Always On VPN November 2023 Security Updates

Microsoft has released its security updates for November 2023. For Always On VPN administrators, it’s a light month, with just a single CVE affecting Always On VPN infrastructure.

PEAP

CVE-2023-36028 addresses a remote code execution (RCE) vulnerability in the Microsoft Protected Extensible Authentication Protocol (PEAP). An attacker could exploit this vulnerability by sending a specially crafted PEAP packet to a Windows Network Policy Server (NPS). This attack does not require authentication or user interaction.

Affected Systems

This PEAP vulnerability affects only NPS servers configured to support PEAP authentication explicitly. PEAP authentication is a best practice configuration for Always On VPN deployments and is widely deployed. NPS servers deployed to support other services, such as Wi-Fi or router and switch access that are configured to allow PEAP authentication, are also affected.

Exposure

NPS servers are not (or should not be!) exposed directly to the public Internet. This limits the attack surface to adversaries already on the internal network.

Mitigation

Microsoft suggests disabling PEAP authentication support on NPS servers until the update is applied. However, this would break the majority of Always On VPN deployments today. Since disabling PEAP isn’t a viable option, administrators can reduce their attack surface by updating the NPS firewall rules to restrict access only to authorized VPN servers or other network devices until their systems are fully updated.

Additional Information

November 2023 Security Updates

CVE-2023-36028 PEAP Remote Code Execution Vulnerability

Always On VPN Disconnects in Windows 11

Always On VPN administrators migrating their endpoints to Windows 11 may encounter a scenario where Always On VPN randomly disconnects when the VPN profile is deployed using Microsoft Intune. The same configuration deployed to Windows 10 devices works reliably, however. In addition, Always On VPN profiles deployed using PowerShell (natively or with SCCM) or Dynamic Profile Configurator (DPC) do not experience this problem.

Troubleshooting

Administrators troubleshooting this issue will find the root cause is associated with the Always On VPN profiles being removed and replaced each time the device syncs with Intune. This occurs even if there are no changes to the configuration. Removing and replacing the Always On VPN profiles on each device sync is unnecessary, of course, but is also highly disruptive to connected users.

Intune and XML

The Intune team identified the issue, and a fix was made available in the August update. However, many of you have reported the issue persists with some Windows 11 clients after installing the latest updates. Further investigation indicates that although the issue has been resolved when using Intune and the native VPN device configuration profile template, the problem still occurs when using the Custom device configuration template.

Workaround

Microsoft is aware of the issues with deploying Always On VPN client configuration settings using XML in Intune, but there’s no indication when or if they will fix it. Until then, administrators have two options to address this problem.

Native VPN Template

When deploying Always On VPN client configuration settings to Windows 11 endpoints, use the native VPN device configuration template, as shown here.

Using the native VPN template does have some limitations, however. The following settings are not exposed using the native VPN template and can only be configured using XML.

XML

If you must use XML, I’ve had some success by ensuring the order and syntax of XML settings is exactly as Intune expects. Follow the steps below to confirm the XML settings order in your XML configuration file.

  1. Deploy your XML file with Intune.
  2. Run Get-VpnClientProfileXML.ps1 to extract the deployed XML settings.
  3. Compare the order of settings to your existing XML.
  4. Compare the syntax of all settings. For example, the <Servers> section should list the server FQDN twice, separated by a semi-colon.
  5. Make changes to ensure all settings in your XML are in the same order as the extracted XML.
  6. Publish a new XML configuration file using Intune and test.

I’ll caution you that this workaround doesn’t always work reliably. Some customers report that this solved their problems entirely, while others have indicated it does not. My testing shows the same results. Let us know in the comments below if this works for you!

Reference XML

I have published an Always On VPN XML configuration file on GitHub for reference. It includes all common settings using the order and syntax required to ensure reliable operation. As a reminder, the sample file includes many settings that aren’t required. It is published as guidance for reference only.

Additional Information

Always On VPN Windows 11 Issues with Intune

Always On VPN PowerShell Script Issues in Windows 11

Always On VPN Windows 11 Status Indicator

Viewing the status of an Always On VPN connection has been challenging since the introduction of this technology. To see if an Always On VPN connection is active, users must proactively click on the network status icon in the system tray to view the current connection status. Optionally, users can use the Settings application in Windows and select the Network & Internet tab to view the Always On VPN connection status. Further, there were no options to see VPN status in the system tray natively if the user is using a consumer VPN such as Proton VPN.

New Status Indicator

Always On VPN administrators will be happy to hear that Microsoft recently introduced a new VPN status indicator for Windows 11. Beginning with the July 2023 cumulative update (KB5028185), users will begin to see a new network status icon (a small shield) on the network connectivity indicator on the system tray in Windows. Microsoft calls this new feature “glanceable VPN“.

Source: https://blogs.windows.com/windowsexperience/2023/05/23/announcing-new-windows-11-innovation-with-features-for-secure-efficient-it-management-and-intuitive-user-experience/

Consumer VPN

While this new VPN status indicator is helpful for Always On VPN deployments, it is not limited to Always On VPN. The VPN status indicator will also display the lock icon in the system tray when the device is connected to any recognized VPN. The new VPN status indicator will include third-party enterprise VPN clients as well as some consumer VPNs.

Additional Information

Windows 11 July 2023 Update KB5028185

Always On VPN Device Tunnel Status Indicator