Autopilot + Hybrid AD + VPN

Hi All. New to Intune. Trying to get my org moved over from Config Mgr. I have a question about Autopilot enrollment with a hybrid AD model and VPN connections (Cisco AnyConnect, specifically).

Is a VPN connection back to on-prem AD absolutely necessary to allow remote users to sign into an Autopilot laptop for the first time, or can they just authenticate with AAD over the internet, then establish a VPN connection after signing into Windows?

I’ve been trying to get AnyConnect’s “Start Before Logon” system working, to allow VPN authentication prior to a user signing into Windows, but it is proving less than 100% reliable. I had been under the impression that pre-logon VPN authentication was necessary for Autopilot, but I’m starting to both question that and lose my sanity working on it.

Edit: To everyone saying to skip hybrid, several of these situations apply to us. I’m not sure we can go pure AAD.
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid#scenarios

Having done this previously and seen the issues with hybrid, I think you should definitely look at whether you can skip hybrid and go straight to AAD.

Hybrid is just pitfall after pitfall, especially with Autopilot.

You need line of sight to the DC to complete provisioning. The only time it isn't needed is if you are going to AAD-join the device.

Have you seen this post from 2 years ago on this issue:
https://www.reddit.com/r/Intune/comments/lbel7s/cisco_anyconnect_autopilot_login_join/

For HAADJ you need to have line of sight to a Domain Controller to complete the process. So yes, you'll need to make that work.

Cisco is one of few that can handle pre-Windows logon.

Maybe you could share what is making its reliability land below 100%?

It’s not worth the pain.

It’s not a “stepping stone”

You literally have to do way more work, for less value, just to follow some imaginary “migration” path that doesn’t actually migrate you anywhere.

Skip hybrid.

We are doing Hybrid AD join with offline domain join, using Intune Connector to pre-create computer account in on-prem Active Directory.

We install AnyConnect VPN client with multiple components, SBL included. We have a profile that unfortunately does not use certificate auth, but still 2FA with RSA requirement.

Users can perform a build from internet connection only as part of Autopilot, but all apps installed during Autopilot/ESP process are device assigned.

When finished, the user then connects to VPN, then logs into Windows. The VPN provides line of sight to on-prem AD.

The first interactive Windows logon in a hybrid AD join scenario does require line of sight, but you can provision, install apps, and join on-prem AD through Autopilot without line of sight.

If the devices don’t have connectivity to the DC and they are built off the network remotely (for example from home), then you can configure Cisco AnyConnect to work with pre-logon, package the VPN client up as a Win32 app, and also deploy a machine certificate to the device from Intune. You also need the skip AD connectivity check in the Autopilot profile.

I have configured Intune as you require and have enrolled at least 2000 devices remotely (both user-driven and pre-provisioned). This was done with ODJ and AnyConnect with SBL to complete the domain join before the user logs on for the first time.

The biggest issue we had with AnyConnect was the profile we pushed with the app. It was configured to not allow internet access until the VPN was connected; this caused all sorts of issues with the ESP, and devices got stuck in no man’s land.

To fix this we repackaged AnyConnect with a simple profile that only had the VPN endpoint. This allowed the SBL connection the first time; then it pulls the full profile from the firewall, so auto-connect etc. are configured as standard.
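Several replies in this thread come down to the same question: does the device have "line of sight" to a domain controller at the moment of the first interactive logon? The script below is an added example, not something posted in the thread or shipped by Cisco or Microsoft. It runs on the Autopilot device (for example from a pre-logon troubleshooting shell, or after the SBL/management tunnel is up) and checks what the hybrid join and first logon actually depend on: DC locator SRV records in DNS, the Kerberos/LDAP/SMB ports on each DC, the join state reported by dsregcmd, and whether nltest can locate a DC. The domain name is a placeholder parameter, and the port list is an assumption of the minimum a domain logon needs; everything else uses built-in Windows tooling.

```powershell
# Added example (not from the thread): pre-logon "line of sight to a DC" check
# for a hybrid-joined Autopilot device. Run as an admin on the device once the
# VPN/SBL tunnel is supposed to be up. $DomainFqdn is a placeholder, not a
# value from the thread.
param(
    [Parameter(Mandatory)] [string]$DomainFqdn   # e.g. corp.example.com (placeholder)
)

# 1. DC locator: the join and the first logon both start with this SRV lookup.
#    If DNS over the tunnel does not resolve it, nothing downstream will work.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No DC SRV records for $DomainFqdn - no line of sight (tunnel down or DNS not routed over VPN?)"
    return
}
$dcs = $srv | Where-Object { $_.QueryType -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique

# 2. Ports a domain logon / ODJ completion needs on each DC (assumed minimum set).
$ports = @{ Kerberos = 88; LDAP = 389; SMB = 445 }
$results = foreach ($dc in $dcs) {
    foreach ($p in $ports.GetEnumerator()) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p.Value -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ DC = $dc; Service = $p.Key; Port = $p.Value; Reachable = $ok }
    }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Reachable }) {
    Write-Warning "At least one DC port is blocked - check the tunnel's split-tunnel/ACL rules include the DCs"
}

# 3. Join state as Windows sees it (AzureAdJoined / DomainJoined both YES = hybrid).
$status = dsregcmd /status
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'DomainName') {
    $line = $status | Where-Object { $_ -match "^\s*$key\s*:" }
    if ($line) { Write-Output $line.Trim() }
}

# 4. Can the machine actually locate a DC through the locator path the logon uses?
$nltest = nltest /dsgetdc:$DomainFqdn 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Output "nltest located a DC:"
    $nltest | Select-Object -First 3
} else {
    Write-Warning "nltest could not locate a DC - first interactive logon will fail until the tunnel provides line of sight"
}
```

If step 1 fails but the tunnel shows as connected, the usual cause is DNS not being sent over the VPN; if step 2 fails on only some ports, the tunnel's split-tunnel or ACL configuration is missing the DC subnets. The script only reads state and makes no changes, so it is safe to keep on a troubleshooting USB or in a remediation script.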

Having done this, it is possible and works; if you have any on-prem servers it would be my preferred way. I don't use Cisco AnyConnect. I use ZeroTier instead. ZT is packaged in Intune and is installed at Autopilot sign-in. Auth through the portal and on-prem will work, split tunnel or default routing.

I've also deployed ADCS and Kerberos in the cloud (key trust), so Windows Hello for Business works: face and PIN sign-in to the PC and on-prem servers/TS just works for everyone.

I am also new to Intune and have exactly the same environment. We already had Start Before Logon deployed, but yes, it is required to connect back to the network and have line of sight to the domain controller before the user can log in for the first time to create their Windows profile. We are currently testing Cisco AnyConnect's management VPN option, which is an always-on VPN. Essentially, if the user didn't specifically log into AnyConnect, whenever that tunnel is down it automatically creates a management tunnel back, in which you would include the domain controllers.

Everyone saying don’t do HAADJ really needs to consider what the environments are. Not everyone’s business is off domain. There are many companies still out there that have on-premises requirements for access to certain infra and internal resources. If anyone is asking about how to work with HAADJ, there is obviously a reason for it.

Here is the simplest explanation I can give you. If you want a hybrid join then it is absolutely necessary. If you don’t want hybrid join then it is not.

If you need to access on premise resources it is still possible but there will be a learning curve. Each time a user needs to access something on-prem then they may be prompted to authenticate.

We are in the last phases of migrating to Autopilot. We made the decision to use hybrid for now while we figure out which LOBs need on-prem resources. The next round of device refresh or future new hires may be only AAD joined, but our network admins, server admins and anyone else that needs to maintain our internal network will most likely remain as HAADJ.

Use the Intune AD connector to create blobs that can be sent through Autopilot to the machine. This allows AAD join. My requirement on top of that is a machine cert, as most pre-logon requirements for an always-on VPN are a machine certificate that can be revoked from, say, your ADCA.

Test it out and see what hurdles are preventing you from skipping HAADJ.

Tagging with comment.

As others have said, hybrid join requires line of sight to a DC. Ours works 100% with AnyConnect using the management tunnel.

If you offline domain joined the device during provisioning, VPN is required.

Don’t do HAADJ Autopilot, simple as.

I’m open to that, but would clients still be able to access on prem resources like shares or printers?

Most all popular VPN solutions can do login-window VPN now.