Always On VPN CSP Updates

Always On VPN DNS Registration Update Available

Administrators can deploy Always On VPN client configuration settings in several ways. The simplest method is to use the native Microsoft Intune UI and the VPN device configuration profile template. Optionally, administrators can create an XML file that can be deployed with Intune using the Custom template. In addition, the XML file can be deployed using PowerShell, either interactively or with System Center Configuration Manager (SCCM). Administrators can also deploy the XML file using PowerShell via Active Directory group policy startup script or another software provisioning platform.

Custom XML

While using the native Intune VPN device configuration template to deploy and manage Always On VPN client configuration settings is easy and convenient, it lacks support for many crucial configuration settings. Deploying Always On VPN client settings using the Custom template is helpful to overcome these limitations as it enables additional configuration settings not exposed in the Intune VPN template.

VPNv2CSP

The VPNv2 Configuration Service Provider (CSP) is the interface used by Intune to deploy Always On VPN client configuration settings to the endpoint. The WMI-to-CSP bridge enables settings deployment using PowerShell. In either scenario, administrators must create an XML file that includes the settings used for the Always On VPN profile. A reference for all supported settings in the VPNv2 CSP can be found here.

New Settings

Microsoft recently introduced some new settings in the VPNv2 CSP. Beginning with Windows 11 22H2, administrators can disable the disconnect button and prevent access to the advanced settings menu for device and user tunnels in the Windows UI by adding the following entries in the XML configuration file.

<DisableDisconnectButton>true</DisableDisconnectButton>

<DisableAdvancedOptionsEditButton>true
</DisableAdvancedOptionsEditButton>

Additional Updates

Microsoft also added options to define encryption settings, disable IKEv2 fragmentation support, update IPv4 and IPv6 interface metrics, adjust IKEv2 network outage time, and disable the use of RAS credentials in XML for device and user tunnels. These new options eliminate the need to use Intune Proactive Remediation to adjust these VPN client configuration settings post-deployment.

Unfortunately, these settings are not supported in any current release of Windows 10 or 11 today. However, they are available in the latest Windows Insider build (development channel) if you want to test them. I’ve provided example settings below. These settings will be supported in a public release of Windows in the future.

<DataEncryption>Max</DataEncryption>
<DisableIKEv2Fragmentation>true</DisableIKEv2Fragmentation>
<IPv4InterfaceMetric>3</IPv4InterfaceMetric>
<IPv6InterfaceMetric>3</IPv6InterfaceMetric>
<NetworkOutageTime>0</NetworkOutageTime>
<UseRasCredentials>false</UseRasCredentials>

Note: At the time of this writing, the VPNv2 CSP indicates these settings apply to Windows 11 21H2 and later. That is incorrect. Microsoft is aware of the issue and will hopefully correct it soon.

Intune Support

At some point, Microsoft may add these features to the Intune VPN device configuration template. However, XML with the Custom template is the only way to enable these new settings today.

Additional Information

Always On VPN VPNv2 CSP Reference

Deploying Always On VPN with Intune using Custom ProfileXML

Always On VPN and Intune Proactive Remediation

Microsoft Intune Learning Resources for Always On VPN Administrators

Example Always On VPN User Tunnel ProfileXML

Example Always On VPN Device Tunnel ProfileXML

Always On VPN with Active Directory Group Policy

Windows Always On VPN is a workload explicitly designed to be implemented and managed using Microsoft Endpoint Manager/Intune. While this is the best way to deploy and manage Always On VPN client configuration settings, it is not the only way. Administrators can also use System Center Configuration Manager (SCCM) by deploying a PowerShell script and XML configuration file to configure Always On VPN. Of course, it’s always possible to run the PowerShell script on individual machines.

Group Policy

Until now, there have been few options for deploying and managing Windows Always On VPN using Active Directory and group policy. This presents a challenge for administrators who still rely on group policy to manage their endpoints. It is possible to deploy the PowerShell script and XML configuration file using a group policy startup script. However, there are many limitations to this approach. Administrators must learn to properly configure the XML file and manage any configuration updates post-implementation.

Always On VPN DPC

The folks at PowerON Platforms have developed the Always On VPN Dynamic Profile Configurator (DPC) to address these shortcomings. Always On VPN DPC allows administrators to deploy and manage Always On VPN client configuration settings using Active Directory and group policy. Their software comes with Active Directory group policy templates that include all the necessary settings and client software that manages the configuration on the endpoint.

Advanced Features

Always On VPN DPC includes advanced features not included in Microsoft Endpoint Manager/Intune or XML. Here’s a sample of helpful custom settings that can be configured using Always On VPN DPC.

  • VpnStrategy
  • Interface metrics
  • Route metrics
  • Dynamically updated Office 365 exclusion route list
  • IKE mobility settings
  • IPv6 routes
  • And more…

DPC and Intune

Microsoft recently announced support for importing custom ADMX files to Intune. This allows administrators to leverage Always On VPN DPC using Microsoft Endpoint Manager/Intune. More details here.

Videos

I’ve created a brief introduction video for PowerOn Platforms Always On VPN DPC on YouTube. Soon I’ll be releasing additional videos that cover the installation and configuration of Always On VPN DPC and some of its advanced features, so be sure to subscribe to my YouTube channel.

Learn More

Are you interested in learning more about PowerON Platforms Always On VPN DPC? Fill out the form below, and I’ll contact you with more information. In addition, you can visit aovpndpc.com to register for an evaluation license.

Special Thanks

I want to extend a special thank you to Leo D’Arcy and the entire team at PowerON Platforms for allowing me to preview this software before its wide release. Also, I’m honored that you have graciously accepted my input and feedback for this solution. I’m consistently amazed at how rapidly you’ve corrected issues and implemented new features at my behest. You are all amazing. Thanks again! 😁

Additional Information

AovpnDPC.com

Introducing PowerON Platforms Always On VPN DPC on YouTube.com

What’s New in Always On VPN DPC 3.0

Always On VPN DPC and Microsoft Endpoint Manager/Intune

Always On VPN Client Routes Missing

Choosing an Enterprise VPN

When configuring Always On VPN for Windows 10 and Windows 11 clients, administrators may encounter a scenario where an IPv4 route defined in Microsoft Endpoint Manager/Intune or custom XML is not reachable over an established Always On VPN connection. Further investigation indicates the route is added to the configuration on the endpoint but does not appear in the routing table when the connection is active.

Routing Configuration

When split tunneling is enabled, administrators must define routes to IP networks that are reachable over the Always On VPN connection. The method of defining these routes depends on the client configuration deployment method.

Endpoint Manager

Using Microsoft Endpoint Manager, administrators define IP routes in the Split Tunneling section of the configuration settings for the Always On VPN device configuration profile. Routes are defined by entering the destination prefix and prefix size. In this example, the 10.0.0.0/8 and 172.21.12.0/21 IPv4 networks are defined for routing over the Always On VPN tunnel.

Custom XML

Using custom XML deployed using Microsoft Endpoint Manager, System Center Configuration Manager (SCCM), or PowerShell, routes are defined in the XML file using the following syntax.

Client Configuration

Validate the routing configuration has been implemented on the endpoint successfully by running the following PowerShell command.

Get-VpnConnection -Name <Connection Name> | Select-Object -ExpandProperty Routes

As you can see here, the IPv4 routes 10.0.0.0/8 and 172.21.12.0/21 are included in the client’s Always On VPN configuration, as shown below.

Missing Route

However, after establishing an Always On VPN connection, the 172.21.12.0/21 network is not reachable. To continue troubleshooting, run the following PowerShell command to view the active routing table.

Get-NetRoute -AddressFamily IPv4

As you can see above, the only IPv4 route in the VPN configuration added to the routing table is the 10.0.0.0/8 network. The 172.21.12.0/21 IPv4 route is missing.

Network Prefix Definition

IPv4 routes missing from the Always On VPN client’s routing table result from incorrect network prefix definition. Specifically, the IPv4 route 172.21.12.0/21 used in the example here is not a valid network address. Rather, it is a host address in the 172.21.8.0/21 network, as shown below.

The Get-Subnet PowerShell cmdlet is part of the Subnet PowerShell module. To install this module, run the following PowerShell command.

Install-Module Subnet

Resolution

Using the example above, enabling access to the 172.21.12.0/21 subnet would require defining the IPv4 prefix in the routing configuration as 172.21.8.0/21. The moral of this story is always validate routing prefixes to ensure they are, in fact, network addresses and not host addresses.

Additional Information

Always On VPN Routing Configuration

Always On VPN Default Class-based Route and Microsoft Endpoint Manager/Intune