Jump to content

Configuring Citrix AlwaysOn VPN in Service-Mode for Azure Hybrid Join with Autopilot

Marc Kuhn

Recommended Posts

Hi all


i'm trying to configure a Citrix AlwaysOn VPN in Service-Mode with an internal Device-Cert (SCEP) to be able to join a new device to the On-Prem AD outside of the company. For that i found this article:


Windows Autopilot Hybrid Azure AD join via Citrix Always On VPN (hmaslowski.com)


Also i was looking for the Citrix Documentation on that: Configure Always On VPN before Windows Logon (citrix.com)


I tried to have that working without Autopilot on my Windows 10 Enterprise device. In the Registry i have these settings:


AlwaysOn: 1

AlwaysOnService: 1

AlwaysOnURL: https://vpn.test.com


When i reboot my device, it shows me before i even login for a short time "connected in service mode", changes then after a couple of seconds to "Citrix Gateway plugin is connected in user mode". The version of the ADC is 13.0-71.44. Is somebody having a similar setup up and running or can help me, why the user-tunnel is connected?


Many thanks for your help


Best regards,


Link to comment
Share on other sites

  • 2 weeks later...
  • 9 months later...
On 4/2/2021 at 3:20 AM, Marc Kuhn said:

Hi guys

it turned out that this is a know issue in version 21.1 and 21.2. In the latest version the VPN is working as expected.


Best regards,



Were you able to get this set up?  We are trying to get autopilot set up with the always on vpn for autopilot, running into a lot of issues.  Also the above article was for classic polices and not advanced.  Our citrix resource is stating we need to install the Citrix EPA Plugin as well, which isn't stated in the article.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...