Intune and Always On VPN
Until recently, provisioning Windows 10 Always On VPN connections involved manually creating a ProfileXML and uploading to Intune using a custom profile. This has proven to be challenging for many, as the process is unintuitive and error prone.
A recent Intune update now allows administrators to create a basic Windows 10 Always On VPN deployment. Although it still has its limitations, it will go a long way to making the adoption of Always On VPN easier.
Prerequisites
Certificates must first be provisioned to all clients before deploying Windows 10 Always On VPN using Intune. In addition, if using a third-party VPN client, the VPN plug-in software must be installed prior to deploying the VPN profile.
Test VPN Connection
It is recommended that a test VPN connection be created on a client machine locally before deploying an Always On VPN profile using Intune. This allows the administrator to test connectivity and validate Extensible Authentication Protocol (EAP) settings. Once complete, run the following PowerShell commands to extract the EAP configuration settings to a file for later publishing with Intune.
$Vpn = Get-VpnConnection -Name [Test VPN connection name]
$Xml = $Vpn.EapConfigXmlStream.InnerXml | Out-File .\eapconfig.xml -Encoding ASCII
Deploying Always On VPN with Intune
Follow the steps below to deploy an Always On VPN connection using Intune.
Create a VPN Profile
- Open the Microsoft Intune management portal.
- Click Device configuration.
- Click Profiles.
- Click Create profile.
- Enter a name for the VPN profile.
- Enter a description (optional).
- From the Platform drop-down menu select Windows 10 and later.
- From the Profile type drop-down menu select VPN.
- In the Settings section click Configure.
Define VPN Profile Settings
- Click Base VPN.
- Enter a name for the connection.
- Enter a description and provide the Fully Qualified Domain Name (FQDN) of the VPN server. If it will be the default server select True and click Add.
- Enter a description and provide the FQDN for any additional VPN servers, as required.
- From the Connection type drop-down list choose the preferred connection type.
- In the Always On section click Enable.
- Select Enable to Remember credentials at each logon (optional).
- Click Select a certificate.
- Choose a client authentication certificate and click Ok.
- Paste the contents of eapconfig.xml (saved previously) in the EAP Xml field.
- Click Ok.
Define Additional Settings
You can also configure the following optional VPN settings using Intune.
- Apps and Traffic Rules
- Conditional Access
- DNS Settings
- Proxy
- Split Tunneling
After configuring any required additional settings, click Create.
Assign VPN Profile
- Click Assignments.
- From the Assign to drop-down menu choose Selected Groups.
- Click Select groups to include.
- Choose an Azure Active Directory group to apply the VPN profile and click Select.
- Click Save.
Limitations
Although the ability to provision Always On VPN using Microsoft Intune without using a custom profile is welcome, it is not without its limitations. At the time of this writing, only Always On VPN user profiles can be configured. A device tunnel, which is optional, must be configured manually using a custom profile. In addition, the Intune user interface lacks the ability to define settings for the following parameters:
- Custom IKEv2 cryptography policy
- Exclusion routes
- Lockdown mode
To make changes to the default settings for any of the above parameters, a ProfileXML must be created manually and provisioned with Intune using a custom policy.
Additional Information
Windows 10 Always On VPN Device Tunnel Step-by-Step Configuration using PowerShell
Windows 10 Always On VPN Certificate Requirements for IKEv2
Windows 10 Always On VPN and the Name Resolution Policy Table (NRPT)
Windows 10 Always On VPN Hands-On Training