Recently, I was investigating an issue with a customer where their Microsoft Always On VPN Device Tunnel was failing to deploy during Windows Autopilot Hybrid Join for remote devices.
Environment
SCEP profile configured for machine certificates in Microsoft Intune
NDES server configured to support SCEP
AoVPN Device Tunnel configured in Microsoft Intune
Trusted and intermediate certificates deployed via Microsoft Intune
Troubleshooting
First we validated that the issuing CA had issued a machine certificate to the device via NDES (the NDES service account holds the enrollment rights on the SCEP template) and that the certificate was present, with its private key, in the device's Personal store (certlm.msc > Personal > Certificates). The device also had the Root and SubCA certificates delivered by Intune, so a full certificate chain could be built. From a certificate authentication perspective we were happy.
Next, we checked the VPN server and found that no connection attempts had been made, so we knew the device was not reaching the VPN server at all. Also, as this was a Device Tunnel (IKEv2 with machine certificate authentication), we knew the device did not need to pass through the NPS RADIUS server, which took NPS out of the picture.
Next, we connected the device to the internal network, logged in and noticed the Device Tunnel network profile in Network Settings, so the VPN profile had deployed successfully with the right settings. After 5-10 minutes we noticed the Device Tunnel connected. Weird.
So we rebuilt the machine and started the Windows Autopilot process on the internal network. The Device Tunnel did not connect at the login screen.
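The checks above (machine certificate, chain, profile presence, whether the client ever dialled) can be run from one elevated or SYSTEM-context PowerShell session on the client, and the edition check that turned out to matter belongs in the same pass. The script below is an added example, not code from the original post; the issuing CA subject and the tunnel profile name are assumptions to be replaced with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): Device Tunnel prerequisite check for an
# Autopilot / Hybrid Join client. Run elevated, or as SYSTEM (e.g. psexec -s) to see
# exactly what the device context sees at the login screen.

$IssuingCA  = 'CN=Contoso Issuing CA'   # assumption: subject of the CA that NDES enrolls against
$TunnelName = 'Device Tunnel'           # assumption: the profile name configured in Intune

$results = [ordered]@{}

# 1. Edition: the Device Tunnel is only supported on Enterprise. Subscription Activation
#    steps Pro up to Enterprise only after a user signs in, so check this first.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['Edition']   = $os.Caption
$results['EditionOK'] = $os.Caption -match 'Enterprise'

# 2. Machine certificate: must be in LocalMachine\My, issued by the expected CA,
#    carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and have a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -eq $IssuingCA -and $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$results['MachineCertFound'] = [bool]$cert
if ($cert) { $results['MachineCertSubject'] = $cert.Subject; $results['MachineCertExpires'] = $cert.NotAfter }

# 3. Chain: the Root and SubCA delivered by Intune must let a full chain build.
#    Revocation is skipped here so the check works offline; the VPN server does that part.
if ($cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $results['ChainBuilds'] = $chain.Build($cert)
    $results['ChainLength'] = $chain.ChainElements.Count   # leaf + SubCA + Root = 3 for a two-tier PKI
}

# 4. Profile: a Device Tunnel is an all-user (device) connection, so it only shows with -AllUserConnection.
$vpn = Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
    Where-Object Name -eq $TunnelName
$results['ProfilePresent'] = [bool]$vpn
if ($vpn) {
    $results['TunnelType'] = $vpn.TunnelType                            # expect IKEv2
    $results['AuthMethod'] = ($vpn.AuthenticationMethod -join ',')      # expect MachineCertificate
    $results['Status']     = $vpn.ConnectionStatus
}

# 5. Did the client even try? RasClient events in the Application log record dial attempts
#    and IKE failures locally, which is quicker than waiting on the VPN server's logs.
$results['RasClientEventsLastHour'] = (Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'RasClient'; StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue | Measure-Object).Count

[pscustomobject]$results | Format-List
```

If every certificate and profile field is healthy but EditionOK is False and RasClientEventsLastHour is 0, the client is in the state described in this post: the profile exists but the tunnel is never attempted because the edition does not qualify.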
Root cause
Luckily I remembered to ask which edition of Windows the devices were running. The customer confirmed the devices were running Windows 10 Pro and relied on Subscription Activation to step up to Enterprise after a user logged in.
Eureka!
A Device Tunnel is explicitly an Enterprise-only feature. That of course can't work when a remote Hybrid Azure AD joined device depends on the tunnel to reach a domain controller for the user's first sign-in, while the step-up to Enterprise via Subscription Activation only happens after that user has signed in. It also explains the earlier test: on the internal network the user could log in, Subscription Activation upgraded the device to Enterprise, and a few minutes later the Device Tunnel came up.
The Solution
We deployed an Enterprise MAK key from Intune using an edition upgrade configuration profile, which upgrades the edition in the device context during Windows Autopilot, before any user signs in. Once the MAK key was deployed, the Device Tunnel was present and connected at the Windows login screen.
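The Intune profile drives the WindowsLicensing CSP to apply the key in the device context; the same step-up can be done locally from a SYSTEM or elevated session, which is useful for proving the fix on one device before rolling the profile out. This is an added example, not the original post's procedure: the product key is a placeholder, the tunnel name is an assumption, and changepk.exe is the local tool used here rather than the CSP.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): Pro -> Enterprise step-up in the device context,
# i.e. without a user signing in, followed by a check that the Device Tunnel becomes eligible.
param(
    [string]$EnterpriseMak = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX',  # placeholder, not a real key
    [string]$TunnelName    = 'Device Tunnel'                   # assumption: profile name from Intune
)

function Get-Edition { (Get-CimInstance -ClassName Win32_OperatingSystem).Caption }

$before = Get-Edition
if ($before -match 'Enterprise') { "Already Enterprise: $before"; return }
if ($before -notmatch 'Pro')     { throw "Unexpected edition '$before'; this path is for Pro -> Enterprise only" }

# changepk.exe applies the key and switches the edition with no interactive sign-in,
# which is exactly what Subscription Activation cannot do at the Autopilot login screen.
Start-Process -FilePath "$env:SystemRoot\System32\changepk.exe" `
    -ArgumentList "/ProductKey $EnterpriseMak" -Wait -NoNewWindow

# The edition change completes asynchronously; poll before judging the tunnel.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $after = Get-Edition
} while ($after -notmatch 'Enterprise' -and (Get-Date) -lt $deadline)

"Before: $before"
"After:  $after"
if ($after -notmatch 'Enterprise') { throw 'Edition did not change; check the key and the licensing event log' }

# Once Enterprise, the all-user Device Tunnel profile should be eligible to connect on its own.
Get-VpnConnection -AllUserConnection -Name $TunnelName -ErrorAction SilentlyContinue |
    Select-Object Name, TunnelType, ConnectionStatus
```

Run it under SYSTEM (for example via psexec -s) to match the context Intune uses during Autopilot; an edition change applied from an interactive user session proves nothing about what the login screen will see.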