Windows 10 AlwaysOn Conditional Access Connection Fix – Part 2


Over the last couple of months I worked together with Microsoft on protecting the Windows 10 AlwaysOn VPN connection with AzureAD Conditional Access. As I explained in this blogpost, I found a strange issue where a user was able to connect without being compliant with the Conditional Access request. After publishing that blogpost Microsoft came back to me that even that configuration is not the ‘total’ solution. The reason is that the VPN backend (RAS or NPS) should enforce the use of the AzureAD Conditional Access certificate. In this blogpost I will explain the steps needed to get this configured.

Join me at the Tech Summit AMSTERDAM Next Week!


Next week I will be speaking at the Microsoft Tech Summit, which takes place in the Amsterdam RAI. On Wednesday the 28th I will be speaking about ‘Protect your Windows 10 VPN solution with AzureAD Conditional Access’. Besides my own session I will also take part in the Microsoft 365 Keynote, where we will share our KPN Microsoft 365 Migration experiences. At the end of the day I will also be present at the ‘Ask-the-Experts’ session. On Thursday I will also be at the Tech Summit, but just as an attendee. I hope to see you at my session in The Hub Theater.

Session Abstract:
In this demo-rich session I will discuss the Windows 10 AlwaysOn VPN solution. Besides the solution itself I will also show how we can publish the VPN through Microsoft Intune to our Windows 10 workstations and how we can protect the AlwaysOn VPN with AzureAD Conditional Access. Come to this session if you want to learn more about the AlwaysOn VPN and how to protect it with AzureAD Conditional Access.

Windows 10 AlwaysOn Conditional Access Connection Fix


Last year I wrote a couple of blogposts about the Windows 10 AlwaysOn VPN solution with AzureAD Conditional Access. You can find the blogposts here:

After testing this solution more and more I had a strange issue where the user was able to set up an AlwaysOn VPN connection even when the Conditional Access conditions were not met. So if my Conditional Access policy required a compliant device, I was able to connect with a non-compliant device. I could do this by clicking on the X (Close) icon when I was in the Conditional Access flow. Together with Microsoft I have investigated this and a solution has been found.

Intune Device Compliance Notifications


This week's short blogpost is all about the new Device Compliance Notification functionality in Microsoft Intune. With this new option you can send notifications to your users when the device of the user becomes non-compliant. This is a great new way of informing users about the compliance state of their device. When using Device Compliance in AzureAD Conditional Access it is very important to inform your users about the compliance state of the device. Users can already view the compliance state in the Intune Company Portal; this is just a new additional functionality.

Windows 10 AlwaysOn VPN with Conditional Access – Part 3


This is the last part of the blogpost series about Windows 10 AlwaysOn VPN with AzureAD Conditional Access. In the first part I described what infrastructure is needed to get up and running with the Windows 10 AlwaysOn VPN. The second part was about the configuration needed to add AzureAD Conditional Access to the setup. In the second post I also showed how MFA can be enforced on AlwaysOn VPN connections with AzureAD Conditional Access. In this last part I want to show you that AzureAD can also enforce a compliant device, and I want to describe the scenario of blocking access to the AlwaysOn VPN.

Windows 10 AlwaysOn VPN with Conditional Access – Part 2


This is the second part of the series about the Windows 10 AlwaysOn VPN solution. In the first part, which you can find here, I described how to set up the infrastructure for the AlwaysOn VPN solution. The infrastructure described in that blogpost is a prerequisite for this one. This blogpost will focus on the configuration needed to add AzureAD Conditional Access to the solution. With AzureAD Conditional Access we add a great set of capabilities to control who can connect to the VPN solution and which conditions the user must meet before the connection can be made. In this blogpost I configure the first scenario: enforcing a Multi-Factor Authentication request before the VPN connection can be activated.

Windows 10 AlwaysOn VPN with Conditional Access – Part 1


In this series of blogposts I want to show you how you can use AzureAD Conditional Access to protect your Windows 10 / Server 2016 AlwaysOn VPN solution (deployed with Intune). This first part of the series describes the initial requirements and the setup of the infrastructure needed for the AlwaysOn VPN solution. The second part will focus on the configuration needed to add AzureAD Conditional Access for VPN connections to the flow, and the last part of the series will focus on testing the Conditional Access features against AlwaysOn VPN connections. But let's start with the description of the needed components and the initial configuration of those components.

Allow or Block Windows 10 versions accessing corporate data


With this blogpost I want to focus on controlling which Windows 10 versions can access corporate data and which versions will be blocked from accessing corporate data. To achieve this I am using AzureAD Conditional Access together with Compliance Policies configured in Microsoft Intune. In this blogpost I want to focus on the scenario of only allowing Windows 10 versions which are still receiving updates and are supported by Microsoft. The second scenario is about allowing your users to run Insider Builds for testing purposes, but blocking them from connecting to corporate services and data.

AzureAD Conditional Access and RDS Session Hosts


The last couple of weeks I was thinking about whether an RDS environment could be used together with Device Based Conditional Access (CA) provided by AzureAD and Microsoft Intune. With AzureAD CA you can configure access based on the user, the device of the user, the application and the risk of the request. This blogpost only covers Device Based Conditional Access. When Conditional Access for devices is configured, the devices either need to be domain joined (AD and AzureAD) or compliant with the configured compliance policies. These policies need to be configured within Microsoft Intune or System Center Configuration Manager. This blogpost will focus specifically on the use of RDS 2016 Session Hosts together with Conditional Access.