Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell


Let me know what happens! I had difficulty deleting the device tunnel as well. I found that rebooting the PC then quickly disconnecting the connection, then delete the connection, finally removed it. Even after disconnecting the network cable, disconnection via the rasdial command is not possible, as well as deletion. Thank you for your help. As stated in my previous posts, even with a card offline, deleting the network card is impossible. I have not done any testing with lockdown mode.

However, I have no experience with the lockdown configuration. You should be able to delete the connection, of course. I read that this directive only works with a wireless connection, see link https: It should work with any physical adapter on the device, both wired and wireless.

If detected, the VPN will not initialize. Hello, I tested the directive mondomauine. In the documentation it is stated that the tunnel is always mounted whatever the situation.

That is, the device tunnel is not compatible with the suffix-based trigger. TrustedNetworkDetection works for both the user and device tunnels. However, the VPN connection is automatically mounted. It should match exactly. In the eventviewer of the client I can see he is contacting the ISP dns servers and not the internal ones.

How can I get this to work? It is not uncommon to see the client try to register with external DNS servers. However, it will register with internal DNS servers too. Have a close look at the event logs both on the client and server.

Perhaps they will yield some clue as to why it is failing. I had the issue that the RAS service was crashing every reboot. So I updated to Windows 10 and the RAS service was not crashing anymore. The checkbox register DNS under IPv4 DNS settings is checked now with Windows 10; it was not checked. So if you use device tunnel — I recommend version …. Hopefully an easy resolution. I have joined 2 x Windows 10 VMs, both Pro and Ent, to the domain, got a computer certificate on them, created the XML and PS1 files, ran the PS1 file specifying the XML on the command line (run as SYSTEM using psexec -i -s), and the device tunnel shows up connected, great result.

I then log out and attempt to log in as any other domain user, and it says the domain is not available, yet as soon as I log in with cached credentials, it comes up connected again.

The Device Tunnel does not appear in the UI, so that is normal. However, it should provide pre-logon connectivity to allow users without cached credentials to authenticate. There were some known issues in v, but those were resolved in Curious…do you see the device tunnel going down when you log off?

If it is established, it should stay up regardless who is logged on, if anyone. I find that there are not many logs for VPN connections. How does troubleshooting work if there are not many logs? If I use the -AllUserConnection parameter it complains about not being able to find it in the phone book. It does for me. I have to assume that somewhere else they specify the device and not the user URI.

It all worked apart from the AllUserConnection setting. In my experience it has been entirely stable. I would like to see if it is possible to have in addition to the tunnel device, the user tunnel on the same laptop. Can you send me the. Another question, is it mandatory to have the NAP server when mounting a user tunnel based on machine certificates for IKE? I thank you in advance. They are essentially the same as the Microsoft scripts, just modified slightly.

I just sent my email address to your personal inbox. If I understand correctly, contrary to Windows , the device tunnel can also be installed on the Windows 10 Pro version?

The device tunnel is supported only on Windows 10 Enterprise edition clients that are joined to a domain. If connected manually, both work perfectly.

Provisioning for both is through Intune MDM, using a custom profile for the device tunnel and a predefined template for the user tunnel, with our EAP section.

All of this works perfectly — once the client attempts to connect. Initially, when testing just the device tunnel with trusted network detection turned on, it connected more reliably, and seemed to be happier to initiate its auto connection.

With the user tunnel though, the device tunnel would disconnect as soon as it connected, presumably due to the trusted network detection. However, there have been some issues reported when TrustedNetworkDetection is configured on the user tunnel. Is that configured in your deployment? Also, there are numerous issues related to the device tunnel, most of which have been fixed in However, I am still hearing reports and experiencing it myself of issues with unreliable device tunnel connectivity.

With that, there may still be some things that are broken with the device tunnel in On user logout, the device tunnel should then reconnect itself quietly. Checking this seems to make it connect automatically, at least a few times, but then stops doing it reliably if the machine is moved around different networks.

Clicking connect works no problem. Thanks for the feedback. Great to understand what others are experiencing. Testing without user tunnel atm. Ok, just making sure. Have a close look at routing tables and metrics. Easy to get tripped up there.

Hi Richard, your advice and write-ups are really great. I was wondering if you have tested a device tunnel with split tunneling disabled, aka ForceTunnel? Typically I deploy the device tunnel for access only to a few restricted machines for the sole purpose of authenticating user logons. If I understand correctly, the device tunnel is also supported in the Professional edition since Windows 10 ?

Register in DNS is set on the user tunnel, so the machine should be reachable. With the device tunnel connected, share access to servers the device tunnel has access to works properly, no issues at all. With just the user tunnel connected, shares do not work. Other internal resources are available, everything is pingable, RDP works, etc.

SMB 3 shares do not work. The smartcard certificate used for authentication has expired. Please contact your system administrator. The attempted logon is invalid. This is either due to a bad username or authentication information. Any thoughts on this? Yes, and the tunnel connects successfully — all other resources work, just not SMB shares…. Why, I have no idea.

Must be missing something. And everything other than SMB shares works over the user tunnel. Huh, so, progress, but also confusion. Learned a little bit more. Looks like a similar issue from the past. Tested what they suggested, removing the cert-based credential from Credential Manager (this is the Azure Conditional Access cert), and the shares work perfectly.

So Windows appears to be trying to use this cert to authenticate to the SMB shares. Not sure how to stop it doing that though! If I use the Intune wizard and create a profile there, it does work — the correct cert is selected and shares are accessible. Does anyone at MS test this stuff???? Basically, when using Azure Conditional Access with the user tunnel, an enterprise CA cert needs to be selected based on issuer hash and EKU for use by Kerberos…without this, the Azure CA issued cert will be used, and Kerberos auth will fail with all kinds of funny errors.

When capitalization and syntax are not exact, cert selection does not work — the VPN cert is used and Kerberos is broken. For this reason it was desirable to use a custom XML, but defining the correct cert proved difficult as indicated above. I finally figured out the capitalization by pulling it out of a reg key when using the Intune template. With it ticked, it does connect promptly, but that box seems to get unticked periodically.

Anyone know how to programmatically set that? What does not work is hibernating a laptop (as many of our users routinely do) and resuming on a non-corp connection, or having the machine go to sleep and then wake up on the same connection. Thinking of adding a Task Scheduler job to add my own connect triggers…. Perhaps run a scheduled task triggered by an event? Yes, the XML file is sometimes sensitive to case. For example, true works, True does not. Sounds like you found another scenario in which case matters.

Thanks for sharing that information! Hopefully Microsoft is addressing some of these challenges. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store. Have you ever encountered this problem? Hi Richard, great stuff on your site!

Do you know of a way to prevent local users access via the device tunnel? Hello Jason Thank you very much for your answer. I have another question. Is it possible from the Windows 10 system to verify the integrity logs of the VPN connection? I tried to implement log tracing when rebooting Windows 10 by following the procedure below: Not sure if that helps you or not.

You can also enable IPsec auditing which might help as well. What is the recommendation on the use of machine certificate, is it recommended to use a private certification authority? You should always use a certificate issued by your internal private CA to ensure only your authorized client devices can connect. The idea is that if the first gateway does not respond, the second gateway is contacted.

I ask this question because in LockDown mode only one profile is allowed. Instead, having multiple gateways defined simply allows the user to select a different gateway, if required. Post coming on that soon. The problem we face here is fail-over.

By default, the mobility outage time is set to a minimum of 30 minutes, which is a long time to fail over. Is there any possibility to set the network outage time to 2 minutes by PowerShell script?

The purpose for doing it this way is that I would like to implement the device tunnel connection just for accessing Active Directory and the user tunnel for authenticating with NPS. Device tunnel and user tunnel are not mutually exclusive. Often the device tunnel is deployed with limited access only to facilitate remote logon without cached credentials.

Once the user is authenticated, a user tunnel is established that allows more access. The 1st connection (device tunnel) works fine thanks to you. Have you tried setting up the connection you mentioned above?

I was wondering how 2nd connection user tunnel can automatically get triggered after the 1st connection. The two tunnels are completely independent of each other and will use their own logic to determine when to connect, depending on how you configure them.

If not, both tunnels should come up. I have some difficulty understanding the following directive true What exactly is it on the VPN interface? Can you give me a concrete example because I have trouble understanding the concept. Basically, GPO added VBS and PS1 files; a scheduled task calls the VBS to call the PS1 to ensure no popup box is visible in the user session. The PS1 checks to see if any physical adapter is on my corp domain and, if NOT and the VPN is NOT connected, uses rasdial to connect.

The scheduled task has a few triggers, depending on whether it is the one for the device or user tunnel, things like logon, resume from sleep, etc. Those retry every 5 minutes for Also a catch-all that runs every half hour or hour. The scripts all seem to work fairly well, and the device tunnel is now rock solid on reconnecting itself automatically. The problem is with the user tunnel; script logic is all good.
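The commenter's scheduled-task logic, written out as an added PowerShell example that is not from the original post or its comments. The connection name, the corporate DNS suffix, and using the connection-specific DNS suffix as the "on corp domain" check are assumptions; for the device tunnel the task must run as SYSTEM, as the thread describes.

```powershell
# Added example (not the original author's or commenter's script).
# Reconnect logic: if no physical adapter is on the corporate domain and the
# VPN entry is not connected, dial it with rasdial. Intended to run from a
# scheduled task (as SYSTEM for the device tunnel) on triggers such as logon
# and resume from sleep, plus a periodic catch-all.
$VpnName       = 'AlwaysOnVPN-Device'   # assumed: name of the phone-book entry
$CorpDnsSuffix = 'corp.example.com'     # assumed: corporate DNS suffix

function Test-OnCorpNetwork {
    # True when any connected physical adapter carries the corporate
    # connection-specific DNS suffix (assumed detection method).
    $adapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
    foreach ($adapter in $adapters) {
        $suffix = (Get-DnsClient -InterfaceIndex $adapter.ifIndex).ConnectionSpecificSuffix
        if ($suffix -and ($suffix -ieq $CorpDnsSuffix)) { return $true }
    }
    return $false
}

function Test-VpnConnected {
    # rasdial.exe with no arguments lists the entries currently connected.
    $listing = & rasdial.exe 2>&1
    return [bool]($listing | Select-String -SimpleMatch $VpnName)
}

if (-not (Test-OnCorpNetwork) -and -not (Test-VpnConnected)) {
    # The device tunnel authenticates with the machine certificate, so no
    # username or password is passed to rasdial.
    & rasdial.exe $VpnName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "rasdial exited with code $LASTEXITCODE for '$VpnName'"
    }
}
```

Because the script only dials when the machine is off the corporate network, it complements rather than replaces TrustedNetworkDetection in the profile.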

The problem is that, specifically with the Azure Conditional Access piece, the way the W10 client works is that it checks to see if there is a valid Azure cert (1 hr validity) and, if not, goes out and gets a short-lived cert from Azure, which is then presented to my local server infrastructure on the connect.

This is all good. So my logic only works if a manual connect has been done in the last hour and a valid cert is already present. Perhaps someone knows of a way to do it with PowerShell? Is it possible to interconnect the VPN gateway directly to the Active Directory for the account base? Thank you very much. However, it would require that the RRAS server be joined to the domain. We are testing this and always get error Modem is Already in Use.

Would you happen to have any solution? This is on a clean image. Sorry, no idea what could be causing that issue. Hello Terry, strongly agree, the LockDown mode does not cover all situations. All access must be mandatory via a VPN gateway, internal or external to corporate. The intermediate solution that I found is to set the Windows firewall to block all outgoing traffic on public and private profiles except the streams required for the establishment of the VPN tunnel.

I thought NPS only applied to user certificates? Device tunnel machine certificate authentication happens on the VPN server, so that might be more of a challenge. NPS is not involved at all on the device tunnel. The machine certificate used for device tunnel authentication is evaluated on the VPN server only. I found this article really helpful during my initial testing. When I connect to the internet through a captive portal, it takes over 10 minutes for the device tunnel to come up.

Is there some kind of setting that can be used to recognize when a captive portal is in effect? Or speed up some process for connecting? However, the issue you describe could be unrelated to captive portals.

There are numerous reports of tunnel instability, especially when the device tunnel is deployed in conjunction with the user tunnel. Have you ever noticed the device tunnel not coming up for a period of time when accessing the Internet over a connection that does not use a captive portal? I ask because I see this behavior all the time, even on On my test machine it is not uncommon for the device tunnel not to come up for long periods of time, sometimes up to minutes.

It eventually comes up though. Is there a user tunnel that should be configured after the device tunnel connects? The device tunnel was really designed to support limited network access to support pre-logon connectivity. The main use case is to enable users to log on without cached credentials. The user tunnel is the primary avenue of access and it supports better authentication protocols than does the device tunnel. Each time I get to entering the data for the new tunnel, PowerShell ISE just exits.

No problem creating the. Do you know if there is a way to make the device tunnel show up in this VPN device list?
