I recently published a post on setting up your own Windows 10 VPN lab with instructions to build a lab environment needed to start playing with the Windows 10 VPN – specifically using Intune to configure cool features like app-triggered VPN.
This post is an add-on, so I suggest you start at my first post, then come back.
In this VPN Scenario, Windows 10 clients are no longer going to authenticate using a certificate issued from your on-prem CA, but instead when a user goes to launch VPN, Windows will reach out to Azure AD, authenticate via modern auth and ask for a short-lived certificate. Azure AD will look at the authentication session and compare it against conditional access policy(s) that you set up. If it passes, the client gets a cert issued from Azure AD and will be good for an hour, if not.. no vpn for you.
On the Intune side we no longer need to deploy a user certificate because Azure AD will handle that. We just need to configure and deploy the VPN profile, so that Windows clients know which certificate to present to your Radius server when connecting. On the AAD side we'll need to configure a couple of things – VPN Connectivity (ie: download a trusted CA) and the Conditional Access policy itself.
Simple!
In this post we will:
- Configure AZURE AD as a trusted Certificate Authority for our clients
- Create a conditional Access policy in Azure AD, and specify that devices have to be enrolled and compliant in Intune before being issued a certificate they can use for VPN
- Configure the VPN profile in Intune in such a way that it leverages the Azure AD issued certificate instead of one that comes from your internal PKI
- Test connecting to the VPN with a compliant device and a non-compliant device
Step 1 - Configure AZURE AD VPN Connectivity
Log into the azure portal, go to Azure Active Directory then conditional access. Under VPN Connectivity, create a new certificate
Validity = One Year
Primary= Yes
Download Certificate, and save it somewhere handy on your Network Policy Server (NPS)
On the NPS Server, Use Certutil commands to import into RootCA and NtAuthCA stores:
Certutil -dspublish -f AADTrustedRootCert.cer RootCA
Certutil -dspublish -f AADTrustedRootCert.cer NTAuthCA
One additional step required on the NPS server is configuring it to ignore revocation checking. The reason for this is that the AAD issued certificate doesn't have any CRL information.
To do this, you will need to set the following registry keys and then reboot.
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRasManPPPEAP13
IgnoreNoRevocationCheck = 1
If you don't configure this, your Windows 10 client won't be allowed to connect with an error like this:
and you will receive an error in the radius server event log:
"The revocation function was unable to check revocation for the certificate."
Step 2 – Create an Azure AD Conditional Access Policy
In the Azure AD blade, Create a new Conditional Access Policy:
In my test policy, I want to make sure that all VPN connections from "VPN Users" group gets stopped at the front door. I want to make sure that the Windows 10 devices that connect are compliant against my Intune Compliance policies.
Name: VPN CA Policy
Users and Groups: VPN Users
Cloud Apps: "VPN Server"
Conditions: blank
Grant: Grant Access
Require Device to be marked as compliant
Session: blank
Note: You could also use other controls like Require MFA or Require Hybrid Azure AD in this scenario. (Require approved client app doesn't make sense in this scenario).
Don't forget to enable the policy when you are happy with it.
Now that you have a conditional access policy in place, you need a way for devices to be marked "Compliant" in Azure AD so that they can get access to VPN.
NOTE: A recent change in the Intune service means that all devices require a Compliance policy (even if its blank) to be eligible for a "Compliant" status.
So head to the Intune portal, go to Device Compliance, Policies, Create Policy and Create a new Compliance Policy without configuring any Settings in it.
Now Assign it to VPN Users group (or the "All Users" assignment).
Step 3 – Create a VPN Profile in Intune
Go to the Intune Portal and create a new VPN Profile for Windows 10. You can use exactly the same VPN Profile that we created in my last post…. with one key addition.
Conditional Access: Enable
When you are happy with the VPN Profile, assign it to the VPN Users group and test it out.
Step 4 – Test it
On an Intune enrolled Windows 10 device, trigger a Sync and wait for the new VPN profile to be installed. Then attempt to connect the VPN.
After you have successfully connected, Open Certmgr.msc – You should see a newly provisioned certificate in there issued by "Microsoft VPN root CA gen 1". Its expiry date will be 60minutes from when it was first requested.
Now to test access on a non-compliant device….
Back in the Intune Console, edit your existing, deployed conditional access policy so that devices require encryption to be compliant
Return to the test Win 10 device and download the company portal app. Select the Win10 device you are using and "Check Compliance" and note that the device is not compliant because it isn't encrypted.
Now test to see if you can connect to the VPN.
If the device is not-compliant You will be blocked with an OOPS message:
More details….
TIP: If you were allowed to connect, chances are you still have a valid certificate from the last test, you might need to wait for it to expire or delete it to speed things along.
To resolve, enable bitlocker the device and then run the compliance check again.
TIP: If using a hyper-V VM, you might need to shut the vm down and enable the Virtual TPM first before it will let you enable Bitlocker.
After enabling Bitlocker you should be able to obtain a user certificate from AAD and access the VPN again.
Summary:
This post was to demonstrate Azure AD Conditional Access and Intune working together to enable a nice remote access solution for your Windows 10 devices. I recommend trying out some of the other variations on this scenario – for example, if the User is dialling VPN from an untrusted region, require MFA and a compliant device. Or get fancy with the compliance policies and require more validation from the Windows 10 Device Health Attestation service to be marked compliant.
Don't forget that in a Modern Managed Windows 10 environment, a VPN isn't always needed – we can leverage cloud services like OneDrive/Sharepoint Online for storing docs, Azure App Proxy for publishing internal web applications.