Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices even when the device can reach the corporate network only over a virtual private network (VPN).

VPN use is part of the general work scenario these days with the recent shift toward working from home. However, Windows Autopilot, Microsoft's service that lets end users provision or set up a new PC by themselves, has had a snag when the only route back to the corporate network is a VPN, which Microsoft is now addressing.

The issue arises for organizations using so-called "hybrid" Azure Active Directory-joined devices, meaning the organization has connected its on-premises Active Directory with Azure AD, Microsoft's cloud identity service. For these hybrid Azure AD deployments, Windows Autopilot has needed to reach an Active Directory domain controller on the organization's network during provisioning, which a remote worker's new PC cannot do before a VPN client is installed. Microsoft now offers a toggle option, at the preview stage, that lets the self-provisioning process continue without that connectivity check.

Skip AD Connectivity Check Option
Here's how the new option was described by Michael Niehaus, a principal program manager on the modern deployment team at Microsoft, per the announcement:

To implement this, a new "Skip AD connectivity check" option has been added to the Windows Autopilot Hybrid Azure AD Join profile. When enabled, the device will go through the entire provisioning process, up to the point where the user needs to sign into Windows for the first time, without needing any corporate network connectivity.

Microsoft's documentation describing the skip AD connectivity check option makes it clear that it is a workaround for a chicken-and-egg problem: the device needs a VPN to reach a domain controller, but the VPN client is itself delivered by Intune during provisioning, which previously stalled on that domain controller check:

With the addition of VPN support for this scenario, it is now possible for you to specify to skip that connectivity check during the Hybrid Azure AD Join. This does not eliminate the need for communicating with an Active Directory domain controller, but rather enables the device to be first prepared with a needed VPN configuration delivered via Intune prior to the user attempting to sign into Windows, allowing connectivity to the organization's network.

Niehaus also described the ability to use Intune to add a VPN log-in interface to the device enrollment status page that end users see with the Windows Autopilot process. When it's set up, the device enrollment status page might initiate an automatic VPN log-in or it might require action from the end user, "depending on the VPN client's capabilities," he explained.

Intune is used to add this VPN log-in interface to the device enrollment status page, but third-party VPN clients must be packaged and deployed as Win32 apps, per Microsoft's documentation:

For third-party (non-Microsoft) VPN solutions, this typically would involve deploying a Win32 app (containing the VPN client software itself as well as any specific connection information, e.g. VPN endpoint host names) via Intune Management Extensions.
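Because the skip option only defers the domain controller requirement to first sign-in, a practitioner will want to confirm from the device that a domain controller really is reachable once the VPN client has been deployed. The following PowerShell script is an added example written for this article, not code from Microsoft's documentation or from Niehaus's posts. It assumes a domain name such as corp.example.com and the default Kerberos, LDAP and SMB ports; it locates domain controllers through the SRV records Active Directory publishes in DNS and then tests TCP connectivity to each.

```powershell
# Added example (not from the article or Microsoft's documentation).
# Checks, from the enrolling device, whether an AD domain controller is reachable,
# i.e. the condition the "Skip AD connectivity check" option defers rather than removes.
# Domain name and port list are assumptions for illustration.
function Test-DomainControllerReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $DomainName,                 # e.g. corp.example.com (assumed)

        [int[]] $Ports = @(88, 389, 445)      # Kerberos, LDAP, SMB (assumed defaults)
    )

    # AD publishes its domain controllers as SRV records; over a VPN this lookup
    # succeeds only if the tunnel hands the device internal DNS resolvers.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    try {
        $srvRecords = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
                      Where-Object { $_.Type -eq 'SRV' }
    } catch {
        return [pscustomobject]@{
            Reachable         = $false
            DomainController  = $null
            Reason            = "SRV lookup for $srvName failed: $($_.Exception.Message)"
        }
    }

    if (-not $srvRecords) {
        return [pscustomobject]@{
            Reachable         = $false
            DomainController  = $null
            Reason            = "No SRV records returned for $srvName"
        }
    }

    # Try domain controllers in the order DNS prefers them (lower priority first).
    foreach ($record in ($srvRecords | Sort-Object Priority, Weight)) {
        $dcHost = $record.NameTarget
        $closed = foreach ($port in $Ports) {
            $tcp = Test-NetConnection -ComputerName $dcHost -Port $port `
                                      -WarningAction SilentlyContinue
            if (-not $tcp.TcpTestSucceeded) { $port }
        }

        if (-not $closed) {
            return [pscustomobject]@{
                Reachable         = $true
                DomainController  = $dcHost
                Reason            = "All tested ports open: $($Ports -join ', ')"
            }
        }
        Write-Verbose "$dcHost unreachable on port(s): $($closed -join ', ')"
    }

    [pscustomobject]@{
        Reachable         = $false
        DomainController  = $null
        Reason            = "Resolved $($srvRecords.Count) domain controller(s) but none answered on all tested ports"
    }
}

# Usage (domain name is an assumption):
# Test-DomainControllerReachability -DomainName 'corp.example.com' -Verbose
```

Run it in the SYSTEM context after the Win32 VPN app has installed and connected, for example as a post-install verification step or from a support session before the user's first sign-in. A result with Reachable set to $false means the provisioning flow has reached the desktop but the sign-in that follows will still fail, since the domain controller requirement has only been postponed.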

Targeting Enrollment by Devices
Another Windows Autopilot enhancement is enabled by updates to Intune this month. IT pros can now use Intune to "target ESP [enrollment status page] profiles to groups containing devices." Previously ESP profiles could only be targeted to groups of users, which did not work for deployments in which there is no user group to target.

IT pros needing technical details can find more information from Niehaus in his recent Out of Office Hours blog posts. He outlined how Windows Autopilot works with hybrid Azure AD joins and VPNs in this post. He described targeting enrollment status pages to devices in another post. Exactly which third-party (non-Microsoft) VPNs will work with this scenario is described here.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
