Once again, it’s time to patch! After several quiet months, there are a few crucial updates Always On VPN administrators will want to get deployed soon. Thankfully, the impact of the security updates related to Always On VPN is low this time, as there is only one Remote Code Execution (RCE) vulnerability, and it’s for a legacy protocol that should be in limited use today.
IKEv2
CVE-2023-36726 addresses a security vulnerability in Windows Internet Key Exchange (IKE) that can lead to privilege escalation. An attacker who successfully exploits this vulnerability can elevate privileges to that of the local SYSTEM.
L2TP
This month’s update discloses several Layer Two Tunneling Protocol (L2TP) vulnerabilities. The following CVEs all address a vulnerability where an attacker can send a specially crafted protocol message to a Windows Routing and Remote Access Service (RRAS) server, which could lead to remote code execution on the server.
The impact of the L2TP security vulnerabilities should be minimal in most organizations. L2TP is a legacy VPN protocol not commonly used for Always On VPN. However, misconfiguration can leave vulnerable RRAS servers exposed. Administrators must ensure that inbound UDP port 1723 is not open from the Internet. In addition, L2TP should be disabled on the RRAS server if not in use. See the article on the May 2023 security updates for details.
Always On VPN administrators migrating their endpoints to Windows 11 may encounter a scenario where Always On VPN randomly disconnects when the VPN profile is deployed using Microsoft Intune. The same configuration deployed to Windows 10 devices works reliably, however. In addition, Always On VPN profiles deployed using PowerShell (natively or with SCCM) or PowerON DPC do not experience this problem.
Troubleshooting
Administrators troubleshooting this issue will find the root cause is associated with the Always On VPN profiles being removed and replaced each time the device syncs with Intune. This occurs even if there are no changes to the configuration. Removing and replacing the Always On VPN profiles on each device sync is unnecessary, of course, but is also highly disruptive to connected users.
Intune and XML
The Intune team identified the issue, and a fix was made available in the August update. However, many of you have reported the issue persists with some Windows 11 clients after installing the latest updates. Further investigation indicates that although the issue has been resolved when using Intune and the native VPN device configuration profile template, the problem still occurs when using the Custom device configuration template.
Workaround
Microsoft is aware of the issues with deploying Always On VPN client configuration settings using XML in Intune, but there’s no indication when or if they will fix it. Until then, administrators have two options to address this problem.
Native VPN Template
When deploying Always On VPN client configuration settings to Windows 11 endpoints, use the native VPN device configuration template, as shown here.
Using the native VPN template does have some limitations, however. The following settings are not exposed using the native VPN template and can only be configured using XML.
If you must use XML, I’ve had some success by ensuring the order of XML settings is exactly as Intune expects. Follow the steps below to confirm the XML settings order in your XML configuration file.
Compare the order of settings to your existing XML.
Make changes to ensure all settings in your XML are in the same order as the extracted XML.
Publish a new XML configuration file using Intune and test.
I’ll caution you that this workaround doesn’t always work reliably. Some customers report that this solved their problems entirely, while others have indicated it does not. My testing shows the same results. Let us know in the comments below if this works for you!
Windows Server Core is a refactored version of the full Windows Server operating system. Server Core does not include a Graphical User Interface (GUI) and must be managed via the command line or with PowerShell. The Routing and Remote Access Service (RRAS) is a supported workload on all supported versions of Windows Server including Windows Server 2022. Always On VPN administrators should consider installing and configuring RRAS on Windows Server Core to ensure their VPN infrastructure’s best security and performance.
Server Core Benefits
Windows Server Core is a minimal installation option of the Windows Server operating system that provides numerous benefits, particularly for environments where security, resource efficiency, and reduced maintenance overhead are essential. Here are some of the key benefits of using Windows Server Core.
Minimized Attack Surface – Windows Server Core has a smaller footprint compared to the full GUI version, which means fewer components and services are installed by default. This reduces the potential attack surface and minimizes security vulnerabilities.
Enhanced Security – With fewer components and a reduced attack surface, there are fewer potential vectors for malware or unauthorized access. This makes Windows Server Core a more secure choice for critical server roles like RRAS.
Reduced Maintenance – Since there are fewer components to update, patching and maintaining a Windows Server Core system is quicker and requires less effort. This is especially beneficial in large-scale server deployments.
Improved Stability – By removing the graphical user interface (GUI), Windows Server Core has fewer processes running in the background, leading to a more stable and predictable server environment.
Simplified Management – Windows Server Core is designed for remote administration. It allows the administrator to manage it using command-line tools, PowerShell, or remote management tools like the Remote Server Administration Tools (RSAT) and Windows Admin Center. This makes it easier to manage multiple servers from a single location.
Faster Reboots – Windows Servers require periodic reboots. With Windows Server Core, reboot times are considerably faster, resulting in less downtime during maintenance periods.
RSAT
The Remote Server Administration Tools (RSAT) can be installed on Windows clients and servers to enable remote administration using the familiar Routing and Remote Access Management console (rrasmgmt.msc) and Remote Access Management console (ramgmtui.exe) GUI tools.
Windows Client
To install the Remote Access Management tools on Windows client operating systems, navigate to Settings > Apps > Optional Features. Click Add a feature, select RSAT: Remote Access Management Tools, then click Install.
Optionally the Remote Access Management tools can be installed by running the following PowerShell command.
To install the Remote Access Management tools on Windows Server run the following PowerShell command.
Install-WindowsFeature -Name RSAT-RemoteAccess
Windows Admin Center
The Windows Admin Center is a free remote management tool from Microsoft for managing Windows Server (core and GUI) remotely. It is especially helpful for Server Core management as it provides a GUI for many common administrative tasks.
