Autopilot Entra Hybrid Join with Always-On VPN – Part 1

While implementing Autopilot Entra Hybrid Join with Always-On VPN recently, I ended up doing way more trial and error than I would have expected.

A core part of that was due to documentation being very decentralized, at least in my opinion.

It was very hard to know where to start.  I ended up doing a ton of trial and error before nailing down all of the required components.

This will be a multi-part series done in an effort to help consolidate the steps of the process:

1. VPN Gateway Configuration
2. Always-On VPN Client Configuration
3. Group Configuration
4. Enrollment Status Page ESP
5. CSP Configuration

References:

1. Master:
   • https://learn.microsoft.com/en-us/autopilot/user-driven#user-driven-mode-for-microsoft-entra-hybrid-join-with-vpn-support
2. Always-On VPN Reference:
   • https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-always-on-device-tunnel
   • https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config
3. Always-On VPN Certificate:
   • https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-certificates-linux-openssl