Always On VPN and Intune Proactive Remediation

Always On VPN and Autopilot Hybrid Azure AD Join

When configuring and deploying Windows Always On VPN using Microsoft Endpoint Manager (MEM)/Intune, administrators may find that some settings are not exposed in the MEM UI. In some cases, deploying the configuration profile using custom XML is the workaround. However, many crucial Always On VPN settings are not exposed using either method. Here, administrators must resort to editing settings in the VPN configuration file on the client after provisioning the VPN profile.

Phonebook

A file called rasphone.pbk stores all Windows VPN settings on the endpoint. It includes name/value pairs that correspond to many settings administrators change manually in the GUI. Other settings can be changed using PowerShell. Depending on the connection type, the file can be found in one of two locations.

  • User Tunnel: $env:AppData\Microsoft\Network\Connections\Pbk\rasphone.pbk
  • Device Tunnel: $env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Documentation for Windows VPN client phonebook entry settings can be found here.

Limitations

Unfortunately, editing the rasphone.pbk file isn’t always convenient. Making the changes is technically easy. Administrators can write a simple PowerShell script to update the text file as required. However, automating this at scale is challenging. Thankfully, Intune Proactive Remediations can help.

Proactive Remediations

With Intune Proactive Remediations, administrators can create and deploy script packages to monitor and optionally update specific configuration settings. The package includes two scripts, a detection script, and a remediation script. The detection script looks at the current value of a particular setting and reports on its compliance. The remediation script is triggered to update the setting if the value is incorrect.

Requirements

Intune Proactive Remediations has some specific licensing requirements. Administrators must also enroll devices into Endpoint analytics and provision a Windows Health Monitoring configuration profile. There are also limitations on the size and type of scripts that administrators can use. More information on prerequisites can be found here.

Script Packages

Administrators can create detection and remediation PowerShell scripts to update settings in rasphone.pbk, or optionally, they can download sample scripts from my GitHub repository here. This repository contains user and device tunnel detection and remediation scripts for many popular settings in rasphone.pbk. Examples include updating the VPN Strategy, changing VPN interface metrics, disabling class-based default routes, and many more.

Note: The scripts in my GitHub repository are examples only. While they can be used in production environments, they are basic and may not work as expected in all scenarios. For example, the scripts as written today assume only a single VPN profile provisioned. Unexpected results may occur if more than one VPN profile exists. Please use them at your own risk.

Deployment

In this example, we’ll deploy a Proactive Remediation to disable IKE mobility for user tunnel VPN connections. To configure an Intune Proactive Remediation, open the Microsoft Endpoint Manager portal (https://intune.microsoft.com/) and navigate to Devices > Remediations. After creating or downloading the detection and remediation scripts, perform the following steps to create and deploy a Proactive Remediation script package.

  1. Click Create script package.
  2. Enter a name for the package in the Name field.
  3. Enter a description for the package in the Description field (optional).
  4. Click Next.
  5. Click the blue folder icon next to the Detection script file field and upload the detection script.
  6. Click the blue folder icon next to the Remediation script file field and upload the associated remediation script.
  7. For user tunnel connections, click Yes next to Run this script using the logged-on credentials. For device tunnel connections, click No.
  8. Click Next.
  9. Define scope tags as required.
  10. Click Next.
  11. Assign a group and choose a schedule. The detection script can be run once, daily, hourly, or on an hourly interval.
  12. Click Next, then click Create.

Click Refresh to update the UI to display the newly created script package.

Caveats

Be advised that timing issues could lead to delays in functionality. For example, if there’s a change to an Always On VPN profile after a Proactive Remediation detection script runs, the changes will not be detected until the detection script runs again. Also, changes made while the VPN is active will not take effect until after restarting the connection.

Special Thanks

Special thanks to Tom Klaver at Inspark for turning me on to this feature. It has been an absolute lifesaver for sure!

Additional Information

Microsoft Intune Proactive Remediation Tutorial

Windows VPN Phonebook Entry Settings

Intune Proactive Remediation Script Samples on GitHub

Microsoft Windows Always On VPN Class-Based Default Route and Intune

Microsoft Windows Always On VPN Short Name Access Failure

Always On VPN Short Name Access Failure

Using Microsoft Endpoint Manager (Intune), administrators can provision Always On VPN to devices that are Azure AD joined only. Users accessing on-premises resources from these devices can still use seamless single sign-on, making this deployment option popular for organizations moving to the cloud.

Short Names

After deploying Always On VPN to Windows 10 devices that are Azure AD joined only and configured to use client certificate authentication, administrators may find that users cannot access on-premises resources by their short name, such as \\app1. The connection fails and returns the following error message.

“Windows can’t find <servername/sharename>. Check the spelling and try again.”

FQDN

Interestingly, on-premises resources are accessible using their fully qualified domain name (FQDN), such as \\app1.corp.example.net.

Troubleshooting

Testing name resolution using the short name works as expected, and the resource is reachable at the network layer, as shown here.

Workaround

This issue is related to how Windows performs authentication when connected via VPN. To resolve this issue, edit the rasphone.pbk file and change the value of UseRasCredentials to 0. Rasphone.pbk can be found in the $env:AppData\Microsoft\Network\Connections\Pbk folder.

After updating this setting, restart the VPN connection for the change to take effect.

Proactive Remediations

While helpful for testing, editing rasphone.pbk manually obviously does not scale well. To address this, consider using Intune Proactive Remediations. Intune Proactive Remediations allows administrators to deploy detection and remediation PowerShell scripts to monitor specific settings and update them if or when they change. Proactive Remediations will ensure the setting is applied consistently across all managed endpoints.

GitHub Repository

I have created a new GitHub repository dedicated to PowerShell scripts for Endpoint Manager Proactive Remediations for Always On VPN. There you will find detection and remediation scripts for the UseRasCredentials settings change described in this article.

PowerShell

Administrators can also implement this setting by running the following PowerShell command.

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Lsa’ -Name DisableDomainCreds -Value 1

Group Policy

Another option for implementing this setting is by enabling the following Active Directory Group Policy setting.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication

Additional Information

Always On VPN Endpoint Manager Proactive Remediation Scripts on GitHub

Endpoint Manager Proactive Remediations Tutorial