Microsoft Always On VPN is a beautiful thing. VPN profiles are assigned to the user (and, optionally, their device). When users power up their device and log on, they are automatically connected to the corporate network and can access all the applications and data they need on-premises. Until recently, though, end users could disconnect the VPN. Why they would do this is beyond comprehension, but sadly, it happens all too often. When it does, it presents a problem for Always On VPN administrators because they must now rely on the user to re-enable this feature. And until they do, they often suffer productivity loss, and their devices may fall out of compliance.
Connect Automatically
When an Always On VPN profile is provisioned to a user (or a device), the VPN profile has the option to ‘Connect automatically’ enabled by default. Unfortunately, this setting is cleared if a user terminates the VPN.
This setting will remain cleared until the user rechecks the box to enable it. Until then, the VPN will no longer connect automatically.
Workarounds
Instead of relying on the grace of the end user to restore Always On functionality, administrators have a few options to correct this problem programmatically.
Intune Remediation
Administrators can use Intune Remediations to deploy a set of detection and remediation scripts I’ve published to update this setting. Now, administrators can enforce ‘Always On’ VPN connections with the assurance that if the user turns off this feature, it will be quickly re-enabled.
You can find a standalone version of this script here if you use System Center Configuration Manager (SCCM) or another systems management solution to manage your endpoints.
To avoid this pain in the future, Always On VPN administrators can prevent users from disconnecting the VPN using the UI by leveraging the DisableDisconnectButton option in ProfileXML. This setting is supported for both user and device tunnels on Windows 11 and later devices.
A while back, I wrote about the monitoring and reporting options for Windows Server Routing and Remote Access (RRAS) servers supporting Microsoft Always On VPN. In that article, I outlined how administrators can use the Routing and Remote Access Management console (rrasmgmt.msc) or the Remote Access Management console (ramgmtui.exe) to perform configuration tasks and review current user and device activity. However, neither solution is ideal in a distributed environment with multiple RRAS servers. Thankfully, there’s a new option available to address this crucial limitation today.
Centralized Reporting
I’m excited to announce the availability of a cloud-based, centralized reporting solution for Windows Server RRAS and Always On VPN from the folks at PowerON Platforms. Created by the folks that brought us the Dynamic Profile Configurator (DPC) solution for managing Always On VPN client configuration settings, PowerON Platforms’ new reporting solution allows administrators to aggregate configuration, performance, and user activity data from multiple individual RRAS servers across their organization.
Important! I’ll be joining the folks at PowerON Platforms for a webinar on Thursday, January 18 to introduce and demonstrate this new Always On VPN reporting solution. Register now!
Summary View
The Summary view page provides a consolidated high-level look at the environment’s health status and capacity of VPN servers. Administrators can quickly see if any servers are unhealthy and view current usage details to assess the capacity of the deployment.
Server Overview
The Server Overview page provides a more detailed look at individual server health status and configuration. Here, you’ll find information about the number of active and available connections and the TLS certificate status. In addition, you’ll find detailed information about provisioned CPU and RAM, disk space utilization, and system uptime. You will also see information about the size of the reporting database on disk and the number of IKEv2 and SSTP VPN ports provisioned.
VPN Server Configuration
The VPN Server Configuration page looks into the IP address pool configuration and current utilization. In addition, this page provides an in-depth look at the VPN server TLS certificate health status. Currently, configured authentication and accounting servers are also shown.
Server Performance
The Server Performance page shows granular details about resource utilization on RRAS servers. This includes CPU and memory utilization, disk space usage, and database size. Administrators can view aggregated data or select individual servers. The view can be further customized by filtering by date.
Connection History
The Connection History page details concurrent connections observed on all VPN servers. Data can be filtered by date, individual server, and user or device name.
Client Distribution
The Client Distribution page provides an intuitive graphical display of client activity by server and tunnel type. In addition, it includes details about usage by individual clients and the number of connections made by individual endpoints.
Connection Detail
The Connection Detail page allows administrators to view user activity across all servers in the organization. Once again, data can be filtered by date, individual server, and user or device name. This view provides granular details on user activity, enabling the administrator to drill down to view specific resources accessed over the VPN for individual sessions.
Data Flow
The Data Flow page displays information about data transfer through the VPN server.
Summary
The Always On VPN cloud-based centralized reporting solution for Microsoft Always On VPN by PowerON Platforms is sure to be helpful for organizations managing distributed RRAS server deployments. The reporting solution aggregates data from all RRAS servers in the enterprise, providing a holistic view of configuration, health status, and user activity in one management console. This consolidated visibility is crucial for capacity planning and configuration maintenance, making the identification of performance bottlenecks or misconfigured servers easy. Also, the ability to view certificate expiration status for all servers in the organization is sure to prevent outages. Security administrators will find the solution helpful for forensic reporting and to identify sources of data leakage and exfiltration.
Are you interested in learning more about PowerON Platforms Always On VPN reporting? Would you like an interactive solution demonstration or an evaluation license to trial the product in your environment? Fill out the form below, and I’ll contact you with more details.
The Microsoft Intune Certificate Connector enables the provisioning and de-provisioning of on-premises PKI certificates for Intune-managed devices. Always On VPN administrators using Intune to deploy certificates with the Intune Certificate Connector using either PKCS or SCEP may encounter a scenario where certificates are no longer being provisioned to users or devices after working reliably previously.
Certificate Not Found
When this issue occurs, users will no longer be able to access the VPN and receive a “certificate could not be found that can be used with this Extensible Authentication Protocol” error message.
Connector Status
To determine the status of the Intune Certificate Connector, open the Microsoft Intune Admin Center (https://intune.microsoft.com) and navigate to Tenant Administration > Connectors and Tokens > Certificate Connectors. The status of the certificate connector server will be in Error.
Event Log
Open the event log on the server where the Intune Certificate Connector is installed. Navigate to Applications and Services Logs > Microsoft > Intune > CertificateConnectors > Operational. Here, you will find a variety of warning and error messages.
Event ID 5001
This is a warning from the CertificateConnectors source with event ID 5001 in the Task Category HealthMessageUploadFailedAttempt with the following details.
PKI Create Service:
Failed to upload health messages. Requeuing messages.
Event ID 1003
This is an error from the CertificateConnectors source with event ID 1003 in the Task Category PkcsDownloadFailure with the following details.
PKI Create Service:
Failed to download PKCS requests.
Event ID 2
This is an error from the CertificateConnectors source with event ID 2 in the Task Category Exception with the following details.
PKI Create Service:
Microsoft.Intune.Connectors.PkiCreateProcessor.Process threw an exception.
Expired Certificate
The warning and error messages recorded in the event log indicate an expired certificate on the Intune Certificate Connector server. Open the local computer certificate store (certlm.msc) on the server where the Intune Certificate Connector is installed. Review the expiration date of the certificate issued by Microsoft Intune ImportPFX Connector CA. It is most likely expired.
Click on the Certification Path tab to view the certificate status.
Renew Certificate
To renew this certificate, you must reinstall the Intune Certificate Connector. However, you do not have to uninstall it first. To renew the certificate, navigate to C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI and double-click on PFXCertificateConnectorUI.exe. Follow the prompts without making changes to the existing configuration. You’ll be prompted for the service account password (if using a domain account) and proxy credentials (if using a proxy server). In addition, you’ll be asked to sign in to Entra ID (formerly Azure AD). Be sure to provide credentials that are a global administrator and have an Intune license assigned. Once the process is complete, a new certificate will be installed in the local computer certificate store.
Intune Configuration
After updating the Intune Certificate Connector, a new certificate connector appears in the Intune Admin Center. You can now safely delete the old connector and rename the new one accordingly.
Redundancy
Deploying multiple instances of the Intune Certificate Connector is an excellent way to avoid future outages! It’s also a good idea to stagger their installation by a few months to ensure that a future certificate expiration doesn’t result in lost functionality. If you’ve deployed Intune Certificate Connectors recently, consider updating them at rotating intervals so certificates expire at different times.
