The Workplace Ninja Summit takes place from 12-14 September 2022 in Lucerne, Switzerland. The conference focuses on endpoint management and security with platforms such as System Center Configuration Manager (SCCM) and Microsoft Endpoint Manager/Intune.
Conference Sessions
If you are participating in the conference, be sure to attend one of my sessions! I’m delivering the following three talks during the event.
This session will explore the options for deploying enterprise PKI certificates using Intune. I’ll be sharing lots of security and implementation best practices.
This talk will dive into the options for deploying Always On VPN using Intune. I’ll be covering many tips, tricks, and best practices and shining a light on many limitations and shortcomings of using Intune for Always On VPN.
Join Me!
Unfortunately, the conference is sold out, so if you haven’t made arrangements to attend you’ll have to wait until next year. If you are attending, please be sure to say hello!
I am excited to announce that I will be presenting at this year’s Midwest Management Summit at the Mall of America (MMSMOA) in Bloomington, Minnesota. The conference takes place the week of May 2. This is my first time presenting at this event, and I’m looking forward to sharing my experience deploying enterprise mobility and security infrastructure solutions with systems management professionals from around the world.
Sessions
I will be delivering three talks at the conference addressing various secure remote access and certificate services topics.
Managing Always On VPN with Intune
This session will provide administrators with everything they need to know about provisioning and managing Always On VPN client configuration settings using Intune. I’ll be providing tips, tricks, and best practices for Always On VPN profile configuration and demonstrating many of the limitations associated with using Intune. I will provide workarounds whenever possible.
Deploying Always On VPN in Azure is increasingly common. However, administrators are unaware of the limitations of supporting Always On VPN connections with native Azure VPN gateway solutions. In this session, I’ll describe in detail what’s required to support Always On VPN and, importantly, what the limitations are.
Deploying On-premises PKI Certificates with Intune
As organizations continue to migrate applications, services, and infrastructure to the cloud, the requirement for endpoints to be joined to an on-premises domain is fading. Moving to full Intune management and native Azure Active Directory join for endpoints is increasingly common. However, deploying enterprise PKI certificates o these endpoints is often required. This session will provide detailed guidance for choosing the best solution to deliver on-premises certificates to Azure AD joined devices using Intune.
I’m looking forward to meeting so many folks who have helped me get up to speed with Microsoft Endpoint Manager/Intune over the years. If you’re attending the conference, or if you are in the area, be sure to reach out. Let’s grab a beer and chat!
Many administrators are now beginning to test Always On VPN functionality on the latest Microsoft Windows client operating system, Windows 11. Initially, Microsoft had some issues with provisioning and managing Always On VPN profiles on Windows 11 using Microsoft Endpoint Manager/Intune, but those have been resolved. However, some lingering problems may delay enterprise deployments of Always On VPN on Windows 11 for some organizations, specifically those using PowerShell with Active Directory group policy startup scripts or System Center Configuration Manager (SCCM).
Important Note: The issues outlined in this article have been resolved! The fix for the WMI enumeration bug is addressed in the following updates:
Microsoft has published guidance for deploying Always On VPN profiles using PowerShell with their MakeProfile.ps1 script. This script extracts configuration details from a template VPN profile to create another PowerShell script called VPN_Profile.ps1, which is used to create the Always On VPN profile. SCCM administrators commonly use VPN_Proifle.ps1 to deploy Always On VPN profiles. However, running this script on Windows 11 fails and returns the following error message.
“Unable to create [VPN profile name] profile: A general error occurred that is not covered by a more specific code.”
This issue appears to be related to a problem with the WMI-to-CSP bridge, specifically enumerating the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap namespace. Here you can see the template VPN profile with PowerShell and Get-VpnConnection.
However, attempts to view the MDM_VPNv2_01 class of this VPN profile using PowerShell and Get-CimInstance fail.
New-AovpnConnection.ps1
Interestingly, administrators may find that my Always On VPN PowerShell deployment script works more reliably on Windows 11, although not always. In my experience, I’ve found that it sometimes fails once (profile is loaded, but the configuration is incomplete), then works after deleting the profile and creating it again. If the Microsoft-provided script isn’t working, give mine a try and see if it works better for you.
Note: When deploying Always On VPN profiles using my PowerShell deployment script via Active Directory startup scripts, it seems to fail consistently for some reason. Go figure. 😉
Remove-AovpnConnection.ps1
The issues described previously with Windows 11 are also negatively affecting some of my other PowerShell scripts. For example, running Remove-Aovpnconnection.ps1 on Windows 11 fails and returns the following error message.
“A general error occurred that is not covered by a more specific error code.”
Current Status
Microsoft is currently aware of this issue. However, I am aware of no timeframe for resolution at the time of this writing. Hopefully, Microsoft addresses this soon so organizations can move forward with their Windows 11 migration projects.
