Always On VPN DPC with Intune

In the past, I’ve written about PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC), a software solution administrators can use to provision and manage Always On VPN client configuration settings using Active Directory and group policy. In addition to streamlining the deployment and management of Always On VPN client settings, DPC has many advanced features and capabilities to ensure optimal security, performance, and connection reliability.


Many settings required to fine-tune and optimize Always On VPN connections are not exposed in the Intune UI or XML. They must be configured by manipulating configuration files, setting registry keys, and running PowerShell commands. Much of this can be automated using Intune Proactive Remediation, but it is far from ideal. Administrators must configure Always On VPN using one method, then deploy optimizations using another. In addition, Proactive Remediation suffers from timing issues where some settings are not applied immediately, resulting in degraded or inoperable VPN connections until changes take effect.

Always On VPN DPC

Always On VPN DPC allows administrators to configure many advanced settings quickly and conveniently using the familiar Group Policy Management console (gpmc.msc). DPC dramatically reduces the administrative burden associated with Always On VPN client management. In addition, DPC enables many of these options by default, ensuring optimal security and reliable operation. Also, DPC immediately implements all configuration settings, eliminating the need to reboot to apply configuration changes.

Intune and ADMX

Historically, Always On VPN DPC could only be used when managing endpoints exclusively with Active Directory group policy. However, DPC can now be used with Microsoft Endpoint Manager/Intune thanks to a new feature that allows administrators to import custom ADMX and ADML administrative templates to Microsoft Endpoint Manager (MEM).

Note: This feature is in public preview at the time of this writing.

DPC and Intune

The combination of DPC and Intune brings with it many advantages. Using DPC with Microsoft Endpoint Manager/Intune offers administrators simplified deployment and many advanced features provided by Always On VPN DPC. In addition, customers who have deployed DPC on-premises can now migrate seamlessly to Microsoft Endpoint Manager/Intune management without giving up DPC’s valuable features.

Learn More

Enter your contact details in the form below for more information regarding Always On VPN DPC. Also, visit to register for a free Always On VPN DPC trial.

Additional Information

Always On VPN with Active Directory Group Policy

Introduction to Always On VPN DPC

Always On VPN DPC Advanced Features

Always On VPN DPC Video Demonstrations

What’s New in Always On VPN DPC v3.0

Always On VPN DPC Free Trial

Always On VPN Device Tunnel Operation and Best Practices

Always On VPN Device Tunnel Operation and Best PracticesUnlike DirectAccess, Windows 10 Always On VPN settings are deployed to the individual user, not the device. As such, there is no support for logging on without cached credentials using the default configuration. To address this limitation, and to provide feature parity with DirectAccess, Microsoft later introduced the device tunnel option in Windows 10 1709.

Device Tunnel Use Cases

The device tunnel is designed to allow the client device to establish an Always On VPN connection before the user logs on. This enables important scenarios such as logging on without cached credentials. This feature is crucial for organizations who expect users to log on to devices the first time remotely. The device tunnel can also be helpful for remote support, allowing administrators to manage remotely connected Always On VPN clients without having a user logged on. In addition, the device tunnel can alleviate some of the pain caused by administrators resetting remote worker’s passwords, or by users initiating a Self-Service Password Reset (SSPR).

Device Tunnel Requirements

The device tunnel requires Windows 10 Enterprise edition 1709 or later, and the client device must be joined to the domain. The device tunnel must be provisioned in the context of the local system account. Guidance for configuring and deploying a Windows 10 Always On VPN device tunnel can be found here.

Device Tunnel Authentication

The device tunnel is authenticated using a certificate issued to the client device, much the same as DirectAccess does. Authentication takes place on the Routing and Remote Access Service (RRAS) VPN server. It does not require a Network Policy Server (NPS) to perform authentication for the device tunnel.

Always On VPN Device Tunnel Operation and Best Practices

CRL Checking

Eventually an administrator may need to deny access to a device configured with an Always On VPN device tunnel connection. In theory, revoking the client device’s certificate and terminating their IPsec Security Associations (SAs) on the VPN server would accomplish this. However, Windows Server RRAS does not perform certificate revocation checking for Windows 10 Always On VPN device tunnel connections by default. Thankfully an update is available to enable this functionality. See Always On VPN Device Tunnel and Certificate Revocation for more details.

Configuration Best Practices

As the device tunnel is designed only to support domain authentication for remote clients, it should be configured with limited access to the on-premises infrastructure. Below is a list of required and optional infrastructure services that should be reachable over the device tunnel connection.


  • All domain controllers
  • Enterprise DNS servers (if DNS is running on servers other than domain controllers)


  • All issuing certification authority (CA) servers
  • All certificate services online HTTP responders
  • All certificate services Online Certificate Status Protocol (OCSP) servers
  • System Center Configuration Manager (SCCM) distribution point servers
  • Windows Server Update Services (WSUS) servers
  • Management workstations

Limiting Access

Limiting access over the Always On VPN device tunnel can be accomplished in one of the following two ways.

Traffic Filters

The administrator can configure traffic filters on the device tunnel to restrict access only to those IP addresses required. However, be advised that when a traffic filter is enabled on the device tunnel, all inbound access will be blocked. This effectively prevents any remote management of the device from an on-premises system over the device tunnel.

Host Routes

An alternative to using traffic filters to limit access over the device tunnel is using host routes. Host routes are configured with a /32 prefix size and define a route to a specific individual host. The following is an example of host route configuration in ProfileXML.

Always On VPN Device Tunnel Operation and Best Practices

Note: A PowerShell script that enumerates all enterprise domain controllers and outputs their IP addresses in XML format for use in ProfileXML can be found here.


Some organizations may have hundreds or even thousands of domain controllers, so creating individual host route entries for all domain controllers in profileXML may not be practical. In this scenario it is recommended to add host routes only for the domain controllers that belong to the Active Directory site where the VPN server resides.


Do not use the <DomainNameInformation> element in ProfileXML or enable force tunneling for the device tunnel. Neither of these configurations are supported.

Tunnel Coexistence

The device tunnel can be safely deployed in conjunction with the user tunnel whenever its functionality is required.

DNS Registration

If the device tunnel and user tunnel are both deployed, it is recommended that only one of the tunnels be configured to register in DNS. If the device tunnel is configured to register its IP address in DNS, be advised that only those devices with routes configured in the device tunnel VPN profile will be able to connect remotely to Always On VPN clients.

Additional Information

Windows 10 Always On VPN Device Tunnel with Azure VPN Gateway

Windows 10 Always On VPN Device Tunnel and Certificate Revocation

Windows 10 Always On VPN Device Tunnel Configuration with Microsoft Intune

Windows 10 Always On VPN Device Tunnel Does Not Connect Automatically

Windows 10 Always On VPN Device Tunnel Missing in Windows 10 UI

Deleting a Windows 10 Always On VPN Device Tunnel

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Always On VPN RRAS Monitoring and Reporting

Always On VPN RRAS Monitoring and ReportingWindows Server with the Routing and Remote Access Service (RRAS) role installed is a popular choice for Windows 10 Always On VPN deployments. Configuring RRAS is commonly performed using the RRAS management console but it can also be configured using PowerShell and/or netsh. In addition, there are a few different options for natively monitoring server health and client connection status.

RRAS Management Console

After installing the RRAS role, the administrator uses the RRAS management console (rrasmgmt.msc) to perform initial configuration. The RRAS management console can also be used to view client connection status by expanding the server and highlighting Remote Access Clients.

Connection Details

To view connection details for a specific connection, the administrator can right-click a connection and choose Status, or simply double-click the connection.

High level information about the connection including duration, data transfer, errors, and IP address assignment can be obtained here. In addition, the administrator can terminate the VPN connection by clicking the Disconnect button.

RRAS Management Console Limitations

Using the RRAS management console has some serious limitations. It offers only limited visibility into client connectivity status, for example. In addition, the client connection status does not refresh automatically. Also, the RRAS management console offers no historical reporting capability.

Remote Access Management Console

The Remote Access Management console (ramgmtui.exe) will be familiar to DirectAccess administrators and is a better option for viewing VPN client connectivity on the RRAS server. It also offers more detailed information on connectivity status and includes an option to enable historical reporting.


The Dashboard node in the Remote Access Management console provides high-level status for various services associated with the VPN server. It also provides a high-level overview of aggregate VPN client connections.

Operations Status

The Operations Status node in the Remote Access Management console provides more detailed information regarding the status of crucial VPN services. Here the administrator will find current status and information about service uptime.

Remote Client Status

The Remote Client Status node in the Remote Access Management console is where administrators will find detailed information about client connectivity. Selecting a connection will provide data about the connection including remote IP addresses, protocols, and ports accessed by the remote client, in addition to detailed connection information such as authentication type, public IP address (if available), connection start time, and data transferred.

Always On VPN RRAS Monitoring and Reporting

Double-clicking an individual connection brings up a detailed client statistics page for the connection, as shown here.

Always On VPN RRAS Monitoring and Reporting

Custom View

The Remote Access Management console includes the option to customize the data presented to the administrator. To view additional details about client connections, right-click anywhere in the column headings to enable or disable any of the fields as required.

Always On VPN RRAS Monitoring and Reporting

Recommended Columns

From personal experience I recommend adding the following columns in the Remote Access Management console.

  • IPv4 Address (this is the IP address assigned to the VPN clients by RRAS)
  • Connection Start Time
  • Authentication Method
  • Total Bytes In
  • Total Bytes Out
  • Rate

Always On VPN RRAS Monitoring and Reporting


The only real drawback to using the Remote Access Management console is that it supports viewing connections from just one VPN server at a time. If you have multiple RRAS servers deployed, you must retarget the Remote Access Management console each time to view connections on different VPN servers in the organization.

You can retarget the Remote Access Management console at any time by highlighting the Configuration node in the navigation pane and then clicking the Manage a Remote Server link in the Tasks pane.

Always On VPN RRAS Monitoring and Reporting


Remote Access reporting is not enabled by default on the RRAS VPN server. Follow the steps below to enable historical reporting for RRAS VPN connections.

1. Highlight the Reporting node in the Remote Access Management console.
2. Click Configure Accounting.
3. Uncheck Use RADIUS accounting.
4. Check Use inbox accounting.
5. Review the settings for data retention and make changes as required.
6. Click Apply.

Always On VPN RRAS Monitoring and Reporting

Optionally, historical reporting can be enabled using PowerShell by opening and elevated PowerShell command window and running the following command.

Set-RemoteAccessAccounting -EnableAccountingType Inbox -PassThru

Database Management

A Windows Internal Database (WID) is automatically installed and configured for data storage when inbox accounting is enabled. WID is nothing more than a basic instance of Microsoft SQL Server. As such, the database will require periodic maintenance to perform optimally. I have published the InboxAccountingDatabaseManagement PowerShell module to address many of the required and optional administrative tasks associated with inbox accounting. You can learn more about this PowerShell module and its functions here.

Important Note! There is a known issue with the inbox accounting database that can result in high CPU utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. To correct this issue, be sure to run the Optimize-InboxAccountingDatabase function included in my InboxAccountingDatabaseManagement PowerShell module.

Additional Information

Always On VPN Inbox Accounting Database Management

Always On VPN Inbox Accounting Database Management PowerShell module on Github

Windows 10 Always On VPN and Windows Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN and RRAS with Single NIC

Windows 10 Always On VPN and RRAS in Microsoft Azure