All posts tagged PowerShell

Always On VPN Short Name Access Failure

Using Microsoft Endpoint Manager (Intune), administrators can provision Always On VPN to devices that are Azure AD joined only. Users accessing on-premises resources from these devices can still use seamless single sign-on, making this deployment option popular for organizations moving to the cloud.

Short Names

After deploying Always On VPN to Windows 10 devices that are Azure AD joined only and configured to use client certificate authentication, administrators may find that users cannot access on-premises resources by their short name, such as \\app1. The connection fails and returns the following error message.

“Windows can’t find <servername/sharename>. Check the spelling and try again.”

FQDN

Interestingly, on-premises resources are accessible using their fully qualified domain name (FQDN), such as \\app1.corp.example.net.

Troubleshooting

Testing name resolution using the short name works as expected, and the resource is reachable at the network layer, as shown here.

Workaround

This issue is related to how Windows performs authentication when connected via VPN. To resolve this issue, edit the rasphone.pbk file and change the value of UseRasCredentials to 0. Rasphone.pbk can be found in the $env:AppData\Microsoft\Network\Connections\Pbk folder.

After updating this setting, restart the VPN connection for the change to take effect.

Proactive Remediations

While helpful for testing, editing rasphone.pbk manually obviously does not scale well. To address this, consider using Intune Proactive Remediations. Intune Proactive Remediations allows administrators to deploy detection and remediation PowerShell scripts to monitor specific settings and update them if or when they change. Proactive Remediations will ensure the setting is applied consistently across all managed endpoints.

GitHub Repository

I have created a new GitHub repository dedicated to PowerShell scripts for Endpoint Manager Proactive Remediations for Always On VPN. There you will find detection and remediation scripts for the UseRasCredentials settings change described in this article.

PowerShell

Administrators can also implement this setting by running the following PowerShell command.

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Lsa’ -Name DisableDomainCreds -Value 1

Group Policy

Another option for implementing this setting is by enabling the following Active Directory Group Policy setting.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication

Additional Information

Always On VPN Endpoint Manager Proactive Remediation Scripts on GitHub

Endpoint Manager Proactive Remediations Tutorial

21 Comments
by Richard M. Hicks on September 20, 2021  •  Permalink
Posted in Always On VPN, AOVPN, authentication, Azure Active Directory, Azure AD, Azure AD Join, certificates, cloud, DNS, EAP, Endpoint Manager, Enterprise, enterprise mobility, extensible authentication protocol, GitHub, InTune, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobility, Name Resolution, Operational Support, PEAP, PowerShell, Protected EAP, public cloud, Remote Access, SCCM, System Center Configuration Manager, systems management, troubleshooting, user tunnel, VPN, Windows 10
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 20, 2021

https://directaccess.richardhicks.com/2021/09/20/always-on-vpn-short-name-access-failure/

Always On VPN SSTP Security Configuration

Always On VPN SSTP Security Configuration

When using Windows Server Routing and Remote Access Service (RRAS) to terminate Always On VPN client connections, administrators can leverage the Secure Socket Tunneling Protocol (SSTP) VPN protocol for client-based VPN connections. SSTP is a Microsoft proprietary VPN protocol that uses Transport Layer Security (TLS) to secure connections between the client and the VPN gateway. SSTP provides some crucial advantages over IKEv2 in terms of operational reliability. It uses the TCP port 443, the standard HTTPS port, which is universally available and ensures Always On VPN connectivity even behind highly restrictive firewalls.

TLS Certificate

When configuring SSTP, the first thing to consider is the certificate installed on the server. A certificate with an RSA key is most common, but for SSTP, provisioning a certificate with an ECDSA key is recommended for optimal security and performance. See the following two articles regarding SSTP certificate requirements and ECDSA Certificate Signing Request (CSR) creation.

Always On VPN SSL Certificate Requirements for SSTP

Always On VPN ECDSA SSL Certificate Request for SSTP

TLS Configuration

Much like IKEv2, the default TLS security settings for SSTP are less than optimal. However, SSTP can provide excellent security with some additional configuration.

TLS Protocols

There are several deprecated TLS protocols enabled by default in Windows Server. These include SSLv3.0, TLS 1.0, and TLS 1.1. They should be disabled to improve security for TLS. To do this, open an elevated PowerShell window on the VPN server and run the following commands.

New-Item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\’ -Force

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\’ -Name Enabled -PropertyType DWORD -Value ‘0’

New-Item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\’ -Force

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\’ -Name Enabled -PropertyType DWORD -Value ‘0’

New-Item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\’ -Force

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\’ -Name Enabled -PropertyType DWORD -Value ‘0’

Cipher Suites

Many weak TLS cipher suites and enabled by default in Windows Server. To further enhance security and performance, they can be optimized using a tool such as IIS Crypto. For example, consider prioritizing cipher suites that use ECDHE and GCM with ECDSA to improve security. Also, remove ciphers that use AES-256 to enhance scalability and performance.

Note: AES-256 does not provide any additional practical security over AES-128. Details here.

PowerShell Script

I have published a PowerShell script on GitHub that performs security hardening and TLS cipher suite optimization to streamline the configuration TLS on Windows Server RRAS servers. You can download the script here.

Validation Testing

After running the script and restarting the server, visit the SSL Labs Server Test site to validate the configuration. You should receive an “A” rating, as shown here.

Note: An “A” rating is not achievable on Windows Server 2012 or Windows Server 2012 R2 when using an RSA TLS certificate. A TLS certificate using ECDSA is required to receive an “A” rating on these platforms.

Additional Information

Always On VPN SSL/TLS Certificate Requirements for SSTP

Always On VPN ECDSA SSL Certificate Request for SSTP

Qualys SSL Labs Server Test Site

Always On VPN Protocol Recommendations for Windows Server RRAS

Microsoft SSTP Specification on MSDN

13 Comments
by Richard M. Hicks on June 21, 2021  •  Permalink
Posted in Always On VPN, AOVPN, Elliptic Curve Cryptography, Encryption, Enterprise, enterprise mobility, GitHub, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, SSL, SSL and TLS, SSTP, TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 21, 2021

https://directaccess.richardhicks.com/2021/06/21/always-on-vpn-sstp-security-configuration/

Always On VPN and Autopilot Hybrid Azure AD Join

Always On VPN and Autopilot Hybrid Azure AD Join

Windows Autopilot is a cloud-based technology that administrators can use to configure new devices wherever they may be, whether on-premises or in the field. Devices provisioned with Autopilot are Azure AD joined by default and managed using Microsoft Endpoint Manager. Optionally, an administrator can enable hybrid Azure AD join by also joining the device to an on-premises Active Directory domain using a domain join configuration profile in conjunction with the offline domain-join connector. Although enabling hybrid Azure AD join might sound appealing, there are specific deployment scenarios that present some rather unique and challenging problems when using this option.

Offline Hybrid Azure AD Join

For field-based devices, the device must have connectivity to a domain controller to support the initial login when the user has no local cached credentials. The Always On VPN device tunnel can be deployed in this scenario to provide connectivity and allow the user to log in to a new device the first time without being on-premises. The Always On VPN device tunnel is easily deployed using a Microsoft Endpoint Manager configuration profile. Certificates required to support the device tunnel can be deployed with Microsoft Endpoint Manager and one of the certificate connectors for Microsoft Endpoint Manager.

Windows 10 Professional

If a Windows 10 Professional device is configured using Autopilot, and hybrid Azure AD joined is enabled, the Always On VPN device tunnel can still be provisioned, but it won’t start automatically because it requires Enterprise Edition to be fully functional. This prevents the user from being able to logon the first time. The device must be upgraded to Enterprise Edition before the first user logon. There are multiple ways to accomplish this depending on the deployment scenario and activation requirements.

Multiple Activation Key

The easiest way to upgrade Windows 10 Professional to Enterprise Edition is to obtain a Multiple Activation Key (MAK) and deploy that to clients using a Microsoft Endpoint Manager configuration profile. Follow the steps below to create a configuration profile to perform this upgrade.

  1. Open the Microsoft Endpoint Manager console and click on Devices > Configuration Profiles.
  2. Click Create profile.
  3. Select Windows 10 and later in the Platform drop-down list.
  4. Select Templates in the Profile type drop-down list.
  5. Select Edition upgrade and mode switch from the list of templates.
  6. Click Create.

Use the following steps to configure the settings for the configuration profile.

  1. Enter a descriptive name for the configuration profile in the Name field.
  2. Enter a description for the profile in the Description field (optional).
  3. Click Next.
  4. Expand the Edition Upgrade section and select Windows 10 Enterprise from the Edition to upgrade to drop-down list.
  5. Enter your multiple activation product key in the Product Key field.

    Always On VPN and Autopilot Hybrid Azure AD Join

Once complete, assign the configuration profile to the appropriate groups and click Create.

KMS Activation

If Key Management Service (KMS) activation is required, follow the steps listed previously for MAK. Enter the KMS client setup key for Windows 10 Enterprise which is NPPR9-FWDCX-D2C8J-H872K-2YT43. The device will complete KMS activation when it can connect to the on-premises KMS host.

Subscription Activation

Windows 10 Enterprise Edition licensing is included in some Microsoft 365 subscriptions. This poses a unique challenge for hybrid Azure AD join scenarios, however. Specifically, subscription activation is a “step-up” process that requires Windows 10 Professional to have been successfully activated previously. Also, this occurs after the user logs on, but the user cannot log on unless the device tunnel is active. Catch 22!

Workaround

A multi-step process is required to address the limitations imposed by subscription activation. To begin, the device must be upgraded to Enterprise Edition, so the device tunnel is available for the initial user logon. This is a temporary, one-time upgrade to Enterprise Edition solely for the purpose of getting the device tunnel to connect and allow the user to authenticate.

To begin, download this PowerShell script and follow the steps below to deploy it to Windows 10 devices using Microsoft Endpoint Manager.

  1. Open the Microsoft Endpoint Manager console and click on Devices > Scripts.
  2. Click Add and select Windows 10.
  3. Enter a descriptive name for the configuration profile in the Name field.
  4. Enter a description for the profile in the Description field (optional).
  5. Click Next.
  6. Enter the location of the PowerShell script in the Script location field.
  7. Click Next, then assign the script to the appropriate device group(s) and click Add.

The PowerShell script will automatically install the KMS client setup key for Windows 10 Enterprise Edition, then restart the network interfaces to ensure the device tunnel starts. This will immediately upgrade the client device to Windows 10 Enterprise Edition and allow the user to authenticate.

Subscription activation with a step-up upgrade to Enterprise Edition still requires that Windows 10 Professional be activated first. To accomplish this, the embedded Windows 10 Professional key must be re-installed on the client. To do this, download this PowerShell script and follow the same steps listed previously to deploy a PowerShell script with Microsoft Endpoint Manager. However, this script should be assigned to users, not devices.

Once this script is run on the client it will be downgraded (temporarily) to Windows 10 Professional edition. After activation is successful, subscription activation will once again upgrade the client to Windows 10 Enterprise Edition.

Considerations

As you can see, the process of getting a Windows 10 Professional edition client onboarded in a hybrid Azure AD joined scenario is somewhat complex. My advice is to avoid this scenario whenever possible. Access to on-premises resources with the Always On VPN user tunnel with full single sign-on support is still available for users on Windows 10 devices that are Azure AD joined only. Unless there is a specific requirement to manage client devices using on-premises Active Directory and group policy, consider choosing native Azure AD join with Autopilot and manage devices using Microsoft Endpoint Manager exclusively.

Special Thanks

I would like to extend a special thank you to everyone in the Microsoft Endpoint Manager community who provided valuable input and feedback for me on this topic, especially John Marcum, Michael Niehaus, and Sandy Zeng. Follow the #MEMCM hashtag on Twitter to keep up on all things Microsoft Endpoint Manager.

Additional Information

Overview of Windows Autopilot

Windows 10 Subscription Activation

Windows 10 Always On VPN Class-Based Default Route and Microsoft Endpoint Manager

Windows 10 Always On VPN Device Tunnel and Custom Cryptography in Microsoft Endpoint Manager

8 Comments
by Richard M. Hicks on April 19, 2021  •  Permalink
Posted in AADJ, administration, Always On VPN, AOVPN, authentication, Azure, Azure Active Directory, Azure AD, Azure AD Join, certificates, cloud, device tunnel, Enterprise, enterprise mobility, HAADJ, Hybrid Azure AD Join, InTune, Intune Certificate Connector, Intune PFX Connector, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobility, NDES, Network Device Enrollment Service, Network Device Enrollment Services, Operational Support, PFX Connector, PKI, PowerShell, public cloud, public key infrastructure, Remote Access, SCCM, SCEP, Security, Simple Certificate Enrollment Protocol, System Center Configuration Manager, systems management, VPN, Windows 10
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 19, 2021

https://directaccess.richardhicks.com/2021/04/19/always-on-vpn-and-autopilot-hybrid-azure-ad-join/

« Older Posts
Newer Posts »