All posts in category PowerShell

Always On VPN DPC with Intune

In the past, I’ve written about Always On VPN Dynamic Profile Configurator (DPC), a software solution administrators can use to provision and manage Always On VPN client configuration settings using Active Directory and group policy. In addition to streamlining the deployment and management of Always On VPN client settings, DPC has many advanced features and capabilities to ensure optimal security, performance, and connection reliability.

Optimizations

Many settings required to fine-tune and optimize Always On VPN connections are not exposed in the Intune UI or XML. They must be configured by manipulating configuration files, setting registry keys, and running PowerShell commands. Much of this can be automated using Intune Proactive Remediation, but it is far from ideal. Administrators must configure Always On VPN using one method, then deploy optimizations using another. In addition, Proactive Remediation suffers from timing issues where some settings are not applied immediately, resulting in degraded or inoperable VPN connections until changes take effect.

Always On VPN DPC

Always On VPN DPC allows administrators to configure many advanced settings quickly and conveniently using the familiar Group Policy Management console (gpmc.msc). DPC dramatically reduces the administrative burden associated with Always On VPN client management. In addition, DPC enables many of these options by default, ensuring optimal security and reliable operation. Also, DPC immediately implements all configuration settings, eliminating the need to reboot to apply configuration changes.

Intune and ADMX

Historically, Always On VPN DPC could only be used when managing endpoints exclusively with Active Directory group policy. However, DPC can now be used with Microsoft Endpoint Manager/Intune thanks to a new feature that allows administrators to import custom ADMX and ADML administrative templates to Microsoft Endpoint Manager (MEM).

Note: This feature is in public preview at the time of this writing.

DPC and Intune

The combination of DPC and Intune brings with it many advantages. Using DPC with Microsoft Endpoint Manager/Intune offers administrators simplified deployment and many advanced features provided by Always On VPN DPC. In addition, customers who have deployed DPC on-premises can now migrate seamlessly to Microsoft Endpoint Manager/Intune management without giving up DPC’s valuable features.

Learn More

Enter your contact details in the form below for more information regarding Always On VPN DPC. Also, visit https://aovpndpc.com/ to register for a free Always On VPN DPC trial.

Additional Information

Always On VPN with Active Directory Group Policy

Introduction to Always On VPN DPC

Always On VPN DPC Advanced Features

Always On VPN DPC Video Demonstrations

What’s New in Always On VPN DPC v3.0

Always On VPN DPC Free Trial

2 Comments
by Richard M. Hicks on October 10, 2022  •  Permalink
Posted in AADJ, Active Directory, administration, Always On VPN, AOVPN, AovpnDPC, Azure, Azure Active Directory, Azure AD, Azure AD Join, Azure VPN, Azure VPN Gateway, cloud, Deployment, Device Management, device tunnel, DPC, Dynamic Profile Configurator, Endpoint Manager, Enterprise, enterprise mobility, Group Policy, HAADJ, Hybrid Azure AD Join, MDM, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, OMA-DM, Operational Support, PowerShell, ProfileXML, public cloud, Remote Access, SCCM, System Center Configuration Manager, systems management, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 10, 2022

https://directaccess.richardhicks.com/2022/10/10/always-on-vpn-dpc-with-intune/

Always On VPN NPS Auditing and Logging

The Network Policy Server (NPS) event log is incredibly valuable for administrators when troubleshooting Always On VPN user tunnel connectivity issues. Administrators can find these pertinent events by opening the Event Viewer on the NPS server (eventvwr.msc) and navigating to Custom Views > Server Roles > Network Policy and Access Services.

Event Logs

When configured correctly, event logs will record the disposition of all authentication requests, allowed or denied. The two most common recorded events are event IDs 6272 (access granted) and 6273 (access denied).

NPS Event ID 6272 – Access granted.

NPS Event ID 6273 – Access denied.

Auditing

In some cases, administrators may find none of these events recorded even though user authentication is working correctly. Here, the only events recorded are NPS informational events indicating which domain controller the NPS server is using to perform authentication.

The lack of 6272 and 6273 events in the event log indicates that auditing for NPS events is not enabled. Open an elevated PowerShell window and run the following command to view the current auditing setting for NPS events.

auditpol.exe /get /subcategory:”Network Policy Server”

Open an elevated PowerShell window and run the following command to enable auditing for NPS events.

auditpol.exe /set /subcategory:”Network Policy Server” /success:enable /failure:enable

Group Policy

Alternatively, consider using Active Directory group policy to enforce the NPS server auditing settings. Open the Group Policy Management Console (GPMC) and create a new GPO. Next, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff > Audit Network Policy Server and select the option to audit both success and failure attempts.

Once complete, link this GPO to the OU where the NPS servers reside.

Missing Events

If auditing is enabled and there are no recorded 6272 or 6273 events, the NPS server did not receive any authentication requests from the VPN server. Review the event logs on any other NPS servers if there is more than one configured. In addition, this may indicate that network communication between the VPN and NPS server is blocked. Ensure network connectivity and name resolution are working as expected.

Troubleshooting Guides

Are you interested in learning more about Always On VPN troubleshooting? My Always On VPN book contains an entire chapter dedicated to troubleshooting. Also, my Always On VPN video training course on Pluralsight includes a module on troubleshooting. The video training course is available to Pluralsight subscribers only. If you don’t have a Pluralsight subscription, you can sign up for a free trial here.

Additional Information

Troubleshooting Always On VPN Errors 691 and 812

Troubleshooting Always On VPN Errors 691 and 812 – Part 2

Troubleshooting Always On VPN Errors 691 and 812 – Part 3

Always On VPN NPS Load Balancing

3 Comments
by Richard M. Hicks on August 8, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Group Policy, Mobility, network policy server, NPS, Operational Support, PowerShell, Remote Access, reporting, Security, troubleshooting, user tunnel, VPN, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 8, 2022

https://directaccess.richardhicks.com/2022/08/08/always-on-vpn-nps-auditing-and-logging/

Always On VPN at MMSMOA 2022

I am excited to announce that I will be presenting at this year’s Midwest Management Summit at the Mall of America (MMSMOA) in Bloomington, Minnesota. The conference takes place the week of May 2. This is my first time presenting at this event, and I’m looking forward to sharing my experience deploying enterprise mobility and security infrastructure solutions with systems management professionals from around the world.

Sessions

I will be delivering three talks at the conference addressing various secure remote access and certificate services topics.

Managing Always On VPN with Intune

This session will provide administrators with everything they need to know about provisioning and managing Always On VPN client configuration settings using Intune. I’ll be providing tips, tricks, and best practices for Always On VPN profile configuration and demonstrating many of the limitations associated with using Intune. I will provide workarounds whenever possible.

Managing Always On VPN with Intune: The Good, The Bad, and the Ugly

Always On VPN Gateway Options in Azure

Deploying Always On VPN in Azure is increasingly common. However, administrators are unaware of the limitations of supporting Always On VPN connections with native Azure VPN gateway solutions. In this session, I’ll describe in detail what’s required to support Always On VPN and, importantly, what the limitations are.

Always On VPN Gateway Options in Azure

Deploying On-premises PKI Certificates with Intune

As organizations continue to migrate applications, services, and infrastructure to the cloud, the requirement for endpoints to be joined to an on-premises domain is fading. Moving to full Intune management and native Azure Active Directory join for endpoints is increasingly common. However, deploying enterprise PKI certificates o these endpoints is often required. This session will provide detailed guidance for choosing the best solution to deliver on-premises certificates to Azure AD joined devices using Intune.

Deploying on-premises PKI Certificates with Intune

Let’s Connect

I’m looking forward to meeting so many folks who have helped me get up to speed with Microsoft Endpoint Manager/Intune over the years. If you’re attending the conference, or if you are in the area, be sure to reach out. Let’s grab a beer and chat!

Additional Information

Midwest Management Summit at Mall of America (MMSMOA) 2022

Managing Always On VPN with Intune: The Good, The Bad, and the Ugly

Always On VPN Gateway Options in Azure

Deploying on-premises PKI Certificates with Intune

Leave a comment
by Richard M. Hicks on April 11, 2022  •  Permalink
Posted in Always On VPN, AOVPN, Azure, Azure AD, Azure Virtual WAN, Azure VPN, Azure VPN Gateway, certificates, cloud, Conditional Access, Device Management, device tunnel, education, Endpoint Manager, Enterprise, enterprise mobility, Intune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Network Device Enrollment Service, Network Device Enrollment Services, PFX Connector, PKI, PowerShell, public cloud, public key infrastructure, Remote Access, Security, System Center Configuration Manager, systems management, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 11, 2022

https://directaccess.richardhicks.com/2022/04/11/always-on-vpn-at-mmsmoa-2022/

« Older Posts
Newer Posts »