All posts in category System Center Configuration Manager

Always On VPN at MMSMOA 2023

I’m excited to share that I’ve been invited to present at the popular Midwest Management Summit at Mall of America (MMSMOA) this year! The event takes place Monday, May 2, through Thursday, May 4, 2023.

Sessions

I will be delivering two talks at the event this year. One on Microsoft Always On VPN and Intune, the other on deploying certificate using Intune.

Always On VPN and Intune: Notes from the Field – Tuesday, May 2 at 10:00 AM CDT

This session will cover all aspects of deploying and managing Always On VPN client configuration settings using Microsoft Intune.

Intune Certificate Management – Wednesday, May 3 at 10:00 AM CDT

This session will provide detailed configuration guidance and best practice recommendations for issuing on-premises enterprise PKI certificate using Microsoft Intune.

Attending MMS?

Will you be attending MMSMOA? Let’s connect! Drop in on my sessions, of course, but let’s plan to hang out! I will have copies of my book to give away too, so don’t miss out. Send me a note here or on Twitter, or just find me at the conference. Looking forward to seeing all of you soon!

Always On VPN CSP Updates

Administrators can deploy Always On VPN client configuration settings in several ways. The simplest method is to use the native Microsoft Intune UI and the VPN device configuration profile template. Optionally, administrators can create an XML file that can be deployed with Intune using the Custom template. In addition, the XML file can be deployed using PowerShell, either interactively or with System Center Configuration Manager (SCCM). Administrators can also deploy the XML file using PowerShell via Active Directory group policy startup script or another software provisioning platform.

Custom XML

While using the native Intune VPN device configuration template to deploy and manage Always On VPN client configuration settings is easy and convenient, it lacks support for many crucial configuration settings. Deploying Always On VPN client settings using the Custom template is helpful to overcome these limitations as it enables additional configuration settings not exposed in the Intune VPN template.

VPNv2CSP

The VPNv2 Configuration Service Provider (CSP) is the interface used by Intune to deploy Always On VPN client configuration settings to the endpoint. The WMI-to-CSP bridge enables settings deployment using PowerShell. In either scenario, administrators must create an XML file that includes the settings used for the Always On VPN profile. A reference for all supported settings in the VPNv2 CSP can be found here.

New Settings

Microsoft recently introduced some new settings in the VPNv2 CSP. Beginning with Windows 11 22H2, administrators can disable the disconnect button and prevent access to the advanced settings menu for device and user tunnels in the Windows UI by adding the following entries in the XML configuration file.

<DisableDisconnectButton>true</DisableDisconnectButton>

<DisableAdvancedOptionsEditButton>true
</DisableAdvancedOptionsEditButton>

Additional Updates

Microsoft also added options to define encryption settings, disable IKEv2 fragmentation support, update IPv4 and IPv6 interface metrics, adjust IKEv2 network outage time, and disable the use of RAS credentials in XML for device and user tunnels. These new options eliminate the need to use Intune Proactive Remediation to adjust these VPN client configuration settings post-deployment.

Unfortunately, these settings are not supported in any current release of Windows 10 or 11 today. However, they are available in the latest Windows Insider build (development channel) if you want to test them. I’ve provided example settings below. These settings will be supported in a public release of Windows in the future.

<DataEncryption>Max</DataEncryption>
<DisableIKEv2Fragmentation>true</DisableIKEv2Fragmentation>
<IPv4InterfaceMetric>3</IPv4InterfaceMetric>
<IPv6InterfaceMetric>3</IPv6InterfaceMetric>
<NetworkOutageTime>0</NetworkOutageTime>
<UseRasCredentials>false</UseRasCredentials>

Note: At the time of this writing, the VPNv2 CSP indicates these settings apply to Windows 11 21H2 and later. That is incorrect. Microsoft is aware of the issue and will hopefully correct it soon.

Intune Support

At some point, Microsoft may add these features to the Intune VPN device configuration template. However, XML with the Custom template is the only way to enable these new settings today.

Additional Information

Always On VPN VPNv2 CSP Reference

Deploying Always On VPN with Intune using Custom ProfileXML

Always On VPN and Intune Proactive Remediation

Microsoft Intune Learning Resources for Always On VPN Administrators

Example Always On VPN User Tunnel ProfileXML

Example Always On VPN Device Tunnel ProfileXML

8 Comments

by Richard M. Hicks on March 6, 2023 • Permalink

Posted by Richard M. Hicks on March 6, 2023

https://directaccess.richardhicks.com/2023/03/06/always-on-vpn-csp-updates/

Intune Certificate Connector Service Account and PKCS

Microsoft Always On VPN administrators have two choices when deploying enterprise PKI certificates using Intune; PKCS and SCEP. I prefer using PKCS because it is easier to configure and manage. Also, PKCS requires no inbound connectivity, simplifying the deployment and reducing the organization’s public attack surface. Provisioning certificates using Intune is inherently risky. However, there are some steps administrators can take to mitigate much of this risk.

PKCS Security

The service account is the most critical aspect of configuring the Intune Certificate Connector for PKCS securely. The service account has permission to enroll for an exceedingly dangerous published certificate template. Specifically, the PKCS certificate template has the deadly combination of supplying the subject information in the request, and the Client Authentication enhanced key usage (EKU). Further, the scenario does not allow administrative approval to be enabled on the certificate template. If an attacker were to gain access to this certificate template, they could enroll as any principal they chose, including a domain administrator, and their request would be processed automatically. Subsequently, they could authenticate to Active Directory using only the certificate without knowing the account’s password.

Service Account

Using a Group Managed Service Account (GMSA) would be ideal in this scenario. However, the Intune Certificate Connector does not support using GMSA when using PKCS. With that, administrators must use a regular domain service account instead, which introduces additional risk. To enhance the overall security of the solution, consider performing the following PKCS service account hardening tasks when using the Intune Certificate Connector to issue PKCS certificates with Intune.

Standard User

The service account should be a standard domain user with no special privileges. The service should be dedicated to PKCS and not shared with other services in the enterprise. Create the account from scratch (do not duplicate another account!), and use a long, complex password. Document this password securely. In addition, ensure the PKCS service account is not a member of any other security groups. It does not require local administrator access, either.

Account Hardening

After creating the service account, click the Log On To button and ensure the account can only log on to the server(s) where you have installed the Intune Certificate Connector.

Next, check the box next to Account is sensitive and cannot be delegated in the Account options section.

In addition, select the option Deny access in the Network Access Permission section of the Dial-In properties page.

Finally, uncheck Enable remote control on the Remote control properties page.

Local Access Rights

Open the Local Group Policy Editor (gpedit.msc) on each server where you installed the Intune Certificate Connector. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Enable the following policy settings for the PKCS service account.

Deny access to this computer from the network
Deny log on as a batch job
Deny log on locally
Deny log on through Remote Desktop Services

Optionally these settings can be enforced on the Intune Certificate Connector server using Active Directory group policy.

Disclaimer

I am not an Active Directory security expert! The guidance provided here is based on my many years of Windows administrative experience, conversations with Identity and Access security professionals, and published guidance found on the Internet. If you have suggestions to further improve service account security, don’t hesitate to let me know! Please share in the comments, below.