When deploying Windows 10 Always On VPN using Protected Extensible Authentication Protocol (PEAP) authentication with client certificates, administrators may find the VPN connection does not establish automatically. In this specific scenario the client is prompted to select a certificate to use to authenticate to the VPN server.
Multiple Certificates
This can occur when certificates from multiple Certification Authorities (CAs) are issued to the user that include the Client Authentication Enhanced Key Usage (EKU). When this happens, the user is forced to select the correct certificate to use for VPN authentication.
Clearly this is less than ideal, as it not only breaks the seamless and transparent nature of Always On VPN, the user may select the wrong certificate resulting in authentication failure. Ideally the client should be configured to select the correct certificate without user interaction.
Certificate Selection
Follow the steps below to configure automatic certificate selection for VPN authentication.
- On a VPN client, right-click the Always On VPN connection and choose Properties.
- Select the Security tab.
- In the Authentication section click Properties below Use Extensible Authentication Protocol (EAP).
- In the Select Authentication Method section click Configure.
- In the When connecting section click Advanced.
- Check the box next to Certificate Issuer.
- Select the root CA used to issue client authentication certificates for VPN authentication.
- Click Ok four times to save the configuration.
Once complete, export the EAP configuration to XML from the VPN client and paste the new settings in Intune or in your custom ProfileXML.
Certificate Purpose
By default, a client certificate requires only the Client Authentication EKU to establish a VPN connection. In some cases, this may not be desirable. For example, consider a deployment where Client Authentication certificates are issued to all users for Wi-Fi authentication. Depending on the Network Policy Server (NPS) configuration, these certificates may also be used to authenticate to the VPN.
VPN Specific Certificate
Follow the steps below to create a user authentication certificate template to be used exclusively for VPN authentication.
Certificate Template
- On the CA server, open the Certificate Templates management console (certtmpl.msc).
- Right-click the certificate template configured for VPN authentication and choose Properties.
- Select the Extension tab.
- Highlight Application Policies and click Edit.
- Click Add.
- Click New.
- Enter a descriptive name for the new application policy.
- Copy the Object identifier for later use and click Ok four times to save the configuration.
- If certificate autoenrollment is configured and the certificate is already provisioned to users, right-click the certificate template and choose Reenroll All Certificate holders.
Client Configuration
- On the VPN client, follow the steps outlined previously to configure certificate selection.
- In addition to choosing a certificate issuer, select Extended Key Usage (EKU).
- Uncheck All Purpose.
- Select Client Authentication and the following EKUs.
- Click Add.
- Click Add once more.
- Enter the name of the custom EKU policy created previously.
- Enter the custom EKU object identifier copied previously from the custom policy.
- Click Ok twice.
- Uncheck AnyPurpose and the following EKUs.
- Click Ok four times to save the configuration.
Once complete, export the EAP configuration to XML from the VPN client and paste the new settings in Intune or in your custom ProfileXML.
Additional Information
Windows 10 Always On VPN Clients Prompted for Authentication when Accessing Internal Resources
When deploying Windows 10 Always On VPN using Protected Extensible Authentication Protocol (PEAP) with client authentication certificates, the administrator may encounter a scenario in which the user can establish a VPN connection without issue, but when accessing internal resources they are prompted for credentials and receive the following error message.
When DirectAccess is deployed using the Getting Started Wizard (GSW), sometimes referred to as the “simplified deployment” method, self-signed certificates are created during the installation and used for the IP-HTTPS IPv6 transition technology, the Network Location Server (NLS), and for RADIUS secret encryption.
Configuring Multifactor Authentication (MFA) is an excellent way to ensure the highest level of assurance for Always On VPN users. 
Once Windows 10 Always On VPN has been deployed in production, it may be necessary at some point for administrators to deny access to individual users or computers. Commonly this occurs when an employee is terminated or leaves the company, or if a device is lost, stolen, or otherwise compromised. Typically, this means that user accounts and computer accounts in Active Directory are disabled, and any issued certificates are revoked. However, additional steps may be required to disconnect current VPN sessions or prevent future remote connections.
A longstanding issue with Windows 10 Always On VPN is that of VPN tunnel connectivity reliability and device tunnel/user tunnel interoperability. Many administrators have reported that Always On VPN connections fail to establish automatically at times, that only one tunnel comes up at a time (user tunnel or device tunnel, but not both), or that VPN tunnels fail to establish when coming out of sleep or hibernate modes. Have a look at the comments on this post and you’ll get a good understanding of the issues with Always On VPN.
The 
The Internet Key Exchange version 2 (IKEv2) is the protocol of choice for Always On VPN deployments where the highest level of security is required. Implementing Always On VPN at scale often requires multiple VPN servers to provide sufficient capacity and to provide redundancy. Commonly an Application Delivery Controller (ADC) or load balancer is configured in front of the VPN servers to provide scalability and high availability for Always On VPN.
The Windows Server Routing and Remote Access Service (RRAS) is a popular choice for a VPN server to support Windows 10 Always On VPN deployments. One significant advantage RRAS provides is support for the Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary VPN protocol that uses Transport Layer Security (TLS) to ensure privacy between the VPN client and server. The advantage to using a TLS-based transport is that it leverages the standard HTTPS TCP port 443, making it firewall friendly and ensuring ubiquitous remote access even behind highly restrictive firewalls.
