Visualize an Always On VPN device tunnel connection while disabling the disconnect button


The need to visualize an Always On VPN device tunnel connection while disabling the disconnect button arises when the user experiences connectivity issues. End users should be able to tell their support desk quickly whether or not they have a connected Always On VPN device tunnel. They usually do not see the device VPN tunnel in the modern UI; only user VPN tunnels show up. Naturally, we don’t want them to disconnect the device VPN or change its properties, so we want to disable the “disconnect” and the “advanced settings” buttons. Since a device VPN tunnel runs as “SYSTEM,” they cannot do this anyway: the GUI shows “Disconnecting” but never completes.

Refreshing the GUI correctly shows “Connected” again. However, it makes sense to disable the buttons to indicate this. So how do we set all of this up?

Visualize an Always On VPN device tunnel connection

Visualizing the Always On VPN device tunnel in the modern GUI is something we achieve via the registry. Deploying these registry settings with a script via GPO or Intune is the way to go.

# Create the Flyout\VPN key if it does not exist, then set ShowDeviceTunnelInUI to 1
New-Item -Path 'HKLM:\SOFTWARE\Microsoft\Flyout\VPN' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Flyout\VPN' -Name 'ShowDeviceTunnelInUI' -PropertyType DWORD -Value 1 -Force

Disable the disconnect button and the advanced options buttons

Now that the Always On VPN device tunnel is visible in the GUI, we want to disable the disconnect button and the advanced options button. How? Well, we can do this in Windows 11 22H2 or more recent versions. For this, we add the following to the VPN configuration file (ProfileXML).

<!-- The below 2 GUI settings are only available in Windows 11 22H2 or higher. -->
<DisableAdvancedOptionsEditButton>true</DisableAdvancedOptionsEditButton>
<DisableDisconnectButton>true</DisableDisconnectButton>

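When you push the profile with Intune or a GPO script, it is easy to end up with a ProfileXML that lacks the two elements, or carries them twice after a re-run. The following PowerShell is an added example, not code from the original post: it takes an existing ProfileXML string, ensures both elements are present exactly once under <VPNProfile> and set to true, and separately checks whether the ShowDeviceTunnelInUI registry value is in place. The element and registry names are the ones from the post; the function names and the sample profile (server name, settings) are constructed for this example, and it assumes the ProfileXML uses no XML namespace, which is the usual case.

```powershell
# Added example (not from the original post). Assumptions: <VPNProfile> is the
# root element, carries no XML namespace, and the two UI-lock elements are its
# direct children, as in the fragment shown in the post.
function Set-DeviceTunnelUiLock {
    param(
        [Parameter(Mandatory)] [string] $ProfileXml
    )
    [xml]$doc = $ProfileXml
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'VPNProfile') {
        throw "Expected a <VPNProfile> root element, got <$($root.LocalName)>"
    }
    foreach ($name in 'DisableAdvancedOptionsEditButton', 'DisableDisconnectButton') {
        # Reuse an existing element so re-running never duplicates it
        $node = $root.SelectSingleNode($name)
        if (-not $node) {
            $node = $doc.CreateElement($name)
            [void]$root.AppendChild($node)
        }
        $node.InnerText = 'true'
    }
    # Return indented XML without an XML declaration, ready for Intune/GPO deployment
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    $sw = New-Object System.IO.StringWriter
    $xw = [System.Xml.XmlWriter]::Create($sw, $settings)
    $doc.Save($xw)
    $xw.Close()
    return $sw.ToString()
}

# Reports whether the registry value that makes the device tunnel visible is set.
# Run elevated on the client; returns $false when the key or value is missing.
function Test-DeviceTunnelVisible {
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Flyout\VPN' `
        -Name 'ShowDeviceTunnelInUI' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.ShowDeviceTunnelInUI -eq 1)
}

# Constructed sample device tunnel profile (placeholder server name)
$sampleProfile = @'
<VPNProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
</VPNProfile>
'@

# Calling it twice shows the idempotency: the second result equals the first
$locked = Set-DeviceTunnelUiLock -ProfileXml $sampleProfile
$again  = Set-DeviceTunnelUiLock -ProfileXml $locked
Write-Output $locked
Write-Output ("Idempotent: {0}" -f ($locked -eq $again))
Write-Output ("Device tunnel visible in UI: {0}" -f (Test-DeviceTunnelVisible))
```

The check function is the part worth keeping in a support script: if it returns $false, the user will not see the device tunnel at all, regardless of what the ProfileXML says, which is the first thing to verify before blaming the tunnel itself.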


Results

For an administrative account, the Always On VPN device tunnel is visible, but the buttons are dimmed (greyed out).

As before, the administrator can still use the rasphone GUI to hang up the Always On VPN device tunnel or edit its properties. Usually, you’ll configure the setting with Intune or via GPO with PowerShell and custom XML. There is also a 3rd party option for configuring Always On VPNs via GPO (AOVPN Dynamic Profile Configurator).

For a non-administrator user account, the GUI looks precisely the same. The big difference is that when such a user launches the rasphone GUI, they cannot “Hang Up” the connection. The error message may not be the clearest, but in the end, a user with non-administrative rights cannot disconnect the Always On VPN device tunnel.

So now we have the best of both worlds. An administrator and a standard user can see that the Always On VPN device tunnel is connected. Remember that disabling the buttons requires Windows 11 22H2 or more recent. This blog was written using 23H2. The administrator can use the rasphone GUI or rasdial CLI to access the Always On VPN device tunnel like before.

Conclusion

Device VPN tunnels are supposed to be connected at all times, whether a user is logged on or not. In contrast to a user VPN tunnel, it is also something users are not supposed to be concerned about. However, it can be beneficial to see whether the Always On VPN device tunnel is connected, most certainly when talking to support about an issue. In this blog post, we showed you how to achieve this, combined with disabling the “disconnect” and “advanced options” buttons.

Active Directory Replication Status Tool’s rise, fall, and rebirth


For many years the Active Directory Replication Status Tool has been a trusty companion for many IT Pros. That includes seasoned systems engineers as well as accidental Active Directory administrators. It was an easy way to get a quick and good idea of the replication health of your Active Directory forest or domain.

Sure, repadmin is our friend and keeps doing its job with us in the trenches. But I would say that the Active Directory Replication Status Tool is a lot less scary for people, especially those who incidentally need to find out what issues to address where. It is a non-scary, kind wrapper to visualize the results and see where we need to pay attention.

It had some quirks, like the ridiculous need to download it again when the license (certificate) expired (I never liked the Sirona DLL hack in a production environment). If other issues arose, I blogged on how to work around them, like in Microsoft Active Directory Replication Status Tool won’t upgrade – Working Hard In IT. But that was minor compared to the saga of the last 18 months. Let’s quickly look at the Active Directory Replication Status Tool’s rise, fall, and rebirth.

The fall

Once in a while, an update to Windows or .NET broke the application. Normally, a fix would follow soon, and everyone was happy again. Last year, in the spring or early summer of 2022, the tool was broken for months. Finally, somewhere in August 2022, we got a new version that worked, as far as my experience goes, for about 4 to 6 weeks. It then broke again, and all it ever did after that was crash. The cert also expired again, but who cared? It was no longer functional anyway.

Well, I cared, and I gave a lot of feedback via Twitter and to Microsoft via e-mail.


That went on for about 10 months without any progress! Then suddenly, I noticed this: How to get and use the Active Directory Replication Status Tool – Windows Server | Microsoft Learn.


What!!??? Is this how it ends? Abandoned in a ditch somewhere?

Important

As of June 2nd, 2023, the Active Directory Replication Status Tool is no longer available for download. The following article is provided for historical purposes only.

Are you kidding me? There went another e-mail right to Redmond! Was this the sad end? I got a reply that not all was lost with a link.

The rebirth

The link I got is this one: GitHub – ryanries/ADReplStatus: AD Replication Status Tool. People, meet Ryan Ries, an Escalation Engineer at Microsoft who has some very useful and handy private projects to share with the world. ADReplStatus is one of the more recent ones.

I downloaded it and started testing it in the lab. That went well, and it has already found its way to two production environments. Here is a screenshot from my lab environment!


Thank you, Ryan Ries, for helping your customers in your free time with your private projects. You have made my IT Pro existence a bit easier again instead of more difficult. It is appreciated! Thank you, Ned Pyle, for bringing this GitHub repo to my attention. Download your copy here: Release v1.3.1 · ryanries/ADReplStatus · GitHub.

What I did find interesting was that the cert expiration time bomb was also an internal issue. That, and the fact that the application had no maintainers. But that was obvious to us all.

The old version of the tool had a time bomb in it – an expiring SSL certificate – that rendered the app unusable sometime around September 2022. Only through great effort internally were we able to periodically renew this certificate and republish the app, and the app was architected in such a way that excising the signing certificate check was more work than just rewriting the whole thing. (I know about the Sirona DLL hack, but still.)
The old tool had no active maintainers and no one who was still around was familiar with the app’s internals or source code.

Things are tough all over, it seems.

I was re-awarded as a Microsoft MVP – Cloud and Datacenter Management 2023-2024


While I was on vacation, I received an e-mail that I was re-awarded as a Microsoft MVP – Cloud and Datacenter Management 2023-2024. Needless to say, this put a big smile on my face, despite my vacation coming to an end. Yes, it is and remains an honor to be awarded and recognized as a global expert in the community by Microsoft. We all like a compliment and some confirmation that what we do is valuable. As always, it is also a humbling experience, as you meet quite a lot of very talented people, which can make that old imposter syndrome flare up.


For those not in the know, MVP in this case stands for Most Valuable Professional, not Player 😊.


This is my 12th Microsoft MVP award, and it represents a long journey through technology in the Microsoft ecosystem. In tech, things seem to change fast and tend not to last long. But it is the learning you do along the way that lasts through time. Nothing I have learned has ever become completely obsolete, and the experience and insights, even from learning VBA and Visual Basic in the early days, still help me today as I talk to developers whose Azure infrastructure I help optimize and secure.

I am grateful for the recognition and support of both the community and Microsoft. Especially to the people who originally saw my potential and supported my first-ever nomination as well as those that support me today. The award itself is not the goal, it is a by-product of being active in the global community. Engaging in and with the community helps us all learn, progress, and succeed in our jobs by sharing experiences, knowledge, and insights.

It is all about community

Without any doubt, no matter how good and smart you are or how hard you work, we need others to grow and flourish. You do not contribute to the community in isolation. Sure, IT pros do a lot of technology work individually while testing and learning in the lab, troubleshooting, and delivering projects. But sharing and learning in the community happens with and thanks to others: people who give us opportunities, support, and help. That means fellow technologists, employers, colleagues, vendors, and our audience, whose questions make us learn even more as well.

Additionally, let’s not forget about the people who are not in the spotlight. We get a lot of support from those providing locations, material, and logistic support. Many “smaller” businesses are often very generous in this regard. We are all “kids” getting raised in and by a village, and in one form or another we all stand on the shoulders of giants. That’s why we all owe at least a little gratitude to all the people and organizations that help us progress. So to all those who do, thank you!

Some tips for businesses that employ MVPs

In the end, here is to another year of community activity where we all share, learn, and grow together. You can always start today. There is no age limit or right time. I was a long-time lurker before I became publicly active, voicing my opinions and sharing information. You can be an introvert or extrovert, young or old, and anything in between. All you need is the willingness to share and learn. Furthermore, you don’t need 50,000 followers on social media or whatever; you just need to make a difference.

Finally, I can only advise employers to support their community-minded employees. These are the people that learn, grow, adapt, and change with the needs and technology. Also, the incidental cost of travel, registration fees, and hotel nights is nothing compared to the return on investment. So let them attend some conferences and the MVP Summit.

Well, to be honest, not supporting this would be penny-wise and pound-foolish. In the end, that would mean you have no idea of the value of both developing and retaining talent. An MVP on staff will very easily save you at least 30-40 days of consulting per year. Think about that. Without any doubt, even at a medium rate of 125.00 $/hour, that means a serious ROI. Now add the cost of replacing such talent … it is a no-brainer! You need to invest in on-board talent development anyhow, and these are profiles that love to learn and share. That is as near to perfect as it gets, people.

Presenting at and attending Experts Live Europe 2023


I am happy to share that I am both presenting at and attending Experts Live Europe 2023. It runs September 18-20, 2023 in Prague.


Isidora Katanic (@IsidoraKatanic) is the lead organizer and driving force behind Experts Live Europe. She’s dedicated to making this one of the best Microsoft technology-focused conferences in Europe. When you look at the pre-conference and session calendar, you can already see this. She and her team lined up everything to make the 2023 edition a great professional and community experience. Experts Live Europe is a two-day conference (three days with the preconference workshops) and is scheduled in Prague, September 18-20, 2023. It is the first edition since 2019 due to the Corona/Covid pandemic. I can share that I personally, and many others, are happy that this is possible again. Next to that, I am thrilled to share my research and expertise at this conference once more.

In my session “Azure Storage – The SMB over QUIC protocol is here!” I will be diving deeper into the why and how of SMB over QUIC.


This is a very powerful and promising, relatively recent addition to the SMB 3 stack. Once again, it shows that file sharing is far from an obsolete protocol in the era of anything “cloud”.

Meet the experts and ask me anything galore

This conference is about you and me, about us, sharing insights, experiences, knowledge, and expertise. Both the concept and the setup of the conference facilitate this by design.


While I’m there, come say hi and talk shop about networking, storage, clustering, Hyper-V, DevOps, Bicep, and Veeam data protection in on-premises, hybrid, and Azure scenarios. I’ll be around during the breaks for the “Ask The Expert” and at the dedicated speaker’s booth in the expo area. Next to being a Microsoft MVP, I am also a Veeam Vanguard. Veeam is a gold sponsor, and I’ll be around their booth as well. So come find me if you want to talk about Veeam Backup & Replication, Hardened (immutable) repositories, and other related subjects.

I am there to learn as well

Finally, I also look forward to the sessions other speakers are giving. One of those sessions, “Azure Firewall: The Legacy Firewall Killer”, is presented by Aidan Finn (@joe_elway). That subject is both very interesting and a bit controversial. Many people know and master 3rd party firewall interfaces with their specific tooling and capabilities. While there is nothing wrong with that, many people scoff at Azure Firewall. But you should not write off Azure Firewall just because it differs from those products. This is especially true when you start delivering Azure Firewall via Infrastructure as Code (IaC).

Call to action

Do not delay! Register to attend Experts Live Europe and do not miss out on a ton of great sessions by expert speakers, networking with knowledgeable attendees, and talking shop with your fellow IT professionals, who are as passionate about technology as you. I look forward to seeing you there.
