Always On VPN Device Tunnel Configuration using Intune

Always On VPN Device Tunnel Configuration using IntuneA while back I described in detail how to configure a Windows 10 Always On VPN device tunnel connection using PowerShell. While using PowerShell is fine for local testing, it obviously doesn’t scale well. In theory you could deploy the PowerShell script and XML file using System Center Configuration Manager (SCCM), but using Microsoft Intune is the recommended and preferred deployment method. However, as of this writing Intune does not support device tunnel configuration natively. The administrator must create a ProfileXML manually and use Intune to deploy it.

Device Tunnel Prerequisites

I outlined the Always On VPN device tunnel prerequisites in my previous post here. To summarize, the client must be running Windows 10 Enterprise edition and be domain-joined. It must also have a certificate issued by the internal PKI with the Client Authentication EKU in the local computer certificate store.

ProfileXML

To begin, create a ProfileXML for the device tunnel that includes the required configuration settings and parameters for your deployment. You can find a sample Windows 10 Always On VPN device tunnel ProfileXML here.

Note: Be sure to define a custom IPsec policy in ProfileXML for the device tunnel. The default security settings for the IKEv2 protocol (required for the device tunnel) are quite poor. Details here.

Intune Deployment

Open the Intune management console and follow the steps below to deploy an Always On VPN device tunnel using Microsoft Intune.

Create Profile

1. Navigate to the Intune portal.
2. Click Device configuration.
3. Click Profiles.
4. Click Create profile.

Define Profile Settings

1. Enter a name for the VPN connection in the Name field.
2. Enter a description for the VPN connection in the Description field (optional).
3. Select Windows 10 and later from the Platform drop-down list.
4. Select Custom from the Profile type drop-down list.

Always On VPN Device Tunnel Configuration using Intune

Define Custom OMA-URI Settings

1. On the Custom OMA-URI Settings blade click Add.
2. Enter a name for the device tunnel in the Name field.
3. Enter a description for the VPN connection in the Description field (optional).
4. Enter the URI for the device tunnel in the OMA-URI field using the following syntax. If the profile name includes spaces they must be escaped, as shown here.

./Device/Vendor/MSFT/VPNv2/Example%20Profile%Name/ProfileXML

5. Select String (XML file) from the Data Type drop-down list.
6. Click the folder next to the Select a file field and chose the ProfileXML file created previously.
7. Click Ok twice and then click Create.

Always On VPN Device Tunnel Configuration using Intune

Assign Profile

Follow the steps below to assign the Always On VPN device tunnel profile to the appropriate device group.

1. Click Assignments.
2. Click Select groups to include.
3. Select the group that includes the Windows 10 client devices.
4. Click Select.
5. Click Save.

Always On VPN Device Tunnel Configuration using Intune

Demonstration Video

A video demonstration of the steps outlined above can be viewed here.

Additional Information

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Windows 10 Always On VPN IKEv2 Security Configuration

Deleting a Windows 10 Always On VPN Device Tunnel

Windows 10 Always On VPN Device Tunnel Missing in the UI

Video: Deploying Windows 10 Always On VPN User Tunnel with Microsoft Intune

Always On VPN Device Tunnel Does Not Connect Automatically

When configuring a Windows 10 Always On VPN device tunnel, the administrator may encounter a scenario in which the device tunnel does not connect automatically. This can occur even when ProfileXML is configured with the AlwaysOn element set to “true”.

Always On VPN Device Tunnel Does Not Connect Automatically

Manual Connection

An administrator can establish a device tunnel connection manually using rasdial.exe however, indicating no issues with connectivity or authentication that would prevent a successful automatic connection.

Always On VPN Device Tunnel Does Not Connect Automatically

Root Cause

This scenario will occur when the device tunnel configuration is applied to a Windows 10 Professional edition client.

Always On VPN Device Tunnel Does Not Connect Automatically

Device Tunnel Support

The Windows 10 Always On VPN device tunnel is supported only on Windows 10 1709 or later Enterprise edition clients that are domain-joined. To ensure the device tunnel connects automatically, upgrade to Windows 10 Enterprise 1709 or later and join it to a domain.

Always On VPN Device Tunnel Does Not Connect Automatically

Source: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#device-tunnel-requirements-and-features

Additional Information

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Windows 10 Always On VPN Device Tunnel Missing in the Windows UI

Deleting a Windows 10 Always On VPN Device Tunnel

DirectAccess Broken in Windows 10 Insider Preview Build 14971

DirectAccess Broken in Windows 10 Enterprise Insider Preview Build 14971Updated 12/9/2016: This issue has been resolved in build 14986. If you are still running build 14971, update to the latest build to resolve this issue.

For anyone running the Insider Preview version of Windows 10 Enterprise, be advised that the latest Fast Ring build (14971) has a bug that breaks DirectAccess connectivity. Microsoft is aware of the issue and is currently working to identify the root cause. As it stands now, there is no known workaround.

I’ll post an update as soon as I have more information. Stay tuned!

DirectAccess and Windows 10 Professional

Does Windows 10 Professional Support DirectAccess?

This is a question I’ve received on more than one occasion. For some reason there seems to be a persistent rumor on the Internet that Windows 10 Professional is now a supported client for DirectAccess. I’m not sure where this rumor got started, but I’ll put it to rest right now – Windows 10 Professional is NOT a supported DirectAccess client! DirectAccess still requires Enterprise edition (with two exceptions) to take advantage of DirectAccess for secure remote access.

Supported DirectAccess Clients

The following is a complete list (as of this writing) of client operating systems that support DirectAccess.

  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 8.1 Enterprise
  • Windows 7 Enterprise
  • Windows 7 Ultimate

DirectAccess and Windows 10 Professional

If you are running a version of Windows that is not Enterprise edition (with the exception of Windows 7 Ultimate and Windows 10 Education) DirectAccess will not work. Be careful, because you can still provision non-Enterprise SKUs such as Windows 10 Professional for DirectAccess. All of the DirectAccess settings will be applied without issue and everything will look perfectly normal, but DirectAccess won’t work. The telltale sign on Windows 8.x and Windows 10 clients is that you won’t be able to start the Network Connectivity Assistant (NCA) service (NcaSvc). When you attempt to do so you will receive the following error message:

Failed to start service 'Network Connectivity Assistant (NcaSvc)'

DirectAccess and Windows 10 Professional

Identify OS Version

You can verify the operating system SKU by looking at the output of systeminfo.exe or by going to the control panel under System and Security and clicking System.

DirectAccess and Windows 10 Professional

DirectAccess and Windows 10 Professional

Upgrade from Windows 10 Professional to Enterprise

A new feature introduced in Windows 10 allows you to easily upgrade the product SKU without having to perform an in place upgrade or reinstall the entire operating system from scratch. So, if you have Windows 10 Enterprise licenses and you want to upgrade a Windows 10 Professional device to Enterprise (for example you want to enable your new Surface Pro 4 to use DirectAccess!) you can simply provide the enterprise product license key in Windows 10 to upgrade. You can provide a new product key by navigating to Start | Settings | Update & Security | Activation | Change Product Key, or run changepk.exe from the Run dialog box or the command line.

DirectAccess and Windows 10 Professional

Enter your Windows 10 Enterprise product key and then click Start Upgrade.

DirectAccess and Windows 10 Professional

After the system reboots it will have been upgraded to Enterprise edition and now work as a DirectAccess client.

DirectAccess and Windows 10 Professional

DirectAccess and Windows 10 Professional
Summary

With Windows 10, it’s easy to upgrade from Professional to Enterprise edition by simply providing the Enterprise edition product key. This works great if you have just a few machines to upgrade, but if you are planning to upgrade many machines I would recommend creating a deployment package using the Windows Imaging and Configuration Designer (ICD), which is included with the Windows 10 Assessment and Deployment Kit (ADK) and can be downloaded here. Once you’ve upgraded your Windows 10 Professional devices to Windows 10 Enterprise you can begin provisioning them for DirectAccess!

DirectAccess consulting services now available! Click here for more details!

DirectAccess and Surface Pro for the Enterprise

DirectAccess, Windows 10, and Surface ProToday Microsoft announced a new partnership with Dell to deliver the Surface Pro and Windows 10 to enterprise customers around the world. This new initiative addressees the specific needs of large enterprises, whose increasingly mobile workforce places unique demands on IT to provide high levels of security and consistent platform management. This partnership will ensure that Dell’s enterprise customers have access to the Microsoft Surface Pro along with Dell’s enterprise-class service and support offerings.

Of course DirectAccess on Windows Server 2012 R2 complements this initiative quite nicely. Using DirectAccess with it’s always on functionality ensures that remote Windows devices like the Surface Pro are always managed and consistently updated, providing IT administrators greater control and visibility for their field-based assets than traditional VPN is capable of providing. In addition, DirectAccess connectivity is bi-directional, allowing administrators to “manage out” to their connected DirectAccess devices. This opens up compelling use cases such as initiating remote desktop sessions for the purposes of troubleshooting or conducting vulnerability scans to determine the client’s security posture.

In addition, Windows 10 now supports the full enterprise feature set of DirectAccess on Windows Server 2012 R2, including geographic redundancy and transparent site failover, along with significant performance improvements over Windows 7 for perimeter/DMZ deployments. DirectAccess with Windows 10 is also easier to manage and support.

For more information about the Microsoft/Dell partnership, watch Microsoft CEO Satya Nadella’s message here. For assistance with the planning, design, and implementation of a DirectAccess solution, click here.

%d bloggers like this: