Tag: Windows

Always On VPN Device Tunnel with Windows 10 1709

Update 22/11/2017: Microsoft’s official guidance on Device Tunnel configuration is now available at https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

A long awaited feature of the DirectAccess successor Always On VPN (Auto VPN) is the ability for clients to initiate an infrastructure tunnel to the corporate network without the user logging on. This feature, named Device Pre-Logon, is available in the Windows 10 1709 update.

Over the last several years Microsoft’s VPN or remote connectivity solution has primarily been DirectAccess. Whilst DirectAccess provided seamless always-on remote connectivity, it did come with a few drawbacks. Originally released with Server 2008, it only supported IPv6 and utilised UAG. With Server 2012 and 2012 R2, Microsoft removed the need for UAG and streamlined the installation and configuration. Still available in Server 2016, DirectAccess is far from obsolete, with many organisations using it to provide users with remote connectivity. Once configured, DirectAccess just works. For at least the short term DirectAccess has proven to be reliable and remains the remote connectivity solution of choice, as long as you can overcome single-stack IPv6, but if you want the latest and greatest then Always On VPN is the future.

However, DirectAccess is a dark art and the solution can be difficult for the novice professional to install and configure. Always On VPN, on the other hand, has all the features DirectAccess should have had, and more. This is not to be taken lightly, as Always On VPN is also not a walk in the park to implement: away with the GUI, Always On VPN is implemented through configuration service providers (CSPs).

Always On VPN is the new kid on the block, released with Windows 10, and the major benefit of a Device Pre-Logon tunnel has arrived with the 1709 Creators Update for Windows 10. This gives administrators the ability to manage Windows 10 devices once they leave the corporate environment. When a device is connected to a known network, it will automatically initiate a VPN connection back to the corporate environment where it can be managed, for example by Group Policy, Windows Update or even ConfigMgr.

The official statement from Microsoft is to deploy Always On VPN instead of DirectAccess, but many organisations would be very reluctant to deploy a solution which has just arrived on the market. The below outlines the benefits and drawbacks of DirectAccess:

Benefits

  1. Always On
  2. Seamless
  3. Infrastructure Tunnel for device management in addition to the User Tunnel
  4. Built into Windows 10 no additional clients needed
  5. Uses IPHTTPS tunneling protocol
  6. GUI for easy configuration
  7. Still supported and available in Server 2016

Drawbacks

  1. IPv6-only solution. Applications installed on the client must support IPv6; certain exceptions exist, for example Office Communications Server 2007 does not work with DirectAccess
  2. No granular control
  3. Manage-Out not supported when more than one DirectAccess server is present in a configuration (although it is possible to get Manage-Out working with multiple servers using a solution by Richard Hicks)
  4. Limited access to end-to-end encryption to application servers
  5. No support for VPN gateways
  6. NAT64 and DNS64 components are utilised to translate between IPv6 and IPv4
  7. Teredo and 6to4 are not supported behind a NAT/firewall
  8. Only Windows domain-joined devices are supported
  9. Network Access Protection deprecated in 2012 R2


Always On VPN

Benefits

  1. Uses the industry standard IKEv2 tunnelling protocol with the ability to fall back to SSTP when behind firewalls or proxies
  2. Dual stack support for IPv4 and IPv6
  3. Granular control over end-to-end encryption to application servers using policies
  4. Granular control over routing, specifically the ability to define which traffic should only ever traverse the VPN and never go over the physical network interface
  5. Name-based triggering allows specific domain name queries to trigger the VPN
  6. Application triggering: when specified desktop and/or Universal Windows apps are launched, the VPN will automatically trigger
  7. Supports VPN gateways behind a NAT or edge device; in addition, Remote Access servers can be used
  8. No requirement for Active Directory or Windows domain-joined devices, nor a requirement for an Enterprise edition of Windows 10
  9. Application-specific routing is supported (managed tunnel)
  10. No requirement for Network Location Servers in order to determine whether a client is inside or outside the corporate boundary. Trusted Network Assessment is utilised, which assesses the connection-specific DNS suffix assigned to network interfaces
  11. Ability to integrate with the Azure Conditional Access platform to enforce device compliance and/or multi-factor authentication
    1. Multi-factor authentication includes the ability to use a Windows Hello for Business certificate
  12. Support for RSA and ECC to meet specific cryptography requirements such as those set by the National Cyber Security Centre in the United Kingdom or other government/corporate organisations.

Drawbacks

  1. Can be difficult to configure: PowerShell, Intune, ConfigMgr or Windows Configuration Designer have to be used to configure Always On VPN
  2. Remediation or quarantining is not supported using the Azure Conditional Access platform
  3. New kid on the block and may require maturing, with the potential for unknown bugs
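As an added example (not code from the original post), the Device Pre-Logon tunnel and the DNS-suffix-based trusted network check described above, expressed as a ProfileXML and written to the VPNv2 CSP through the MDM WMI bridge, following the approach of the Microsoft guidance linked at the top. The gateway name, DNS suffix, management subnet and port are placeholders; the profile name and variable names are my own.

```powershell
# Added example: create an Always On VPN Device Tunnel profile by writing ProfileXML
# to the VPNv2 CSP (MDM_VPNv2_01) via the MDM WMI bridge. Must run in the SYSTEM
# context (e.g. under psexec -s): the Device Tunnel is a machine-scope profile.
$ProfileName = 'Contoso Device Tunnel'   # placeholder profile name

# IKEv2 with machine-certificate authentication (no user logon needed); split tunnel
# with the class-based default route disabled so only the listed route uses the tunnel;
# a traffic filter restricting the tunnel to TCP 443 towards the management subnet;
# DeviceTunnel=true marks it pre-logon; TrustedNetworkDetection keeps the tunnel down
# while the corporate DNS suffix is present on an interface. All values are placeholders.
$ProfileXML = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route><Address>10.10.0.0</Address><PrefixSize>16</PrefixSize></Route>
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemotePortRanges>443</RemotePortRanges>
    <RemoteAddressRanges>10.10.0.0-10.10.255.255</RemoteAddressRanges>
  </TrafficFilter>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>corp.contoso.example</TrustedNetworkDetection>
</VPNProfile>
'@

# The CSP stores ProfileXML as an escaped string property of an MDM_VPNv2_01 instance.
$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$escapedXML    = [System.Security.SecurityElement]::Escape($ProfileXML)
$instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
$instance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID', './Vendor/MSFT/VPNv2', 'String', 'Key'))
$instance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', ($ProfileName -replace ' ', '%20'), 'String', 'Key'))
$instance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $escapedXML, 'String', 'Property'))
$session = New-CimSession
$session.CreateInstance($namespaceName, $instance) | Out-Null

# Read the node back to confirm the profile now exists in the CSP
Get-CimInstance -Namespace $namespaceName -ClassName $className |
    Where-Object InstanceID -eq ($ProfileName -replace ' ', '%20') |
    Select-Object InstanceID
```

Keeping the route list and traffic filter narrow is what turns the device tunnel into a management-only path rather than a full network connection for an unattended, pre-logon machine.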


Command Line Cheat Sheet

Some useful command lines:

Find which Logon Server

Echo %logonserver%

Find all Domain Controllers

Nltest /dclist:[Domain Name]

Machine Up Time:

systeminfo | find /i "Boot Time"

Some common run commands: Click Start > Run (or Windows key + R):

Accessibility Options        access.cpl
Add New Hardware             sysdm.cpl
Add/Remove Programs          appwiz.cpl
Date/Time Properties         timedate.cpl
Display Properties           desk.cpl
FindFast                     findfast.cpl
Internet Properties          inetcpl.cpl
Keyboard Properties          main.cpl
Microsoft Exchange           mlcfg32.cpl
Network Properties           netcpl.cpl
Password Properties          password.cpl
Regional Settings            intl.cpl
System Properties            sysdm.cpl
Device Manager               devmgmt.msc
Disk Management              diskmgmt.msc
AD Users & Computers         dsa.msc

FTP command

ftp://username:[email protected]

Recycle Bin

start shell:RecycleBinFolder

Find Hidden Devices in Device Manager

set devmgr_show_nonpresent_devices=1 (then launch devmgmt.msc from the same command prompt and choose View > Show hidden devices)

Find Hardware Spec of a PC


Active Directory


Group Policy Update – no timeout

gpupdate /force /wait:-1

Boot to safe mode


Run as Admin

Runas /user:domain\Username cmd

Run any Command remotely

Winrs -r:PC1 ipconfig (or any command)

Disable Firewall remotely (this is deprecated in Server 2012)

Winrs -r:PC1 netsh firewall set opmode disable

Disable Firewall remotely Server 2012 +

Winrs -r:PC1 netsh advfirewall set allprofiles state off

Get MAC address

getmac /s PC1

Disk Management

Diskpart.exe - disk management utility through CMD

Scans the integrity of all protected system files and replaces incorrect versions with the correct Microsoft versions:

sfc /scannow

Replicate Domain Controllers

Repadmin /replicate

Uninstall a Windows HotFix

Removing a Windows hotfix

To uninstall a Windows hotfix, locate the KB hotfix number and run the below PowerShell command:

function Uninstall-Hotfix {
    param(
        [string] $ComputerName,
        [string] $HotfixID
    )
    # List the installed hotfix IDs (e.g. KB3068708) on the remote machine
    $hotfixes = Get-WmiObject -ComputerName $ComputerName -Class Win32_QuickFixEngineering |
        Select-Object -ExpandProperty HotFixID
    if ($hotfixes -contains $HotfixID) {
        # wusa.exe expects the bare KB number without the "KB" prefix
        $kbNumber = $HotfixID.Replace("KB", "")
        Write-Host "Found the hotfix $HotfixID"
        Write-Host "Uninstalling the hotfix"
        # Launch wusa.exe on the remote machine through the Win32_Process WMI class
        $UninstallString = "cmd.exe /c wusa.exe /uninstall /KB:$kbNumber /quiet /norestart"
        ([WMICLASS]"\\$ComputerName\ROOT\CIMV2:Win32_Process").Create($UninstallString) | Out-Null
        # Wait until the remote wusa.exe process has exited
        while (@(Get-Process wusa -ComputerName $ComputerName -ErrorAction SilentlyContinue).Count -ne 0) {
            Start-Sleep 3
            Write-Host "Waiting for update removal to finish ..."
        }
        Write-Host "Completed uninstall of $HotfixID"
    }
    else {
        Write-Host "Hotfix ($HotfixID) not found"
    }
}

Uninstall-Hotfix -ComputerName PC1 -HotfixID KB3068708