What’s New with Autopilot Hybrid Azure AD Join Over VPN?

by | Sep 1, 2020 | Managed Services

Windows Autopilot now supports Hybrid Azure AD joining new Windows 10 devices while out of the office over 3rd party VPNs! This process not only joins devices to a Windows Server Active Directory domain, but also registers them with Azure AD. Previouslythe Autopilot Hybrid Azure AD join deployment over the internet would fail with the following errors 

  • 0x80070774 = domain controller not found 
  • 0x80004005 = Generic error 

 The announcement from Microsoft with additional details can be found here. 

Many organizations want to leverage Windows Autopilot to provision new devices into their existing Active Directory environments. This capability has been available beginning with Windows 10, version 1809, but with an important restriction: devices needed to have connectivity to the organization’s network in order to complete the provisioning process. 

Now, this restriction has been removed. By leveraging VPN clients (Win32 apps) delivered by Intune during device enrollment, devices can instead be sent directly to the end user, even when they are only connected to the internet, and they can still provision the device. 


An appropriate build of Windows 10 and a 3rd party VPN connection that supports pre-login connection are required.  The prerequisites also include: 

  • Windows 10 1903 with December 2019 cumulative update or later 
  • Windows 10 1909 with December 2019 cumulative update or later 
  • Windows 10 2004 
  • A VPN configuration that can be deployed via Intune that enables the user to manually establish a VPN connection from the Windows logon screen, or one that automatically establishes a VPN connection as needed. 
  • An Intune Domain Join configuration profile 
  • Enabling the new “Skip AD connectivity check” toggle in the Hybrid Azure AD Join Autopilot profile.


Many Always On or management VPN solutions require per machine certificates for authentication.  

Using an internal Windows Enterprise Certificate Authority with Autopilot Hybrid join over VPN requires some configuration. 

 The following connectors, roles and profiles require installation and or configuration. 

  •  Intune Connector for Active Directory installed on a Windows server 
  • Network Device Enrollment Service installed on a Windows server 
  • Intune Certificate Connector installed on a Windows server 
  • Azure application proxy connector installed on a Windows server to handle certificate CRLs 
  • Modified Certificate Authority attributes 
  • Certificate templates for NDES server and Windows clients 
  • Intune Trusted Certificate profile to deploy root certificates
  • Intune Simple Certificate Enrollment profile to deploy client certificates 
  • IntunWindows app (Win32) to deploy a VPN client, such as Cisco AnyConnect management VPN 

Need help deploying Hybrid Azure AD Joined computers to remote staff using Autopilot? Contact us at info@peters.com, we are happy to help.