All posts in category PowerShell

Always On VPN Disconnects in Windows 11

Always On VPN administrators migrating their endpoints to Windows 11 may encounter a scenario where Always On VPN randomly disconnects when the VPN profile is deployed using Microsoft Intune. The same configuration deployed to Windows 10 devices works reliably, however. In addition, Always On VPN profiles deployed using PowerShell (natively or with SCCM) or PowerON DPC do not experience this problem.

Troubleshooting

Administrators troubleshooting this issue will find the root cause is associated with the Always On VPN profiles being removed and replaced each time the device syncs with Intune. This occurs even if there are no changes to the configuration. Removing and replacing the Always On VPN profiles on each device sync is unnecessary, of course, but is also highly disruptive to connected users.

Intune and XML

The Intune team identified the issue, and a fix was made available in the August update. However, many of you have reported the issue persists with some Windows 11 clients after installing the latest updates. Further investigation indicates that although the issue has been resolved when using Intune and the native VPN device configuration profile template, the problem still occurs when using the Custom device configuration template.

Workaround

Microsoft is aware of the issues with deploying Always On VPN client configuration settings using XML in Intune, but there’s no indication when or if they will fix it. Until then, administrators have two options to address this problem.

Native VPN Template

When deploying Always On VPN client configuration settings to Windows 11 endpoints, use the native VPN device configuration template, as shown here.

Using the native VPN template does have some limitations, however. The following settings are not exposed using the native VPN template and can only be configured using XML.

XML

If you must use XML, I’ve had some success by ensuring the order of XML settings is exactly as Intune expects. Follow the steps below to confirm the XML settings order in your XML configuration file.

  1. Deploy your XML file with Intune.
  2. Run Get-VpnClientProfileXML.ps1 to extract the deployed XML settings.
  3. Compare the order of settings to your existing XML.
  4. Make changes to ensure all settings in your XML are in the same order as the extracted XML.
  5. Publish a new XML configuration file using Intune and test.

I’ll caution you that this workaround doesn’t always work reliably. Some customers report that this solved their problems entirely, while others have indicated it does not. My testing shows the same results. Let us know in the comments below if this works for you!

Additional Information

Always On VPN Windows 11 Issues with Intune

Always On VPN PowerShell Script Issues in Windows 11

4 Comments
by Richard M. Hicks on October 9, 2023  •  Permalink
Posted in Always On VPN, AOVPN, AovpnDPC, Application Filter, Azure AD Join, Azure VPN, Deployment, Device Management, device tunnel, DPC, Dynamic Profile Configurator, Endpoint Manager, Enterprise, enterprise mobility, InTune, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobility, OMA-DM, OMA-URI, Operational Support, PowerShell, ProfileXML, Remote Access, SCCM, System Center Configuration Manager, systems management, Traffic Filter, Update, user tunnel, VPN, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 9, 2023

https://directaccess.richardhicks.com/2023/10/09/always-on-vpn-disconnects-in-windows-11/

Always On VPN and RRAS on Windows Server Core

Windows Server Core is a refactored version of the full Windows Server operating system. Server Core does not include a Graphical User Interface (GUI) and must be managed via the command line or with PowerShell. The Routing and Remote Access Service (RRAS) is a supported workload on all supported versions of Windows Server including Windows Server 2022. Always On VPN administrators should consider installing and configuring RRAS on Windows Server Core to ensure their VPN infrastructure’s best security and performance.

Server Core Benefits

Windows Server Core is a minimal installation option of the Windows Server operating system that provides numerous benefits, particularly for environments where security, resource efficiency, and reduced maintenance overhead are essential. Here are some of the key benefits of using Windows Server Core.

Minimized Attack Surface – Windows Server Core has a smaller footprint compared to the full GUI version, which means fewer components and services are installed by default. This reduces the potential attack surface and minimizes security vulnerabilities.

Enhanced Security – With fewer components and a reduced attack surface, there are fewer potential vectors for malware or unauthorized access. This makes Windows Server Core a more secure choice for critical server roles like RRAS.

Reduced Maintenance – Since there are fewer components to update, patching and maintaining a Windows Server Core system is quicker and requires less effort. This is especially beneficial in large-scale server deployments.

Improved Stability – By removing the graphical user interface (GUI), Windows Server Core has fewer processes running in the background, leading to a more stable and predictable server environment.

Simplified Management – Windows Server Core is designed for remote administration. It allows the administrator to manage it using command-line tools, PowerShell, or remote management tools like the Remote Server Administration Tools (RSAT) and Windows Admin Center. This makes it easier to manage multiple servers from a single location.

Faster Reboots – Windows Servers require periodic reboots. With Windows Server Core, reboot times are considerably faster, resulting in less downtime during maintenance periods.

RSAT

The Remote Server Administration Tools (RSAT) can be installed on Windows clients and servers to enable remote administration using the familiar Routing and Remote Access Management console (rrasmgmt.msc) and Remote Access Management console (ramgmtui.exe) GUI tools.

Windows Client

To install the Remote Access Management tools on Windows client operating systems, navigate to Settings > Apps > Optional Features. Click Add a feature, select RSAT: Remote Access Management Tools, then click Install.

Optionally the Remote Access Management tools can be installed by running the following PowerShell command.

Add-WindowsCapability -Online -Name Rsat.RemoteAccess.Management.Tools~~~~0.0.1.0

Windows Server

To install the Remote Access Management tools on Windows Server run the following PowerShell command.

Install-WindowsFeature -Name RSAT-RemoteAccess

Windows Admin Center

The Windows Admin Center is a free remote management tool from Microsoft for managing Windows Server (core and GUI) remotely. It is especially helpful for Server Core management as it provides a GUI for many common administrative tasks.

You can download Windows Admin Center here.

Additional Information

Windows Server Core Installation Option

Windows Server Core vs. Desktop

PowerShell Remote Server Administration

Windows Admin Center

1 Comment
by Richard M. Hicks on October 2, 2023  •  Permalink
Posted in Admin Center, administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, Remote Administration, routing, routing and remote access service, RRAS, RSAT, Security, Server Core, VPN, Windows 10, Windows 11, Windows Admin Center, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 2, 2023

https://directaccess.richardhicks.com/2023/10/02/always-on-vpn-and-rras-on-windows-server-core/

Always On VPN and Interface Metrics

Always On VPN DNS Registration Update Available

In Windows, each network interface identified by the operating system is assigned a metric value. Interface metrics are settings that determine the priority or preference of network interfaces when there are multiple active network connections. The Windows networking stack uses these metrics to determine which network interface should be used for routing traffic when multiple network interfaces are available. Network interface metrics are critical for Always On VPN administrators to understand because they can impact how name resolution requests are processed when an Always On VPN connection is established.

Metric Values

By default, Windows automatically assigns metric values to network interfaces (including VPN interfaces) based on various factors, including the connection speed, link state, and interface type. It tries to select the most suitable interface for general internet connectivity.

Metrics and DNS

Windows will also use the network interface with the lowest metric value as the preferred interface for sending DNS queries by default. This means that DNS queries will be routed through the network interface with the lowest metric value, assuming it is available and connected. When an Always On VPN connection is established, DNS queries may fail or return unexpected results if the network interface metrics are not configured optimally.

Split DNS and Wired Ethernet

Split DNS (sometimes called ‘split brain DNS’) is when the DNS namespace is the same internally and externally. The most common scenario where interface metric settings interfere with DNS operation is when using split DNS and the endpoint is connected to the Internet with a wired Ethernet connection. In this scenario, the Ethernet interface will be assigned the same or lower interface metric value as the Always On VPN interface, which can yield unexpected results.

Viewing Metrics

Always On VPN administrators can view currently assigned interface metric values by running the following PowerShell command.

Get-NetIpInterface

Assigning Metrics

Most Always On VPN administrators will never have to change interface metric settings. However, if your implementation uses split DNS and some of your endpoints connect using wired Ethernet connections, you may need to update the interface metric settings to ensure proper DNS operation. Choose a setting for the interface metric value that is lower than the wired Ethernet interface. I’ve used a value of ‘3’ without issue for many years. Use one of the following methods to update the interface metric for Always On VPN connections.

PowerShell

Updating interface metric settings in Windows can be accomplished by running the Set-NetIpInterface PowerShell command.

Set-NetIpInterface -InterfaceAlias <connection name> -InterfaceMetric 3

Note: Using PowerShell to assign the interface metric is not persistent! While this method is suitable for local validation testing, you should use one of the following methods to implement this change permanently.

Rasphone.pbk

To assign the interface metric permanently, Always On VPN administrators can edit the following settings in the rasphone.pbk configuration file.

IpInterfaceMetric=3

Ipv6InterfaceMetric=3

Administrators can automate updating this setting using the Update-Rasphone.ps1 PowerShell script. In addition, the following scripts can be used with Microsoft Intune remediation.

Detect-DeviceIpv4InterfaceMetric.ps1

Remediate-DeviceIpv4InterfaceMetric.ps1

Detect-DeviceIpv6InterfaceMetric.ps1

Remediate-DeviceIpv6InterfaceMetric.ps1

Detect-Ipv4InterfaceMetric.ps1

Remediate-Ipv4InterfaceMetric.ps1

Detect-Ipv6InterfaceMetric.ps1

Remediate-Ipv6InterfaceMetric.ps1

DPC

Organizations using PowerON Platforms’ Dynamic Profile Configurator (DPC) to manage Always On VPN client configuration settings with Active Directory and group policy or Microsoft Intune can enable the VPN Tunnel Metric setting.

Additional Information

Get-NetIpInterface PowerShell Command

Set-NetIpInterface PowerShell Command

Managing Always On VPN Client Settings with DPC

Always On VPN DPC with Microsoft Intune

Always On VPN DPC Advanced Features

Always On VPN DPC Video Demonstration

PowerON Platforms Always On VPN Dynamic Profile Configurator (DPC)

7 Comments
by Richard M. Hicks on September 25, 2023  •  Permalink
Posted in Active Directory, administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Deployment, Device Management, device tunnel, DNS, DPC, Dynamic Profile Configurator, Endpoint Manager, Enterprise, enterprise mobility, Group Policy, HAADJ, Hybrid Azure AD Join, Infrastructure, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Name Resolution, Operational Support, PowerShell, ProfileXML, Remote Access, Split DNS, split tunnel, split tunneling, systems management, user tunnel, VPN, Windows 10, Windows 11, XML
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 25, 2023

https://directaccess.richardhicks.com/2023/09/25/always-on-vpn-and-interface-metrics/

« Older Posts
Newer Posts »