Autopilot with VPN

Autopilot with VPN

With Autopilot on Hybrid AD Join, Active Directory must be join by computer. With this scenario, the computer can be enrolled on Microsoft Autopilot without being connected to the local network

Requirements

A latest version of Windows 10 is supported. You must use the following version of Windows 10 :

  • Windows 10 1903 + December 10 Cumulative update (KB4530684, OS build 18362.535) or higher
  • Windows 10 1909 + December 10 Cumulative update (KB4530684, OS build 18363.535) or higher
  • Windows 10 2004 or later

The option Skip domain connectivity check must be configured in the Hybrid Azure AD Join Autopilot profile.

Configure VPN Infrastructure

Create an Azure Virtual Network

From the Azure portal, click on Create a resource

Autopilot with VPN - create ressource on azure

Enter Virtual network and press Enter.

Autopilot with VPN - create ressource on azure

Click on Virtual Network then on Create.

Autopilot with VPN - Create virtual network

Select Resource group or create a new one. Enter Name of the virtual network and select Region. Click on Next for configure IP Address.

Autopilot with VPN - Create virtual network

IPv4 address space has been configured. You can use it or modify it. Click on Review + Create.

Autopilot with VPN - Configure IPv4 address space

Virtual Network has been created.

virtual network has been created

Create an Azure Virtual Network Gateway

From the Azure portal, click on Create a resource

Create azure ressource

Enter Virtual Network Gateway and press Enter.

Create VPN Gateway

On the marketplace, click on Virtual Network Gateway and click on Create.

Create Virtual network gateway

Enter the desired name and select Azure region. Leave the default value on Gateway type, VPN type, SKU and Generation. If you want setup express route, you need to change this parameter.

Configure Azure Gateway VPN

Select Virtual Network, you can create new Public IP address or use an existing IP address.

Configure Virtual Network

Leave the default value for Enable active-active mode and Configure BGB ASN. Click on Review + Create. then on Create.

Leave default value

This may take 20 minutes or up to create Virtual Network Gateway.

Deployment is finished

Create Local Network Gateway

Click on Create ressource from the Azure portal.

Create connection from azure portal

Enter Local network gateway and press enter. Click on Create.

Create Local network gateway

Enter the name of the Local network gateway and enter Public IP address of your on-Premise Site. On the Address space, enter address range and select Resource group.

Configure Local Network gateway

The Local Network Gateway has been deployed.

Local Network Gateway has been deployed.

Create Connection

Click on Create ressource from the Azure portal.

Create connection from azure portal

Enter Connection and press enter. Click on Create.

Create connection

On the connection type, select Site-to-site and select the desired Resource group. Click on OK.

Configure connection

Click on Virtual network gateway and select the previously virtual network gateway created.

Configure virtual network gateway

Click on Local network gateway and select the local network gateway.

Choose local network gateway

Enter Shared key (PSK) and click on OK.

Configure Shared Key

Connections has been created.

Connections has been created

Configure routing and remote access

Launch Routing and Remote Access console and right clic on the server. Select Configure and Enable Routing and Remote Access.

Configure Routing and remote access

Click on Next in the wizard.

Routing and Remote access wizard

Select Custom configuration and click on Next.

Configure Custom configuration

Check VPN access and LAN routing. Click on Next and Finish.

Enable configuration as you want

Right click on Network Interfaces and select New Demand-dial Interface.

Configure Network Interfaces

Enter the name of Interface name and click on Next.

Configure Interface name

Leave the default value Connect using virtual private networking and click on Next.

Connect using VPN

On VPN Type windows, select IKEv2 and click on Next.

Select IKEv2 VPN Type

Enter Hostname or IP Address of virtual network gateway.

Virtual Network gateway address ip
Enter Hostname or IP Address of virtual network gateway.

Add static routes and click on Next.

Add static routes for remote networks

Network interfaces has been created.

Network interfaces has created

On the properties of Network interface, open Security tab and select Use preshared key for authentification. Enter the key configured previously on Azure.

Configure Presharedkey

Select Options and check Persistent connection. Click on OK.

Configure persistent connection

Right click on Azure and select Connect

Right click on Azure and connect it

If connection can’t established, wait few minutes. When connection is established, status has been updated.

Connection has been established

Configure DNS Server

Access to the properties of virtual network and click on DNS servers.

Configure DNS Server

Check Custom and enter IP Address of your Active Directory DNS Server. Click on Save.

Enter 
 ip Address of DNS Server

Configure Hybrid AD Join

The synchronisation between Active Directory and Azure Active Directory must be configured. You can use this link.

Hybrid AD Join must be activated. You can use this link.

Configure certificate features

Install NDES

Now NDSES must be installed. You cannot co-locate both NDES and CA so you need to install a server on Windows Server 2016 or 2019 and join to the domain. Before install NDES, you need create user account for NDES Server. From AD User and Computer, right click on Organizational Unit who will host the service account. Click on the button for create new user.

Create user account for NDES

Configure attributes of the account and click on Next.

Create user account

Enter the password and click on Next. User account is now created.

Create user account

From the server who NDES will be installed, open the Computer Management console. Expand Local Users and Groups and double click on IIS_IUSRS group.

Select IIS_IUSRS groups

Add user previously created on the group.

Add user on the group

Next, you must add the proper permissions for the ndes user account on your Enterprise CA. From the server, open Certification Authority console. Right click on the name of your CA and click on Properties.

Access to the properties

Open Security tab and click on Add.

Configure security

Add the service account previously created and check Request Certificates.

Configure security

SPN must be set, from the NDES server open command prompt and run the following command :

setspn -s http/<computer name of NDES server> <domain name>\<NDES service account name>
Set SPN on NDES Server

From the NDES Server, open Server Manger console and click on Add roles and features.

Add roles and features

Check Active Directory Certificate Services and click on Next.

Install Active Directory Certificate Services

Uncheck Certification Authority and check Network Device Enrollment Service and click on Next.

Install Network Device Enrollment Service

Click Install for launch installation.

Install features

A new notification is present, click on Configure Active Directory Certificate Services.

Configure ADCS

A new wizard appear, check Network Device Enrollment Service and click on Next.

Check Network Device Enrollment Service

Click on Select and select ndes service account.

Select NDES account

Click on Next for validate the user account.

Select user account

Check Computer name and select the CA Server with Select button. In production it’s recommended to not install Authority Certificates on Domain controller.

Select CA Server

Leave RA Name set to the defaults and click on Next.

Configure RA Name

Configure Key length and click on Next. Click on Configure.

Configure key length

NDES Server has been installed. With Server Manager console install the following IIS features :

  • Web Server / Security / Request Filtering
  • Web Server / Application Development / ASP.NET 3.5
  • Web Server / Application Development / ASP.NET 4.5
  • Management Tools / IIS 6 Management Compatibility / IIS 6 Metabase Compatibility
  • Management Tools / IIS 6 Management Compatibility / IIS 6 WMI Compatibility

On the features windows, select .NET Framework 3.5 / core .NET Framework 3.5 feature and .NET Framework 3.5 / HTTP Activation. It’s the same for .NET Framework 4.5 with .NET Framework 4.5 / core .NET Framework 4.5 feature, .NET Framework 4.5 / HTTP Activation and .NET Framework 4.5 / WCF Services

Install .Net Framework

Open IIS Console on the Ndes server, select the Default Web Site and double click on Request Filtering.

Select Request filtering

Click on Edit Feature Settings.

Edit feature settings

Change the value to Maximum URL length and Maximum query string. Enter 65534 on the field.

Enter value on the field

Run iisreset on the command prompt.

Create certificate template

You can now create template certificate. This certificate is issued for member server. Before create Template certificate, create a group on Active Directory and add the server previously installed on the group.

Create group for request certificate

From your Certification authority (Enterprise certificate only, CA standalone is not supported for NDES), right clic on

Manage certificate template

Right click on Web Server and select Duplicate Template.

Suplicate Web Server

Configure Compatibility Authority and Certificate recipient.

Configure certification authority

Click on General tab and enter the desired name. Check Publish certificate in Active Directory.

Configure General tab

Open Request Handling and check Allow private key to be exported.

Allow export private key

Click on Extension tab then select Application Policies. Click on Edit.

Select Extension tab

Add Client Authentification and click on OK.

Add client authentification

On the security tab add the AD security group that contain the member server and check Enroll. Click on OK.

Add ad group and check enroll

You can now create SCEP Certificate template for all devices. From the Certificate Templates Console, right click on User template and select Duplicate Template. Configure Compatibility Settings and click on General tab. Enter the desired name for the template.

Create SCEP certificate

Select Subject Name template and check that the Supply in the request option is enabled.

Verify supply in the request is enabled

Click on Extensions and check that Description of Application Policies includes Client Authentification. If not, add the extension using the Edit button.

Verify extension Client authentification

On the same tab, select Key Usage and click on Edit. Verify that the option Signature is proof of origin is not check.

Verify extension

Select Request Handing tab and un-check Allow private key to be exported.

Uncheck private key to be exported

Open Security tab and add NDES service account. This account requires Read and Enroll permissions.

Configure security for user account

On the Cryptography tab, verify that the Minimum key size is 2048.

Verify minimum key size

Click on OK. Template has been added.

Template has been added

Close Certificate Template Console and right click on Certificate Template. Select Manage then Certificate Template to Issue.

Select certificate to issue

Select the previously created certificate and click on OK.

Select certificat

The template is now available.

It is now necessary to indicate to the NDES server, the certificate template it must request from the certification authority. On the NDES Server, open registry key and access to the following key :

HKLM\Software\Microsoft\Cryptography\MSCEP
select certificate template

Modify the value of GeneralPurposeTemplate so that it has the value of the previously created certificate.

Configure template that you need use

Restart the NDES server.

Azure AD Application Proxy

Configure AAD App Proxy Connector

Azure AD Application Proxy Connector permit to manage the outbound connection from on-premises server to application proxy in Azure AD. From the ndes server, add the following registry key

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
Enable TLS 1.2 on the server
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
Enable TLS 1.2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
add registry key

Restart the server.

From the AD portal, click on Azure Active Directory then on Application proxy.

Access to Application proxy

Click on Download connector service for download the connector.

Download connector service

Click on Accept terms & Download.

Download Connector service

On the member server, copy the file and run it. Check I agree to the licence terms and conditions and click on Install.

Install connector service

A windows appear, you need enter a credential of Azure ad Admin account. Do not use account with .onmicrosoft.com, I have a lot of problem when i use this account.

Enter azure AD credential

If setup is successful, click on Close. You need to run the PS1 script if you use proxy.

install successful

The windows service for the connector is running on the server.

From the Azure AD portal, click on Enable application proxy.

Enable application proxy

A windows appear, click on Yes. Restart the service on the server, the status is now Active.

application proxy is now active

Application proxy is now configured.

Add Proxy Application for NDES

You can now create an Azure AD Application, for the NDES server. On the Azure portal, click on Enterprise applications.

Add Enterprise application

Click on New application then on Add an on-premises application.

Create new application
Add an on-premises application

Enter the desired name on Name field and Internal URL.

Enter configuration for the application

Select your Pre Authentification method then click on Add. I use Passthrough authentification on my lab.

Configure pre authentification method

Application is now been created.

application is now been created

Open application and click on Users and groups, add the user who have to apply for certificates.

Configure user

Request NDES web certificate

From the NDES Server , open mmc console and add Computer Certificates.

Add certificates snap-in

Right click on Certificates nodes and select All Tasks / Request New Certificate.

Request new certificate

A wizard appear, click twice on Next then select Autopilot – WebServer template and click on Enroll.

Select template and click on Enroll

On the Subject Name select Common Name and enter internal address of NDES Server (srv-vpn.formation.local for me). Click on Add.

Add Internal address on server

On the Alternative name select DNS and enter internal address of NDES Server. Click on Add.

Add internal address on the certificate of ndes server

Repeat the same operation with external address. You can found this address on Azure AD application.

Add external address on the certificate
Add external address on the certificate

Click OK then Enroll to generate certificate.

Generate certificate

Repeat the same operation with

From the NDES Server, open IIS Console. Expand Sites and select Default Web Site. Click on Bindings for link certificate.

Bindings certificate on IIS

A new Windows appear, click on Add.

Add new bindings

Select https on Type then the certificate previously generated. Restart the server when binding is correctly configured.

Add new bindings

Run IISReset on the server .

Intune Certificate connector

From the NDES Server, install the following IIS features :

  • ASP.NET 4.6 (Web Server / Application Development / ASP.NET 4.6)
  • IIS 6 WMI Compatibility (Web Server / Management Tools / IIS 6 Management Compatibility)
Install ASP.NET 4.6
Install WMI

From the Intune portal, click on Tenant administration then on Connectors and tokens. Click on then on Add.

Configure connectors

Click on Download the certificate connector software.

Add connector for certificate

Copy the file on the NDES Server and run it. A wizard appear, click on Next.

Install connector intune

Check I accept the terms in the Licence Agreement and click on Next.

Accept the terms in the licence agrreement

Select Destination Folder and click on Next.

Select destination folder

Select SCEP and PFX Profile Distribution and click on Next.

Choose SCEP profile

Select the certificate previously generated (Template Autopilot – ClientAuthentification). Click on Select and click on the desired certificate

Select certificate client authentification

The following information of the certificate appear, click on Next.

information of certificate

Click on Install for launch installation of the connector.

Install intune connector

Check Launch Intune Connector and click on Finish.

Install connector

Click on Sign In and enter credential of Azure AD Admin.

Configure NDES Connector

Select Advanced tab and check Specify different account username and password. Enter username and password of NDES service account (svc_ndes for me). Click on Apply then on Close.

Configure connector

The connector has been installed and configured. From the Intune portal, click on

Windows 10 automatic enrollment

Set up automatic enrollment

From the intune portal, click on Devices then on Windows.

Select Windows device

Click on Windows enrollment then on Automatic Enrollment.

Configure Windows Enrollment

Selet MDM on MDM User Scope and None on MAM user scope. Click on Save.

Configure Windows autoenrollment

Delegate permission on AD

From the domain controller, open Active Directory Users and Computers. You need configure permission on the desired organizational unit. Right click on Organizational Unit and select Delegate control.

Delegate permission

A new wizard appear, click Next.

Delegate permission

Click on Addand enter the name of the computer where the Connector is installed.

Select server 
 who connector is installed

Select Create a custom task to delegate and click on Next.

Create custom task to delegate

Select Only the following objects in the folder and check Computer objects. Check Create selected objects in this folder and Delete selected objects in this folder.

Configure delegation for computer

Select Full Control and click on Next.

Full control permission for server on OU

Click on Finish Permission has been configured.

Install the Intune Connector

From the Intune portal, click on Devices then on Windows.

Configure Windows devices

Click on Windows enrollment then on Intune Connector for Active Directory.

Download intune connector

Click on Add.

Add new connector

Click on the link to download the tools.

Add new connector

Copy the file on the NDES server and run it. A wizard appear, accept the terms of the licence and click on Install.

Accept the terms of the licence and click on Install

When install finish, click on Configure now.

Configure now the connector

Click on Sign In and enter a credential of a user that has the Global Administrator role or Intune Service Administrator.

Sign in with global admin

Server appear on the Intune portal.

Configure Intune connector for AD

Azure VPN Configuration

From the NDES Server, open mmc console and add Computer certificates snap-in. Select Trusted Root Certification Authorities and select the root CA.

Select Root CA

Right click on the Root CA and select Export. A wizard appear, click on Next.

Certificate has been exported

Select Base-64 encoded X.509 in the Export File Format Windows.

Select Base-64 certificate

Select the destination folder and export the root ca certificate. Open with Notepad the previously exported certificate. Copy Value present on the txt file.

Copy the value of the certificate

From the Azure portal, access Virtual Network Gateway previously created.

Access to the Virtual Network gateway

Click on Point-to-site configuration then on Configure Now.

Configure Point-to-site

Specify an Address pool for the VPN clients to connect. I choose an other ID network than my local area network ID or network ID on Azure. Select IKEv2 on Tunnel type. On Authentification type, select Azure Certificate.

Configure Authentification on Point-to-site configuration

Enter Root on the Name field and paste the value previously copied.

Paste value on the field

Click on Save.

Create dynamic group

From the Azure AD portal, click on Azure Active Directory then on Groups.

Configure Azure AD Groups

All groups appear, click on New Group.

New group

Enter the name of the group and select Dynamic Device on Membership type. Click on Add dynamic query.

Configure groups dynamic

Click on Edit then on Rule Syntax.

Enter rule syntax

Enter the following query and click on OK. Click on Save then on Create.

(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
Rule for Dynamic group

Configure Intune Automatic Enrollment

Enrollment Status Page can be configured. From the Windows Enrollment page, click on Enrollment Status Page.

Configure Enrollment Status Page

Click on Create for create new Enrollment Status Page.

Configure Enrollment Status Page

Enter the desired name and click on Next.

Enter the name of the page

Configure Settings as you want and click on Next.

Configure settings on Autopilot

Select the groups previously created. Click on Next then on Create.

Configure assignment

The profile has been created.

Enrollment Status Page has been created

Create Deployment Profile

the deployment profiles permit to select the deployment mode and customize the OOBE windows. From the Intune portal, click on Windows enrollment then on Deployment Profiles.

Create deployment profiles

Click on Create profile and select Windows PC.

Create new autopilot deployment profile

Enter the desired name and click on Next.

Name of the deployment profile

Select Hybrid Azure AD Joined on Join to Azure AD as then select Yes for Skip AD connectivity check. Configure other option as you want. Click on Next.

Configure Autopilot for Hybrid AD Join

Select dynamic group previously created and click on Next.

Assign profile to Azure AD Groups

Click on Create, the profile has been created.

Import hash device

Capture hardware hash import device is must step before to configure device with Autopilot. On the device, install the powershell script with the following command. This script permit to recover the hash of the device.

Install-Script -Name Get-WindowsAutoPilotInfo
Install Autopilot script

Capture hardware hash import device and add this device on the Azure AD Groups. with the following command. Configure Powershell script execution before to run the Get-WindowsAutopilotInfo CmdLets.

set-executionpolicy -executionpolicy bypass
Get-WindowsAutopilotInfo –online -AddToGroup "Intune - All Autopilot Devices" -Assign
Configure execution policy for powershell script
Run autopilot command

Enter credential of Azure AD Global Admin or account with delegated permission.

Enter credential of azure ad global admin

Device has been imported.

Add device on Intune

Device has been added. If you have an access denied with Powershell, add the account on owners of the groups.

Add device on the groups

Configure configuration profile

Root Cert Configuration profile

You need to deploy on the device the certificates. Intune is used for this deployment. From the NDES server, open certificate previously deployed. Click on Certification Path.

Certifiction path for download root CA

Select Root CA and click on View Certificate. The Root CA appear, click on Details then on Copy to file.

Export Root CA

A wizard appear, leave default values and export Root CA.

Export Root CA

From the Intune portal, click on Devices then on Windows. Click on Configuration Profiles then on Create profile.

Create Windows Profile

Select Windows 10 and later in the drop-down list then Trusted Certificate. Click on Create.

Deploy trusted certificate

Enter the desired name and click on Next.

name of intune profile

Select Root certificate and click on Next.

Root Certificate

Assign the profile to the dynamic group previously created.

Assign profile to dynamic group

Click on Create for create the profile.

Configure SCEP Certificate Profile

From the Intune portal, click on Devices then on Windows. Click on Configuration Profiles then on Create profile. Select Windows 10 and later then chooseSCEP certificate.

Create SCEP Certificate profile

Enter the desired name and click on Next.

Enter the name of the profile

Select Device on Certificate type dropdown list. Modify the value on Subject name format and enter the following value.

CN={{FullyQualifiedDomainName}}
Modify SCEP profile

Select the following value for the different fields.

  • Key Storage provider : Enroll to Software KSP
  • Key usage : Key encipherment
  • Key size: 2048
  • Hash algorithm: SHA-2
Configure SCEP profile

Click on Root Certificate and select the certificate.

Add Root certificate
Select Root certificate

Enter Client Authentification on Name then 1.3.6.1.5.5.7.3.2 on Object Identifier. Select Client Authentification on Predefined values.

Select and configure extender key usage

From the SCEP Server URLs enter the external URL of your Azure AD Proxy application. Add on the end of the URL certsrv/mscep/mscep.dll.

Enter SCEP Server URLs

Click on Next and assign the profile to the dynamic Azure AD groups. Click on Create for launch creation of the profile.

Configure Groups assignment

The profile has been created.

Configure Domain Join Profile

The domain join profile permit to join windows 10 computer. From the Microsoft Endpoint Manager admin center, click on Devices then on Configuration profiles. Click on Create Profile for create new profile.

Select Windows 10 and later on Platform dropdown list then Domain Join on Profile type dropdown list.

Create Domain Join VPN

Enter the desired name and click on Next.

Create Domain Join VPN

Configure Computer name prefix and Domain name then click on Next.

Create Domain Join VPN

Assign the profile to the dynamic group previously created.

Configure VPN Profile

Before create VPN profile, you need to download xml file on Azure ressource. From the Azure portal, access to properties of the Virtual Network gateway previously created.

Virtual network gateways

Click on Point-to-site configuration then on Download VPN client.

Download VPN client

Unzip the download file. The XML file (VpnSettings.xml) present on Generic folder is used for the VPN Configuration step.

VpnSettings.xml file is downloaded

From the Intune portal, click on Devices then on Windows. Click on Configuration Profiles then on Create profile. Select Windows 10 and later then chooseVPN.

Create VPN profile

Enter the desired name and click on Next.

Enter the desired name

Expand Base VPN and enter Connection name. Enter VPN server address, you can found this address on the XML file previously downloaded. Enter a Description and set Default server to True.

Found VPN Server
Configure VPN Server Address

Set Register IP addresses with internal DNS to Enable and select IKEv2 on Connection type.

Configure register ip addresses and connection type

Set Always On to Enable and configure Authentification method to use Machine Certificates. Click on Select a client authentification certificate to select the profile previously created.

Configure VPN Connection

Set to Enable device Tunnel.

Enable Device tunnel

Expand DNS Settings and enter DNS suffixes. Click on Add.

Enter DNS suffixes and click on Add

Enter Domain and IP address of the DNS Server.

Add DNS Server name

Expand Split Tunneling and click Enable the parameter. You need configure Destination Prefix, this information is present on the XML file.

Configure Split Tunneling
Configure Split Tunneling

Assign the group to the dynamic azure ad group. and create the profile.

Create VPN Profile

Configure Windows 10 computer

From the windows 10, previously imported on Autopilot, open Windows Settings. and click on Update & Security.

open update & security parameter

Select Recovery and click on Get started.

Get started recovery

Click on Remove everything for delete all file.

Remove all file

Click on Next on Additional settings Windows.

Remove All file on Windows 10 computer

Click on Reset to reset the computer.

reset computer

When the compyter is restarted, OOBE screen appear. Select desired region and click on Yes.

select region

Configure keyboard layout and click on Yes.

Select keyboard layout

Enter username of user who intune licence has assigned and click on Next.

Configure username and password

Set up device is in progress.

Set up device is in progress

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.