top of page
Search
Writer's pictureSam Vokes

AoVPN Device Tunnel not deploying during Windows Autopilot deployment

Recently, I was investigating an issue with a customer where their Microsoft Always On VPN Device Tunnel was failing to deploy during Windows Autopilot Hybrid Join for remote devices.


Environment

  • SCEP profile configured for machine certificates in Microsoft Intune

  • NDES server configured to support SCEP

  • AoVPN Device Tunnel configured in Microsoft Intune

  • Trusted and intermediate certificates deployed via Microsoft Intune

Troubleshooting

First we validated that the device was issued a machine certificate by the issuing CA to the NDES service account and existed on the device via certlm.msc > Personal store. The device also had the Root and SubCA to form a full certificate chain which was delivered from Intune. So from a certificate authentication perspective we were happy.


Next, we checked the VPN server and no connection attempts where made. So we knew the device was not reaching the VPN server. Also, as this was a device tunnel, we knew the device did not need pass the NPS radius server.


Next, we connected the device to the internal network, logged in and noticed the Device Tunnel network profile in Network Settings. So the VPN profile successfully deployed with the right settings. After a period of 5-10 minutes we noticed the Device Tunnel connected. Weird.


So we rebuilt the machine and started the Windows Autopilot process on the internal network. The Device Tunnel did not connect at the login screen.


Root cause

Luckily i remembered to ask what edition of Windows the device was running, the customer confirmed the devices were running Pro then would use Subscription Activation to activate to Enterprise after login.


Eureka!


A Device Tunnel is explicitly an Enterprise feature. Which of course won't work with if a remote Hybrid domain joined device can't sign into to the device to activate to Enterprise.


The Solution

We deployed a MAK key from Intune which upgraded devices in a device context during Windows Autopilot. Once we deployed the MAK key, the Device Tunnel was present and connected at the Windows login screen.



113 views
bottom of page