Always On VPN and Autopilot Hybrid Azure AD Join

Always On VPN and Autopilot Hybrid Azure AD Join

Windows Autopilot is a cloud-based technology that administrators can use to configure new devices wherever they may be, whether on-premises or in the field. Devices provisioned with Autopilot are Azure AD joined by default and managed using Microsoft Endpoint Manager. Optionally, an administrator can enable hybrid Azure AD join by also joining the device to an on-premises Active Directory domain using a domain join configuration profile in conjunction with the offline domain-join connector. Although enabling hybrid Azure AD join might sound appealing, there are specific deployment scenarios that present some rather unique and challenging problems when using this option.

Offline Hybrid Azure AD Join

For field-based devices, the device must have connectivity to a domain controller to support the initial login when the user has no local cached credentials. The Always On VPN device tunnel can be deployed in this scenario to provide connectivity and allow the user to log in to a new device the first time without being on-premises. The Always On VPN device tunnel is easily deployed using a Microsoft Endpoint Manager configuration profile. Certificates required to support the device tunnel can be deployed with Microsoft Endpoint Manager and one of the certificate connectors for Microsoft Endpoint Manager.

Windows 10 Professional

If a Windows 10 Professional device is configured using Autopilot, and hybrid Azure AD joined is enabled, the Always On VPN device tunnel can still be provisioned, but it won’t start automatically because it requires Enterprise Edition to be fully functional. This prevents the user from being able to logon the first time. The device must be upgraded to Enterprise Edition before the first user logon. There are multiple ways to accomplish this depending on the deployment scenario and activation requirements.

Multiple Activation Key

The easiest way to upgrade Windows 10 Professional to Enterprise Edition is to obtain a Multiple Activation Key (MAK) and deploy that to clients using a Microsoft Endpoint Manager configuration profile. Follow the steps below to create a configuration profile to perform this upgrade.

  1. Open the Microsoft Endpoint Manager console and click on Devices > Configuration Profiles.
  2. Click Create profile.
  3. Select Windows 10 and later in the Platform drop-down list.
  4. Select Templates in the Profile type drop-down list.
  5. Select Edition upgrade and mode switch from the list of templates.
  6. Click Create.

Use the following steps to configure the settings for the configuration profile.

  1. Enter a descriptive name for the configuration profile in the Name field.
  2. Enter a description for the profile in the Description field (optional).
  3. Click Next.
  4. Expand the Edition Upgrade section and select Windows 10 Enterprise from the Edition to upgrade to drop-down list.
  5. Enter your multiple activation product key in the Product Key field.

    Always On VPN and Autopilot Hybrid Azure AD Join

Once complete, assign the configuration profile to the appropriate groups and click Create.

KMS Activation

If Key Management Service (KMS) activation is required, follow the steps listed previously for MAK. Enter the KMS client setup key for Windows 10 Enterprise which is NPPR9-FWDCX-D2C8J-H872K-2YT43. The device will complete KMS activation when it can connect to the on-premises KMS host.

Subscription Activation

Windows 10 Enterprise Edition licensing is included in some Microsoft 365 subscriptions. This poses a unique challenge for hybrid Azure AD join scenarios, however. Specifically, subscription activation is a “step-up” process that requires Windows 10 Professional to have been successfully activated previously. Also, this occurs after the user logs on, but the user cannot log on unless the device tunnel is active. Catch 22!


A multi-step process is required to address the limitations imposed by subscription activation. To begin, the device must be upgraded to Enterprise Edition, so the device tunnel is available for the initial user logon. This is a temporary, one-time upgrade to Enterprise Edition solely for the purpose of getting the device tunnel to connect and allow the user to authenticate.

To begin, download this PowerShell script and follow the steps below to deploy it to Windows 10 devices using Microsoft Endpoint Manager.

  1. Open the Microsoft Endpoint Manager console and click on Devices > Scripts.
  2. Click Add and select Windows 10.
  3. Enter a descriptive name for the configuration profile in the Name field.
  4. Enter a description for the profile in the Description field (optional).
  5. Click Next.
  6. Enter the location of the PowerShell script in the Script location field.
  7. Click Next, then assign the script to the appropriate device group(s) and click Add.

The PowerShell script will automatically install the KMS client setup key for Windows 10 Enterprise Edition, then restart the network interfaces to ensure the device tunnel starts. This will immediately upgrade the client device to Windows 10 Enterprise Edition and allow the user to authenticate.

Subscription activation with a step-up upgrade to Enterprise Edition still requires that Windows 10 Professional be activated first. To accomplish this, the embedded Windows 10 Professional key must be re-installed on the client. To do this, download this PowerShell script and follow the same steps listed previously to deploy a PowerShell script with Microsoft Endpoint Manager. However, this script should be assigned to users, not devices.

Once this script is run on the client it will be downgraded (temporarily) to Windows 10 Professional edition. After activation is successful, subscription activation will once again upgrade the client to Windows 10 Enterprise Edition.


As you can see, the process of getting a Windows 10 Professional edition client onboarded in a hybrid Azure AD joined scenario is somewhat complex. My advice is to avoid this scenario whenever possible. Access to on-premises resources with the Always On VPN user tunnel with full single sign-on support is still available for users on Windows 10 devices that are Azure AD joined only. Unless there is a specific requirement to manage client devices using on-premises Active Directory and group policy, consider choosing native Azure AD join with Autopilot and manage devices using Microsoft Endpoint Manager exclusively.

Special Thanks

I would like to extend a special thank you to everyone in the Microsoft Endpoint Manager community who provided valuable input and feedback for me on this topic, especially John Marcum, Michael Niehaus, and Sandy Zeng. Follow the #MEMCM hashtag on Twitter to keep up on all things Microsoft Endpoint Manager.

Additional Information

Overview of Windows Autopilot

Windows 10 Subscription Activation

Windows 10 Always On VPN Class-Based Default Route and Microsoft Endpoint Manager

Windows 10 Always On VPN Device Tunnel and Custom Cryptography in Microsoft Endpoint Manager

Leave a comment


  1. Dave

     /  April 19, 2021

    Thanks for the great summary and considerations. I have this mostly working, but had to set it aside due to a new issue which I couldn’t figure out. When the device tunnel makes its initial AOVPN connection, it gets a certificate error (credentials incorrect). I am providing a SCEP device cert via Intune which works fine outside of the whole Autopilot provisioning. Oddly, if I delete what looks to be the Intune MDM device certificate, it then connects. Have you seen this? I think if I solve this issue, my AOVPN and Autopilot Hybrid Azure AD Join will work.

    • So you have both certificates, a certificate issued by your PKI and one by Azure? Have you configured the RootCertificateNameToAccept value on the RRAS server?

  2. Philip Flint

     /  April 27, 2021

    Thanks for the article Richard

    The issue I have is that, if your machine is Hybrid joined and you don’t have a device tunnel over VPN then the user doesn’t truly log on to the network and so, in that scenario, updates to user group memberships are not applied and so polices / GPOs / share access driven by group membership simply don’t work (the do it you have a full device tunnel)

    Is this issue resolved by having the device Azure AD joined and having the user log on to the domain from there? I am assuming it is if the user can perform a first time logon to the domain from an Azure AD joined machine (or is the user logging on to Azure AD and GPOs and AD group membership are not applied?)

    Many thanks

    • Correct. Using hybrid Azure AD join, the user authenticates to the domain the first time (hence the requirement for device tunnel to provide domain controller connectivity).

  3. Adam Smith

     /  July 13, 2021

    Hi Richard, It’s always been an observation here – though I may be wrong – that the AutoPilot feature is a great way to directly send a machine from an OEM, get them to add the HWID’s to your Azure and it should just work. Though given that most of the machines sent are Pro – and MS has removed the ability to directly purchase Enterprise Keys unless KMS-ed, the logic that’s imposed here seems to run similar to a Joseph Heller novel:

    Receive Windows computer from manufacturer;
    Setup the device from outside the network;
    Upgrade to an Enterprise Key from a KMS (on network!)
    Need to the Enterprise Key to start the VPN to connect to the network.

    As always, your recommendation here is great; the workaround is getting me ever closer to a pandemic workaround for this, if only Microsoft listened to you!


    • Thanks, Adam! It is frustrating for sure. Using the KMS key temporarily is a clunky workaround, but it seems to work. 🙂

  4. Paddy Berger

     /  September 20, 2021

    Hi Richard, we currently have autopilot working with windows enterprise fine, however is there a way for a machine on pro already to upgrade to enterprise before autopilot and work? We tried to update the licence prior to OOBE through cmd and then go though the setup but still the machine does not allow the user to login. We noticed when it is installing certificates as part of the autopilot process it is saying 0 of 1 installed.

    The machine when reset and done again will work (if on enterprise)


    • The workaround described in this article should work (using the script to update temporarily to a KMS key). It certainly worked for me when I wrote this post, and for a few customers I’ve used it with.


Leave a Reply

%d bloggers like this: