topic Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join in General Topics

Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

inclusa-admin — Thu, 16 Jul 2020 00:55:53 GMT

We are in the development phase of deploying a large number of new laptops to our user base. Due to the current circumstances with COVID and the changes we have made for out employees we would like to allow our users to receive the devices directly and utilize Intune for the deployment along with GlobalProtect pre-logon functionality.

We currently have a working setup to utilize machine certificate based pre-logon along with SAML after Windows login. Our Intune profiles are successfully pushing the certificates and GlobalProtect Client before the end point attempts to join the domain, but the client never seems to attempt to connect to the portal.

I was hoping others have gone down this path and had some insight on how to get this to successfully work or if it is even possible. Any information would be helpful since Microsoft has no good information on the process. Our setup is as follows:

PANOS - 9.1.3

GlobalProtect Client - 5.1.5

Certificate Chain on both the Firewall as well as all clients

Portal Configuration - pre-logon configuration agent first then SAML authentication second with auto generated cookies to manipulate the configuration agent being used.

Gateway Configuration - both portal agents point to the same gateway and require a client certificate with the root and intermediate configured within a certificate profile.

As mentioned the pre-logon method works without any issue in production, but when we attempt to deploy a workstation using Microsoft Intune Windows 10 Out of Box or AutoPilot the process fails.

I see a lot of MS documentation about using UWP GlobalProtect and am not sure on if it is required.

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

mdepalmaevr — Fri, 25 Sep 2020 15:16:40 GMT

I wrote up an article on getting GlobalProtect pre-login to work together with Windows Autopilot here: https://blog.markdepalma.com/?p=528. There was an issue pushing the client and getting pre-logon to kick in the first time that I had to work around. I go over all of this here.

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

fatboy1607 — Wed, 02 Dec 2020 11:41:49 GMT

Looks like working solution but to integrate with existing environment ,where we are doing authentication of portal based on LDAP or Radius etc will not work in this case.

In such case we need OR case of Authentication if certificate authentication fails User authentication will work or viseversa

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

tigeli — Mon, 21 Dec 2020 07:07:43 GMT

@mdepalmaevr you don't really need to set LogonFlag + LogonState on the registry if you do the installation with 'msiexec /i "GlobalProtect64-5.2.4.msi" /q PORTAL=fqdn.address PRELOGON=1'.

At least this works for me without additional hustle.

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

Chris_S — Fri, 05 Mar 2021 15:31:59 GMT

Hello everyone,

I was also working on the GP setup with our desktop team over the past few months and we have seen very odd behavior with the task process via MS Intune and Autopilot even after we had GP working well via user and machine certificate auth. Yesterday, we had another meeting with MS Support and were told that Autopilot, specifically with Hybrid AD, is not supported and build sequences will fail. We had been troubleshooting this for a few months when MS dropped this on us. The MS engineer spent nearly 10 minutes telling us not to attempt Autopilot with a Hybrid AD environment. The MS engineer was also specific in stating that other MS reps will not be aware of this.

I hope this saves someone some time if trying to use Autopilot in a Hybrid AD environment.

Thanks,

Chris

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

mdepalmaevr — Fri, 05 Mar 2021 16:02:34 GMT

When you say sequences, what are you using for that? Sounds like you are trying to use SCCM.

From an Intune perspective hybrid AD is 100% supported, the feature they released last year was literally to enable Autopilot for hybrid AD clients over VPN. The MS engineer you spoke to is very incorrect in saying that.

What issues were you actually having with this? I've had great success with hybrid Autopilot and GlobalProtect VPN. My configuration was documented here: https://blog.markdepalma.com/?p=528.

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

Intuneforwork — Wed, 16 Jun 2021 19:00:48 GMT

Hi, Could you expain more in detail? ... where did you add this "msiexec /i "GlobalProtect64-5.2.4.msi" /q PORTAL=fqdn.address PRELOGON=1'." ? In the win32 installation command?

Also did you deploy the prerequiste registry changes using the PowerShell script?

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

mdepalmaevr — Thu, 17 Jun 2021 19:30:42 GMT

All of this is explained in the blog post. There is a wrapper script running the setup and doing all of the registry changes. The blog post has GitHub links to all of the scripts.

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

Intuneforwork — Sat, 19 Jun 2021 17:59:56 GMT

Hi @tigeli You said you used 'msiexec /i "GlobalProtect64-5.2.4.msi" /q PORTAL=fqdn.address PRELOGON=1'. for install command.

Didn't you use any other script PS1 file(For registry changes) along with the Global protect app while wrapping?

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

Intuneforwork — Sat, 19 Jun 2021 18:04:05 GMT

Hi @mdepalmaevr

In the shared blog you are using the InstallGlobalProtect.cmd. for install command but @tigeli has used the following

msiexec /i "GlobalProtect64-5.2.4.msi" /q PORTAL=fqdn.address PRELOGON=1'."

I am looking for a solution without using the GPO.

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

mdepalmaevr — Mon, 28 Jun 2021 12:28:12 GMT

InstallGlobalProtect.cmd launches InstallGlobalProtect.ps1. InstallGlobalProtect.ps1 then places all the correct registry values... GPO is not doing this.

Re: Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

waple02 — Wed, 11 Aug 2021 16:34:56 GMT

Hi Tigeli,

I've tried this command msiexec.exe /i "GlobalProtect64-5.2.7.msi" /q into Intune and the installation of the app got failed.

Do you have any suggestions?

Thank you in advance.