Is it required for the Always On VPN to have the Encrypting File System (1.3.6.1.4.1.311.10.3.4) and Secure Email (1.3.6.1.5.5.7.3.4) EKU in it?
As documented to duplicate the User Template, this would be the case.
@shortpatti - can you take a look at this question? Thanks!
Hi @makauf, I sent an email to the remote access team this morning to get an answer to your question.
@makauf, thank you for your patience. I've been in contact with engineering and support to update several areas in the content, including your question.
Create the User Authentication template - Step 5d ambiguity: After adding the VPN Users group, Read permission defaults to Allow. The instruction is: "select the Enroll and Autoenroll check boxes in the Allow column". Do I leave the Read permission in the Allow column unchanged (checked is the default) or should I clear so that ONLY Allow Enroll and Allow Autoenroll are checked? I suspect that I am supposed to just make the changes specifically listed and leave Allow Read checked, but more clarification would be appreciated.
@kmorley The ACE for Read is necessary for the user, but it does not make any difference because the Read permission is already on the Authenticated Users entry by default. If you removed Authenticated Users from your ACE, you have to leave the Read permission checked (no enrollment without Read permission, simple as that :-)), and I think that's the reason why the documentation does not say to remove the Read permission on the newly added ACE (as it may be required).
Create the User Authentication template - Step 4 warning: When making a duplicate of the User Template in Step 4, the remaining steps detail several additional configuration changes before saving the copied template in Step 10. If "OK" or "Apply" buttons are clicked before ALL of the parameters are entered, many of the choices become fixed and no longer editable. For example Cryptography tab -> Provider Category field may show "Legacy Cryptographic Storage Provider" and become disabled, preventing any further change. The only alternative is to delete the template and recreate, following the instructions verbatim. Do not click "Apply" or "OK" at any time prior to Step 10.
Create the VPN Server Authentication template - Step 13 clarification: In Step 4, a "Template Display Name" was chosen, probably from the examples given: "VPN Server Authentication or RADIUS Server". In Step 13 a "Certificate Template to Issue" is chosen and instructions indicate to choose "RADIUS Server". For Step 13, select the name you chose in Step 4 in place of "RADIUS Server".
Thank you for all the feedback. It looks like I have some updating to do on this particular topic.
I've made the changes and they will be published later today.
After your update, the EKUs on the VPN template still contain EFS and Secure Email (initial question), and I still can't see why they are required.
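Both open points in this thread, which EKU OIDs a template carries and which principals hold Read, Enroll and Autoenroll on it, can be read straight out of the Configuration partition rather than by clicking through the Certificate Templates console. The script below is an added example written for this thread; it is not from the docs page and not from any of the participants. It assumes the ActiveDirectory module is installed, that the caller can read the Configuration naming context, and that `$TemplateName` is a placeholder you replace with the Template Name (not the Display Name) of the template you duplicated. The enrollment and autoenrollment extended-right GUIDs are the well-known AD schema constants.

```powershell
# Added example (not from the docs page or the thread): audit an AD CS certificate
# template's EKU OIDs and its Read/Enroll/Autoenroll ACEs.
# Assumptions: ActiveDirectory module available; caller can read the Configuration
# partition; $TemplateName is a placeholder for your own template's CN.
Import-Module ActiveDirectory

$TemplateName = 'VPNUserAuthentication'   # placeholder: the Template Name (CN), not the Display Name

# OIDs discussed in the thread, plus Client Authentication, which an EAP-TLS user cert needs
$EkuNames = @{
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}
# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment (AD schema constants)
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-11d1-aad2-00c04fd7d83a'

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$template = Get-ADObject -SearchBase $container -Filter { cn -eq $TemplateName } `
    -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Application-Policy'
if (-not $template) { throw "Template '$TemplateName' not found under $container" }

# 1. EKU check: on a V2+ template both attributes normally carry the same OID list,
#    so merge them and report each OID with a human-readable label where known.
$ekus = @($template.pKIExtendedKeyUsage) + @($template.'msPKI-Certificate-Application-Policy') |
    Where-Object { $_ } | Sort-Object -Unique
Write-Host "EKUs on template '$TemplateName':"
foreach ($oid in $ekus) {
    $label = if ($EkuNames.ContainsKey($oid)) { $EkuNames[$oid] } else { '(not in lookup table)' }
    Write-Host ("  {0,-26} {1}" -f $oid, $label)
}
if ($ekus -notcontains '1.3.6.1.5.5.7.3.2') {
    Write-Warning 'Client Authentication EKU is absent; the issued certificate cannot be used for VPN user authentication.'
}

# 2. ACE check: which principals are allowed Read, Enroll and Autoenroll.
#    Read is normally inherited by Authenticated Users; Enroll/Autoenroll are
#    extended rights identified by ObjectType GUID on the ACE.
Write-Host "Allow ACEs on template '$TemplateName':"
$acl = Get-Acl -Path "AD:\$($template.DistinguishedName)"
foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })) {
    $rights = @()
    if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) {
        $rights += 'Read'
    }
    if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
        switch ($ace.ObjectType) {
            $EnrollGuid     { $rights += 'Enroll' }
            $AutoEnrollGuid { $rights += 'Autoenroll' }
            ([guid]::Empty) { $rights += 'AllExtendedRights' }   # unscoped ExtendedRight covers both
        }
    }
    if ($rights.Count -gt 0) {
        Write-Host ("  {0,-40} {1}" -f $ace.IdentityReference, ($rights -join ', '))
    }
}
```

Run it once after finishing Step 10 and again after any change to the template's permissions. If the group you added in Step 5d shows `Enroll, Autoenroll` but no `Read`, and Authenticated Users no longer appears with `Read`, enrollment will fail for that group, which is the situation described in the reply above.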
@MihaiSP, can you take a look at this issue?