Awards
Consulting
Newsletter
Subscribe today!
Connect
- Facebook
- Twitter
- LinkedIn
- YouTube
- GitHub
- Tumblr
My Tweets
RSS Feed
- RSS - Posts
- RSS - Comments
Archives
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- April 2021
- March 2021
- January 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- November 2014
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- July 2012
- June 2012
- May 2012
- April 2012
Categories
Tag Cloud
0x2af9 0x274c 0x800b0101 0x800b0109 0x80090326 2FA 6to4 691 809 812 853 864 892 1803 1809 2012 R2 13801 13806 13868 20227 A10 access access denied ACL Activation active/passive Active Directory Active Directory Certificate Services active directory domain services AD ADC AD CS AD DS administration administrator advertise default route always on Always On VPN Always On VPN. VPN Always On VPN book Always On VPN device tunnel Amazon amazon.com Amazon Web Services anniversary update AOVPN aovpn Always On VPN aovpn book appliance application deliver controller application delivery application delivery controller Application Filter application policy Apress Apress Media ARP assurance attack attack surface audit authentication authenticity automation autopilot availability award AWS Azure Azure AD Azure AD Join Azure Application Gateway Azure Conditional Access Azure infrastructure Azure Load Balancer Azure MFA Azure Traffic Manager Azure Virtual WAN Azure VPN Azure VPN Gateway backup Belgium best practice best practice analyzer best practices BIG-IP BIGIP biometric Bomgar book BPA bug business BYOD CA ccertificate CDN certificate certificate 6to4 certificate authentication certificate authority certificate expiration certificate revocation certificate revocation list certificates certificate selection certificate server certificate template Certification Authority CERT_E_EXPIRED Checkpoint Check Point CIDR cipher cipher suite cipher suites Cisco Cisco Umbrella Citrix Citrix ADC Citrix NetScaler class-based default route class-based routing client client authentication client authentication certificate client deployment client operating system client provisioning clients cloud Cloudflare cloud infrastructure cluster clustering cmdlet CNG code codeplex command line Compliance component event log conditional access conference ConfigMgr configuration configuration error configuration manager Configuration Service Provider connect connected standby connecting connection failure connection status connectivity connectivity assistant consulting consulting services content filter control cookbook Core corporate resource COVID-19 CPU CRL CRL check cryptographic key cryptographic next generation cryptographic service provider cryptography CSP CSR custom cryptography custom IPsec policies custom IPsec policy custom policy DA database datacenter DCA DCA 2.0 DDoS decommission deep-packet inspection deep dive default route Dell demo demonstration denial of service deny access deployment deployment flexibility deployment guide deprecated deprecated feature design development Device Management device tunnel DFS DFS-R DHCP diagnostic log Direct Access DirectAccess DirectAccess. remote access DirectAccess 2012 DirectAccess 2012 R2 DirectAccess alternative DirectAccess alternatives DirectAccess Book DirectAccess clients DirectAccess Connectivity Assistant DirectAccess Deprecated DirectAccess End of Life DirectAccess EOL DirectAccess troubleshooting disaster recovery disconnect distributed file service DMZ DNAT DNS DNS64 DNS registration DNS suffix document management domain domain controller DomainNameInformation DoS DoS Protection Mode DPI DR drinks DTE Dual NIC dynamic password EAP EAP-TLS EC EC2 ECC ECDHE ECDSA education EKU elastic compute cloud elastic IP ELB elliptical curve elliptic curve cryptography. cryptography encapsulation encryption end of life endpoint management endpoint manager enhanced key usage enterprise enterprise edition enterprise mobility Enterprise Networking Enterprise Networking Magazine enterprise VPN entry point EOL error error 0x800b0101 error 619 error 691 error 801 error 809 error 829 Error 853 error 864 error 13806 error 13868 error code error code 809 error code 853 error code 858 error message ERROR_IPSEC_IKE_AUTH_FAIL ERROR_IPSEC_IKE_NO_CERTIFICATE ESTS_TOKEN_ERROR Europe event event ID 6 event ID 1000 event ID 7024 Event ID 20227 event log event viewer exception exceptions Exchange 2013 Exchange OWA Exchange OWA 2010 exclusion route exclusions expired certificate explorer export extensible authentication protocol external load balancer F5 F5 BIG-IP F5 Local Traffic Manager F5 LTM failover failure fallback feature file explorer file replication service file share financial FIPS firewall fix Florida force tunnel force tunneling Forefront Forefront TMG Forefront TMG 2010 Forefront UAG Forefront UAG 2010 Forefront UAG 2010 SP3 Forefront UAG 2010 SP4 Forefront UAG SP3 Forefront Unified Access Gateway formatting Fortinet FQDN fragmentation FRS full NAT Fully Qualified Domain Name future GCM GEO geographic redundancy getting started wizard GitHub Global Protect GlobalProtect global server load balancer Global Server Load Balancing GoToMyPC government GPMC GPO graphical user interface group membership group policy group policy object group policy preferences GSLB GSW GUI guidance guide happy hour hardening hardware load balancer hardware security module hashing health check hibernate high availability hostname hotfix hotfix rollup HP HSM HTTP http.sys HTTPS Hybrid Azure AD Join hybrid cloud Hyper-V hypervisor IaaS ICMP ICMPv6 Ignite Ignite conference IIS IKE IKE authentication credentials are unacceptable ikeext IKE failed to find a valid machine certificate IKEv2 IKEv2 fragmentation iManage iManage Work implementation implementing import Important Links index infrastructure infrastructure as a service insider preview installation integration integrity Internet Internet Information Services Internet Key Exchange Internet Key Exchange version 2 Internet Key Exchange version 2 (IKEv2) interview intrasite automatic tunnel addressing protocol InTune Intune certificate connector Intune Proactive Remediation inutne IP IP-HTTPS ipad IPHTTPS IPsec IPsec SA IPv4 IPv6 IPv6 transition IPv6 transition protocol IPv6 transition technologies IPv6 transition technology IPv6 transition tunnel IPv6 translation Iron Networks iRule ISATAP issue issuing CA issuing certification authority IT/Devconnections Kemp Kemp Load Balancer Kemp Load Master Kemp LoadMaster Kemp LoadMaster Load Balancer Kemp Technologies kerberos Kerberos proxy key storage provider KMS KMS activation known issue k security KSP L2TP L2TP/IPsec L7 Las Vegas layer 7 learn learning LMOS load balancer load balancing LoadMaster LoadMaster Load Balancer local traffic manager Lockdown Lockdown mode log log collection log file logging Logjam LogMeIn LTM M365 MAK malware management management pack Manage Out managing maximum transmission unit MDM MDX media disconnected meeting MEM MEMCM MFA Microsoft Microsoft 365 Microsoft Always On VPN Microsoft Azure Microsoft DirectAccess Microsoft Endpoint Manager Microsoft Ignite Microsoft Ignite conference Microsoft Intune Microsoft Most Valuable Professional Microsoft MVP Microsoft Office Microsoft Outlook Microsoft Surface Microsoft Surface Pro Microsoft Surface Pro 4 Microsoft Surface RT Microsoft System Center Microsoft System Center 2012 Microsoft TechDays Belgium 2013 Microsoft TechEd Microsoft TechEd 2013 Microsoft TechEd Europe 2013 Microsoft TechEd North America 2013 Microsoft VPN Microsoft Windows minimal server interface minimize network connections missing route mitigation mobile mobile device Mobile Device Management Mobility monitor monitoring MSCHAPv2 MTU multi-factor authentication multi-SAN multi-SAN certificate multi-site multicast multifactor authentication multihome multihomed multinetworking multisite multisite DirectAccess MVP NAC name resolution name resolution policy table namespace namespace proxy NAP NAT NAT64 NCA ncasvc NCSI NDES NDES connector NetMotion NetMotion Mobility NetMotion Software Netscaler netsh netsh.exe network Network Access Control Network Access Protection network adapter network address translation network administration network connectivity assistant network connectivity status indicator Network Device Enrollment Service Networking network interface network load balancer network load balancing network location server network policy network policy server Network Policy Server. powerhsell network prefix network security group network virtual appliance network virtualization Nevada next generation firewall NGFW NIC NLB NLS nmap Notes Notes Novell November Update NPS NPS Extension for Azure MFA NRPT NSG NSlookup NTAuth NTAuth Store null cipher null cipher suites NULL encryption NVA OCSP ODJ OEM Office office 365 offline offline domain join offload offloading OID OMA OMA-DM OMA-URI one-time password one-time passwords online responder OpenDNS open source openssl operating system Operational Support operations Operations Manager Ops Manager Orlando OS OTP Outlook PAC PAC file packet capture Packt Publishing PAL Palo Alto Palo Alto Networks partnership path MTU PC PEAP perfmon performance performance IPv6 performance monitor perimeter perimeter network persistence persistence profile persistency group Petri PFE PKI plug-in Pluralsight podcast point-to-site point-to-site connection point-to-site VPN PointSharp PointSharp ID policy policy mismatch POODLE portal portproxy PowerShell PowerShell remoting PPTP pre-order preauthentication prefix preorder prerequisites preview privacy private key Proactive Remediation Proactive Remediations probe productivity professional professional services ProfileXML ProfileXML. Intune protected extensible authentication protocol protection protocol provisioning proxy proxy autoconfiguration proxy server proxy settings psexec public certificate public cloud public key cryptography public key infrastructure public resolver public sector publishing publish route Pulse Secure purpose-built VPN putty QA QoS Quad9 Quad9 DNS Qualys Qualys SSL Labs RA RADIUS ransomware RAS rascient RasClient RasClient 20226 rasclient error 858 rasdial rasman rasmans.dll rasphone RasSstp RDC RDP RDS real server real server check method RealStuff Recommended Reading Redmond redundancy redundnacy reference registry remediation Remote Access remote access IPv6 remote access service remote access VPN remote assistance remote desktop remote desktop connection remote desktop services remote management remote PowerShell remote server administration tools remove remtoe access reporting resolver retail retired revocation revocation check risk roadmap rollup root CA root certificate RootCertificateNameToAccept root certification authority round robin DNS route router routes route table routing Routing and Remote Access Routing and Remote Acc ess Service routing and remote access service routing table RRAS RSA RSAT RunAs Radio SA SAN Satya Nadella scalability SCCM SCCM remote control SCEP schannel school script scripting script package scripts SDX Secure Socket Tunneling Protocol security security advisory security association security group security update selective tunneling self-service password reset self-signed certificates Server Server 2012 Server 2012 Core Server 2012 DirectAccess Server 2012 R2 server authentication Server Core server operating system service account service group service pack session SharePoint SharePoint 2010 SharePoint 2013 signing Simple Certificate Enrollment Protocol simplified deployment single NIC single sign-on site-to-site to VPN site-to-site VPN SKU Skype Skype for Business sleep smart card smart card logon SMB SNAT software SonicWALL SP3 speaking split DNS split tunnel split tunneling SQL SQL server SSD SSH SSL SSL/TLS SSL certificate SSl certificates SSL inspection SSL offload SSL termination SSL VPN SSO SSPR SSTP SSTP. SSL standby strong authentication strongSwan strong user authentication subject alternative name subnet subnet mask subnetting subscription activation support supportability supporting Surface Surface Pro Surface Pro 4 Surface RT svchost.exe Switzerland Symantec sysinternals System Center System Center 2012 System Center Configuration Manager System Center Operations Manager System Center Operations Manager 2012 systeminfo systems management tablet TCP TeamViewer TechDays TechDays 2013 Belgium TechDays San Francisco 2013 TechDaysSF TechDaysSF2014 TechEd TechEd 2012 TechEd 2013 TechEd Europe TechEd Europe 2012 TechEd Europe 2013 TechEd North America TechEd North America 2012 TechEd North America 2013 TechMentor TechMentor 2019 TechMentor Conference TechNet Teredo termination testing Threshold 2 throughput Thunder TLS TLS certificate TLS inspection TLS offload TMG TMG 2010 TND TPM Traffic Filter Traffic Manager traffic routing training TrainSignal transition protocol transition technologies transition technology transition tunnel transport layer security Troopers16 troubleshoot troubleshooting trusted network detection Trusted Platform Module trusted root CA trusted root certification authority tunnel tunnel adapter tunnel adapter IP-HTTPS interface tunnel endpoint tunneling two factor authentication UAG UAG 2010 UAG 2010 SP4 UAG DirectAccess UAG SP3 UAG SP4 UDP UI ULA Umbrella Umbrella Roaming Client unattended mode unicast unicode Unified Remote Access uninstall unique local address unsupported configuration update updates upgrade UseRasCredentials user defined route user interface user tunnel user tunnel authentication utilities utilization v6v4tunnel validation video video training VIP virtual appliance virtual IP address virtualization virtual machine virtual network adapter virtual networking virtual private netowrking virtual private network virtual private networking virtual server Virtual WAN visibility Visual Studio Visual Studio Code VM VMware VNC VPN VPN gateway VPN profile VPN server VpnStrategy VPX VS VS Code vserver vulnerabilities vulnerability WAF wake from hibernate wake from sleep WAN WAP warning Washington web application proxy web filter webinar webprobehost web proxy web proxy server web publishing web server WFAS WHFB whitepaper WID Widows Win10 Windows Windows 7 Windows7 Windows 7 Enterprise Windows 7 SP1 Windows 7 Ultimate Windows 8 Windows 8 Enterprise Windows 8 Pro Windows 8 Professional Windows 8.1 Windows 8.x Windows 8.x/10 Windows 10 Windows10 Windows 10 1803 Windows 10 1809 Windows 10 1903 Windows 10 2004 Windows 10 Always On VPN Windows 10 anniversary update Windows 10 Enterprise Windows 10 November Update Windows 10 pro Windows 10 Professional Windows 10 Technical Preview Windows11 Windows 11 Windows 11 Enterprise Windows DirectAccess windows firewall Windows Firewall with Advanced Security Windows Hello Windows Hello for Business Windows Information Protection Windows Information Protection (WIP) Windows Internal Database Windows RRAS Windows Server Windows Server 1809 Windows Server 2003 Windows Server 2003 R2 Windows Server 2008 R2 Windows Server 2008R2 Windows Server 2012 Windows Server 2012 Core Windows Server 2012 DirectAccess Windows Server 2012 R2 Windows Server 2015 TP5 Windows Server 2016 Windows Server 2016 Technical Preview Windows Server 2016 Technical Preview 5 Windows Server 2019 Windows Server 2022 Windows server core Windows Server Update Services Windows Servr 2012 R2 Windows Sever Windows Update winhttp WinPcap WinRM WinRM quickconfig WIP Wireshark workaround work folders workplace join WorkSite WSAETIMEDOUT WSAHOST_NOT_FOUND WSUS XenApp XML YouTube Zero Trust Zero Trust Network Access Zscaler ZTNA

All posts in category MEM

Always On VPN and Intune Proactive Remediation

Always On VPN and Autopilot Hybrid Azure AD Join

When configuring and deploying Windows Always On VPN using Microsoft Endpoint Manager (MEM)/Intune, administrators may find that some settings are not exposed in the MEM UI. In some cases, deploying the configuration profile using custom XML is the workaround. However, many crucial Always On VPN settings are not exposed using either method. Here, administrators must resort to editing settings in the VPN configuration file on the client after provisioning the VPN profile.

Phonebook

A file called rasphone.pbk stores all Windows VPN settings on the endpoint. It includes name/value pairs that correspond to many settings administrators change manually in the GUI. Other settings can be changed using PowerShell. Depending on the connection type, the file can be found in one of two locations.

User Tunnel: $env:AppData\Microsoft\Network\Connections\Pbk\rasphone.pbk
Device Tunnel: $env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Documentation for Windows VPN client phonebook entry settings can be found here.

Limitations

Unfortunately, editing the rasphone.pbk file isn’t always convenient. Making the changes is technically easy. Administrators can write a simple PowerShell script to update the text file as required. However, automating this at scale is challenging. Thankfully, Intune Proactive Remediations can help.

Proactive Remediations

With Intune Proactive Remediations, administrators can create and deploy script packages to monitor and optionally update specific configuration settings. The package includes two scripts, a detection script, and a remediation script. The detection script looks at the current value of a particular setting and reports on its compliance. The remediation script is triggered to update the setting if the value is incorrect.

Requirements

Intune Proactive Remediations has some specific licensing requirements. Administrators must also enroll devices into Endpoint analytics and provision a Windows Health Monitoring configuration profile. There are also limitations on the size and type of scripts that administrators can use. More information on prerequisites can be found here.

Script Packages

Administrators can create detection and remediation PowerShell scripts to update settings in rasphone.pbk, or optionally, they can download sample scripts from my GitHub repository here. This repository contains user and device tunnel detection and remediation scripts for many popular settings in rasphone.pbk. Examples include updating the VPN Strategy, changing VPN interface metrics, disabling class-based default routes, and many more.

Note: The scripts in my GitHub repository are examples only. While they can be used in production environments, they are basic and may not work as expected in all scenarios. For example, the scripts as written today assume only a single VPN profile provisioned. Unexpected results may occur if more than one VPN profile exists. Please use them at your own risk.

Deployment

In this example, we’ll deploy a Proactive Remediation to disable IKE mobility for user tunnel VPN connections. To configure an Intune Proactive Remediation, open the Microsoft Endpoint Manager portal (https://endpoint.microsoft.com/) and navigate to Reports > Endpoint analytics > Proactive remediations. After creating or downloading the detection and remediation scripts, perform the following steps to create and deploy a Proactive Remediation script package.

Click Create script package.
Enter a name for the package in the Name field.
Enter a description for the package in the Description field (optional).
Click Next.
Click the blue folder icon next to the Detection script file field and upload the detection script.
Click the blue folder icon next to the Remediation script file field and upload the associated remediation script.
For user tunnel connections, click Yes next to Run this script using the logged-on credentials. For device tunnel connections, click No.
Click Next.

Assign scope tags and group assignments as necessary, then click Create. Click Refresh to update the UI to display the newly created script package.

Caveats

Be advised that Proactive Remediation script packages run immediately after the first device sync and then every 24 hours after that. Timing issues could lead to delays in functionality. For example, if an Always On VPN profile is provisioned after a Proactive Remediation script runs, the changes made by the remediation script won’t be available until much later. Also, changes made while the VPN is active will not take effect until after restarting the connection.

Special Thanks

Special thanks to Tom Klaver at Inspark for turning me on to this feature. It has been an absolute lifesaver for sure!

Additional Information

Microsoft Intune Proactive Remediation Tutorial

Windows VPN Phonebook Entry Settings

Intune Proactive Remediation Script Samples on GitHub

Microsoft Windows Always On VPN Class-Based Default Route and Intune

Microsoft Windows Always On VPN Short Name Access Failure

Always On VPN Client Routes Missing

When configuring Always On VPN for Windows 10 and Windows 11 clients, administrators may encounter a scenario where an IPv4 route defined in Microsoft Endpoint Manager/Intune or custom XML is not reachable over an established Always On VPN connection. Further investigation indicates the route is added to the configuration on the endpoint but does not appear in the routing table when the connection is active.

Routing Configuration

When split tunneling is enabled, administrators must define routes to IP networks that are reachable over the Always On VPN connection. The method of defining these routes depends on the client configuration deployment method.

Endpoint Manager

Using Microsoft Endpoint Manager, administrators define IP routes in the Split Tunneling section of the configuration settings for the Always On VPN device configuration profile. Routes are defined by entering the destination prefix and prefix size. In this example, the 10.0.0.0/8 and 172.21.12.0/21 IPv4 networks are defined for routing over the Always On VPN tunnel.

Custom XML

Using custom XML deployed using Microsoft Endpoint Manager, System Center Configuration Manager (SCCM), or PowerShell, routes are defined in the XML file using the following syntax.

Client Configuration

Validate the routing configuration has been implemented on the endpoint successfully by running the following PowerShell command.

Get-VpnConnection -Name <Connection Name> | Select-Object -ExpandProperty Routes

As you can see here, the IPv4 routes 10.0.0.0/8 and 172.21.12.0/21 are included in the client’s Always On VPN configuration, as shown below.

Missing Route

However, after establishing an Always On VPN connection, the 172.21.12.0/21 network is not reachable. To continue troubleshooting, run the following PowerShell command to view the active routing table.

Get-NetRoute -AddressFamily IPv4

As you can see above, the only IPv4 route in the VPN configuration added to the routing table is the 10.0.0.0/8 network. The 172.21.12.0/21 IPv4 route is missing.

Network Prefix Definition

IPv4 routes missing from the Always On VPN client’s routing table result from incorrect network prefix definition. Specifically, the IPv4 route 172.21.12.0/21 used in the example here is not a valid network address. Rather, it is a host address in the 172.21.8.0/21 network, as shown below.

The Get-Subnet PowerShell cmdlet is part of the Subnet PowerShell module. To install this module, run the following PowerShell command.

Install-Module Subnet

Resolution

Using the example above, enabling access to the 172.21.12.0/21 subnet would require defining the IPv4 prefix in the routing configuration as 172.21.8.0/21. The moral of this story is always validate routing prefixes to ensure they are, in fact, network addresses and not host addresses.

Additional Information

Always On VPN Routing Configuration

Always On VPN Default Class-based Route and Microsoft Endpoint Manager/Intune

2 Comments

by Richard M. Hicks on November 8, 2021 • Permalink

Posted by Richard M. Hicks on November 8, 2021

https://directaccess.richardhicks.com/2021/11/08/always-on-vpn-client-routes-missing/

Always On VPN Windows 11 Issues with Intune

Since the introduction of Windows 11, there have been numerous reports of issues with Always On VPN when deployed using Microsoft Endpoint Manager/Intune. Specifically, administrators have been reporting that Always On VPN profiles are being deleted, then later reappearing. Obviously, this is highly disruptive to users in the field.

Causes

According to Microsoft, there are several causes for deleted VPN profiles.

Changes to an Existing Profile

Missing Always On VPN profiles commonly occurs when updating settings for an existing VPN profile applied to Windows 11 endpoints. In this scenario, the VPN profile is deleted but not immediately replaced. Synchronize the device with Microsoft Endpoint Manager/Intune once more to return the VPN profile.

Multiple Profiles

Issues with Always On VPN profiles may also occur if two new VPN profiles are applied to the endpoint simultaneously.

Remove and Replace

Removing and replacing an Always On VPN profile at the same time will also result in connectivity issues.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure

Workaround

There is no known workaround for these issues at this time. Microsoft is aware of the problem and is working on a fix, and until then, rolling out Windows 11 with Always On VPN should be avoided.

Additional Issues

There have been reports of other known issues with Windows 11 and Always On VPN. For instance, my PowerShell script that removes an Always On VPN connection doesn’t work with Windows 11. I’m working to resolve that issue as we speak.

Are you experiencing any issues with Always On VPN on Windows 11? Please share them in the comments below!

23 Comments

by Richard M. Hicks on October 28, 2021 • Permalink

Posted in administration, Always On VPN, AOVPN, device tunnel, Endpoint Manager, Enterprise, enterprise mobility, InTune, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobility, Operational Support, Remote Access, user tunnel, VPN, Windows 10, Windows 11

Posted by Richard M. Hicks on October 28, 2021

https://directaccess.richardhicks.com/2021/10/28/always-on-vpn-windows-11-issues-with-intune/

Always On VPN Short Name Access Failure

Using Microsoft Endpoint Manager (Intune), administrators can provision Always On VPN to devices that are Azure AD joined only. Users accessing on-premises resources from these devices can still use seamless single sign-on, making this deployment option popular for organizations moving to the cloud.

Short Names

After deploying Always On VPN to Windows 10 devices that are Azure AD joined only and configured to use client certificate authentication, administrators may find that users cannot access on-premises resources by their short name, such as \\app1. The connection fails and returns the following error message.

“Windows can’t find <servername/sharename>. Check the spelling and try again.”

FQDN

Interestingly, on-premises resources are accessible using their fully qualified domain name (FQDN), such as \\app1.corp.example.net.

Troubleshooting

Testing name resolution using the short name works as expected, and the resource is reachable at the network layer, as shown here.

Workaround

This issue is related to how Windows performs authentication when connected via VPN. To resolve this issue, edit the rasphone.pbk file and change the value of UseRasCredentials to 0. Rasphone.pbk can be found in the $env:AppData\Microsoft\Network\Connections\Pbk folder.

After updating this setting, restart the VPN connection for the change to take effect.

Proactive Remediations

While helpful for testing, editing rasphone.pbk manually obviously does not scale well. To address this, consider using Intune Proactive Remediations. Intune Proactive Remediations allows administrators to deploy detection and remediation PowerShell scripts to monitor specific settings and update them if or when they change. Proactive Remediations will ensure the setting is applied consistently across all managed endpoints.

GitHub Repository

I have created a new GitHub repository dedicated to PowerShell scripts for Endpoint Manager Proactive Remediations for Always On VPN. There you will find detection and remediation scripts for the UseRasCredentials settings change described in this article.

Additional Information

Always On VPN Endpoint Manager Proactive Remediation Scripts on GitHub

Endpoint Manager Proactive Remediations Tutorial

6 Comments

by Richard M. Hicks on September 20, 2021 • Permalink

Posted by Richard M. Hicks on September 20, 2021

https://directaccess.richardhicks.com/2021/09/20/always-on-vpn-short-name-access-failure/

Richard M. Hicks Consulting, Inc.

Awards

Consulting

Newsletter

Connect

RSS Feed

Archives

Categories

Tag Cloud

All posts in category MEM

Always On VPN and Intune Proactive Remediation

Phonebook

Limitations

Proactive Remediations

Requirements

Script Packages

Deployment

Caveats

Special Thanks

Additional Information

Share this:

Like this:

Always On VPN Client Routes Missing

Routing Configuration

Endpoint Manager

Custom XML

Client Configuration

Missing Route

Network Prefix Definition

Resolution

Additional Information

Share this:

Like this:

Always On VPN Windows 11 Issues with Intune

Causes

Changes to an Existing Profile

Multiple Profiles

Remove and Replace

Workaround

Additional Issues

Share this:

Like this:

Always On VPN Short Name Access Failure

Short Names

FQDN

Troubleshooting

Workaround

Proactive Remediations

GitHub Repository

Additional Information

Share this:

Like this:

Always On VPN Book

DirectAccess Book

Recent Posts

Always On VPN Resources

DirectAccess Resources