I'm going through a laptop refresh right now, upgrading older machines for our users. When everyone comes into the office, it's straightforward: they sign in as usual and everything works fine. But for our permanent remote workers, it's trickier. If they try to log into a new laptop without being connected to the VPN, they get an error because the domain isn't available. I considered signing them in once before shipping it out to cache their credentials, but that feels risky. How do others manage this process for remote users?
5 Answers
Intune is definitely the way to go. Setting it up can be tricky—Adobe products, for instance, can be a real pain. I’ve struggled with getting them to work properly, and it seems like they always end up breaking after updates.
If you're using Entra ID, you can get Kerberos tokens without being on the network. We manage everything through Intune, and the devices can still access on-prem servers without needing to be connected to the local network.
That's interesting. But does this work without a hybrid join setup? I only use Entra, so my computers are essentially in a workgroup.
During our refresh cycle, we used a hybrid join with Azure AD, allowing remote devices to log in with cloud credentials. We pre-provisioned them with Autopilot, which cached essential info. If they had issues, we created a temporary local admin account for them to log in via VPN and cache their domain credentials without needing to know their passwords.
That's a smart approach! We do something similar but also consider using RDP for setting up new laptops to solve connectivity issues.
My wife received her work laptop with simple instructions: power it on, connect to WiFi, and sign in with her Entra ID. It took a while, but it provisioned itself without any issues! My company has a less elegant approach; we build machines manually, and we face mix-ups 50% of the time.
That's cool, but it's called Autopilot when you set it up that way.
Using Azure AD with Autopilot is a great option. It allows for a smooth setup for remote users without needing them to connect to the VPN first.
Actually, it's called Entra now, so make sure you're using the right terminology!
Totally agree! It's like a constant battle trying to keep everything compatible.