Always On VPN ProfileXML Editing and Formatting with Visual Studio Code

Windows 10 Always On VPN is designed to be implemented and managed using a Mobile Device Management (MDM) platform such as Microsoft Intune. With Intune specifically, there is an option to configure an Always On VPN profile in the UI. However, it provides only limited support and does not include all settings and options required for many deployments. Crucially, IKEv2 advanced security settings cannot be configured using the Intune portal. Also, there is currently no option for configuring a device tunnel with Intune. In these scenarios, the administrator must manually create a ProfileXML file and provision it using Intune, System Center Configuration Manager (SCCM), or PowerShell.

ProfileXML

ProfileXML includes all settings that define the Always On VPN connection. The options and settings available are documented in the VPNv2 Configuration Service Provider (CSP) reference on Microsoft’s web site. ProfileXML is formatted using elements and settings within those elements. The formatting and syntax are critical to ensuring proper operation. Any error in syntax or formatting can result in an error, such as those described here.

XML Readability

Formatting is also important for readability, which is often helpful when reviewing configuration settings or troubleshooting syntax errors. For example, an element may be defined correctly but may be nested wrong. Often XML files are created with all text being left-justified, or with everything on a single line, making the content difficult to read. Using a file editor that recognizes XML files can be beneficial.
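A scripted counterpart to the review described above, as an added example that is not from the original article: it parses a ProfileXML string, reports syntax errors, flags a few known elements that sit under the wrong parent, and returns an indented copy. The element names come from the VPNv2 CSP; the parent map is a small illustrative subset, and the function name Test-ProfileXml and the sample hostname are hypothetical.

```powershell
# Added example. Parent map: small subset of the VPNv2 CSP ProfileXML layout; extend as needed.
$ExpectedParent = @{
    NativeProfile      = 'VPNProfile'
    AlwaysOn           = 'VPNProfile'
    DeviceTunnel       = 'VPNProfile'
    Servers            = 'NativeProfile'
    NativeProtocolType = 'NativeProfile'
    Authentication     = 'NativeProfile'
    RoutingPolicyType  = 'NativeProfile'
    MachineMethod      = 'Authentication'
    UserMethod         = 'Authentication'
}

function Test-ProfileXml {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($Xml) }
    catch {
        # Syntax error: the parser's message carries the line and position.
        $msg = $_.Exception.GetBaseException().Message
        return [pscustomobject]@{ WellFormed = $false; Problems = @($msg); Formatted = $null }
    }

    # Well-formed is not enough: flag known elements that sit under the wrong parent.
    $problems = foreach ($node in $doc.SelectNodes('//*')) {
        $expected = $ExpectedParent[$node.LocalName]
        if ($expected -and $node.ParentNode.LocalName -ne $expected) {
            "<$($node.LocalName)> is under <$($node.ParentNode.LocalName)>, expected <$expected>"
        }
    }

    # Re-indent so nesting is visible when the file is reviewed.
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    $sw = New-Object System.IO.StringWriter
    $writer = [System.Xml.XmlWriter]::Create($sw, $settings)
    $doc.Save($writer)
    $writer.Close()

    [pscustomobject]@{ WellFormed = $true; Problems = @($problems); Formatted = $sw.ToString() }
}

# Constructed sample on one line: RoutingPolicyType is valid XML but outside NativeProfile.
$sample = '<VPNProfile><NativeProfile><Servers>vpn.example.net</Servers><NativeProtocolType>IKEv2</NativeProtocolType><Authentication><MachineMethod>Certificate</MachineMethod></Authentication></NativeProfile><RoutingPolicyType>SplitTunnel</RoutingPolicyType><AlwaysOn>true</AlwaysOn><DeviceTunnel>true</DeviceTunnel></VPNProfile>'
$result = Test-ProfileXml -Xml $sample
$result.Problems
$result.Formatted
```

Running a check like this before provisioning catches a misplaced security-relevant setting, such as a routing policy outside NativeProfile, that an editor's Format Document command would indent neatly without complaint.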

Visual Studio Code

To create, edit, and review ProfileXML it is recommended that a proper editing tool be used. I recommend using Microsoft’s Visual Studio Code. It is free, and it is especially helpful when editing XML files. Visual Studio Code can be downloaded here.

XML Tools VS Code Plug-In

To further enhance Visual Studio Code’s XML editing and formatting capabilities, I recommend installing the XML Tools plug-in. This tool extends the native features of VS Code for handling XML files. One important thing it adds is a formatting feature that will make your ProfileXML much easier to manage. The XML Tools plug-in for VS Code can be downloaded here.

XML Formatting

Once the XML Tools plug-in for VS Code has been installed, formatting XML for readability is straightforward. Simply right-click anywhere in the document and choose Format Document.

Once complete, the XML document will be formatted with proper indenting and nesting of elements, as shown here.

Summary

Formatting and syntax must be strictly adhered to when creating a ProfileXML file for Windows 10 Always On VPN. Using Visual Studio Code with the XML Tools plug-in allows the administrator to create and edit XML with proper formatting, which greatly improves readability and allows for streamlined configuration review and troubleshooting.

Acknowledgements

Special thanks to Colin, an avid reader of the articles on this web site, for this tip. Thanks, Colin! 🙂

Additional Information

Always On VPN and DirectAccess Scripts and Sample Files on GitHub

Always On VPN IKEv2 Security Configuration

Always On VPN Device Tunnel Step-by-Step Configuration using PowerShell

Always On VPN Hands-On Training Classes in 2019

2 Comments

  1. Hello Richard,
    thanks for this (and all the other) wonderful articles about Microsoft ALON.
    Can you tell me if it is possible to insert an IPv4 or IPv6 as -Argument in the ProfileXML?
    All examples I can see include DNS-Names like “corp.example.com” or “vpn.contoso.com”. We would like to do this for security reasons …

    Another question: Is it possible to insert multiple “-Tags” as backup/redundancy option?

    Best regards

    • You should be able to use IP addresses where you use hostnames/FQDNs in XML. The only thing I would avoid is using an IP address for the VpnServer element, because you need that to match the subject name on the server certificate.
