directaccess.richardhicks.comRichard M. Hicks Consulting, Inc. | Enterprise Mobility and Security Infrastructure | Microsoft Entr

a Private Access, Always On VPN and DirectAccess, Absolute Secure Access, Certificates and PKI Richard M. Hicks Consulting, Inc. Enterprise Mobility and Security Infrastructure | Microsoft Entra Private Access, Always On VPN and DirectAccess, Absolute Secure Access, Certificates and PKI Consulting Services Always On VPN Book DirectAccess Book Training Absolute Secure Access About Me Contact Awards X Facebook LinkedIn GitHub YouTube Reddit Pluralsight Consulting Newsletter 6to4 AADJ Absolute Absolute Secure Access Absolute Software Active Directory Active Directory Certificate Services AD CS ADC ADCS Admin Center administration Always On VPN Always On VPN Book Always On VPN DPC AMA Amazon EC2 Amazon Web Services AOVPN AOVPN Book AovpnDPC application delivery controller Application Filter authentication AWS Azure Azure Active Directory Azure AD Azure AD Join Azure App Proxy Azure Application Gateway Azure Application Proxy Azure Conditional Access Azure Load Balancer Azure MF Azure MFA Azure Traffic Manager Azure Virtual WAN Azure VPN Azure VPN Gateway BIG-IP Certificate Authentication Certificate Authority Certificate Connector for Intune Certificate Services certificates Cisco Cisco Umbrella Cisco Umbrella Roaming Client Citrix ADC cloud Cloud PKI Cloud Service Cloudflare Compliance Conditional Access Consulting Services Cryptography CVE Deployment Device Management device tunnel DirectAccess DirectAccess Book DirectAccess Deprecated DirectAccess End of Life DirectAccess EOL DNS DNS Policies DPC Dynamic Profile Configurator EAP EC2 ECC education Elliptic Curve Cryptography encapsulation Encryption end of life Endpoint Manager Enterprise enterprise mobility Entra Entra Global Secure Access Entra ID Entra Internet Access Entra Private Access EOL extensible authentication protocol F5 force tunnel force tunneling Forefront TMG 2010 Forefront UAG 2010 General Geographic Redundnacy GitHub global server load balancer Group Policy GSLB HAADJ High Availability Hotfix Hybrid Azure AD Join IKEv2 iManage Important Links Infrastructure InTune Intune Certificate Connector Intune PFX Connector IP-HTTPS IPv6 IPv6 Transition ISATAP Kemp learning Load Balancing LoadMaster local traffic manager LTM Manage Out MDM MEM MEMCM MFA Microsoft Microsoft Endpoint Manager Microsoft Entra Microsoft Entra Global Secure Access Microsoft Entra ID Microsoft Entra Internet Access Microsoft Entra Private Access Microsoft Intune Mobile Device Management Mobility Multifactor Authentiction multisite MVP NAC Name Resolution name resolution policy table NAP NCA NCSI NDES NetMotion NetMotion Mobility NetMotion Software Netscaler Network Access Control network connectivity assistant network connectivity status indicator Network Device Enrollment Service Network Device Enrollment Services network policy server nmap NPS NRPT Offline Domain Join OMA-DM OMA-URI OpenDNS OpenSSL OpenVPN Operational Support OTP PEAP PFX Connector PKCS PKI Pluralsight PointSharp PowerShell Professional Services ProfileXML Protected EAP Proxy Proxy Server public cloud public key infrastructure Quad9 Recommended Reading Remote Access Remote Administration reporting routing routing and remote access service RRAS RSAT SASE SCCM SCEP Secure Access Service Edge Secure Service Edge Secure Socket Tunneling Protocol Secure Web Gateway Security Security Update Server Core Simple Certificate Enrollment Protocol Split DNS split tunnel split tunneling SSE SSL SSL and TLS SSTP Surface Pro Surface Pro 4 SWG System Center 2012 System Center Configuration Manager systems management Teredo TLS TLS 1.3 TND TPM Traffic Filter Training transition technology Transport Layer Security troubleshooting Trusted Network Detection Trusted Platform Module Uncategorized Update user tunnel video Visual Studio Visual Studio Code VPN VPN Proxy VS Code Vulnerability Web Application Proxy Web Proxy Web Proxy Server webinar Windows 10 Windows 11 Windows 7 Windows 8 Windows 8.1 Windows Admin Center Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 Windows Server 2022 Workshop WorkSite XML Zero Trust Zero Trust Network Access Zscaler ZTNA Always On VPN Device Tunnel Issues with April 2024 Security Update Always On VPN administrators may find that their device tunnel connections no longer connect automatically after applying the April 2024 security updates . The device tunnel connection is optional and only required under specific conditions, so end users may not be immediately impacted. However, administrators should be aware of this issue. Error Messages When manually establishing an Always On VPN device tunnel connection using rapshone.exe or rasdial.exe, you may receive one of the following error messages. Rasphone.exe Error 0x80070057: The parameter is incorrect. Rasdial.exe Connecting to Name of Device Tunnel…The parameter is incorrect. Affected Devices The issue affects all supported versions of Windows with an Always On VPN device tunnel connection configured to require a specific Enhanced Key Usage (EKU) OID. Administrators can run the following PowerShell command to identify this configuration. Get-VpnConnection -AllUserConnection -Name Name of Device Tunnel | Select-Object MachineCertificateEkuFilter If the output of this PowerShell command returns data, it is affected by this issue. Workaround To restore Always On VPN device tunnel functionality on devices with the April 2024 security updates installed, open an elevated PowerShell command window and run the following command. Set-VpnConnection -AllUserConnection -Name ‘Always On VPN Device Tunnel’ -MachineCertificateEKUFilter $Null After running this command, the output should now be blank. Caveat The problem with implementing the workaround described here is that you likely enabled this configuration to address an issue where the wrong certificate was selected for use with the device tunnel. In this case, the workaround may result in unexpected behavior and may not restore full functionality. Known Issue Rollback Currently, Microsoft is aware of the issue and is actively working to resolve it. If you are experiencing this issue, open a support case with Microsoft, and they will provide you with more information and possibly a private Known Issue Rollback (KIR). I will update this post as soon as Microsoft publishes a permanent fix. Additional Information Always On VPN Device Tunnel Operation and Best Practices Always On VPN Device Tunnel Only Deployment Considerations Considerations for Always On VPN with Azure VPN Gateway and Virtual WAN Share this: Email Print Twitter Facebook LinkedIn Reddit Tumblr Pinterest Like this: Like Loading... Leave a comment by Richard M. Hicks on April 23, 2024 • Permalink Posted in Always On VPN , AOVPN , Certificate Authentication , certificates , device tunnel , Enterprise , enterprise mobility , IKEv2 , Microsoft , Mobility , Operational Support , PowerShell , Remote Access , Security , Security Update , troubleshooting , Update , VPN , Windows 10 , Windows 11 Tagged 0x80070057 , Always On VPN , AOVPN , device tunnel , error , hotfix , KIR , known issue rollback , Microsoft , PowerShell , rapshone , rasdial , security , security update , update , VPN , warning , Windows , workaround Posted by Richard M. Hicks on April 23, 2024 https://directaccess.richardhicks.com/2024/04/23/always-on-vpn-device-tunnel-issues-with-april-2024-security-update/ Always On VPN April 2024 Security Updates Microsoft has released its security updates for April 2024. This month, a few vulnerabilities are potentially impacting Always On VPN administrators. Specifically, three updates address issues with the Windows Server Routing and Remote Access Service (RRAS). In addition, vulnerabilities affect the Remote Access Connection Manager (RasMan) service, affecting both VPN servers and clients. RRAS Windows Server Routing and Remote Access (RRAS) has three security updates available this month. All three are Remote Code Execution...