Always On VPN DPC Open Source

Recently, I wrote about the demise of PowerON Platforms, the company behind the popular Always On VPN Dynamic Profile Configurator (DPC) software that allows administrators to deploy and manage Always On VPN client configuration settings using Active Directory Group Policy or Microsoft Intune with custom ADMX/ADML. Initially, the future of DPC was uncertain. However, I’m happy to announce that DPC will continue to be developed.

DPC Open Source

The lead developer of DPC and my good friend Leo D’Arcy retained the source code for the product and has been working diligently to decommercialize the software. That work has been completed, and Always On VPN DPC is now available via open source. You can find the source code for DPC on GitHub here.

DPC Features

This initial open-source release (version 5.0.0) contains no significant new features or functionality. Most of the development efforts focused on removing references to PowerON Platforms (registry paths, binary names, etc.).

Support

Today, DPC support is community-based. You can report issues on the GitHub issues page for DPC. In addition, you can ask questions about DPC on Discord in the Microsoft Remote Access UG. Leo and I will monitor the group closely and answer any questions you might have there.

Deployment

If you’re not a DPC user today, I encourage you to have a look at its impressive feature set. Not only does DPC make Always On VPN deployment and management easier, but it also includes many advanced capabilities that will make connections more stable and reliable. Here are some links to articles outlining some of those advanced features.

Migration

If you already have a previous commercial release of Always On VPN DPC deployed, migrating to the new open-source DPC is straightforward. You will find guidance for migrating your existing DPC configuration here.

Contribute

Now that DPC is open source, we encourage everyone to contribute. If you have development skills, feel free to help. If you have feedback or feature requests, don’t hesitate to submit them!

Learn More

Are you interested in learning more about Always On VPN DPC? Would you like a personal demonstration of DPC’s features and capabilities? Do you need help migrating from a previous release to the new open-source software? Fill out the form below and I’ll contact you with more information.

Additional Information

Always On VPN DPC Open Source on GitHub

PowerON Platforms Are No More

Intune Strong Certificate Mapping Error

Microsoft recently introduced support for strong certificate mapping in Intune to support changes introduced with the May 2022 security update KB5014754. Specifically, Intune now supports adding the SID for the principal in the subject name to the certificate for PKCS and SCEP device configuration policies.

Error

A few folks have contacted me about an error they encountered when configuring strong certificate mapping for Intune device configuration profiles using PKCS. Specifically, they would receive the following error message after specifying the URI value {{OnPremisesSecurityIdentifier}} in the Subject Alternative Name section of the PKCS policy.

A value is required for Value. Value can include allowed variables combined with static text. UPN and Email address should include an @, for example: “{{AAD_Device_ID}}@contoso.com”. DNS cannot end with a symbol or contain an @ sign, e.g. “{{DeviceName}}.contoso.com“ or “{{DeviceName}}”. See support variables here: https://go.microsoft.com/fwlink/?linkid=2104597

Resolution

Administrators will receive this message when adding the {{OnPremisesSecurityIdentifier}} variable to a PKCS device configuration policy. This error is expected because PKCS does not require (or support) the use of this value in this field. The {{OnPremisesSecurityIdentifier}} value is only required for SCEP Intune device configuration profiles.

To add the SID to a PKCS certificate, administrators must only define a registry value on the Intune Certificate Connector server as described here. No changes are required on the PKCS device configuration policy in Intune.

Additional Information

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Certificate-Based Authentication Changes for Always On VPN

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Always On VPN LockDown Mode

With the October 2024 Intune update, Microsoft introduced support for strong certificate mapping for certificates issued by Intune via the Intune Certificate Connector. Enabling strong certificate mapping support in Intune is an important change for those organizations using Microsoft Intune to issue and manage certificates for their users and devices, as it resolves a critical implementation blocker.

Note: This post was updated to clarify that adding the {{OnPremisesSecurityIdentifier}} for PKCS certificates is not required. This variable is only used for SCEP certificates.

Background

In May 2022, Microsoft released security update KB5014754, which added functionality to domain controllers and enterprise issuing certification authority (CA) servers, allowing the Kerberos Key Distribution Center (KDC) to enforce strong certificate mapping. Specifically, with KB5014754 installed, issuing CAs now add the requesting principal’s Security Identifier (SID) to the certificate in a new certificate extension. Domain controllers can be configured to reject authentication requests using certificates that do not include this information.

Today, DCs with KB5014754 installed will still allow authentication without strong certificate mapping. However, Microsoft has stated they will begin enforcing strong certificate mapping in February 2025, with an option to disable it via the registry. Starting in September 2025, full enforcement will be mandatory.

Reference: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Limitation

The initial changes in KB5014754 applied only to online certificate templates, meaning those that build the subject name from Active Directory. However, deploying certificates with Intune using either PKCS or SCEP requires using an offline certificate template that allows the requestor to supply the subject name in the request. When using offline templates, a certificate is issued but does not embed the SID in the certificate. Using offline templates presents unique challenges to organizations moving to modern management with Intune and Entra ID.

Intune Changes

The October 2024 Intune update addresses this limitation by providing a method to include SID information in certificates using either SCEP or PKCS.

SCEP

To include the SID information in SCEP certificates, create or edit an existing SCEP device configuration policy and define a URI Subject Alternative Name (SAN) attribute with the value {{OnPremisesSecurityIdentifier}} as shown here.

PKCS

To include SID information in PKCS certificates, administrators must ensure the Intune Certificate Connector is updated to at least version 6.2406.0.1001. In addition, a registry setting must be enabled on the Intune Certificate Connector server.

On the server where the Intune Certificate Connector is installed, open the registry editor, navigate to HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector, and change the value of EnableSidSecurityExtension to 1.

Optionally, administrators can update this setting at the command line by running the following PowerShell command.

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\PFXCertificateConnector’ -Name EnableSidSecurityExtension -Value 1 -Force

Once complete, restart the Intune Certificate Connector server for the changes to take effect.

Certificates

SID information is added to certificates differently depending on which Intune device configuration policy type is used.

PCKS

PKCS certificates have the SID embedded in the certificate extension 1.3.6.1.4.1.311.25.2, as shown here.

SCEP

SCEP certificates have the SID embedded in the Subject Alternative Name (SAN) field in the format “tag:microsoft.com,2022-09-14:sid:<SID>” as shown here.

Migration

When making these changes to embed the SID in Intune-issued certificates in an existing Intune PKCS or SCEP configuration policy, the change will only affect certificates issued after the change is made. To update all certificate holders, you must create and deploy a new device configuration policy to targeted users or devices. Deleting the old profile (or ensuring it no longer applies) will remove the old certificate from the endpoint. If you’ve configured your Intune Certificate Connector to support revocation, the old certificate will also be revoked.

Entra Conditional Access

Entra Conditional Access certificates have included SID information since July 2023. More details here.

Intune Cloud PKI

The changes above will also work with certificates issued by Cloud PKI for Intune.

Other Cloud PKI Providers

Many other Cloud PKI providers, such as SCEPman and KEYTOS, already include the embedded SID in their certificates. Other cloud PKI providers may also include embedded SID. Consult your provider to confirm.

Additional Information

Microsoft Intune October 2024 Strong Certificate Mapping Update

Microsoft Intune Certificate Connector Strong Certificate Mapping Update for PKCS

Entra ID Conditional Access Certificates with SID Information Now Available

Implementing Strong Certificate Mapping in Microsoft Intune PKCS and SCEP Certificates

Certificate-Based Authentication Changes and Always On VPN