Always On VPN Device Tunnel – Intune

I was recently working with a client where devices would be deployed using Autopilot and Hybrid Azure AD Joined. This should be achieved from any location and not just the corporate network.

In order to join the domain we created the following:

Windows Autopilot deployment profile with the setting “Join to Azure AD as” set to Hybrid Azure AD Joined. The Intune Connector and On-Premises Active Directory Certificate Services were in place and configured, and the client PCs met the prerequisites for a device tunnel: Configure the VPN device tunnel in Windows 10 | Microsoft Learn

After building a machine through the autopilot process, on first logon (off the corporate network) we couldn’t logon as a user.

So, on to troubleshooting…
We placed the machine on the corporate network and logged on so we could check it over. The following had been pushed to the machine from Intune and were present:

Root and intermediate certificates
User certificate (via AD Cert services)
Device certificate (again via AD Cert services)
AO VPN User Tunnel
AO VPN Device Tunnel

We then connected to a Wi-Fi network outside the corporate network. I checked whether the VPN profiles were installed, and sure enough they were, but in a disconnected state.

The user tunnel is meant to be started manually, and on testing it connected fine. The device tunnel, however, should start automatically so that a user without cached credentials can log on to the domain. Only after running rasdial “Always On VPN Device Tunnel” did it change from disconnected to connected.

If I then switched user, I could log on as a user whose credentials were not already cached.

A look over the event logs and the ProfileXML configuration found no issues.
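The checks above can be scripted. The following PowerShell is an added troubleshooting helper, not code from the original post: it lists the Always On VPN profiles in the device (all-user) and current-user scopes with their connection status, confirms that a machine certificate with the Client Authentication EKU is present for the device tunnel, and, if the device tunnel is still disconnected, starts it with rasdial and pulls the recent RasClient events when that fails. It assumes the device tunnel profile is named “Always On VPN Device Tunnel” as in the post and that it is run from an elevated PowerShell session that can see the all-user connection list.

```powershell
# Added troubleshooting helper, not code from the original post.
# Assumptions: the device tunnel profile is named as in the post, and the
# session is elevated so the all-user (device) VPN profiles are visible.
$DeviceTunnelName = 'Always On VPN Device Tunnel'

function Get-AovpnTunnelState {
    # Device tunnels live in the all-user (machine) scope, user tunnels in the
    # current user's scope. Both are listed so a mis-scoped profile stands out.
    $profiles = @()
    foreach ($c in @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)) {
        $profiles += [pscustomobject]@{
            Scope  = 'Device'
            Name   = $c.Name
            Status = $c.ConnectionStatus
            Auth   = ($c.AuthenticationMethod -join ',')
        }
    }
    foreach ($c in @(Get-VpnConnection -ErrorAction SilentlyContinue)) {
        $profiles += [pscustomobject]@{
            Scope  = 'User'
            Name   = $c.Name
            Status = $c.ConnectionStatus
            Auth   = ($c.AuthenticationMethod -join ',')
        }
    }
    return $profiles
}

function Test-DeviceTunnelCertificate {
    # The device tunnel authenticates with a machine certificate carrying the
    # Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). A missing, expired or
    # key-less certificate leaves the tunnel permanently disconnected.
    $now = Get-Date
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    }
    return (@($certs).Count -gt 0)
}

function Start-DeviceTunnel {
    param([string]$Name = $DeviceTunnelName)
    # rasdial is what the post used to bring the tunnel up by hand. Its exit
    # code is 0 on success; anything else is a RAS error number to look up.
    rasdial "$Name" | Out-Null
    return $LASTEXITCODE
}

function Get-RecentRasClientEvents {
    param([int]$Count = 10)
    # RasClient logs connection attempts and failures to the Application log.
    $filter = @{ LogName = 'Application'; ProviderName = 'RasClient' }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# --- usage ---
Get-AovpnTunnelState | Format-Table -AutoSize

if (-not (Test-DeviceTunnelCertificate)) {
    Write-Warning 'No valid machine certificate with the Client Authentication EKU was found.'
}

$device = Get-AovpnTunnelState |
    Where-Object { $_.Scope -eq 'Device' -and $_.Name -eq $DeviceTunnelName }
if ($device -and $device.Status -ne 'Connected') {
    $rc = Start-DeviceTunnel
    if ($rc -ne 0) {
        Write-Warning "rasdial returned $rc; recent RasClient events follow."
        Get-RecentRasClientEvents | Format-List
    }
}
```

Run it from an elevated prompt on the off-network machine before and after a logon. In the scenario described in the post, the device tunnel shows as Disconnected in the Device scope while the user tunnel is present in the User scope; a user tunnel that also appears in the Device scope is the symptom of both profiles having been assigned to the same devices group.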

With the device tunnel and the user tunnel both assigned to the same devices group used for the Autopilot deployment in Intune, both tunnels appear on the machine at the same time. It looked as though the user profile was being registered and stopping the device tunnel from connecting automatically, though I am not sure how.

The resolution

I changed the user tunnel to be assigned to a users group instead. Now, when the device is built, the device tunnel VPN is deployed to the machine during the Autopilot configuration, but the user VPN is only deployed after a user logs on. This lets the device tunnel start so users can log on to the domain, after which they bring up the user tunnel manually.
