In this post I wanted to talk about the way Hybrid AAD Join works over VPN and an interesting communication I had with a Microsoft contact of mine recently.
I have covered Hybrid AADJ in the past, link here. Adding in the VPN adds a new wrinkle into the equation that is supposed to be solved by one of the HAADJ scheduled tasks.
HAADJ relies on a scheduled task that runs the dsregcmd.exe command. This command is built into the Windows 10 OS, and the task is also built into the OS and has been there since day one. It is located under Microsoft > Windows > WorkplaceJoin in Task Scheduler. The task has two defined triggers.
The first trigger runs dsregcmd at the initial logon. This does not help our VPN users at all unless you are deploying a pre-logon VPN such as Always On VPN or DirectAccess. The second scheduled trigger is supposed to kick off every hour after a reboot and generates a log entry in Event Viewer with ID 4096.
This should allow a VPN user to reboot, log in, and have the hourly trigger fire; if they are still connected to the VPN an hour later, it should kick off the Hybrid Join process. This did not seem to be happening, though: the timing of this event was very sporadic. I brought it up with a contact I have at Microsoft, and it appears there was a bug that needed to be fixed! I have not validated with them what version, when, or how this fix is going to be in place, but if you are having issues with VPN plus Hybrid Join, hopefully it will be fixed in a future build.
Until next time fellow IT explorers
Very interesting!! This behavior is pretty similar to mine: when I connect the device to the VPN the AAD join just disappears from the computer. But when I restart the computer it shows that it is joined... I will raise a support ticket in order to investigate through it. Thanks!
Hi, did you hear anything more about this issue? We have the same issue at the moment. The internal network works fluently for Hybrid Azure AD Join, but on VPN it doesn't work at all.
I have not looked back into it since I wrote this article. Worst case scenario, you can trigger the scheduled task automatically over VPN and that should do the trick.
The trigger as shown is triggered by event ID 4096; it does not create an event ID 4096, and it is not triggered by a boot. We found this trigger useless to depend on and, as you mention, remote users without an always-on VPN need a different way to get them enrolled in a timely manner. We force the task to run with a script to get devices enrolled into Intune.
You're correct, actually. I figured that out after writing this up and never went back to change the verbiage. I also STILL have not been able to get it to trigger reliably, and I have done the same as you and advised my customers to do the same if they really need to kick off a remote hybrid join.
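The post describes the WorkplaceJoin task that runs dsregcmd, and the comments describe forcing that task to run with a script for VPN users. The following PowerShell is an added example (not code from the post or its commenters) of that workaround: it reads the join state from dsregcmd /status, checks that a VPN is connected, starts the task, and reports the state afterwards. It assumes the task is named Automatic-Device-Join under \Microsoft\Windows\Workplace Join\ (the post writes the folder as WorkplaceJoin) and that the VPN is a Windows-native connection visible to Get-VpnConnection; third-party VPN clients will need a different check.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
# Assumed task location: \Microsoft\Windows\Workplace Join\Automatic-Device-Join

function Get-HybridJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the fields we need.
    $status = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-VpnUp {
    # True if any Windows VPN profile reports Connected (assumption: native VPN client).
    $vpn = Get-VpnConnection -ErrorAction SilentlyContinue
    return [bool]($vpn | Where-Object { $_.ConnectionStatus -eq 'Connected' })
}

function Invoke-HybridJoinNow {
    param(
        [string]$TaskPath = '\Microsoft\Windows\Workplace Join\',
        [string]$TaskName = 'Automatic-Device-Join'
    )
    $before = Get-HybridJoinState
    if ($before.DomainJoined -ne 'YES') {
        Write-Warning 'Device is not domain joined; hybrid join cannot proceed.'
        return $before
    }
    if ($before.AzureAdJoined -eq 'YES') {
        Write-Host 'Already hybrid Azure AD joined; nothing to do.'
        return $before
    }
    if (-not (Test-VpnUp)) {
        Write-Warning 'No VPN connection detected; the device needs line of sight to a DC.'
        return $before
    }
    # Run the same task the OS would run at logon instead of waiting for its trigger.
    Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    do { Start-Sleep -Seconds 5 }
    while ((Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName).State -eq 'Running')
    $after = Get-HybridJoinState
    Write-Host "AzureAdJoined: $($before.AzureAdJoined) -> $($after.AzureAdJoined)"
    return $after
}

Invoke-HybridJoinNow
```

Registration with Azure AD can lag behind the task finishing, so if AzureAdJoined is still NO immediately afterwards, re-run Get-HybridJoinState a few minutes later before assuming the join failed.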