have their devices set up as Hybrid Azure AD Joined, Windows Autopilot fell foul of the need for VPN connectivity, making Hybrid Windows Autopilot a missed opportunity.

Windows Autopilot until now has only worked 100% remotely for Azure AD Joined devices. For devices which are Hybrid Azure AD Joined via Active Directory, Windows Autopilot could fail as it required the device to have line-of-sight to a Domain Controller to perform the Domain Join operation. With the introduction of support for Hybrid Windows Autopilot over VPN (Bring Your Own VPN as the Microsoft documentation calls it) the game has changed.

The way it works, to get 100% remotely deployable Hybrid Windows Autopilot devices, is this: the deployment skips the domain-connectivity check until the device is able to establish a VPN connection. How does the device establish that VPN connection, you ask? Through your Microsoft Intune Configuration Profiles, of course.

Deploying VPN via Microsoft Intune

Deploying a VPN connection via Intune, whether as a native VPN profile, a software package, or another type of VPN client, is not new: we’ve had this option for some time. I’m not going to dwell on it in this post, as we have another one in the works covering some of the Microsoft VPN options with a focus on security.

To work with Windows Autopilot, however, you need to make sure that the VPN solution being deployed is going to be compatible with Hybrid Windows Autopilot.

Hybrid Windows Autopilot VPN compatibility

To work, the solution must use device authentication, not user authentication. On a new machine the user has never logged on before, so there is no cached credential for them to use. This is why the VPN connection must be established before the user logs in: we need to bring the connection up from the Windows 10 login screen using the Network Sign-in option.

Microsoft doesn’t provide an exhaustive list of supported solutions but there are some third-party solutions that are expected to work.

  • Cisco AnyConnect
  • Pulse Secure
  • GlobalProtect
  • Checkpoint
  • Citrix NetScaler
  • SonicWall
  • F5 BIG-IP Edge Client

Not included in this list, but also supported, is Windows 10 Always On VPN. To reiterate, the key to success is that the connection must be set up to perform device authentication and must also support Windows 10 Network Sign-in at the login screen.
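Because the requirement above is easy to get wrong when building the profile in Intune, here is an added example (not from the original post) of a PowerShell check you can run against an Always On VPN ProfileXML before assigning it. It verifies the properties a pre-logon, device-authenticated tunnel needs: DeviceTunnel, IKEv2, machine certificate authentication, no user authentication method, and at least one route. The sample ProfileXML, the server name vpn.example.com and the function name Test-AutopilotVpnProfile are all constructed for this example.

```powershell
# Added example: validate an Always On VPN ProfileXML for Hybrid Autopilot use.
# The profile below is a constructed sample; vpn.example.com and the route are placeholders.

$profileXml = @"
<VPNProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
</VPNProfile>
"@

function Test-AutopilotVpnProfile {
    param([Parameter(Mandatory)][string]$Xml)

    [xml]$doc = $Xml
    $p = $doc.VPNProfile
    $findings = @()

    # A device tunnel comes up before any user logs on, which is what Autopilot needs.
    if ($p.DeviceTunnel -ne 'true') {
        $findings += 'DeviceTunnel must be true'
    }
    # The device tunnel only supports IKEv2 with machine certificate authentication.
    if ($p.NativeProfile.NativeProtocolType -ne 'IKEv2') {
        $findings += 'NativeProtocolType must be IKEv2'
    }
    if ($p.NativeProfile.Authentication.MachineMethod -ne 'Certificate') {
        $findings += 'Authentication/MachineMethod must be Certificate'
    }
    # Any user-based method needs a credential the brand new device does not have yet.
    if ($p.NativeProfile.Authentication.UserMethod) {
        $findings += 'UserMethod is set; user authentication cannot work before first sign-in'
    }
    # Without routes the tunnel cannot reach the domain controllers for the domain join.
    if (-not $p.Route) {
        $findings += 'No Route entries; the tunnel must route to the domain controllers'
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-AutopilotVpnProfile -Xml $profileXml
```

Run it against the XML you are about to paste into the Intune custom OMA-URI or VPN profile; a Compliant value of False with the list of findings tells you exactly which property will stop the tunnel coming up at the login screen.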

Device authentication requires a way to authenticate the device, which generally means certificates. A brand new device deployed with Autopilot has no domain connectivity, so we can’t rely on Group Policy to push Active Directory Certificate Services settings and certificate auto-enrolment to the device.

Deploying certificates for Hybrid Windows Autopilot devices

In order to get a certificate to the device as part of the Hybrid Windows Autopilot build process, we need to use something designed for the cloud. That solution is called SCEP or Simple Certificate Enrolment Protocol.

By integrating an on-premises Active Directory Certificate Services (AD CS) Public Key Infrastructure with Microsoft Intune, we can deploy certificates to these devices via Microsoft Intune using a Device Configuration Profile.

This sounds complex, and like a security concern, but honestly, once you are familiar with how it works it is quite secure, because the connectors use outbound connections rather than inbound connections (*). So long as the environment is set up correctly and the various steps are followed, it also doesn’t need to be that complicated.

* This assumes that you use Azure AD Application Proxy to publish the Network Device Enrollment Service (NDES), but you can publish it via Web Application Proxy and other routes too.

The only real challenge is certificate validation through the Certificate Revocation List (CRL), and even that is easily solved with a bit of automation and an Azure Storage Account that costs pennies per month.
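The automation mentioned above is usually a scheduled task on the issuing CA. The following is an added example (not from the original post) of such a script: it re-publishes the CA’s base and delta CRLs, copies every .crl file from the CertEnroll folder to an Azure Storage container using the Az.Storage module, and then confirms each file is reachable anonymously at the URL your CDP extension would point to. The storage account name, container name and the CRL_STORAGE_KEY environment variable are placeholders.

```powershell
# Added example: publish the issuing CA's CRLs to Azure Blob Storage.
# Assumes the Az.Storage module is installed and the script runs on the issuing CA.
# Storage account, container and the access-key environment variable are placeholders.

param(
    [string]$StorageAccount = 'crlstorageplaceholder',
    [string]$Container      = 'crl',
    [string]$CrlSource      = 'C:\Windows\System32\CertSrv\CertEnroll',
    [string]$AccessKey      = $env:CRL_STORAGE_KEY   # injected by the scheduled task, never hard-coded
)

Import-Module Az.Storage

# Re-publish the base and delta CRL so we always upload a freshly signed copy.
certutil.exe -CRL | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw 'certutil -CRL failed; this script must run on the issuing CA'
}

$ctx = New-AzStorageContext -StorageAccountName $StorageAccount -StorageAccountKey $AccessKey
$crlFiles = Get-ChildItem -Path $CrlSource -Filter '*.crl'

foreach ($crl in $crlFiles) {
    # Content-Type application/pkix-crl is what CryptoAPI expects when it fetches a CDP.
    Set-AzStorageBlobContent -File $crl.FullName -Container $Container -Blob $crl.Name `
        -Context $ctx -Properties @{ ContentType = 'application/pkix-crl' } -Force | Out-Null
}

# Verify each CRL answers anonymously over plain HTTP, as a CDP URL should
# (an HTTPS CDP would need its own certificate validated first).
foreach ($crl in $crlFiles) {
    $url  = "http://$StorageAccount.blob.core.windows.net/$Container/$($crl.Name)"
    $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing
    '{0} -> HTTP {1}, {2} bytes' -f $url, $resp.StatusCode, $resp.Headers['Content-Length']
}
```

Two settings on the storage account decide whether this works: the container must allow anonymous blob read access, and the "secure transfer required" option must be off so the plain-HTTP CDP URL answers. Schedule the script to run more often than the CRL validity period so a stale CRL never reaches the devices, and remember the CDP and AIA URLs on the CA must be changed to the storage URL before certificates are issued, since they are baked into every certificate.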

With everything set up and working, Windows Autopilot devices will be able to request and retrieve a certificate via Microsoft Intune from your on-premises PKI, trust that certificate by trusting your Certificate Authority, and install any VPN clients that are required, even if they are Win32 apps rather than the native Windows VPN client.
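To confirm that chain of events on a freshly built device, here is an added example (not from the original post) of a device-side PowerShell check. It looks in the machine certificate store for a certificate issued by your CA with a private key, checks it carries the Client Authentication EKU, and builds the chain with an online revocation check, which exercises both the trusted root you pushed and the CRL you published. The issuer pattern and the function name Test-ScepDeviceCertificate are placeholders for this example.

```powershell
# Added example: verify the SCEP-issued device certificate on a built device.
# The issuer pattern is a placeholder for your own issuing CA's subject.

function Test-ScepDeviceCertificate {
    param(
        [string]$IssuerPattern = '*CN=Contoso Issuing CA*',   # placeholder issuing CA subject
        [string]$RequiredEku   = '1.3.6.1.5.5.7.3.2'           # Client Authentication OID
    )

    # Device-targeted Intune SCEP profiles place the certificate in LocalMachine\My.
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like $IssuerPattern -and $_.HasPrivateKey }

    if (-not $certs) {
        return [pscustomobject]@{
            Found  = $false
            Reason = 'No device certificate with a private key from the expected CA'
        }
    }

    foreach ($cert in $certs) {
        # VPN device authentication needs the Client Authentication EKU on the certificate.
        $hasEku = $cert.EnhancedKeyUsageList.ObjectId -contains $RequiredEku

        # Build the chain with online revocation checking so a missing trusted root
        # or an unreachable CRL shows up here rather than as a failed VPN connection.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            Found            = $true
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            HasClientAuthEku = $hasEku
            ChainValid       = $chainOk
            ChainStatus      = if ($status) { $status } else { 'NoError' }
        }
    }
}

Test-ScepDeviceCertificate | Format-List
```

A ChainStatus of RevocationStatusUnknown or OfflineRevocation on a device outside the corporate network almost always means the CDP URL in the certificate is not reachable from the Internet, which is exactly the problem the Azure Storage CRL publication is there to solve.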

You can even use the same SCEP methodology to deploy certificates and a VPN connection to Android, iOS, and macOS devices.

Device deployment nirvana

With everything set up and working correctly, you can achieve what you always wanted with Endpoint Configuration Manager but never could quite manage: a device that you can literally hand to a user, fresh out of the box, set up exactly how your organisation needs it, apps and all, no matter where the user is, so long as they have an Internet connection.

If you want to be able to achieve this level of self-service and hands-off machine deployment or you want to get started with Microsoft Intune and find out more about what you can do with Azure Active Directory to assist in device management, let us know and we’ll be happy to assist.