Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN SSTP Security Configuration

When configuring the Windows Server Routing and Remote Access Service (RRAS) to support Secure Socket Tunneling Protocol (SSTP) for Always On VPN user tunnel connections, administrators must install a Transport Layer Security (TLS) certificate on the VPN server. The best practice is to use a certificate issued by a public Certification Authority (CA). In addition, administrators should use a TLS certificate using Elliptic Curve Digital Signature Algorithm (ECDSA) for optimal security and performance.

Let’s Encrypt

Obtaining a public TLS certificate is not inherently difficult, nor is it expensive. However, Let’s Encrypt is a nonprofit public CA issues TLS certificates entirely for free. Always On VPN supports Let’s Encrypt TLS certificates, and installing a Let’s Encrypt certificate on the Always On VPN RRAS server is quite simple.

Pros and Cons

Using Let’s Encrypt certificates for Always On VPN has several significant advantages over traditional public CAs.

  • Cost – Let’s Encrypt certificates are free! No cost whatsoever.
  • Speed – Enrolling for a Let’s Encrypt certificate takes just a few minutes.
  • Trusted – Let’s Encrypt certificates are trusted by default in Windows 10 and Windows 11.

Let’s Encrypt is not without some drawbacks, however.

  • Lifetime – Let’s Encrypt certificates are only valid for 90 days.
  • Administration – Certificates must be redeployed frequently (every 90 days).
  • Security – PFX files (which include private keys) are left on disk by default.

It is possible to mitigate some of these drawbacks, though. For example, deleting PFX files after import can improve security. Alternatively, using a Certificate Signing Request (CSR) eliminates PFX files completely.

Also, it is possible to fully automate the Let’s Encrypt certificate enrollment and RRAS configuration process, which eases the administrative burden. And rotating certificates every 90 days could be considered an advantage from a security perspective! Enrolling new certificates (and specifically certificates with unique keys) is advantageous in that respect.

Certificate Enrollment

There are several different ways to enroll for Let’s Encrypt certificates. The preferred method is using PowerShell, as it works on both Windows Server with Desktop Experience (GUI) and Windows Server Core. Using PowerShell, administrators can also fully automate the enrollment and assignment of the certificate in RRAS.

PowerShell Module

To enroll for Let’s Encrypt TLS certificates on the VPN server, install the Posh-ACME PowerShell module. On the RRAS server, open an elevated PowerShell window and run the following command.

Install-Module Posh-ACME

Certificate Request

After installing the Posh-ACME PowerShell module, select a Let’s Encrypt environment by running the following command. Use LE_PROD for the production Let’s Encrypt server or LE_STAGE for the staging environment (used for testing).

Set-PAServer LE_PROD

Next, request a new certificate using the following command.

New-PACertificate -Domain vpn.example.net -Contact ‘[email protected]’ -CertKeyLength ec-256 -AcceptTOS -Install

The administrator is prompted to create a TXT record in public DNS to prove ownership of the domain. Using the example above, create a DNS record called _acme-challenge.vpn in the example.net DNS zone.

Once complete, the TLS certificate is automatically installed in the local computer certificate store on the VPN server and can be assigned in the RRAS management console, as shown here.

Note: R3 is a Let’s Encrypt issuing certification authority.

DNS Plugin

The Posh-ACME PowerShell module supports DNS plugins that allow administrators to automate the creation of the DNS TXT record used to authorize certificate enrollment. DNS plugins for many public DNS providers are available. Some of the more popular DNS providers are listed here.

  • Microsoft Azure
  • Amazon Route53
  • Cloudflare
  • Akamai
  • GoDaddy
  • Infoblox
  • Windows Server

A list of all supported DNS plugins for Posh-ACME can be found here.

Certificate Binding

Administrators can use the following PowerShell example code to automate the process of binding the new TLS certificate to the SSTP listener in RRAS.

$Thumbprint = <TLS certificate thumbprint>
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My\$thumbprint
Set-RemoteAccess -SslCertificate $Cert
Restart-Service RemoteAccess -Passthru

Additional Information

Posh-ACME Tutorial

Windows 10 Always On VPN TLS Certificate Requirements for SSTP

Windows 10 Always On VPN SSTP Security Configuration

Always On VPN Book Available for Pre-Order

Great news! My new book, Implementing Always On VPN, is now available for pre-order on Amazon.com. This new book, scheduled for release in late 2021, is a comprehensive implementation guide for Windows 10 Always On VPN. Drawing on many years of experience deploying Always On VPN for organizations worldwide, it covers all aspects of an Always On VPN deployment, including planning and design, prerequisite gathering, infrastructure preparation, and client deployment.

In addition, it contains detailed, prescriptive guidance for advanced configuration options such as application and traffic filtering and proxy server configuration. Cloud deployments using Azure VPN gateway and Virtual WAN are covered, and it includes guidance for configuring Azure MFA and Conditional Access.

Also, the book includes thorough guidance for provisioning certificates using Microsoft Endpoint Manager/Intune using both PKCS and SCEP. It outlines options for high availability for VPN and authentication infrastructure and provides details for ongoing system maintenance and operational support.

Finally, the book has an entire chapter dedicated to troubleshooting and resolving common (and not so common!) issues encountered with Windows 10 Always On VPN.

Reserve your copy today. Pre-order Implementing Always On VPN now!

Chapter List

  1. Always On VPN Overview
  2. Plan an Always On VPN Deployment
  3. Prepare the Infrastructure
  4. Configure Windows Server for Always On VPN
  5. Provision Always On VPN clients
  6. Advanced Configuration
  7. Cloud Deployments
  8. Deploy Certificates with Intune
  9. Integrating Azure MFA
  10. High Availability
  11. Monitor and Report
  12. Troubleshooting

Always On VPN Error 853 on Windows 11

Recently I did some validation testing with Always On VPN on Windows 11, and I’m happy to report that everything seems to work without issue. However, a few readers have reported 853 errors when establishing an Always On VPN connection after upgrading to Windows 11.

Can’t Connect

After upgrading to Windows 11, an Always On VPN connection may fail with the following error message.

“The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure the certificate used for authentication is valid.”

Error 853

In addition, the Application event log records an event ID 20227 from the RasClient source that includes the following message.

“The user <username> dialed a connection name <connection name> which has failed. The error code returned on failure is 853.”

Server Identity

This error will occur when using Protected Extensible Authentication Protocol (PEAP) authentication. Specifically, it can happen when the option to verify NPS server validity by its certificate is selected, and an explicit list of NPS servers is defined, as shown here.

Case Sensitive

In this specific scenario, Windows 11 now appears to be case-sensitive when it compares the NPS server name entered in the NPS configuration to the Subject Name on the certificate returned by the server. For example, if the Subject Name (or Subject Alternative Name, if present) entry on the NPS server certificate is nps.lab.richardhicks.net, using NPS.lab.richardhicks.net will not match and return an 853 error.

Windows 11

Case matching when validating the NPS server certificate is a change in behavior from Windows 10. Before Windows 11, this comparison was case-insensitive, and any combination of case would match if the entire hostname matched. Going forward, it appears Microsoft has also decided to require case matching to validate the server certificate.

Recommendations

Administrators should look carefully at the server certificate issued to the NPS server and ensure their client configuration accurately reflects the hostname in a case-sensitive manner to ensure a smooth migration from Windows 10 to Windows 11.

Additional Information

Troubleshooting Windows 10 Always On VPN Error 853

Windows 10 Always On VPN Network Policy Server (NPS) Load Balancing

Troubleshooting Always On VPN Error 853

Troubleshooting Always On VPN Error 691 and 812 – Part 2

Using Windows Server Network Policy Server (NPS) servers is a common choice for authenticating Microsoft Windows 10 Always On VPN user tunnel connections. The NPS server is joined to the domain and configured with a Network Policy that defines the authentication scheme used by clients for authentication when establishing an Always On VPN connection. Protected Extensible Authentication Protocol (PEAP) using client authentication certificates recommended for most Always On VPN deployment scenarios.

Can’t Connect

Users establishing an Always On VPN user tunnel connection using PEAP and client authentication certificates may encounter a scenario in which a VPN connection attempt fails with the following error message.

“The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid.”

Error 853

In addition, the Application event log records an event ID 20227 from the RasClient source that includes the following error message.

“The user <username> dialed a connection named <connection name> which has failed. The error code is 853.”

Missing NTAuth Certificate

Error code 853 is commonly caused by a missing issuing Certification Authority (CA) certificate in the NTAuth store on the NPS server. The NPS server must have the issuing CA certificate included in this store to perform authentication using client certificates. You can see the contents of the NTAuth certificate store by opening an elevated command window on the NPS server and running the following command.

certutil.exe -enterprise -viewstore NTAuth

Install Certificate

To install the issuing CA server’s certificate into the NTAuth store, copy the CA certificate to the NPS server, open an elevated command window, then run the following command.

certutil.exe -enterprise -addstore NTAuth <issuing CA certificate>

Once complete, view the store again, and you’ll see the issuing CA certificate listed in the NTAuth certificate store.

Additional Information

Troubleshooting Always On VPN Error Code 858

Troubleshooting Always On VPN Error Code 864

Always On VPN and Windows Server 2019 NPS Bug

Always On VPN Network Policy Server (NPS) Load Balancing

Microsoft Network Policy Server (NPS) Reason Codes

Always On VPN and Zero Trust Network Access (ZTNA)

Always On VPN and Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is a term that administrators are likely familiar with, as it is one of the hottest marketing buzzwords in circulation today. ZTNA can mean different things depending on the deployment scenario. ZTNA is fundamentally about enforcing the principle of least privilege for endpoints connecting remotely to the corporate network when it comes to enterprise mobility and remote access.

Trusted Access

Historically, VPNs and even DirectAccess granted full, unrestricted network access to authenticated devices and users. Once the endpoint has an IP address, and in the absence of other controls (routing limitations, firewall access controls, etc.), the user could access any resource on the internal network. The rationale was that authenticated devices and users should be considered “trusted”.

Limitations

The Trusted Access model has some significant limitations. It assumes that all traffic from authorized users and devices is legitimate. However, if an endpoint is compromised, an attacker has broad access to the internal network, which is not ideal from a security perspective.

Zero Trust

Zero Trust Network Access is a concept where administrators define explicitly the minimum level of access required to support remote workers. Instead of granting full network access to the endpoint, controlling access using fine-grained policies is enforced on the VPN connection. Configuring limited network access for Always On VPN clients dramatically reduces exposure of the internal network to compromised endpoints.

ZTNA Management

There is a significant management burden associated with this approach, however. Administrators must identify each application requiring VPN access and determine all associated protocols and ports to be allowed, and internal resources to which they will communicate. Although this task isn’t difficult if clients require access to a small subset of internal resources, it can be a substantial undertaking if clients require access to many internal resources from numerous client applications.

Moving Targets

Making things more challenging is that application and network infrastructure often change constantly, requiring administrators to manage network access continually to ensure application availability. When adding new applications or changing the internal infrastructure, updating the configuration on all remote endpoints will be required.

Updating Always On VPN configuration for devices managed with Microsoft Endpoint Manager (formerly Intune) isn’t difficult. However, it can be more challenging when using PowerShell with System Center Configuration Manager (SCCM) or another endpoint management platform.

Traffic Filters

ZTNA can be configured with Always On VPN using Traffic Filters. With Traffic Filters, administrators can apply fine-grained access control for VPN traffic based on a combination of the following.

  • Source IP address (IP address, address range, or subnet)
  • Destination IP address (IP address, address range, or subnet)
  • Protocol (TCP, UDP, IP, etc.)
  • Source Port
  • Destination Port

Endpoint Manager Configuration

Configuring Traffic Filters for Always On VPN connections can be performed using Microsoft Endpoint Manager. Open the Endpoint Manager management console (https://endpoint.microsoft.com), navigate to the Always On VPN device configuration profile, then perform the following steps.

  1. Expand App and Traffic Rules.
  2. Click Add next to Network traffic rules for this VPN connection.
  1. Enter a descriptive name in the Name field.
  2. Select Split tunnel from the Rule type drop-down list.
  3. Enter “6” in the Protocol field.
  4. Enter “3389” in the Lower port and Upper port fields in the Remote port ranges section.
  5. Enter an IPv4 address in the Lower IPv4 address field.
  6. Enter an IPv4 address in the Upper IPv4 address field. Enter the same IPv4 address as the lower address to specify a single host.
  7. Click Save.

The example above shows a traffic filter restricting access to TCP port 3389 (Remote Desktop Protocol) from all VPN clients to the 172.16.0.0/24 network.

Note: Repeat these steps to create as many traffic filters as required for any processes or applications that must communicate over the Always On VPN connection.

XML Configuration

Traffic Filters can also be configured using custom XML. To implement the same Traffic Filter described previously, add the following code between the <VPNProfile> and </VPNProfile> tags in your XML configuration file.

<TrafficFilter>
   <Protocol>6</Protocol>
   <RemotePortRanges>3389</LocalPortRanges>
   <RemoteAddressRanges>172.16.0.0/24</RemoteAddressRanges>
</TrafficFilter>

Note: Address ranges used in Traffic Filters can be defined using CIDR notation in XML, but they are not supported using Microsoft Endpoint Manager today.

Default Deny

When configuring a Traffic Filter for an Always On VPN profile, an implicit “deny all” rule is automatically enabled. Any traffic not explicitly defined in a Traffic Filter will be denied, including unsolicited inbound traffic, which has crucial implications for the device tunnel because it is used commonly for system management of remote devices.

Direction

Traffic Filters are enabled for the Outbound direction only, by default. Beginning with Windows 10 2004, Microsoft introduced support for Inbound traffic filters. Before Windows 10 2004, configuring a Traffic Filter on the device tunnel would break manage-out scenarios by denying all unsolicited inbound network access.

As of this writing, configuring inbound Traffic Filters using Microsoft Endpoint Manager is not supported. They are only configurable using custom XML.

To implement a Traffic Filter to allow inbound RDP access from the internal network over the device tunnel, add the following code between the <VPNProfile> and </VPNProfile> tags in your XML configuration file.

<TrafficFilter>
   <Protocol>6</Protocol>
   <LocalPortRanges>3389</LocalPortRanges>
   <RemoteAddressRanges>172.16.0.0/16</RemoteAddressRanges>
   <Direction>Inbound</Direction>
</TrafficFilter>

Note: When configuring inbound Traffic Filters, specify the port of the listening process or application using the LocalPortRanges field.

Application Filters

Administrators can combine Application Filters with Traffic Filters to control network access over the Always On VPN connection even more granularly. Applications can be defined by the following.

  • Package Family Name (PFN) – This is the unique name of a Microsoft Store application. Use the Get-AppxPackage PowerShell command to find the PFN for an application.
  • File Path – This is the full path to any executable on the file system. For example, c:\Windows\System32\mstsc.exe.
  • SYSTEM – This allows Windows kernel-mode drivers (such as ping.exe and net.exe) to send traffic over the Always On VPN connection.

As of this writing, configuring Application Filters using Microsoft Endpoint Manager is not supported. They are only configurable using custom XML.

Application Filter Examples

Below are three examples showing different Application Filters based on file path, Package Family Name, and SYSTEM.

File Path

This example shows a Traffic Filter configured to allow RDP access to an internal subnet using the native Windows Remote Desktop client (mstsc.exe).

<TrafficFilter>
   <App>
      <Id>C:\Windows\System32\mstsc.exe</Id>
   </App>
   <Protocol>6</Protocol>
   <RemotePortRanges>3389</RemotePortRanges>
   <RemoteAddressRanges>172.16.0.0/24</RemoteAddressRanges>
</TrafficFilter>

Package Family Name

This example shows a Traffic Filter configured to allow RDP access to an internal subnet using the Microsoft Windows Store Remote Desktop client.

<TrafficFilter>
   <App>
      <Id>Microsoft.RemoteDesktop_8wekyb3d8bbwe</Id>
   </App>
   <Protocol>6</Protocol>
   <RemotePortRanges>3389</RemotePortRanges>
   <RemoteAddressRanges>172.16.0.0/24</RemoteAddressRanges>
</TrafficFilter>

SYSTEM

This example shows a Traffic Filter configured to allow the netsh.exe process access to an internal subnet.

<TrafficFilter>
   <App>
      <Id>SYSTEM</Id>
   </App>
   <Protocol>6</Protocol>
   <RemotePortRanges>445</RemotePortRanges>
   <RemoteAddressRanges>172.16.0.0/24</RemoteAddressRanges>
</TrafficFilter>

This example shows a Traffic Filter configured to allow the ping.exe process access to an internal subnet.

<TrafficFilter>
   <App>
      <Id>SYSTEM</Id>
   </App>
   <Protocol>1</Protocol>
   <RemoteAddressRanges>172.16.0.0/24</RemoteAddressRanges>
</TrafficFilter>

Note: Ping uses ICMP (IP protocol 1), which is a network layer protocol. As such, defining ports for the filter is not required.

IPv6 Compatibility

Sadly, the filtering techniques described in this article do not work when also configuring IPv6 on the Always On VPN connection. As of this writing, enabling Traffic Filters when an IPv6 address is assigned to the VPN interface is not supported. More details can be found here.

Always On VPN Traffic Filters and IPv6

Summary

Configuring Zero Trust Network Access (ZTNA) with Windows 10 Always On VPN is not trivial. Still, with attention to detail, it can be a highly effective tool to enforce fine-grained network access policies and reduce exposure of the internal network to compromised endpoints. Combining Traffic Filters with Application Filters allows administrators to tightly control Always On VPN access and ensure the principle of least privilege is applied.

Additional Information

Windows 10 Always On VPN Traffic Filters and IPv6

Windows 10 Always On VPN User Tunnel XML Configuration Reference File

Windows 10 Always On VPN Device Tunnel XML Configuration Reference File

Windows 10 Always On VPN VPNv2 CSP Reference

IP Protocol Numbers

Always On VPN Traffic Filters and IPv6

Always On VPN Windows Server RRAS Service Does Not Start

Using Traffic Filters with Always On VPN provides administrators the option to configure a true Zero Trust Network Access (ZTNA) solution for their field-based users and devices. By enabling traffic filtering, network access over the Always On VPN connection can be controlled using fine-grained policies. Traffic Filter rules can be configured to restrict access based source and destination IP addresses, protocols, and source and destination ports. Administrators can further restrict access based on the application generating the traffic.

IPv6

While testing these features recently, I learned that the Microsoft Endpoint Manager (formerly Intune) user interface does not appear to support IPv6 when configuring traffic filter rules. As you can see here, the UI explicitly asks for an IPv4 address and complains when entering an IPv6 address in the address field, as shown here.

Interestingly, it is possible to add IPv6 addresses in XML, as follows.

<TrafficFilter>
   <App>
      <Id>Microsoft.RemoteDesktop_8wekyb3d8bbwe</Id>
   </App>
   <Protocol>6</Protocol>
   <RemotePortRanges>3389</RemotePortRanges>
   <RemoteAddressRanges>2001:470:f109::/48</RemoteAddressRanges>
</TrafficFilter>

Connection Failure

Unfortunately, after loading the XML on a test client, the Always On VPN connection fails with the following error message.

“Can’t connect to <ConnectionName>. Catastrophic failure.”

In addition, the Application event log records an event ID 20227 from the RasClient source with the following error.

“The user <UserName> dialed a connection name <ConnectionName> which has failed. The error code returned on failure is -2147418113.”

Workaround

At this time, the only known workaround is to update the configuration on the RRAS server to use IPv4 addressing for VPN clients.

Summary

Unfortunately, IPv6 is still a second-class citizen when it comes to Always On VPN. Although enabling IPv6 works well in most common deployment scenarios, the Microsoft Endpoint Manager management console often fails to accept IPv6 entries in IP address fields. In addition, some advanced features such as traffic filtering are incompatible with IPv6.

Additional Information

Windows 10 Always On VPN and Zero Trust Network Access (ZTNA)

Windows 10 Always On VPN Windows Server RRAS Service Does Not Start

Always On VPN and Autopilot Hybrid Azure AD Join

Always On VPN and Autopilot Hybrid Azure AD Join

Windows Autopilot is a cloud-based technology that administrators can use to configure new devices wherever they may be, whether on-premises or in the field. Devices provisioned with Autopilot are Azure AD joined by default and managed using Microsoft Endpoint Manager. Optionally, an administrator can enable hybrid Azure AD join by also joining the device to an on-premises Active Directory domain using a domain join configuration profile in conjunction with the offline domain-join connector. Although enabling hybrid Azure AD join might sound appealing, there are specific deployment scenarios that present some rather unique and challenging problems when using this option.

Offline Hybrid Azure AD Join

For field-based devices, the device must have connectivity to a domain controller to support the initial login when the user has no local cached credentials. The Always On VPN device tunnel can be deployed in this scenario to provide connectivity and allow the user to log in to a new device the first time without being on-premises. The Always On VPN device tunnel is easily deployed using a Microsoft Endpoint Manager configuration profile. Certificates required to support the device tunnel can be deployed with Microsoft Endpoint Manager and one of the certificate connectors for Microsoft Endpoint Manager.

Windows 10 Professional

If a Windows 10 Professional device is configured using Autopilot, and hybrid Azure AD joined is enabled, the Always On VPN device tunnel can still be provisioned, but it won’t start automatically because it requires Enterprise Edition to be fully functional. This prevents the user from being able to logon the first time. The device must be upgraded to Enterprise Edition before the first user logon. There are multiple ways to accomplish this depending on the deployment scenario and activation requirements.

Multiple Activation Key

The easiest way to upgrade Windows 10 Professional to Enterprise Edition is to obtain a Multiple Activation Key (MAK) and deploy that to clients using a Microsoft Endpoint Manager configuration profile. Follow the steps below to create a configuration profile to perform this upgrade.

  1. Open the Microsoft Endpoint Manager console and click on Devices > Configuration Profiles.
  2. Click Create profile.
  3. Select Windows 10 and later in the Platform drop-down list.
  4. Select Templates in the Profile type drop-down list.
  5. Select Edition upgrade and mode switch from the list of templates.
  6. Click Create.

Use the following steps to configure the settings for the configuration profile.

  1. Enter a descriptive name for the configuration profile in the Name field.
  2. Enter a description for the profile in the Description field (optional).
  3. Click Next.
  4. Expand the Edition Upgrade section and select Windows 10 Enterprise from the Edition to upgrade to drop-down list.
  5. Enter your multiple activation product key in the Product Key field.

    Always On VPN and Autopilot Hybrid Azure AD Join

Once complete, assign the configuration profile to the appropriate groups and click Create.

KMS Activation

If Key Management Service (KMS) activation is required, follow the steps listed previously for MAK. Enter the KMS client setup key for Windows 10 Enterprise which is NPPR9-FWDCX-D2C8J-H872K-2YT43. The device will complete KMS activation when it can connect to the on-premises KMS host.

Subscription Activation

Windows 10 Enterprise Edition licensing is included in some Microsoft 365 subscriptions. This poses a unique challenge for hybrid Azure AD join scenarios, however. Specifically, subscription activation is a “step-up” process that requires Windows 10 Professional to have been successfully activated previously. Also, this occurs after the user logs on, but the user cannot log on unless the device tunnel is active. Catch 22!

Workaround

A multi-step process is required to address the limitations imposed by subscription activation. To begin, the device must be upgraded to Enterprise Edition, so the device tunnel is available for the initial user logon. This is a temporary, one-time upgrade to Enterprise Edition solely for the purpose of getting the device tunnel to connect and allow the user to authenticate.

To begin, download this PowerShell script and follow the steps below to deploy it to Windows 10 devices using Microsoft Endpoint Manager.

  1. Open the Microsoft Endpoint Manager console and click on Devices > Scripts.
  2. Click Add and select Windows 10.
  3. Enter a descriptive name for the configuration profile in the Name field.
  4. Enter a description for the profile in the Description field (optional).
  5. Click Next.
  6. Enter the location of the PowerShell script in the Script location field.
  7. Click Next, then assign the script to the appropriate device group(s) and click Add.

The PowerShell script will automatically install the KMS client setup key for Windows 10 Enterprise Edition, then restart the network interfaces to ensure the device tunnel starts. This will immediately upgrade the client device to Windows 10 Enterprise Edition and allow the user to authenticate.

Subscription activation with a step-up upgrade to Enterprise Edition still requires that Windows 10 Professional be activated first. To accomplish this, the embedded Windows 10 Professional key must be re-installed on the client. To do this, download this PowerShell script and follow the same steps listed previously to deploy a PowerShell script with Microsoft Endpoint Manager. However, this script should be assigned to users, not devices.

Once this script is run on the client it will be downgraded (temporarily) to Windows 10 Professional edition. After activation is successful, subscription activation will once again upgrade the client to Windows 10 Enterprise Edition.

Considerations

As you can see, the process of getting a Windows 10 Professional edition client onboarded in a hybrid Azure AD joined scenario is somewhat complex. My advice is to avoid this scenario whenever possible. Access to on-premises resources with the Always On VPN user tunnel with full single sign-on support is still available for users on Windows 10 devices that are Azure AD joined only. Unless there is a specific requirement to manage client devices using on-premises Active Directory and group policy, consider choosing native Azure AD join with Autopilot and manage devices using Microsoft Endpoint Manager exclusively.

Special Thanks

I would like to extend a special thank you to everyone in the Microsoft Endpoint Manager community who provided valuable input and feedback for me on this topic, especially John Marcum, Michael Niehaus, and Sandy Zeng. Follow the #MEMCM hashtag on Twitter to keep up on all things Microsoft Endpoint Manager.

Additional Information

Overview of Windows Autopilot

Windows 10 Subscription Activation

Windows 10 Always On VPN Class-Based Default Route and Microsoft Endpoint Manager

Windows 10 Always On VPN Device Tunnel and Custom Cryptography in Microsoft Endpoint Manager

Always On VPN IPsec Root Certificate Configuration Issue

Always On VPN Device Tunnel Status IndicatorWhen configuring a Windows Routing and Remote Access Service (RRAS) server to support Internet Key Exchange version 2 (IKEv2) VPN connections, it is essential for the administrator to define the root certification authority for which to accept IPsec security associations (SAs). Without defining this setting, the VPN server will accept a device certificate issued by any root certification authority defined in the Trusted Root Certification Authorities store. Details about configuring IKEv2 security and defining the root certification authority can be found here.

Multiple Root Certificates

Administrators may find that when they try to define a specific root certification authority, the setting may not be implemented as expected. This commonly occurs when there is more than one root certificate in the Trusted Root Certification Authorities store for the same PKI.

Always On VPN IPsec Root Certificate Configuration Issue

Certificate Selection

When running the PowerShell command Set-VpnAuthProtocol to define the root certification authority, PowerShell may ignore the administrator-defined certificate and choose a different one, as shown here. This will result in failed IPsec VPN connections from Windows 10 Always On VPN clients using IKEv2.

Always On VPN IPsec Root Certificate Configuration Issue

Certificate Publishing

This issue can occur when root certification authority certificates are published using Active Directory group policy. It appears that Windows prefers Active Directory group policy published certificates over those published directly in the Certification Authorities Container in Active Directory. To resolve this issue, remove any group policy objects that are publishing root certification authority certificates and ensure those root certificates are published in the Certification Authorities container in Active Directory.

PowerShell Script

A PowerShell script to configure this setting that can be found in my Always On VPN GitHub repository here. I have updated this script to validate the defined root certification authority certificate and warn the user if it does not match.

Additional Information

Set-Ikev2VpnRootCertificate.ps1 PowerShell script on GitHub

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN IKEv2 Load Balancing and NAT

Windows 10 Always On VPN IKEv2 Features and Limitations

Windows 10 Always On VPN IKEv2 Fragmentation

Windows 10 Always On VPN IKEv2 Certificate Requirements

Always On VPN Updates for Windows 10 2004

Always On VPN Updates for Windows 10 2004Microsoft recently made available an update for Windows 10 2004 that includes many important fixes for outstanding issues with Windows 10 Always On VPN. KB4571744 (build 19041.488) addresses many challenges faced by Always On VPN administrators today, including the following.

TPM

This update addresses an issue that prevents hash signing from working correctly using the Microsoft Platform Crypto Provider for Trusted Platform Module (TPM). This issue can occur when administrators configure Always On VPN to use Protected Extensible Authentication Protocol (PEAP) with client certificate authentication using a FortiGate security device.

Sleep/Hibernate

This update also addresses issues with Windows 10 Always On VPN failing to automatically reconnect when resuming from sleep or hibernate. I’ve written about issues with Always On VPN and sleep/hibernate in the past. This is an issue that has plagued Always On VPN since its introduction, so let’s hope this finally provides some meaningful relief from this persistent problem.

Certificate Authentication

When both the Always On VPN device tunnel and user tunnel are provisioned to a Windows 10 clients, user tunnel connections may be authenticated using the machine certificate and not EAP/PEAP. This can result in connections that are not validated as intended, and allowing a user to bypass configured NPS policies, MFA requirements, or conditional access rules. This update includes a fix for this issue, restoring proper authentication for the user tunnel when the device tunnel is also provisioned.

Device and User Tunnel Coexistence

A bug that first appeared when Windows 10 2004 was introduced prevented a device tunnel and user tunnel Always On VPN connection from being established to the same VPN server if the user tunnel used Internet Key Exchange Version 2 (IKEv2). This update restores full functionality under those conditions.

Update KB4571744

To resolve these issues with Windows 10 Always On VPN as well as others, download and install update KB4571744 today. If you are experiencing any of these issues with releases of Windows 10 prior to 2004, look for updates for those build to come later this year.

Additional Information

September 3, 2020 – KB4571744 (OS Build 19041.488) Preview

Windows 10 Always On VPN Connection Issues after Sleep or Hibernate

Windows 10 Always On VPN Bug in Windows 10 2004

Always On VPN SSTP Certificate Binding Error

Always On VPN SSTP Certificate Binding ErrorWhen configuring a Windows Server with the Routing and Remote Access Service (RRAS) role to support Windows 10 Always On VPN connections, the administrator may encounter the following error message when installing or updating the TLS certificate used for Secure Socket Tunneling Protocol (SSTP) connections.

“The thumbprint (cert hash) of the certificate used for Secure Socket Tunneling Protocol (SSTP) is different than the certificate bound to the Web listener (HTTP.sys). Configure SSTP to use the default certificate or the certificate bound to SSL. You can configure web server applications to use the same certificate used by SSTP.”

Always On VPN SSTP Certificate Binding Error

IIS Binding

Most commonly this error can occur if an administrator mistakenly binds a TLS certificate directly in IIS. To resolve this problem, open the IIS management console (inetmgr.exe), navigate to the Default Web Site and click Bindings in the Actions section. Highlight the HTTPS binding and click Remove. Once complete, open an elevated command window and run the iisreset.exe command.

Always On VPN SSTP Certificate Binding Error

Netsh

In some instances, the administrator may find no certificate bindings in the IIS management console. However, a certificate binding may still be present. To confirm, open an elevated command window and run the following command.

netsh.exe http show sslcert

Always On VPN SSTP Certificate Binding Error

Remove existing certificate binding by running the following commands.

netsh.exe http delete sslcert ipport=0.0.0.0:443
netsh.exe http delete sslcert ipport=[::]:443

SSTP Configuration

When configuring SSTP in RRAS for Always On VPN, certificate assignment should always be performed using the Routing and Remote Access management console (rrasmgmt.msc). No changes are required to be made in the IIS management console for SSTP.

Additional Information

Windows 10 Always On VPN SSL Certificate Requirements for SSTP

Windows 10 Always On VPN SSTP Load Balancing with Citrix NetScaler ADC Load Balancer

Windows 10 Always On VPN SSTP Load Balancing with Kemp LoadMaster Load Balancer

Windows 10 Always On VPN SSTP Load Balancing with F5 BIG-IP Load Balancer

%d bloggers like this: