Migrating from Always On VPN DPC Commercial to Open Source

Always On VPN Dynamic Profile Configurator (DPC) is a software solution that enables administrators to deploy and manage Always On VPN client configuration settings using Active Directory and Group Policy or Microsoft Intune. DPC began life as a commercial product. Recently, DPC has been released to the public via open source. DPC open source allows administrators everywhere to deploy the solution without cost. If you’re not using DPC today, I’d strongly recommend it. If you were previously a DPC commercial customer, you’ll want to migrate to DPC open source soon.

Migration

Migrating from DPC commercial to open source requires the administrator to deploy a Group Policy Object (GPO) and client software in a specific order to avoid disruption to end users. Perform the following steps to complete the migration.

GPO Files

Download the DPC v5.0 (open source) group policy settings file (ADMX) file here and the language definition (ADML) file here.

After downloading the files, copy dpc.admx to the following location.

\\<DC name>\sysvol\<domain name>\Policies\PolicyDefinitions

Next, copy dpc.adml to the following location.

\\<DC name>\sysvol\<domain name>\Policies\PolicyDefinitions\en-US

Once complete, allow domain controller replication to finish before deploying DPC group policy settings.

New GPO

Create a new GPO that will contain the VPN client configuration settings. Do NOT copy the original DPC commercial GPO. Starting with a blank GPO is best to ensure proper operation and prevent conflicts. Also, please note the location for DPC settings has changed. The new location for DPC v5.0 settings is:

Computer Configuration > Policies > Administrative Templates > DPC Client

You can now link the GPO to the applicable OU(s) or complete this task before deploying the new software.

Migration Tool

The easiest way to migrate from DPC commercial to open source is to migrate the settings from the current GPO to a new one. A PowerShell script is available to simplify this task. You can download the Migrate-DpcConfig.ps1 PowerShell script here.

Note: It is not strictly required to migrate your current settings from DPC commercial. Although this migration script makes importing settings easier, nothing prevents you from creating a new GPO for DPC open source and starting from scratch if you wish.

Prerequisites

The PowerShell migration script requires the installation of the Remote Server Administration Tools (RSAT). Specifically, the Group Policy Management tools are needed. Although it’s possible to run this script on a domain controller, it is not recommended. The best practice is to install the RSAT tools on an administrative workstation or server.

You can install the necessary RSAT feature on Windows 11 by opening an elevated PowerShell or command window and running the following command.

dism.exe /Online /add-capability /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

On Windows Server, you can install the Group Policy Management tools by opening an elevated PowerShell command window and running the following command.

Install-WindowsFeature -Name GPMC

Once complete, restart the server to complete the installation process.

Import Settings

To migrate the DPC settings, open an elevated PowerShell command window and run the following command.

.\Migrate-DpcSetting.ps1 -PreviousGPOName <name of old DPC GPO> -NewGPOName <name of new DPC GPO>

For example,

.\Migrate-DpcSetting.ps1 -PreviousGPOName ‘Always On VPN DPC’ -NewGPOName ‘Always On VPN DPC – Open Source’

Apply GPO

If not done earlier, link the new DPC open-source GPO to the applicable OU(s). Do NOT unlink or delete the old GPO until all endpoints have been upgraded to the DPC v5.0 client.

Install Software

Once the new GPO has been configured and applied in Active Directory, the next step is to upgrade the DPC commercial client to the DPC open source client (v5.0). Software can be deployed via GPO using Active Directory software installation, SCCM, or any other method you use in your environment to deploy software. No switches or additional parameters are required to perform the upgrade. Simply run the .MSI file on the device, and the upgrade will occur automatically.

Important Note: Administrators must ensure that the new GPO settings are applied to the endpoint before installing the DPC v5.0 client.

Clean Up

After all endpoints have been upgraded to DPC v5.0, administrators can remove the DPC commercial GPO from AD. In addition, the commercial DPC ADMX and ADML files can be removed from domain controllers if desired.

Need Help?

If you’d like assistance migrating DPC commercial to open source, please don’t hesitate to reach out! I’m available to answer questions or provide remote assistance if necessary. You can reach me on the DPC-Chat channel on Discord here. Alternatively, you can fill out the form below, and I’ll provide more information.

Additional Information

PowerON Platforms Are No More

Always On VPN DPC Open Source

Always On VPN DPC Advanced Features

Always On VPN DPC with Microsoft Intune

Always On VPN DPC Open Source

Recently, I wrote about the demise of PowerON Platforms, the company behind the popular Always On VPN Dynamic Profile Configurator (DPC) software that allows administrators to deploy and manage Always On VPN client configuration settings using Active Directory Group Policy or Microsoft Intune with custom ADMX/ADML. Initially, the future of DPC was uncertain. However, I’m happy to announce that DPC will continue to be developed.

DPC Open Source

The lead developer of DPC and my good friend Leo D’Arcy retained the source code for the product and has been working diligently to decommercialize the software. That work has been completed, and Always On VPN DPC is now available via open source. You can find the source code for DPC on GitHub here.

DPC Features

This initial open-source release (version 5.0.0) contains no significant new features or functionality. Most of the development efforts focused on removing references to PowerON Platforms (registry paths, binary names, etc.).

Support

Today, DPC support is community-based. You can report issues on the GitHub issues page for DPC. In addition, you can ask questions about DPC on Discord in the Microsoft Remote Access UG. Leo and I will monitor the group closely and answer any questions you might have there.

Deployment

If you’re not a DPC user today, I encourage you to have a look at its impressive feature set. Not only does DPC make Always On VPN deployment and management easier, but it also includes many advanced capabilities that will make connections more stable and reliable. Here are some links to articles outlining some of those advanced features.

Migration

If you already have a previous commercial release of Always On VPN DPC deployed, migrating to the new open-source DPC is straightforward. You will find guidance for migrating your existing DPC configuration here.

Contribute

Now that DPC is open source, we encourage everyone to contribute. If you have development skills, feel free to help. If you have feedback or feature requests, don’t hesitate to submit them!

Learn More

Are you interested in learning more about Always On VPN DPC? Would you like a personal demonstration of DPC’s features and capabilities? Do you need help migrating from a previous release to the new open-source software? Fill out the form below and I’ll contact you with more information.

Additional Information

Always On VPN DPC Open Source on GitHub

PowerON Platforms Are No More

Delete A Cloud PKI for Intune Certificate Authority

Deleting an Always On VPN Device Tunnel

When Microsoft first introduced Cloud PKI for Intune, the solution did not allow administrators to delete a CA after it was created. As you are limited to just six Cloud PKI for Intune CAs, this was quite frustrating, especially during the testing and evaluation phase, where you may need to spin up a few instances before you decide on the features you need.

Are you interested in learning more about Cloud PKI for Intune? Register for my upcoming online training course, Mastering Certificates with Microsoft Intune. This three-day comprehensive, deep-dive course covers all aspects of issuing and managing certificates with Intune, including provisioning and managing Cloud PKI for Intune. Click here to learn more.

Delete Cloud PKI

Thankfully, Microsoft eventually realized this shortcoming and added this much needed feature a few months ago. However, removing an Intune Cloud PKI CA requires administrators to follow some specific steps to remove a CA successfully. Since Cloud PKI for Intune uses a two-tier deployment model, administrators must remove the issuing CA first and then the root CA if required.

Issuing CA

Follow the steps below to delete a Cloud PKI for Intune issuing CA.

Intune Policies

Be sure to delete any Intune device configuration policies relating to Cloud PKI for Intune before decommissioning a Cloud PKI for Intune CA. This includes trusted certificate policies, Wi-Fi policies, and VPN policies.

Pause CA

The first step of deleting a Cloud PKI for Intune CA is to pause the service. Pausing the service prevents new certificates from being issued while the administrator completes the remaining retirement tasks. Open the Intune portal (https://intune.microsoft.com), navigate to Tenant Administration > Cloud PKI, and click the CA to be deleted. Next, click Pause to pause the CA.

Revoke Certificates

Administrators must revoke all issued certificates before deleting the issuing CA. Click on any issued certificate to view its properties and then click the Revoke button, as shown here.

Complete this step for each certificate issued and active on the CA.

Note: It takes some time before the certificate status shows Revoked in the management console. Be patient!

Revoke CA Certificate

Once the administrator has revoked all issued certificates, click Revoke to revoke the issuing CA’s certificate.

Delete CA

Once the issuing CA certificate has been revoked the administrator will now have the option to delete the Cloud PKI for Intune issuing CA.

Root CA

After the administrator deletes the issuing CA, the root CA can be removed if necessary. Click on the root CA and click the Delete button.

Additional Information

Delete Microsoft Cloud PKI Certification Authority

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Microsoft Cloud PKI for Intune and Certificate Templates

Microsoft Cloud PKI for Intune and Active Directory

Microsoft Cloud PKI for Intune SCEP URL

Microsoft Cloud PKI for Intune on RunAs Radio