Last year I wrote a couple of blogposts about the Windows 10 AlwaysOn VPN solution with AzureAD Conditional Access. You can find the blogposts here:
- Windows 10 AlwaysOn VPN with Conditional Access – Part 1
- Windows 10 AlwaysOn VPN with Conditional Access – Part 2
- Windows 10 AlwaysOn VPN with Conditional Access – Part 3
After testing this solution more and more I had a strange issue where the user was able to set-up a AlwaysOn VPN connection even when the conditional access conditions were not met. So if my conditional access policy was requiring a compliant device I was able to connect with a non compliant device. I could do this by clicking on the X (Close) icon when I was in the Conditional Access flow. Together with Microsoft I’ve investigated this and a solution has been found.
First let’s explain a bit more about how I was able to connect to my VPN despite if the conditional access conditions were met. I configured my Conditional Access policy to have a compliant device based on a Intune Compliance Policy. When connecting the VPN the following screen appeared:
When clicking on the X (Close) icon the VPN connection was successful and this bypasses the Conditional Access flow. After some investigation together with Microsoft we found that I needed to add and TLSExtension to my VPN profile XML and this will enforce the VPN profile to use the Conditional Access VPN certificate instead of my user certificate deployed by SCEP or the PFX connector. The following lines should be added to your TLS configuration in the AlwaysOn profileXML:
AAD Conditional Access 220.127.116.11.4.1.311.87 AAD Conditional Access
When the above XML is added to the profileXML the AlwaysOn VPN is working as expected. When the device is non-compliant to the Conditional Access policy you will receive the following screens/messages:
and after clicking on the X (close) icon:
As you can see with adding the additional TLSExtension to the ProfileXML we can close the Conditional Access loop without the possibility to connect when the does not have received a valid certificate from the AzureAD Conditional Access service.
Currently this additional information is not added to the documentation yet. If you want to receive more information about the configuration please send me an message through the contact form.