Enable New Users – Remotely – Using Windows Autopilot over VPN! 

by | Sep 8, 2020 | Collaboration

It’s today’s new normal – working from home is more than a temporary or optional choice for organizations.  This has resulted in a need for new and creative responses from IT on supporting users remotely.  Most organizations have methods to allow remote access for existing employees.  But how do you support new hires or handle computer replacements? 

Windows Autopilot works with Intune to allow IT staff to automatically configure devices from factory settings to domain driven configurations.  Originally created to work with on-premises computers, new features sets now provide the same functionality to your remote employees.  Now you can replace domain joined computers and turn up new devices over the Internet – and have the end-user control the process. 

 User-driven mode for hybrid Azure Active Directory (AAD) join with VPN support 

 Devices joined to Active Directory require connectivity to an Active Directory domain controller for many activities. These activities include user sign-in (validating the user’s credentials) and Group Policy application. As a result, the Windows Autopilot user-driven Hybrid Azure AD Join process would validate that the device is able to contact an Active Directory domain controller by pinging that domain controller. 

With the addition of VPN support for this scenario, you can configure the Hybrid Azure AD Join process to skip the connectivity check. This doesn’t eliminate the need for communicating with an Active Directory domain controller. Instead, to allow connection to the organization’s network, Intune delivers the needed VPN configuration before the user attempts to sign in to Windows. 


The following additional requirements apply for Hybrid Azure AD Join with VPN support: 

  • A supported version of Windows 10: 
  • Windows 10 1903 + December 10 Cumulative update (KB4530684, OS build 18362.535) or higher 
  • Windows 10 1909 + December 10 Cumulative update (KB4530684, OS build 18363.535) or higher 
  • Windows 10 2004 or later 
  • The new “Skip domain connectivity check” toggle in the Hybrid Azure AD Join Autopilot profile needs to be enabled. 
  • A VPN configuration that: 
  • Can be deployed with Intune and lets the user manually establish a VPN connection from the Windows logon screen 


  • One that automatically establishes a pre-logon VPN connection 

 When the end-user receives their device, all they need to do is: 

  • Confirm Internet access 
  • Power on the machine 
  • Login with Domain credentials 
  • Follow the prompts   

 The device will reboot a few times during the process, but when complete will have all security settings and access to the appropriate applications. 

Many of our clients have taken advantage of the Autopilot and AD join over VPN features to reduce time to deploy and minimize over-tasking IT support to great success.  Peters & Associates is available to work with your IT teams to review the prerequisites and to plan out an appropriate deployment.  If you would like more information on how we can help you plan for the unexpected, please contact us at info@peters.com.