Wednesday, August 5, 2020

Azure AD Hybrid Join Over VPN Issues

Hello once again! Long time no

In this post I wanted to talk about the way Hybrid AAD Join works over VPN and an interesting communication I had with a Microsoft contact of mine recently.

I have covered Hybrid AADJ in the past, link here. Adding in the VPN adds a new wrinkle into the equation that is supposed to be solved by one of the HAADJ scheduled tasks. 

HAADJ creates a scheduled task that runs the dsregcmd.exe command. This command is built into the Win10 OS and this task is also built into the OS and have been running since day 1. These are located at Microsoft>Windows>WorkplaceJoin. This task has 2 defined triggers

The first trigger runs the dsregcmd at the initial logon. This does not help our VPN users at all unless you are deploying a prelogin VPN like Always-On VPN or Direct Access. The second scheduled trigger is supposed to kick off every hour after a reboot and generates a log in event viewer with ID 4096

This would allow a VPN user to reboot, login, and trigger the once an hour request, and if still connected to the VPN in an hour kick off the Hybrid Join process. This was not seeming to happen though. The timings of this event were very sporadic. I brought it up to a contact I have at Microsoft and it appears there was a bug that needed fixed! I have not validated with them what version/when/how this was going to be in place but if you are having issues with VPN+Hybrid Join hopefully it should be fixed in a future build.

Until next time fellow IT explorers


  1. Very interesting!! This behavior is pretty similar to mine, when i connect the device to the VPN the AAD join just disappears from the computer. But when I restart the computer it shows that it is joined... I will raise a support ticket in order to investigate trough it. Thanks!

  2. Hi, did you hear anything more about this issue? We have the same issue atm. Internal network work fluently for hybrid azure ad join but on vpn it doesn't work at all.

    1. I have not looked back into since I wrote this article. Worst case scenario you can trigger the scheduled task automatically over VPN and that should do the trick.