All posts tagged template

Always On VPN CSP Updates

Always On VPN DNS Registration Update Available

Administrators can deploy Always On VPN client configuration settings in several ways. The simplest method is to use the native Microsoft Intune UI and the VPN device configuration profile template. Optionally, administrators can create an XML file that can be deployed with Intune using the Custom template. In addition, the XML file can be deployed using PowerShell, either interactively or with System Center Configuration Manager (SCCM). Administrators can also deploy the XML file using PowerShell via Active Directory group policy startup script or another software provisioning platform.

Custom XML

While using the native Intune VPN device configuration template to deploy and manage Always On VPN client configuration settings is easy and convenient, it lacks support for many crucial configuration settings. Deploying Always On VPN client settings using the Custom template is helpful to overcome these limitations as it enables additional configuration settings not exposed in the Intune VPN template.

VPNv2CSP

The VPNv2 Configuration Service Provider (CSP) is the interface used by Intune to deploy Always On VPN client configuration settings to the endpoint. The WMI-to-CSP bridge enables settings deployment using PowerShell. In either scenario, administrators must create an XML file that includes the settings used for the Always On VPN profile. A reference for all supported settings in the VPNv2 CSP can be found here.

New Settings

Microsoft recently introduced some new settings in the VPNv2 CSP. Beginning with Windows 11 22H2, administrators can disable the disconnect button and prevent access to the advanced settings menu for device and user tunnels in the Windows UI by adding the following entries in the XML configuration file.

<DisableDisconnectButton>true</DisableDisconnectButton>

<DisableAdvancedOptionsEditButton>true
</DisableAdvancedOptionsEditButton>

Additional Updates

Microsoft also added options to define encryption settings, disable IKEv2 fragmentation support, update IPv4 and IPv6 interface metrics, adjust IKEv2 network outage time, and disable the use of RAS credentials in XML for device and user tunnels. These new options eliminate the need to use Intune Proactive Remediation to adjust these VPN client configuration settings post-deployment.

Unfortunately, these settings are not supported in any current release of Windows 10 or 11 today. However, they are available in the latest Windows Insider build (development channel) if you want to test them. I’ve provided example settings below. These settings will be supported in a public release of Windows in the future.

<DataEncryption>Max</DataEncryption>
<DisableIKEv2Fragmentation>true</DisableIKEv2Fragmentation>
<IPv4InterfaceMetric>3</IPv4InterfaceMetric>
<IPv6InterfaceMetric>3</IPv6InterfaceMetric>
<NetworkOutageTime>0</NetworkOutageTime>
<UseRasCredentials>false</UseRasCredentials>

Note: At the time of this writing, the VPNv2 CSP indicates these settings apply to Windows 11 21H2 and later. That is incorrect. Microsoft is aware of the issue and will hopefully correct it soon.

Intune Support

At some point, Microsoft may add these features to the Intune VPN device configuration template. However, XML with the Custom template is the only way to enable these new settings today.

Additional Information

Always On VPN VPNv2 CSP Reference

Deploying Always On VPN with Intune using Custom ProfileXML

Always On VPN and Intune Proactive Remediation

Microsoft Intune Learning Resources for Always On VPN Administrators

Example Always On VPN User Tunnel ProfileXML

Example Always On VPN Device Tunnel ProfileXML

4 Comments
by Richard M. Hicks on March 6, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, Device Management, device tunnel, Endpoint Manager, Enterprise, enterprise mobility, Group Policy, IKEv2, Infrastructure, InTune, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, OMA-DM, Operational Support, PowerShell, ProfileXML, Remote Access, SCCM, Security, System Center Configuration Manager, systems management, Update, VPN, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 6, 2023

https://directaccess.richardhicks.com/2023/03/06/always-on-vpn-csp-updates/

Certificate-Based Authentication Changes and Always On VPN

Microsoft introduced important changes affecting certificate-based authentication on Windows domain controllers as part of the May 10, 2022 update KB5014754 that may affect Always On VPN deployments. The update addresses privilege escalation vulnerabilities when a domain controller is processing a certificate-based authentication request. The recommendation from Microsoft is that the update be applied to all Windows domain controllers and Active Directory Certificate Services (AD CS) servers as soon as possible.

Updated 5/20/2022: An out-of-band update to address authentication issues reported with this update is now available. Updates are available for Windows Server 2022, Windows Server 20H2, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

Certificate Services

After applying the update to certification authority (CA) servers, a non-critical extension with Object Identifier (OID) 1.3.6.1.4.1.311.25.2 is added to all issued certificates with the user or device security identifier (SID) included. Domain controllers with the update installed will use this information to validate the certificate used for authentication and ensure that it matches the information in Active Directory.

Domain Controllers

The update operates in Compatibility Mode, by default, when applied to domain controllers. Windows monitors authentication requests and records audit events for certificates presented for authentication under the following conditions.

No strong mapping (event ID 39) – The certificate has not been mapped explicitly to a domain account, and the certificate did not include the new SID extension.

Certificate predates account (event ID 40) – A certificate was issued before the user existed in Active Directory, and no explicit mapping could be found.

User’s SID does not match certificate (event ID 41) – A certificate contains the new SID extension, but it does not match the SID of the corresponding user account.

Certificate Mapping

Administrators can map certificates explicitly to accounts in Active Directory, but this results in a significant administrative burden in most environments. A better option is to reissue user and device authentication certificates after applying the KB5014754 update to all issuing CA servers.

Reenroll Certificates

Administrators should reissue user and device authentication certificates after applying the KB5014754 update. Open the Certificate Templates management console (certtmpl.msc), identify the user or device authentication certificate template, then right-click on the template and choose Reenroll All Certificate Holders.

Enforcement Mode

After applying update KB5014754, administrators should monitor domain controller event logs for event IDs 39, 40, and 41. Once all certificates have been updated, and none of these events have been recorded for 30 days, administrators can switch to Full Enforcement Mode by enabling it in the registry on all domain controllers.

Key: HKLM\SYSTEM\CurrentControlSet\Services\KDC
Value: StrongCertificateBindingEnforcement
Type: DWORD
Data: 2

Updated 12/8/2022: Microsoft has pushed back the original enforcement date of May 9, 2023, to November 14, 2023 “or later”. Stay tuned!

Known Issues

There have been some reports of authentication issues after installing the KB5014754 update. Early indications are that device authentication certificates missing a Subject Alternative Name (SAN) entry are to blame. Administrators are encouraged to update their device certificates to include the SAN entry. Optionally, but not recommended, administrators can place the update in disabled mode by editing the registry.

Note: An out-of-band update for these authentication issues is now available. See the reference links at the top of this article for more information.

Caveat

It’s important to understand that this new OID is added only to online templates. Online templates are those that build the subject information from Active Directory. Unfortunately, this new OID is NOT applied to offline templates (templates where the subject name is supplied in the request), such as those used for delivering certificates with Microsoft Endpoint Manager/Intune using PKCS or SCEP. It is impossible to move to enforcement mode when issuing user or device authentication certificates with Microsoft Endpoint Manager or Intune today. Microsoft is aware of this limitation and is working to address this issue as we speak. I expect a fix to be available sometime before the May 2023 deadline when Microsoft permanently switches on enforcement mode.

Additional Information

KB5014754 – Certificate-based authentication changes on Windows domain controllers

Microsoft Windows Always On VPN Users Prompted for Certificate

Microsoft Windows Always On VPN Clients Prompted for Authentication when Accessing Internal Resources

21 Comments
by Richard M. Hicks on May 16, 2022  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, certificates, device tunnel, EAP, Enterprise, enterprise mobility, extensible authentication protocol, Hotfix, Mobility, network policy server, Operational Support, PKI, public key infrastructure, Remote Access, routing and remote access service, RRAS, Security, TLS, troubleshooting, Update, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 16, 2022

https://directaccess.richardhicks.com/2022/05/16/certificate-based-authentication-changes-and-always-on-vpn/

%d bloggers like this: