Autopilot with VPN
With Autopilot Hybrid Azure AD Join, the computer must join the on-premises Active Directory domain during enrollment. In the scenario described here, the computer is enrolled through Windows Autopilot without being connected to the local network: a device VPN tunnel, authenticated with a machine certificate before any user signs in, carries the domain join traffic to the domain controllers.
Requirements
A recent version of Windows 10 is required. Use one of the following:
- Windows 10 1903 + December 10, 2019 cumulative update (KB4530684, OS build 18362.535) or later
- Windows 10 1909 + December 10, 2019 cumulative update (KB4530684, OS build 18363.535) or later
- Windows 10 2004 or later
The option Skip AD connectivity check must be set to Yes in the Hybrid Azure AD Join Autopilot deployment profile; otherwise enrollment stops as soon as the device cannot reach a domain controller.
Configure VPN Infrastructure
Create an Azure Virtual Network
From the Azure portal, click on Create a resource.
Enter Virtual network and press Enter.
Click on Virtual Network, then on Create.
Select a Resource group or create a new one. Enter the Name of the virtual network and select the Region. Click on Next to configure the IP address space.
An IPv4 address space is pre-filled. Keep it or change it, but make sure it overlaps neither the on-premises network nor the address pool you will later assign to the point-to-site VPN clients, otherwise routing through the tunnel breaks. Click on Review + Create.
The virtual network has been created.
Create an Azure Virtual Network Gateway
From the Azure portal, click on Create a resource.
Enter Virtual Network Gateway and press Enter.
On the marketplace, click on Virtual Network Gateway, then on Create.
Enter the desired name and select the Azure region. Leave the default values for Gateway type (VPN), VPN type (Route-based), SKU and Generation; the IKEv2 connections used here need a route-based gateway. Change Gateway type only if you want to set up ExpressRoute instead.
Select the Virtual Network. You can create a new Public IP address or use an existing one.
Leave the default values for Enable active-active mode and Configure BGP ASN. Click on Review + Create, then on Create.
Creating the virtual network gateway can take 20 minutes or more.
Create Local Network Gateway
Click on Create a resource from the Azure portal.
Enter Local network gateway and press Enter. Click on Create.
Enter the name of the local network gateway and the public IP address of your on-premises site (the address on which the RRAS server is reachable from the Internet). Under Address space, enter the on-premises address range(s) that Azure should route through the tunnel, then select the Resource group.
The local network gateway has been deployed.
Create Connection
Click on Create a resource from the Azure portal.
Enter Connection and press Enter. Click on Create.
For the connection type, select Site-to-site (IPsec) and select the desired Resource group. Click on OK.
Click on Virtual network gateway and select the virtual network gateway created previously.
Click on Local network gateway and select the local network gateway.
Enter the Shared key (PSK) and click on OK. Use a long random value (generate it rather than typing a memorable phrase); the same key has to be entered on the RRAS server later.
The connection has been created.
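The same four resources (virtual network, virtual network gateway, local network gateway and the site-to-site connection) can be created from Az PowerShell, which is easier to repeat and lets you generate the shared key instead of typing one. This is an added example, not code from the original post; every name, region and address range in it is an assumption to replace with your own values.

```powershell
# Added example (not from the original post): builds the site-to-site pieces
# above with the Az PowerShell module instead of the portal. Every name and
# address below is an assumption to replace with your own values.
Import-Module Az.Accounts, Az.Network, Az.Resources
# Connect-AzAccount   # sign in first if needed

$rg        = "rg-autopilot-vpn"     # assumption
$location  = "westeurope"           # assumption
$vnetCidr  = "10.10.0.0/16"         # assumption: Azure VNet range
$gwSubnet  = "10.10.255.0/27"       # the gateway subnet must be named "GatewaySubnet"
$onPremIp  = "203.0.113.10"         # assumption: public IP of the RRAS server (or the NAT in front of it)
$onPremNet = "192.168.1.0/24"       # assumption: on-premises LAN; must not overlap $vnetCidr

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# 1. Virtual network with the mandatory GatewaySubnet
$subnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $gwSubnet
$vnet   = New-AzVirtualNetwork -Name "vnet-autopilot" -ResourceGroupName $rg -Location $location `
            -AddressPrefix $vnetCidr -Subnet $subnet

# 2. Route-based VPN gateway (IKEv2 site-to-site and point-to-site both need RouteBased)
$pip = New-AzPublicIpAddress -Name "pip-vng-autopilot" -ResourceGroupName $rg -Location $location `
         -Sku Standard -AllocationMethod Static
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet).Id
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id
$vng = New-AzVirtualNetworkGateway -Name "vng-autopilot" -ResourceGroupName $rg -Location $location `
         -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
# The call above blocks while the gateway is provisioned (typically 20-45 minutes).

# 3. Local network gateway: the on-premises side of the tunnel
$lng = New-AzLocalNetworkGateway -Name "lng-onprem" -ResourceGroupName $rg -Location $location `
         -GatewayIpAddress $onPremIp -AddressPrefix $onPremNet

# 4. Pre-shared key: 32 random bytes as hex, generated rather than typed
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = -join ($bytes | ForEach-Object { $_.ToString("x2") })

New-AzVirtualNetworkGatewayConnection -Name "cn-onprem" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# The same PSK goes on the RRAS demand-dial interface. Store it in a vault; do not leave it in a script.
"Gateway public IP : $($pip.IpAddress)"
"Shared key (PSK)  : $psk"
```

The gateway public IP printed at the end is the value to enter as the destination of the RRAS demand-dial interface, and the PSK is the value to enter on its Security tab.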
Configure routing and remote access
Launch the Routing and Remote Access console and right-click the server. Select Configure and Enable Routing and Remote Access.
Click on Next in the wizard.
Select Custom configuration and click on Next.
Check VPN access and LAN routing. Click on Next, then Finish.
Right-click on Network Interfaces and select New Demand-dial Interface.
Enter the interface name (Azure in this example) and click on Next.
Leave the default value Connect using virtual private networking and click on Next.
In the VPN Type window, select IKEv2 and click on Next.
Enter the public IP address of the Azure virtual network gateway.
Add a static route for the Azure virtual network address space (so that traffic to Azure is sent through the demand-dial interface) and click on Next.
The network interface has been created.
In the properties of the network interface, open the Security tab and select Use preshared key for authentication. Enter the key configured previously on the Azure connection.
Select Options and check Persistent connection. Click on OK.
Right-click the Azure interface and select Connect.

If the connection cannot be established, wait a few minutes; the Azure gateway may still be finishing its deployment. When the connection is established, the status changes to Connected, both in RRAS and on the Azure Connection resource.
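The RRAS side of the tunnel can be configured with the RemoteAccess module instead of the MMC wizard, which also gives you a scripted check of the interface state. This is an added example, not code from the original post; the gateway IP and the Azure address range are assumptions taken from the Azure deployment, and the interface is named Azure as in the text.

```powershell
# Added example (not from the original post): configures the RRAS side of
# the site-to-site tunnel with the RemoteAccess module instead of the wizard.
# Assumptions: Azure gateway public IP, Azure VNet range, interface name "Azure".
Import-Module RemoteAccess

$azureGatewayIp = "20.0.0.1"        # assumption: public IP of the virtual network gateway
$azureVnet      = "10.10.0.0/16"    # assumption: Azure VNet address space
$psk            = Read-Host -AsSecureString -Prompt "Shared key configured on the Azure connection"
$pskPlain       = [System.Net.NetworkCredential]::new("", $psk).Password

# Role installation: VPN access + LAN routing (what the wizard's custom configuration does)
if ((Get-WindowsFeature RemoteAccess).InstallState -ne "Installed") {
    Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing, RSAT-RemoteAccess-PowerShell | Out-Null
}
if ((Get-RemoteAccess).VpnS2SStatus -ne "Installed") {
    Install-RemoteAccess -VpnType VpnS2S
}

# Demand-dial interface: IKEv2, PSK authentication, persistent, static route to the VNet.
# IPv4Subnet is "<prefix>:<metric>".
Add-VpnS2SInterface -Name "Azure" -Destination $azureGatewayIp -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -SharedSecret $pskPlain `
    -IPv4Subnet "$($azureVnet):100" -Persistent

Connect-VpnS2SInterface -Name "Azure"

# Check: the tunnel may need a few minutes once the Azure gateway is ready
$iface = Get-VpnS2SInterface -Name "Azure"
"$($iface.Name): $($iface.ConnectionState) / auth=$($iface.AuthenticationMethod)"

# Check: the route to the Azure range is installed on this interface
Get-NetRoute -DestinationPrefix $azureVnet -ErrorAction SilentlyContinue |
    Format-Table DestinationPrefix, InterfaceAlias, RouteMetric -AutoSize
```

The shared key is read from the console rather than embedded in the script; it is the same value that was entered on the Azure connection resource.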
Configure DNS Server
Open the properties of the virtual network and click on DNS servers.
Check Custom and enter the IP address of your Active Directory DNS server. Click on Save. Point-to-site clients receive the virtual network's DNS settings, so this is what lets the Autopilot device resolve the domain and locate a domain controller through the tunnel.

Configure Hybrid AD Join
Synchronisation between Active Directory and Azure Active Directory (Azure AD Connect) must be configured. You can use this link.
Hybrid Azure AD Join must be enabled in Azure AD Connect. You can use this link.
Configure certificate features
Install NDES
Now NDES must be installed. NDES must not be co-located with the CA, so install it on a separate Windows Server 2016 or 2019 that is joined to the domain. Before installing NDES, create a service account for it. In Active Directory Users and Computers, right-click the organizational unit that will host the service account and click the button to create a new user. This account only needs Request Certificates on the CA; do not make it a domain or local administrator.
Configure the attributes of the account and click on Next.
Enter the password and click on Next. The user account is now created.
On the server where NDES will be installed, open the Computer Management console. Expand Local Users and Groups and double-click the IIS_IUSRS group.
Add the user created previously to the group.
Next, grant the NDES service account the proper permissions on your Enterprise CA. On the CA server, open the Certification Authority console. Right-click the name of your CA and click on Properties.
Open the Security tab and click on Add.
Add the service account created previously and check Request Certificates.
The SPN must be set. From the NDES server, open a command prompt and run the following command:
setspn -s http/<computer name of NDES server> <domain name>\<NDES service account name>
From the NDES server, open the Server Manager console and click on Add roles and features.
Check Active Directory Certificate Services and click on Next.
Uncheck Certification Authority, check Network Device Enrollment Service and click on Next.
Click Install to launch the installation.
A new notification appears; click on Configure Active Directory Certificate Services.
A new wizard appears; check Network Device Enrollment Service and click on Next.
Click on Select and select the NDES service account.
Click on Next to validate the user account.
Check Computer name and select the CA server with the Select button. In production it is recommended not to install the certification authority on a domain controller.
Leave the RA Name set to the defaults and click on Next.
Configure the key lengths (keep at least 2048) and click on Next. Click on Configure.
The NDES server has been installed. With the Server Manager console, install the following IIS features:
- Web Server / Security / Request Filtering
- Web Server / Application Development / ASP.NET 3.5
- Web Server / Application Development / ASP.NET 4.5
- Management Tools / IIS 6 Management Compatibility / IIS 6 Metabase Compatibility
- Management Tools / IIS 6 Management Compatibility / IIS 6 WMI Compatibility
On the Features page, select .NET Framework 3.5 / .NET Framework 3.5 (includes .NET 2.0 and 3.0) and .NET Framework 3.5 / HTTP Activation. Do the same for .NET Framework 4.5: .NET Framework 4.5 / .NET Framework 4.5, .NET Framework 4.5 / HTTP Activation and .NET Framework 4.5 / WCF Services.
Open the IIS console on the NDES server, select the Default Web Site and double-click on Request Filtering.
Click on Edit Feature Settings.
Set Maximum URL length and Maximum query string to 65534. SCEP requests carry the whole PKCS#7 message in the query string, so the default limits would reject them.
Run iisreset from the command prompt.
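The NDES preparation above (service account, IIS_IUSRS membership, SPN, role and IIS features, NDES configuration and request filtering limits) can be scripted on the future NDES server. This is an added example, not code from the original post; the domain, OU, account and CA names are assumptions, and the Request Certificates permission on the CA still has to be granted on the CA server as described above before the NDES configuration step runs.

```powershell
# Added example (not from the original post): scripted equivalent of the NDES
# preparation above. Run on the future NDES server as a domain admin with the
# RSAT AD module installed. Names are assumptions: domain "formation.local",
# service account "svc_ndes", CA "CA01.formation.local\formation-CA01-CA".
Import-Module ActiveDirectory, ServerManager

$domain   = "formation.local"                                 # assumption
$svcName  = "svc_ndes"                                        # assumption
$svcOu    = "OU=Service Accounts,DC=formation,DC=local"       # assumption
$caConfig = "CA01.formation.local\formation-CA01-CA"          # assumption: <CA host>\<CA name>
$ndesHost = $env:COMPUTERNAME

# 1. Service account: a plain user; NDES only needs Request Certificates on the CA
#    (granted in the Certification Authority console on the CA server, see above)
$pwd = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOu `
    -UserPrincipalName "$svcName@$domain" -AccountPassword $pwd -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Local IIS_IUSRS membership and HTTP SPNs (short name and FQDN, since both are used)
Add-LocalGroupMember -Group "IIS_IUSRS" -Member "$domain\$svcName"
setspn -s "http/$ndesHost" "$domain\$svcName"
setspn -s "http/$ndesHost.$domain" "$domain\$svcName"

# 3. NDES role service plus the IIS / .NET features listed above
Install-WindowsFeature ADCS-Device-Enrollment, `
    Web-Filtering, Web-Asp-Net, Web-Asp-Net45, Web-Metabase, Web-WMI, `
    NET-Framework-Core, NET-HTTP-Activation, `
    NET-Framework-45-Core, NET-WCF-HTTP-Activation45, NET-WCF-Services45 | Out-Null

# 4. NDES configuration against the enterprise CA (RA name left at its default)
Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName "$domain\$svcName" `
    -ServiceAccountPassword $pwd -CAConfig $caConfig `
    -SigningKeyLength 2048 -EncryptionKeyLength 2048 -Force

# 5. Request filtering: SCEP puts the whole PKCS#7 in the query string, so raise both limits
Import-Module WebAdministration
$site   = "IIS:\Sites\Default Web Site"
$filter = "/system.webServer/security/requestFiltering/requestLimits"
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxUrl         -Value 65534
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxQueryString -Value 65534
iisreset | Out-Null

# Checks: limits applied, SPNs registered on the service account
Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxQueryString
setspn -l "$domain\$svcName"
```

The password is prompted for once and reused for both the account creation and the NDES configuration, so it never appears in the script or the command history.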
Create certificate template
You can now create the certificate templates. The first one is used to issue the web server certificate of the NDES server (a member server). Before creating it, create a security group in Active Directory and add the NDES server installed previously to the group.
From your certification authority (an Enterprise CA is required; NDES does not support a standalone CA), right-click Certificate Templates and select Manage.
Right-click on Web Server and select Duplicate Template.
On the Compatibility tab, configure Certification Authority and Certificate recipient.
Click on the General tab and enter the desired name. Check Publish certificate in Active Directory.
Open Request Handling and check Allow private key to be exported.
Click on the Extensions tab, then select Application Policies. Click on Edit.
Add Client Authentication and click on OK.
On the Security tab, add the AD security group that contains the member server and check Enroll. Click on OK.
You can now create the SCEP certificate template for all devices. From the Certificate Templates console, right-click the User template and select Duplicate Template. Configure the Compatibility settings and click on the General tab. Enter the desired name for the template.
On the Subject Name tab, check that the Supply in the request option is selected (the subject is built by Intune from the SCEP profile).
Click on Extensions and check that the description of Application Policies includes Client Authentication. If not, add it with the Edit button.
On the same tab, select Key Usage and click on Edit. Verify that the option Signature is proof of origin is not checked.
Select the Request Handling tab and uncheck Allow private key to be exported.
Open the Security tab and add the NDES service account. This account requires Read and Enroll permissions.
On the Cryptography tab, verify that the Minimum key size is 2048.
Click on OK. The template has been added.
Close the Certificate Templates console. In the Certification Authority console, right-click Certificate Templates, select New, then Certificate Template to Issue.
Select the certificate template created previously and click on OK.
The template is now available.
It is now necessary to tell the NDES server which certificate template it must request from the certification authority. On the NDES server, open the Registry Editor and go to the following key:
HKLM\Software\Microsoft\Cryptography\MSCEP
Modify the value of GeneralPurposeTemplate so that it contains the name (not the display name) of the SCEP template created previously.
Restart the NDES server.
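A mistyped template name in the MSCEP key is a classic cause of SCEP failures, so it is worth setting the value from a script that first checks the template really exists in the forest. This is an added example, not code from the original post; the template name Autopilot-SCEP is an assumption (the post does not give one), and it goes one step beyond the text by also setting EncryptionTemplate and SignatureTemplate, which NDES reads alongside GeneralPurposeTemplate.

```powershell
# Added example (not from the original post): sets the SCEP template in the
# MSCEP registry key and checks that the name matches a published template.
# Assumption: the SCEP template's name (not display name) is "Autopilot-SCEP".
Import-Module ActiveDirectory, WebAdministration

$templateName = "Autopilot-SCEP"   # assumption
$key = "HKLM:\Software\Microsoft\Cryptography\MSCEP"

# 1. The template must exist in the forest's Certificate Templates container
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc" `
         -Filter { name -eq $templateName } -Properties pKIExtendedKeyUsage
if (-not $tpl) { throw "Template '$templateName' not found; check the Template name, not the Display name" }
if ($tpl.pKIExtendedKeyUsage -notcontains "1.3.6.1.5.5.7.3.2") {
    Write-Warning "Template has no Client Authentication EKU; the VPN machine certificate would be rejected"
}

# 2. NDES reads three template values; the post sets GeneralPurposeTemplate.
#    Setting all three to the same SCEP template removes any dependency on the
#    key usage the device asks for.
foreach ($name in "GeneralPurposeTemplate", "EncryptionTemplate", "SignatureTemplate") {
    Set-ItemProperty -Path $key -Name $name -Value $templateName
}
Get-ItemProperty -Path $key | Select-Object GeneralPurposeTemplate, EncryptionTemplate, SignatureTemplate

# 3. Recycling the SCEP application pool is enough for NDES to pick the new values up
Restart-WebAppPool -Name "SCEP"
```

Recycling the SCEP application pool replaces the full server restart for this change; a restart is still fine if you prefer it.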
Azure AD Application Proxy
Configure AAD App Proxy Connector
The Azure AD Application Proxy connector establishes outbound connections from the on-premises server to the Application Proxy service in Azure AD, so the NDES server is published to the Internet without opening any inbound port on the firewall. On the NDES server, add the following registry values to enforce TLS 1.2 for the connector:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
Restart the server.
From the Azure AD portal, click on Azure Active Directory, then on Application proxy.
Click on Download connector service to download the connector.
Click on Accept terms & Download.
On the member server, copy the file and run it. Check I agree to the license terms and conditions and click on Install.
A window appears; enter the credentials of an Azure AD admin account. Do not use an account with .onmicrosoft.com; I had a lot of problems when I used this kind of account.
If setup is successful, click on Close. If the server reaches the Internet through a web proxy, run the provided PS1 script to configure it.
The Windows service for the connector is running on the server.

From the Azure AD portal, click on Enable application proxy.
A window appears; click on Yes. Restart the connector service on the server; the status is now Active.
Application Proxy is now configured.
Add Proxy Application for NDES
You can now create an Azure AD application for the NDES server. On the Azure portal, click on Enterprise applications.
Click on New application, then on Add an on-premises application.
Enter the desired name in the Name field and the Internal URL (the HTTPS URL of the NDES server as resolved on the internal network).
Select your Pre Authentication method, then click on Add. I use Passthrough authentication in my lab.
The application has now been created.
Open the application and click on Users and groups, then add the users who have to request certificates. With Passthrough pre-authentication the SCEP requests are not authenticated by Azure AD, so this assignment does not gate the device's certificate request; NDES itself still validates the SCEP challenge issued through the Intune certificate connector.
Request NDES web certificate
From the NDES server, open an MMC console and add the Certificates snap-in for the computer account.
Right-click on the Certificates node and select All Tasks / Request New Certificate.
A wizard appears; click on Next twice, then select the Autopilot – WebServer template and click on Enroll.
Under Subject name, select Common name and enter the internal address of the NDES server (srv-vpn.formation.local for me). Click on Add.
Under Alternative name, select DNS and enter the internal address of the NDES server. Click on Add.
Repeat the same operation with the external address. You can find this address in the Azure AD application (External URL).
Click OK, then Enroll to generate the certificate.
Repeat the same operation with
From the NDES server, open the IIS console. Expand Sites and select Default Web Site. Click on Bindings to attach the certificate.
A new window appears; click on Add.
Select https as the Type, then the certificate generated previously. Restart the server once the binding is configured correctly.
Run iisreset on the server.
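The enrollment, the HTTPS binding and a first functional test of the NDES endpoint can be done from PowerShell on the NDES server. This is an added example, not code from the original post; the template name AutopilotWebServer and the external hostname are assumptions (the internal name is the one given in the text), and the external check only succeeds once the Application Proxy application exists and its external name resolves.

```powershell
# Added example (not from the original post): requests the NDES web server
# certificate with both names as SANs, binds it to HTTPS and checks that the
# SCEP endpoint answers. Assumptions: template name "AutopilotWebServer",
# external name "ndes-contoso.msappproxy.net".
Import-Module WebAdministration

$internalFqdn = "srv-vpn.formation.local"        # from the post
$externalFqdn = "ndes-contoso.msappproxy.net"    # assumption: host of the App Proxy External URL
$template     = "AutopilotWebServer"             # assumption: template *name* of "Autopilot - WebServer"

# 1. Enroll from the enterprise CA: CN = internal name, SAN = both names
$result = Get-Certificate -Template $template -SubjectName "CN=$internalFqdn" `
            -DnsName $internalFqdn, $externalFqdn -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne "Issued") { throw "Enrollment status: $($result.Status)" }
$cert = $result.Certificate

# 2. HTTPS binding on the Default Web Site (created once) using this certificate
if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https)) {
    New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 -IPAddress "*"
}
$bindingPath = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
New-Item $bindingPath -Value $cert | Out-Null
iisreset | Out-Null

# 3. Check: GetCACaps is an unauthenticated SCEP operation. A healthy NDES returns
#    HTTP 200 and a short text list of capabilities (for example POSTPKIOperation, SHA-256).
foreach ($name in $internalFqdn, $externalFqdn) {
    $url = "https://$name/certsrv/mscep/mscep.dll?operation=GetCACaps&message=test"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "$name : HTTP $($r.StatusCode) -> $($r.Content -replace '\s+', ' ')"
    } catch {
        "$name : $($_.Exception.Message)"
    }
}
```

A certificate chain error on the internal name means the CA root is not trusted on the machine running the check; an HTTP 500 or 404 on mscep.dll usually means the NDES configuration or the MSCEP template values are wrong, not the binding.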
Intune Certificate connector
From the NDES server, install the following IIS features:
- ASP.NET 4.6 (Web Server / Application Development / ASP.NET 4.6)
- IIS 6 WMI Compatibility (Web Server / Management Tools / IIS 6 Management Compatibility)
From the Intune portal, click on Tenant administration, then on Connectors and tokens. Click on Certificate connectors, then on Add.
Click on Download the certificate connector software.
Copy the file to the NDES server and run it. A wizard appears; click on Next.
Check I accept the terms in the License Agreement and click on Next.
Select the Destination Folder and click on Next.
Select SCEP and PFX Profile Distribution and click on Next.
Select the client authentication certificate generated previously (template Autopilot – ClientAuthentication): click on Select and pick the desired certificate.
The certificate details are displayed; click on Next.
Click on Install to launch the installation of the connector.
Check Launch Intune Connector and click on Finish.
Click on Sign In and enter the credentials of an Azure AD admin.
Select the Advanced tab and check Specify different account username and password. Enter the username and password of the NDES service account (svc_ndes for me). Click on Apply, then on Close.
The connector has been installed and configured. From the Intune portal, click on
Windows 10 automatic enrollment
Set up automatic enrollment
From the Intune portal, click on Devices, then on Windows.
Click on Windows enrollment, then on Automatic Enrollment.
Set the MDM user scope to cover the users who will enroll (All, or Some with a group) and the MAM user scope to None. Click on Save.
Delegate permission on AD
From the domain controller, open Active Directory Users and Computers. You need to delegate permissions on the organizational unit in which the computer objects will be created. Right-click the organizational unit and select Delegate Control.
A new wizard appears; click Next.
Click on Add and enter the name of the computer on which the Intune Connector for Active Directory will be installed (the NDES server here). The connector service runs under the computer account, which is why the computer object, not a user, receives the delegation.

Select Create a custom task to delegate and click on Next.
Select Only the following objects in the folder and check Computer objects. Check Create selected objects in this folder and Delete selected objects in this folder.
Select Full Control and click on Next. The delegation is limited to computer objects in this OU and its sub-OUs; do not grant it at the domain root.
Click on Finish. The permissions have been configured.
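The same delegation can be applied and audited from PowerShell, which makes it explicit that the connector's computer account gets rights on computer objects only. This is an added example, not code from the original post; the OU and the connector server name are assumptions, and the computer class GUID used to scope the ACEs is the schema GUID of the computer object class.

```powershell
# Added example (not from the original post): scripted version of the
# delegation above, granting only what the Intune Connector for Active
# Directory needs. Assumptions: OU "OU=Autopilot,DC=formation,DC=local" and
# connector server "SRV-VPN". Run with the ActiveDirectory module as a domain admin.
Import-Module ActiveDirectory

$ou        = "OU=Autopilot,DC=formation,DC=local"   # assumption: OU receiving the computer objects
$connector = Get-ADComputer -Identity "SRV-VPN"       # assumption: server running the connector
$sid       = [System.Security.Principal.SecurityIdentifier]$connector.SID
$computerClassGuid = [guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the computer class

$acl = Get-Acl -Path "AD:\$ou"

# Create / delete computer objects in this OU and all sub-OUs (and nothing else)
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Full control restricted to descendant computer objects (the wizard's "Full Control" on Computer objects)
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullControl)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: only the two expected ACEs for the connector's computer account, both scoped to the computer class
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$($connector.SamAccountName)" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

If the final listing shows GenericAll with an empty InheritedObjectType, the rule was applied to all object types rather than computers only and should be removed and re-created.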
Install the Intune Connector
From the Intune portal, click on Devices, then on Windows.
Click on Windows enrollment, then on Intune Connector for Active Directory.
Click on Add.
Click on the link to download the tool.
Copy the file to the NDES server and run it. A wizard appears; accept the terms of the license and click on Install.
When the installation finishes, click on Configure now.
Click on Sign In and enter the credentials of a user with the Global Administrator or Intune Service Administrator role.
The server appears in the Intune portal.
Azure VPN Configuration
From the NDES server, open an MMC console and add the Certificates snap-in for the computer account. Open Trusted Root Certification Authorities and select the root CA.
Right-click on the root CA and select Export. A wizard appears; click on Next.
Select Base-64 encoded X.509 in the Export File Format window.
Select the destination folder and export the root CA certificate. Open the exported file with Notepad and copy the Base-64 text between the BEGIN CERTIFICATE and END CERTIFICATE lines (Azure expects the value without those two lines).

From the Azure portal, open the virtual network gateway created previously.
Click on Point-to-site configuration, then on Configure now.
Specify an address pool for the VPN clients. I chose a network ID different from my local area network ID and from the network ID in Azure. Select IKEv2 as Tunnel type. For Authentication type, select Azure certificate.
Enter Root in the Name field and paste the value copied previously. Only client certificates chaining to this root are accepted for the device tunnel, so use the enterprise root CA that issues the SCEP certificates, not a test root.
Click on Save.
Create dynamic group
From the Azure AD portal, click on Azure Active Directory, then on Groups.
All groups are listed; click on New group.
Enter the name of the group and select Dynamic Device as Membership type. Click on Add dynamic query.
Click on Edit, then on Rule syntax.
Enter the following query (it matches every device registered with Autopilot) and click on OK. Click on Save, then on Create.
(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))

Configure Enrollment Status Page
The Enrollment Status Page can be configured. From the Windows enrollment page, click on Enrollment Status Page.
Click on Create to create a new Enrollment Status Page profile.
Enter the desired name and click on Next.
Configure the settings as you want and click on Next.
Select the group created previously. Click on Next, then on Create.
The profile has been created.
Create Deployment Profile
Deployment profiles select the deployment mode and customize the OOBE screens. From the Intune portal, click on Windows enrollment, then on Deployment Profiles.
Click on Create profile and select Windows PC.
Enter the desired name and click on Next.
Select Hybrid Azure AD joined for Join to Azure AD as, then select Yes for Skip AD connectivity check; this is what lets the domain join complete over the VPN instead of failing when no domain controller is reachable at OOBE time. Configure the other options as you want. Click on Next.
Select the dynamic group created previously and click on Next.
Click on Create; the profile has been created.
Import hash device
Capturing the hardware hash and importing the device is a required step before Autopilot can configure the device. On the device, install the PowerShell script with the following command. This script retrieves the hardware hash of the device.
Install-Script -Name Get-WindowsAutoPilotInfo
Capture the hardware hash, import the device and add it to the Azure AD group with the following commands. Set the PowerShell execution policy before running the Get-WindowsAutopilotInfo script:
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
Get-WindowsAutopilotInfo -Online -AddToGroup "Intune - All Autopilot Devices" -Assign
Enter the credentials of an Azure AD Global Administrator or of an account with the delegated permissions.
The device has been imported and added to the group. If PowerShell returns an access denied error when adding the device to the group, make the account you signed in with an owner of the group.
Configure configuration profile
Root Cert Configuration profile
The certificates must be deployed to the device, and Intune is used for this. The SCEP profile references a trusted root certificate profile, and the device uses the root CA it contains to validate the chain of the certificate it receives. From the NDES server, open the certificate deployed previously and click on Certification Path.
Select the root CA and click on View Certificate. The root CA certificate opens; click on Details, then on Copy to File.
A wizard appears; leave the default values and export the root CA.
From the Intune portal, click on Devices, then on Windows. Click on Configuration profiles, then on Create profile.
Select Windows 10 and later in the drop-down list, then Trusted certificate. Click on Create.
Enter the desired name and click on Next.
Select the exported root certificate file and keep the destination store as Computer certificate store - Root. Click on Next.
Assign the profile to the dynamic group created previously.
Click on Create to create the profile.
Configure SCEP Certificate Profile
From the Intune portal, click on Devices, then on Windows. Click on Configuration profiles, then on Create profile. Select Windows 10 and later, then choose SCEP certificate.
Enter the desired name and click on Next.
Select Device in the Certificate type drop-down list. Modify the Subject name format and enter the following value, so that the certificate's CN matches the computer's domain FQDN:
CN={{FullyQualifiedDomainName}}
Select the following values for the different fields (they must be compatible with what the SCEP template allows):
- Key storage provider: Enroll to Software KSP
- Key usage: Key encipherment
- Key size: 2048
- Hash algorithm: SHA-2
Click on Root Certificate and select the trusted certificate profile created previously.
Under Extended key usage, enter Client Authentication as Name and 1.3.6.1.5.5.7.3.2 as Object Identifier, or pick Client Authentication from the Predefined values.
Under SCEP Server URLs, enter the external URL of your Azure AD Application Proxy application with certsrv/mscep/mscep.dll appended.
Click on Next and assign the profile to the dynamic Azure AD group. Click on Create to create the profile.
The profile has been created.
Configure Domain Join Profile
The Domain Join profile gives the device the information it needs to join the Windows 10 computer to the domain. From the Microsoft Endpoint Manager admin center, click on Devices, then on Configuration profiles. Click on Create profile to create a new profile.
Select Windows 10 and later in the Platform drop-down list, then Domain Join in the Profile type drop-down list.
Enter the desired name and click on Next.
Configure the Computer name prefix and the Domain name, then click on Next.
Assign the profile to the dynamic group created previously.
Configure VPN Profile
Before creating the VPN profile, download the VPN client package from the Azure resource. From the Azure portal, open the properties of the virtual network gateway created previously.
Click on Point-to-site configuration, then on Download VPN client.
Unzip the downloaded file. The XML file (VpnSettings.xml) in the Generic folder is used for the VPN configuration step.
From the Intune portal, click on Devices, then on Windows. Click on Configuration profiles, then on Create profile. Select Windows 10 and later, then choose VPN.
Enter the desired name and click on Next.
Expand Base VPN and enter the Connection name. Enter the VPN server address; you can find it (VpnServer) in the XML file downloaded previously. Enter a Description and set Default server to True.
Set Register IP addresses with internal DNS to Enable and select IKEv2 as Connection type.
Set Always On to Enable and set the Authentication method to Machine certificates. Click on Select a client authentication certificate and select the SCEP profile created previously.
Set Device tunnel to Enable. The device tunnel comes up with the machine certificate before any user logs on, which is what the domain join during OOBE relies on.
Expand DNS Settings and enter the DNS suffixes. Click on Add.
Enter the Domain and the IP address of the DNS server.
Expand Split Tunneling and enable it. Configure the Destination prefix entries from the routes listed in the XML file; they must include the on-premises range where the domain controllers live, not only the Azure virtual network.
Assign the profile to the dynamic Azure AD group and create the profile.
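The values typed into the Intune VPN profile (server address, tunnel type, split-tunnel prefixes) all come from the downloaded VpnSettings.xml, and pulling them out with a small function avoids copy errors. This is an added example, not code from the original post; the element names it reads are assumed to match the Generic\VpnSettings.xml layout (adjust them if your file differs), and the sample XML is constructed for the demonstration.

```powershell
# Added example (not from the original post): extracts the values needed for
# the Intune VPN profile from the downloaded VpnSettings.xml. Element names are
# assumed to match the Generic\VpnSettings.xml layout; the sample is constructed.
function Get-AzureP2SSettings {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $p = $doc.VpnProfile
    [pscustomobject]@{
        VpnServer = $p.VpnServer     # -> "VPN server address" in the Intune profile
        VpnType   = $p.VpnType       # expect IKEv2 for the device tunnel
        Routes    = @($p.Routes -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })  # -> split-tunneling destination prefixes
    }
}

# Constructed sample with placeholder values
$sample = @"
<?xml version="1.0" encoding="utf-8"?>
<VpnProfile>
  <VpnServer>azuregateway-00000000-0000-0000-0000-000000000000-abcdef012345.vpn.azure.com</VpnServer>
  <VpnType>IkeV2</VpnType>
  <Routes>10.10.0.0/16,192.168.1.0/24</Routes>
</VpnProfile>
"@
$tmp = Join-Path $env:TEMP "VpnSettings.sample.xml"
Set-Content -Path $tmp -Value $sample -Encoding UTF8

$settings = Get-AzureP2SSettings -Path $tmp
$settings | Format-List

# The on-premises range (the local network gateway's address space) must be among the
# routes; otherwise the device tunnel carries Azure traffic only and the domain join fails.
$onPremNet = "192.168.1.0/24"   # assumption: on-premises LAN
if ($settings.Routes -notcontains $onPremNet) { Write-Warning "On-premises prefix $onPremNet missing from Routes" }
```

Run the function against the real VpnSettings.xml from the downloaded package; the Routes array is the list of destination prefixes for the Split Tunneling section of the profile.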
Configure Windows 10 computer
On the Windows 10 device imported into Autopilot previously, open Windows Settings and click on Update & Security.
Select Recovery and click on Get started.
Click on Remove everything to delete all files.
Click on Next in the Additional settings window.
Click on Reset to reset the computer.
When the computer has restarted, the OOBE screen appears. Select the desired region and click on Yes.
Configure the keyboard layout and click on Yes.
Enter the username of a user who has an Intune license assigned and click on Next.
Device setup is in progress.
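Once the device has gone through OOBE, the pieces configured above can be checked from an elevated PowerShell on the device: the SCEP device certificate, the Always On device tunnel, reachability of a domain controller through it, and the hybrid join state reported by dsregcmd. This is an added example, not code from the original post; the domain name is the one used in the text and the VPN connection name is an assumption matching the Connection name given in the Intune VPN profile.

```powershell
# Added example (not from the original post): post-enrollment checks on the
# Autopilot device for the SCEP certificate, the device tunnel, DC reachability
# and the hybrid join state. Assumptions: domain "formation.local" (from the
# post) and VPN connection name "Azure Device Tunnel".
$domain  = "formation.local"
$vpnName = "Azure Device Tunnel"   # assumption: Connection name from the Intune VPN profile

function Get-DsregValue([string[]]$Lines, [string]$Name) {
    # dsregcmd /status prints "Name : Value" lines; return the value or "n/a"
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { "n/a" }
}

$report = [ordered]@{}

# 1. SCEP certificate: machine store, CN = FQDN, Client Authentication EKU, private key present
$fqdn = "$env:COMPUTERNAME.$domain"
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.2") } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$report["SCEP certificate"] = if ($cert) { "OK ($($cert.Thumbprint), expires $($cert.NotAfter.ToShortDateString()))" } else { "MISSING" }

# 2. Device tunnel: defined for all users (device profile) and connected
$vpn = Get-VpnConnection -AllUserConnection -Name $vpnName -ErrorAction SilentlyContinue
$report["Device tunnel"] = if ($vpn) { "$($vpn.ConnectionStatus), auth=$($vpn.AuthenticationMethod -join ',')" } else { "NOT DEFINED" }

# 3. A domain controller located via DNS and reachable on LDAP and Kerberos through the tunnel
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue | Select-Object -First 1
$dc  = if ($srv) { $srv.NameTarget } else { $null }
$report["DC via DNS"] = if ($dc) { $dc } else { "SRV lookup failed (check VNet DNS / DNS suffix)" }
if ($dc) {
    foreach ($port in 389, 88) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $report["DC tcp/$port"] = if ($t.TcpTestSucceeded) { "open" } else { "blocked" }
    }
}

# 4. Hybrid join state as seen by the device
$ds = dsregcmd /status
$report["AzureAdJoined"] = Get-DsregValue $ds "AzureAdJoined"
$report["DomainJoined"]  = Get-DsregValue $ds "DomainJoined"

[pscustomobject]$report | Format-List
```

A missing certificate with a defined but disconnected tunnel points at the SCEP profile or NDES; a connected tunnel with a failed SRV lookup points at the virtual network DNS settings or the DNS suffix in the VPN profile; open ports with DomainJoined still NO means the Domain Join profile or the OU delegation is the place to look.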