A Windows Server with the Network Device Enrollment Service (NDES) role can be provisioned on-premises to support certificate deployment for non-domain Windows 10 Always On VPN clients. In addition, the Microsoft Intune Connector must be installed and configured on the NDES server to allow Intune-managed clients to request and receive certificates from the on-premises Certification Authority (CA) server.
Setup Wizard Ended Prematurely
When installing the Microsoft Intune Connector, the administrator may encounter a scenario where the setup wizard fails with the following error message.
“Microsoft Intune Connector Setup Wizard ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup Wizard again. Click the Finish button to exit the Setup Wizard.”
Cryptographic Service Provider
This error can occur if the NDES server certificate template is configured to use the Key Storage Provider cryptography service provider (CSP). When configuring the certificate template for the NDES server, the Legacy Cryptography Service Provider must be used, as shown here.
Additional Information
Deploying Windows 10 Always On VPN with Intune using Custom ProfileXML
Windows 10 Always On VPN Device Tunnel Configuration using Microsoft Intune
Deploying Windows 10 Always On VPN with Microsoft Intune
Nat
/ November 11, 2019Yes, I’ve seen this exact same thing as well in my lab.
It was a long time ago, I had separate server and client certificates, and seem to recall when I changed the client certificate template back to legacy, re issued that cert and tried the install it all sprung to life and the connector install completed.
Richard M. Hicks
/ November 13, 2019Exactly. When I was searching for information on this particular error I wasn’t able to find any solid information on this. That’s what prompted this blog post. 🙂
Victor
/ November 11, 2019Hello Richard, thanks for your insight as always!!. referencing your statement “A Windows Server with the Network Device Enrollment Service (NDES) role can be provisioned on-premises to support certificate deployment for non-domain Windows 10 Always On VPN clients” i have these questions:
1. Can non-Microsoft Clients (E.g. Android Devices) be used with a Full Microsoft Stack AONVPN setup i.e. RRAS, NPS, ADCS? i have a client who is planning to roll out android devices but not sure if this will work with AONVPN.
2. If the above is possible, is the experience “Always On”?
I read somewhere where you state that Always ON VPN does not support any other clients except windows 10 (Not even windows 7), so this particular scenario you are describing seems a bit confusing. hope yo can help shed more light
Richard M. Hicks
/ November 13, 2019Windows 10 Always On VPN is strictly a Microsoft Windows 10 solution. However, if you’ve configured the VPN server to support IKEv2, which is a public standard, it is interoperable with many platforms including Android. However, the “Always On” bit is exclusive to Windows 10. While you can configure a non-Microsoft device to connect to the same VPN server as Windows 10 Always On VPN clients (assuming you are using the same authentication scheme) the non-Windows clients will not connect automatically (unless those platforms have something similar, of course).
Victor Bassey
/ November 14, 2019Thanks Richard. That Clarifies it!
erinmcdonald123
/ April 22, 2020I wanted to add something I found on reddit that fixed my issue. Even though my account is an admin on the server, when I right click ‘run as administrator’ it installed. Just regular running gave me the premature error.
Also, thank you Mr. Hicks for all the wonderful help. Your site is amazing.
Richard M. Hicks
/ April 22, 2020Thanks for the tip, Erin. And thanks also for the kind words! 🙂