Always On VPN Device Tunnel Configuration using Intune

Always On VPN Device Tunnel Configuration using IntuneA while back I described in detail how to configure a Windows 10 Always On VPN device tunnel connection using PowerShell. While using PowerShell is fine for local testing, it obviously doesn’t scale well. In theory you could deploy the PowerShell script and XML file using System Center Configuration Manager (SCCM), but using Microsoft Intune is the recommended and preferred deployment method. However, as of this writing Intune does not support device tunnel configuration natively. The administrator must create a ProfileXML manually and use Intune to deploy it.

Device Tunnel Prerequisites

I outlined the Always On VPN device tunnel prerequisites in my previous post here. To summarize, the client must be running Windows 10 Enterprise edition and be domain-joined. It must also have a certificate issued by the internal PKI with the Client Authentication EKU in the local computer certificate store.

ProfileXML

To begin, create a ProfileXML for the device tunnel that includes the required configuration settings and parameters for your deployment. You can find a sample Windows 10 Always On VPN device tunnel ProfileXML here.

Note: Be sure to define a custom IPsec policy in ProfileXML for the device tunnel. The default security settings for the IKEv2 protocol (required for the device tunnel) are quite poor. Details here.

Intune Deployment

Open the Intune management console and follow the steps below to deploy an Always On VPN device tunnel using Microsoft Intune.

Create Profile

1. Navigate to the Intune portal.
2. Click Device configuration.
3. Click Profiles.
4. Click Create profile.

Define Profile Settings

1. Enter a name for the VPN connection in the Name field.
2. Enter a description for the VPN connection in the Description field (optional).
3. Select Windows 10 and later from the Platform drop-down list.
4. Select Custom from the Profile type drop-down list.

Always On VPN Device Tunnel Configuration using Intune

Define Custom OMA-URI Settings

1. On the Custom OMA-URI Settings blade click Add.
2. Enter a name for the device tunnel in the Name field.
3. Enter a description for the VPN connection in the Description field (optional).
4. Enter the URI for the device tunnel in the OMA-URI field using the following syntax. If the profile name includes spaces they must be escaped, as shown here.

./Device/Vendor/MSFT/VPNv2/Example%20Profile%Name/ProfileXML

5. Select String (XML file) from the Data Type drop-down list.
6. Click the folder next to the Select a file field and chose the ProfileXML file created previously.
7. Click Ok twice and then click Create.

Always On VPN Device Tunnel Configuration using Intune

Assign Profile

Follow the steps below to assign the Always On VPN device tunnel profile to the appropriate device group.

1. Click Assignments.
2. Click Select groups to include.
3. Select the group that includes the Windows 10 client devices.
4. Click Select.
5. Click Save.

Always On VPN Device Tunnel Configuration using Intune

Demonstration Video

A video demonstration of the steps outlined above can be viewed here.

Additional Information

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Windows 10 Always On VPN IKEv2 Security Configuration

Deleting a Windows 10 Always On VPN Device Tunnel

Windows 10 Always On VPN Device Tunnel Missing in the UI

Video: Deploying Windows 10 Always On VPN User Tunnel with Microsoft Intune

Leave a comment

18 Comments

  1. Tim

     /  August 28, 2019

    After spending quite some time testing, am I right in saying there is an issue deploying a Device Tunnel and a User Tunnel via Intune when wanting both connections to use TrustedNetworkDetection? What I am seeing is the device or user tunnel can be deployed perfectly individually, however, if both device and user tunnels are deplyed via Intune and TrustedNetworkDetection is enabled – the user tunnel never initiates a connection as the Device Tunnel connects and is seen to be on the TrustedNetwork – not using the TrustedNetworkDetection option on either the device or user tunnel would mean a really untidy deployment. If I roll out the Device Tunnel using a PowerShell script or SCCM (again a PowerShell script) then the Device Tunnel connects with TrustedNetworkDetection and so does the User Tunnel (deployed via Intune) – Anyone else seen this? Are Microsoft aware?

    Reply
    • A while back there were issues with Windows 10 and trusted network detection that exhibited this exact behavior, but those were resolved quite some time ago. If you running 1803/1809 that’s been updated since February/March, you should have those fixes. Are you deploying Always On VPN with Intune using the native UI or custom ProfileXML?

      Reply
      • Tim

         /  August 29, 2019

        Everything is using ProfileXML – The native UI doesn’t provide all the options needed for some strange reason – It would be great if Microsoft included all the options in the native UI as that would certainly remove any syntax errors that may be contained in the XML. I thought the TrustedNetworkDetection was fixed too – but this is the first time I have created both User and Device Tunnels via Intune and there seems to be an issue – I am running August 19 Cumulative Update for Windows 10 1803 and I am seeing this issue. The issue does not occur if I create the Device Tunnel with PowerShell and the User Tunnel with Intune – only when using Intune for both. Is this something that others are experiencing / others can test?

      • Very strange. Might be time to engage with Microsoft support. Perhaps this bug is back?

  2. tim

     /  September 11, 2019

    I’m having an odd issue with a device tunnel configuration. I can’t seem to find ANY documentation on the correct .xml configuration for a device tunnel with Force Tunneling turned on. I have a completely working device tunnel with split tunneling however if i change SplitTunnel to ForceTunnel under the RoutingPolicyType section it fails to install the VPN on the endpoints with an error saying the Parameter is Incorrect. Im probably missing something but again, super hard to find any good full examples of the configuration file except for on your site.

    Thanks in advance.

    Reply
    • Using force tunneling with the device tunnel is not common, but I think it should work. When using force tunneling you must remove the DisableClassBasedDefaultRoute option and also any routes. Give that a shot and let me know what happens.

      Reply
      • Tim

         /  September 12, 2019

        Interestingly I just got this working a few hours ago, I had to leave the DisableClassBasedDefaultRoute option in and set it to false. If i tried removing this (which common sense says you should) it failed to install the VPN adapter with a configuration error. I also had to remove all of the route entries as you mentioned as well.

        Thanks for your help!

      • Interesting. Good to know!

    • Tim

       /  September 13, 2019

      Tim? Are you deploying this via Intune? If so – when the device configuration is applied to a computer which user / object does Intune report as Successfully installing the profile for the Device Tunnel? The reason I ask is that whenever I deploy a Device Tunnel via Intune it is always installed as a User, and it breaks the Always On function of the User Tunnel (I guess it’s because a user can only have 1 Always On profile and with the Device tunnel being rolled out as a user it breaks the User Tunnel) Thanks for any confirmation.

      Reply
      • If you are deploying the device tunnel and it is being installed in the context of the user it sounds like you have the OMA-URI defined incorrectly. Have a close look at that and see what’s up. It should start with ./Device, not ./User.

      • Tim

         /  September 16, 2019

        yes i’m using Intune to deploy, I haven’t seen this behavior. While it does show a deployment to a user, it also shows the device deployment. I have had both user and device tunnel running at the same time with no issues, both deployed by intune.

  3. Tim

     /  September 17, 2019

    I can confirm that my device tunnel OMA-URI is: “./Device/Vendor/MSFT/VPNv2/Device%20Tunnel/ProfileXML”

    Can you both try something for me on one of your machines managed by Intune? Can you delete both the User and Device Tunnel from that machine – and then perform a sync when logged in as a Always On VPN user on that machine. This should install the Device and User Tunnel again – then go and check Intune and see who installed each Configuration Profiles? I am wondering if Intune installed the Device Tunnel when the machine was logged in as a different user to the one who has the User Tunnel Always On VPN installed. I am seeing that if the user is logged in then Intune installs both the Device Tunnel and User Tunnel as that user which breaks alwayson=true for the User Tunnel as only one profile can be AlwaysOn and that is always the Device Tunnel. Any info / screenshots you have would be great to help me sort this out.

    Reply
    • Sure. Will test as soon as possible. I’ll warn you that it might be a bit though. I’m full engaged this week and on vacation the next two weeks after. 😉

      Reply
  1. Always On VPN LockDown Mode | Richard M. Hicks Consulting, Inc.
  2. Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell | Richard M. Hicks Consulting, Inc.
  3. Deploying Always On VPN with Intune using Custom ProfileXML | Richard M. Hicks Consulting, Inc.
  4. Always On VPN DNS Registration Update Available | Richard M. Hicks Consulting, Inc.
  5. Microsoft Intune NDES Connector Setup Wizard Ended Prematurely | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: