Always On VPN Short Name Access Failure

Using Microsoft Endpoint Manager (Intune), administrators can provision Always On VPN to devices that are Azure AD joined only. Users accessing on-premises resources from these devices can still use seamless single sign-on, making this deployment option popular for organizations moving to the cloud.

Short Names

After deploying Always On VPN to Windows 10 devices that are Azure AD joined only and configured to use client certificate authentication, administrators may find that users cannot access on-premises resources by their short name, such as \\app1. The connection fails and returns the following error message.

“Windows can’t find <servername/sharename>. Check the spelling and try again.”

FQDN

Interestingly, on-premises resources are accessible using their fully qualified domain name (FQDN), such as \\app1.corp.example.net.

Troubleshooting

Testing name resolution using the short name works as expected, and the resource is reachable at the network layer, as shown here.

Workaround

This issue is related to how Windows performs authentication when connected via VPN. To resolve this issue, edit the rasphone.pbk file and change the value of UseRasCredentials to 0. Rasphone.pbk can be found in the $env:AppData\Microsoft\Network\Connections\Pbk folder.

After updating this setting, restart the VPN connection for the change to take effect.

Proactive Remediations

While helpful for testing, editing rasphone.pbk manually obviously does not scale well. To address this, consider using Intune Proactive Remediations. Intune Proactive Remediations allows administrators to deploy detection and remediation PowerShell scripts to monitor specific settings and update them if or when they change. Proactive Remediations will ensure the setting is applied consistently across all managed endpoints.
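The following is an added example, not the article's code and not the script from the author's GitHub repository. It shows the two halves of an Intune Proactive Remediations package for the UseRasCredentials change in one file: a detection function that exits 0 when every phonebook entry already has `UseRasCredentials=0` and 1 otherwise (the exit codes Proactive Remediations uses to decide whether to run remediation), and a remediation function that rewrites only that line. It assumes rasphone.pbk lives at the path given above and that the script runs in the logged-on user's context, since the file sits in the user profile; the function names are the example's own.

```powershell
# Added example (not the article's or the linked repository's script).
# Assumes the user tunnel phonebook is at the profile path the article names.
$PbkPath = Join-Path $env:AppData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

function Get-PbkUseRasCredentials {
    param([string]$Path = $PbkPath)
    # rasphone.pbk is INI-style: [ConnectionName] sections with Key=Value lines.
    # Returns one object per connection entry that carries a UseRasCredentials line.
    if (-not (Test-Path -Path $Path)) { return @() }
    $entries = @()
    $current = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; continue }
        if ($current -and $line -match '^UseRasCredentials=(\d)$') {
            $entries += [pscustomobject]@{
                Connection        = $current
                UseRasCredentials = [int]$Matches[1]
            }
        }
    }
    return $entries
}

function Test-UseRasCredentials {
    # Detection script body: 0 = compliant, 1 = remediation required.
    $bad = Get-PbkUseRasCredentials | Where-Object { $_.UseRasCredentials -ne 0 }
    if ($bad) {
        Write-Output ('UseRasCredentials is not 0 on: ' + ($bad.Connection -join ', '))
        return 1
    }
    Write-Output 'UseRasCredentials is 0 on all phonebook entries.'
    return 0
}

function Set-UseRasCredentials {
    param([string]$Path = $PbkPath)
    # Remediation script body: change only the UseRasCredentials lines and leave
    # every other phonebook setting untouched. -Encoding Default keeps the file in
    # the system ANSI code page under Windows PowerShell, matching how RAS writes it.
    if (-not (Test-Path -Path $Path)) { return }
    $updated = (Get-Content -Path $Path) -replace '^UseRasCredentials=1$', 'UseRasCredentials=0'
    Set-Content -Path $Path -Value $updated -Encoding Default
}

# Detection script: end with the function's result as the exit code.
#   exit (Test-UseRasCredentials)
# Remediation script: apply the change, then exit 0.
#   Set-UseRasCredentials; exit 0
```

When packaging this, put `Test-UseRasCredentials` (plus its helper) in the detection script and `Set-UseRasCredentials` (plus its helper) in the remediation script, and set the Proactive Remediations option to run the scripts with the logged-on user's credentials; run as SYSTEM, `$env:AppData` resolves to the SYSTEM profile and the user's phonebook is never touched. The article's note still applies after remediation: the VPN connection must be restarted before the new value takes effect.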

GitHub Repository

I have created a new GitHub repository dedicated to PowerShell scripts for Endpoint Manager Proactive Remediations for Always On VPN. There you will find detection and remediation scripts for the UseRasCredentials settings change described in this article.

Additional Information

Always On VPN Endpoint Manager Proactive Remediation Scripts on GitHub

Endpoint Manager Proactive Remediations Tutorial

Always On VPN Bug in Windows 10 2004

While performing Always On VPN evaluation testing with the latest release of Windows 10 (2004), a bug was discovered that may result in failed VPN connections, but only under certain conditions. Specifically, the failure occurs when both the device tunnel and user tunnel are configured on the same client, and the user tunnel is configured to use IKEv2 exclusively.

Error 829

After upgrading to Windows 10 2004, and when the device tunnel and user tunnel are both deployed and the user tunnel is configured to use IKEv2, the administrator will notice that if the device tunnel connection is established, the user tunnel connects successfully but is then terminated abruptly with error code 829.


Note: This can happen in reverse if the user tunnel is established before the device tunnel for some reason. In this scenario the user tunnel would be connected but attempts to establish the device tunnel would result in failure.

Error 619

If the user tunnel connection is initiated using rasdial.exe or rasphone.exe, the error code returned is 619.


Workaround

The workaround for this issue is to either use a single tunnel, or if both user tunnel and device tunnel are required, configure the user tunnel to use the SSTP VPN protocol instead of IKEv2.

Additional Information

Windows 10 Always On VPN Device Tunnel Only Deployment Considerations

Always On VPN Load Balancing Deployment Guide for Kemp Load Balancers

I’m pleased to announce that Kemp has released their Load Balancing Deployment Guide for Windows 10 Always On VPN. Authored by yours truly, this guide provides detailed, prescriptive guidance for configuring the Kemp LoadMaster load balancer to provide important scalability and eliminate critical points of failure in Always On VPN deployments.

Configuration Guidance

Included in the guide are configuration steps for load balancing VPN servers using IKEv2 and SSTP using Kemp LoadMaster. Crucial details for IKEv2 load balancing as well as SSL offload for SSTP are covered in detail. In addition, the guide includes information about load balancing important supporting infrastructure services such as the Network Policy Server (NPS). Finally, guidance is included for enabling active/passive or active/active load balancing as well as geographic load balancing for multisite Always On VPN deployments.


Download

You can download the Windows 10 Always On VPN load balancing deployment guide for Kemp LoadMaster load balancers here.

Additional Information

Windows 10 Always On VPN Load Balancing Deployment Guide for Kemp LoadMaster Load Balancers

Windows 10 Always On VPN IKEv2 Load Balancing with the Kemp LoadMaster Load Balancer


DirectAccess and Windows 10 Professional

Does Windows 10 Professional Support DirectAccess?

This is a question I’ve received on more than one occasion. For some reason there seems to be a persistent rumor on the Internet that Windows 10 Professional is now a supported client for DirectAccess. I’m not sure where this rumor got started, but I’ll put it to rest right now – Windows 10 Professional is NOT a supported DirectAccess client! DirectAccess still requires Enterprise edition (with two exceptions) to take advantage of DirectAccess for secure remote access.

Supported DirectAccess Clients

The following is a complete list (as of this writing) of client operating systems that support DirectAccess.

  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 8.1 Enterprise
  • Windows 7 Enterprise
  • Windows 7 Ultimate


If you are running a version of Windows that is not Enterprise edition (with the exception of Windows 7 Ultimate and Windows 10 Education) DirectAccess will not work. Be careful, because you can still provision non-Enterprise SKUs such as Windows 10 Professional for DirectAccess. All of the DirectAccess settings will be applied without issue and everything will look perfectly normal, but DirectAccess won’t work. The telltale sign on Windows 8.x and Windows 10 clients is that you won’t be able to start the Network Connectivity Assistant (NCA) service (NcaSvc). When you attempt to do so you will receive the following error message:

Failed to start service 'Network Connectivity Assistant (NcaSvc)'


Identify OS Version

You can verify the operating system SKU by looking at the output of systeminfo.exe or by going to the control panel under System and Security and clicking System.
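As an added example (not from the article), the same check can be scripted: the function below reads the product name from Win32_OperatingSystem, compares it against the client editions listed above, and reports whether the Network Connectivity Assistant service (NcaSvc) is present and running. The function name and the Caption-based matching are this example's own choices; Get-CimInstance requires PowerShell 3.0 or later.

```powershell
# Added example, not the article's code. Checks whether this client is one of the
# editions the article lists as DirectAccess-capable and reports the NCA service state.

# Client editions the article lists as supported DirectAccess clients.
$SupportedEditions = @(
    'Windows 10 Enterprise',
    'Windows 10 Education',
    'Windows 8.1 Enterprise',
    'Windows 7 Enterprise',
    'Windows 7 Ultimate'
)

function Test-DirectAccessClientEdition {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Caption reads like "Microsoft Windows 10 Enterprise"; a wildcard match also
    # covers variants such as "Windows 10 Enterprise N" or LTSC.
    $matched = $SupportedEditions |
        Where-Object { $os.Caption -like "*$_*" } |
        Select-Object -First 1

    # NcaSvc is the service the article says will not start on unsupported SKUs.
    $nca = Get-Service -Name NcaSvc -ErrorAction SilentlyContinue
    $ncaStatus = 'NotInstalled'
    if ($nca) { $ncaStatus = $nca.Status.ToString() }

    [pscustomobject]@{
        Caption       = $os.Caption
        Supported     = [bool]$matched
        NcaSvcStatus  = $ncaStatus
    }
}

Test-DirectAccessClientEdition | Format-List
```

A result of `Supported : False` on a machine where the DirectAccess Group Policy settings applied cleanly is exactly the situation described above: provisioning succeeds, but NcaSvc will not start and DirectAccess will not connect.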


Upgrade from Windows 10 Professional to Enterprise

A new feature introduced in Windows 10 allows you to easily upgrade the product SKU without having to perform an in-place upgrade or reinstall the entire operating system from scratch. So, if you have Windows 10 Enterprise licenses and you want to upgrade a Windows 10 Professional device to Enterprise (for example, you want to enable your new Surface Pro 4 to use DirectAccess!), you can simply provide the Enterprise product license key in Windows 10 to upgrade. You can provide a new product key by navigating to Start | Settings | Update & Security | Activation | Change Product Key, or by running changepk.exe from the Run dialog box or the command line.


Enter your Windows 10 Enterprise product key and then click Start Upgrade.


After the system reboots it will have been upgraded to Enterprise edition and will now work as a DirectAccess client.

Summary

With Windows 10, it’s easy to upgrade from Professional to Enterprise edition by simply providing the Enterprise edition product key. This works great if you have just a few machines to upgrade, but if you are planning to upgrade many machines I would recommend creating a deployment package using the Windows Imaging and Configuration Designer (ICD), which is included with the Windows 10 Assessment and Deployment Kit (ADK) and can be downloaded here. Once you’ve upgraded your Windows 10 Professional devices to Windows 10 Enterprise you can begin provisioning them for DirectAccess!

