When deploying Windows 10 Always On VPN using Microsoft Intune, administrators have two choices for configuring VPN profiles. They can use the native Intune user interface (UI) or create and upload a custom ProfileXML. The method chosen will depend on which features and settings are required.
Microsoft Intune
Intune has an intuitive user interface (UI) that can be used to configure and deploy Always On VPN profiles to Windows 10 clients. Guidance for using the UI to deploy Windows 10 Always On VPN with Microsoft Intune can be found here. However, Intune does not expose all Always On VPN settings to the administrator, which can be problematic.
Missing from Intune
At the time of this writing (updated March 2021), the following Always On VPN settings cannot be configured natively using the Intune UI.
- Disable class-based default route
- Exclusion routes
- LockDown Mode
- IPv6 routing (broken in Intune)
To implement any of the above features or settings the administrator must create and upload a custom ProfileXML.
ProfileXML
ProfileXML is a node within the VPNv2 Configuration Service Provider (CSP). When configuring Always On VPN using the Intune UI, each setting is configured individually. By contrast, the ProfileXML node includes all Always On VPN settings in a single configuration file. It can be deployed using Intune or PowerShell. Sample ProfileXML files for both user and device tunnels can be downloaded from my GitHub repository.
ProfileXML and Intune
I’ve already documented how to deploy an Always On VPN device tunnel configuration using Intune, so this post will focus on deploying the user tunnel using ProfileXML.
Once ProfileXML has been configured, open the Intune management console and follow the steps below to deploy it using Intune.
Create Profile
1. In the navigation pane click Device Configuration.
2. Click Profiles.
3. Click Create Profile.
4. Enter a descriptive name for the new VPN profile.
5. Select Windows 10 and later from the Platform drop-down list.
6. Select Custom from the Profile type drop-down list.
Custom OMA-URI Settings
1. In the Custom OMA-URI Settings blade click Add.
2. Enter a descriptive name in the Name field (this name will appear in the Windows UI on the client).
3. Enter ./User/Vendor/MSFT/VPNv2/Always%20On%20VPN/ProfileXML in the OMA-URI field. I've used Always On VPN as the profile name here, but you can use any text you like. If it includes spaces they must be escaped using %20, as shown here. Also, don't forget to include the leading ".".
4. Select String (XML file) from the Data type drop-down list.
5. Click the folder next to the Select a file field and select your ProfileXML file.
6. Click Ok.
Important Note: The File contents window must show the contents of your ProfileXML. If the contents are unreadable the XML file contains encoding that will not work. If this happens, copy the contents of your ProfileXML to another new text file and upload again.
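As an added example (not code from the original post or from the author's GitHub repository), the following PowerShell builds a constructed ProfileXML that uses two of the settings the Intune UI cannot set (disabled class-based default route and an exclusion route), checks that the file is well-formed and saved without a byte order mark, and derives the OMA-URI for the custom profile. The server name, DNS suffix, routes and the EAP configuration placeholder are assumptions.

```powershell
# Added example, not code from the original post. Builds a constructed ProfileXML
# with settings the Intune UI cannot set, checks well-formedness and encoding,
# and derives the OMA-URI. Server, DNS suffix and routes are placeholders.

$ProfileName = 'Always On VPN'      # connection name shown in the Windows UI
$Scope       = 'User'               # 'User' for a user tunnel, 'Device' for a device tunnel
$OutFile     = Join-Path $env:TEMP 'ProfileXML_User.xml'

# Constructed sample. Replace EAP_CONFIG_PLACEHOLDER with the <EapHostConfig>
# block from New-EapConfiguration or an exported EAP configuration.
$ProfileXml = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>corp.example.com</DnsSuffix>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>EAP_CONFIG_PLACEHOLDER</Configuration>
      </Eap>
    </Authentication>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <Route>
    <Address>10.0.99.0</Address>
    <PrefixSize>24</PrefixSize>
    <ExclusionRoute>true</ExclusionRoute>
  </Route>
</VPNProfile>
"@

# 1. Well-formedness: a parse failure here is the usual cause of the
#    "A general error occurred" result when the profile is created.
try   { $doc = [xml]$ProfileXml }
catch { throw "ProfileXML is not well-formed: $($_.Exception.Message)" }
if ($doc.DocumentElement.Name -ne 'VPNProfile') {
    throw "Root element is '$($doc.DocumentElement.Name)'; expected 'VPNProfile'."
}
if (-not $doc.VPNProfile.NativeProfile.Servers) { throw 'NativeProfile/Servers is missing.' }

# 2. Encoding: save as UTF-8 without a BOM so the Intune "File contents" pane
#    shows readable XML, then verify the first bytes of the file.
[System.IO.File]::WriteAllText($OutFile, $ProfileXml, [System.Text.UTF8Encoding]::new($false))
$bytes = [System.IO.File]::ReadAllBytes($OutFile)
if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
    throw 'File starts with a UTF-8 BOM; remove it before uploading.'
}

# 3. OMA-URI: the profile name is a path segment, so spaces must become %20.
if ($ProfileName -match '-') {
    Write-Warning 'A hyphen in the profile name was reported in the comments to cause Syncml(425).'
}
$OmaUri = "./$Scope/Vendor/MSFT/VPNv2/$([System.Uri]::EscapeDataString($ProfileName))/ProfileXML"
Write-Output "OMA-URI : $OmaUri"
Write-Output "XML file: $OutFile"
```

With the defaults above the script prints ./User/Vendor/MSFT/VPNv2/Always%20On%20VPN/ProfileXML, the same OMA-URI used in step 3; set $Scope to 'Device' for a profile created in the all-users context.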
Assign Profile
Follow the steps below to assign the Always On VPN profile to the appropriate user group.
1. Click Assignments.
2. Click Select groups to include.
3. Select the group that includes the target users.
4. Click Select.
5. Click Save.
Demonstration Video
A demonstration video with guidance for deploying a Windows 10 Always On VPN user tunnel using the native Microsoft Intune UI as well as custom ProfileXML can be found here. The custom ProfileXML guidance starts at 7:52.
Additional Information
Deploying Windows 10 Always On VPN with Microsoft Intune
Deploying Windows 10 Always On VPN Device Tunnel using PowerShell
Windows 10 Always On VPN IKEv2 Security Configuration
Windows 10 Always On VPN LockDown Mode
Windows 10 Always On VPN Scripts and Sample ProfileXML Files on GitHub
Colin
/ August 13, 2019
Sort of off topic for this post, but does anyone know how you would go about shipping RRAS logs to syslog somewhere for centralized logging?
I would like to log VPN connections for users and computers, but I'm not sure where the logs are or how to enable them. I would love to get the data that you see when you open the console under Remote Access Clients.
Also, the VPN activity data from the PowerShell cmdlet would be awesome too. It shows you what the user/computer connected to during their session.
Richard M. Hicks
/ August 13, 2019
Most SIEM platforms have some type of data collector that should work for this. RRAS text file logs are in standard formats so I'd check with your SIEM vendor. They might also have a dedicated connector for RRAS and/or NPS. As for VPN activity, if you're referring to the output of Get-RemoteAccessConnectionStatistics or Get-RemoteAccessConnectionStatisticsSummary, that information is stored in a local Windows Internal Database (WID) instance. You'd have to write some custom code to get that information exported to a SIEM.
Pontus Ohlert
/ December 13, 2019
What is the syntax for removing a Custom OMA-URI VPN Profile?
Just removing the profile leaves the clients with a VPN connection that is unusable.
Richard M. Hicks
/ December 15, 2019
Deleting the VPN profile in Intune should remove it from the client after it syncs. You can always remove them manually in the UI or using the Remove-VpnConnection PowerShell command too.
OzThe2
/ March 31, 2020
Great video demonstration, thank you. We are just about to implement Intune for the second time after trying it a few years ago (and promptly ditching it). I'm looking forward to migrating our AOVPN config deployment away from SCCM and into Intune. Your video will be a great help.
Richard M. Hicks
/ March 31, 2020
Awesome! Let me know if there's anything else you need! 🙂
Paddy Berger
/ April 21, 2020
Hi Richard,
I have created user and device tunnels through the Intune custom ProfileXML method and deploying is fine. However, I cannot get this removed from a client machine. I have tried removing the user from the profile, the group from the profile and finally deleting the profile itself, yet the client still has the VPN connection there. I want to do this through Intune automatically rather than manually on each client. Any ideas?
Richard M. Hicks
/ April 22, 2020
That's quite unusual. I would expect that if you remove a VPN profile from a client in Intune the settings would be removed. I don't know if I've ever tested this myself though. Perhaps someone else can confirm this behavior?
Aaron Harvey
/ May 14, 2020
I have found the same thing in my testing. As I built and deployed profiles, then either removed access to the profile or deleted the profiles, the VPN connection was left behind on the client.
Aaron Harvey
/ May 14, 2020
Thanks for all the information you provide Richard. I have been successful in deploying both User and Device tunnels via Intune. One question I have remaining is how I can go about deploying the User VPN to non-domain joined computers. I'd like to utilize Intune for management of Azure AD joined computers to deploy the User VPN, but what's the best/easiest way to get the required User Certificate installed? Most of the articles I've read are based on domain-joined PCs using GPOs to deploy the certificates. Would doing this require NDES/SCEP and the Intune Certificate Connector? That seems like a lot more infrastructure to deploy to hand out certs to these machines. Is there an easier way?
Richard M. Hicks
/ May 14, 2020
You can use Intune for this. There is an option to use SCEP, but I much prefer the PFX connector. Details here: https://docs.microsoft.com/en-us/mem/intune/protect/certficates-pfx-configure.
Aaron Harvey
/ May 15, 2020
That was simpler, and I was successful using the assigned certs with the VPN on Azure AD joined computers. Thanks so much for the direction.
Thomas
/ June 1, 2020
Hi Richard, I tried to deploy a VPN profile user tunnel without a certificate with Intune using both methods (VPN profile or custom profile), but I have an issue. When the profile is deployed, the profile is loaded on the client but the message "Action needed" appears.
I have to enter the credentials manually, although in the reference profile I checked the flag "Use my Windows credentials".
Could you help me please?
Thanks
Richard M. Hicks
/ June 4, 2020
Using certificate authentication is always recommended/preferred, but if you want to use usernames/passwords then you'll have to use MS-CHAP v2 authentication. You can't do this in the native Intune UI, so you'll have to use custom XML. However, there is no option to select to use Windows logon credentials. This is something you'll have to do after the profile is deployed, otherwise the user will always be prompted for their credentials at first connection attempt.
Aaron
/ December 2, 2020
Thought I would share some of my findings. I have set up AoVPN with device tunnels using XML. The deployment method was PowerShell, which worked fine; then when I tried Intune it wouldn't work. Turns out IKEv2 fragmentation was occurring, and enabling that registry fix on Server 2019 fixed this issue.
Another issue I had was putting a '-' in the connection name in the OMA-URI string. This caused an Intune deployment error: "Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient."
Dropping the '-' solved the problem and the deployment was successful.
Thanks for all your articles, helped out massively.
Richard M. Hicks
/ December 3, 2020
Thanks for the update! 🙂
Carsten Nadorp
/ January 5, 2021
Hi Richard, great blog btw, but let's get to my question. 😉
We are using Azure VPN GW and custom XML for distributing the VPN profiles to clients. Azure VPN Certificates are used for authentication. Commonly this is working great, but we see a number of users “losing” the profile, it just disappears. We have a workaround to modify registry and delete some information (rasphone.pbk) and then the profile can get re-deployed. Did you ever run into this issue?
We have a Microsoft ticket open, but troubleshooting seems to be tough, even for the product team.
The same mechanism with classic on-prem Always On VPN servers is not affected by this, we never saw a profile disappearing here.
Richard M. Hicks
/ January 6, 2021
Thanks! 🙂
Not encountered this issue myself. I have never seen a VPN profile just “disappear” on the client. Very strange.
Zandder
/ August 28, 2021
Carsten, I'm seeing the same thing on maybe 5-10% of my users. Did MS ever come up with a reason as to why this was happening?
Tektrick
/ March 18, 2021
We are testing Always On VPN with a ProfileXML profile with certificate authentication, and so far it's been working fine.
I'm wondering if the VPN profile/adapter is resilient enough to pick up a certificate in case a new one is pushed, or in the case the VPN is pushed before the certificate is present.
Thanks,
Richard M. Hicks
/ March 22, 2021
Windows will always choose the best certificate to use for authentication that's in the certificate store. That is, the one that matches the requirements and is the freshest (most recent issuance, or longest expiration date). As long as the certificate meets the requirements it should work.
Satish
/ June 29, 2021
Hi Richard,
I am currently trying to set up a lab to perform Hybrid Join via VPN.
So for this I set up RRAS & NPS and am currently using a PowerShell script via VPN:
# Build a PEAP (EAP-MSCHAP v2) configuration with fast reconnect enabled
$a = New-EapConfiguration -Peap -FastReconnect $true
# Create the all-users (pre-logon) connection using that EAP configuration
Add-VpnConnection "VPN-PreLogon" -ServerAddress RRASFQDN -AllUserConnection $true -EapConfigXmlStream $a.EapConfigXmlStream -TunnelType Automatic -EncryptionLevel Optional -AuthenticationMethod Eap
# Enable split tunneling on the new connection
Set-VpnConnection -Name "VPN-PreLogon" -AllUserConnection -SplitTunneling $true
# Edit the all-users phone book so the VPN DNS servers are registered/used
$RASPhoneBook = "C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
(Get-Content $RASPhoneBook) -Replace 'IpDnsFlags=0', 'IpDnsFlags=3' | Set-Content $RASPhoneBook
It works perfectly fine and I have pre-logon connectivity.
However, one problem that has been bugging me is the need to authenticate with user name & password every time I connect to the VPN.
So I went to Connection Properties > Security > EAP Properties > Configure under Authentication Method (EAP-MSCHAP v2) and finally chose the option "Automatically use my Windows logon name & password (and domain if any)".
And it works like a charm. Now I don't have to enter my creds every time.
So I tried to add the parameter "-UseWinLogonCredentials $true" to the above script, but it keeps telling me
"WARNING: The -UseWinlogonCredential parameter is invalid. This parameter is not supported with the current authentication method", and the Authentication option under the Security tab does not have the "Use EAP" radio button selected, without which the VPN connectivity will not work.
Can you please help me out here?
Richard M. Hicks
/ July 6, 2021
That's not something I've tested myself. I can only guess there's a dependency that prevents you from adding that option with your current configuration. However, you could easily update this value in rasphone.pbk, just as you did with IpDnsFlags.
I’m curious though…why are you changing the value of IpDnsFlags anyway?
John Hough
/ July 30, 2021
Is this current? When I go to create a new profile, "Custom" is not an option. Just "Settings catalog (preview)" and "Templates". Nowhere in either option do I see "Custom OMA-URI Settings". None of your screenshots look like anything I see either.
Richard M. Hicks
/ July 30, 2021
Just checked...it's still there. 🙂 When you select Templates from the Profile Type drop-down list you will see it listed in the available templates. It's the second one on the list below Administrative Templates.
John Hough
/ August 3, 2021
Thanks Richard, I didn't notice it at first and was just choosing VPN from the templates list. Two other hopefully quick questions regarding Intune deployment. 1) The connection doesn't appear in Settings > Network & Internet > VPN on the user's machine when deployed through Intune; is there a way other than the RASPhone utility in Windows to check, monitor, and troubleshoot it? 2) If I wanted to make it NOT always on, would I just change this line to false in the XML and upload it to Intune? Then use the RASPhone utility or something else to manually connect?
Thanks
Richard M. Hicks
/ August 3, 2021
If it is a device tunnel it won't show up by default. You can enable a registry key to display it though. Details here: https://directaccess.richardhicks.com/2020/08/27/always-on-vpn-device-tunnel-status-indicator/.
Rasphone.exe (GUI) or rasdial.exe (command line) are your only real options. You'll find connection details in the event log as well. And yes, if you don't want your Always On VPN to be "always on", then yes, set the value of AlwaysOn to "false".
Andy Nicholls
/ September 13, 2021
Hi Richard
I'm having to create one of these profiles, rather than use the built-in Intune VPN config. I've compiled the ProfileXML and amalgamated the EapConfig with this, but when I drop it all into a custom profile I get the following error when deploying to devices:
Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request
I’ve checked everything and all seems to be formatted correctly.
Help 🙁
Richard M. Hicks
/ September 14, 2021
Drop me a note and let's connect. Happy to review it for you. 🙂
Andy Nicholls
/ September 21, 2021
Ah really? That's brilliant, thank you so much. Sent you a separate contact via the contact page. Hope this is ok?
Richard M. Hicks
/ September 22, 2021
Absolutely. 🙂
Per Vestergaard (@Ithlp_dk)
/ February 10, 2023
Hi Richard
We have deployed AOVPN profiles using custom XML with Intune. Right now, we have deployed these so that the user tunnel is deployed to users and the device tunnel is deployed to devices. This works perfectly. But this way, if a user signs in on a workstation on-prem, a user tunnel will be deployed. Yes, it won't be connected, but I would like to avoid this. Therefore, I was thinking about deploying both profiles to devices only. This way I can control that profiles are only created on the targeted devices. But is this the way to go – have you any experience with that?
Richard M. Hicks
/ February 10, 2023
Yes, you can certainly do that. Just target the Always On VPN user tunnel at a device security group instead of a user group, and it should work fine. 🙂
Rudy Van Poele
/ April 27, 2023
Hi Richard,
When deploying the custom XML with Intune for a user tunnel to devices, is it possible to have the profile created in the AllUser context?
Thanks.
Richard M. Hicks
/ April 27, 2023
Absolutely. Just use ./Device/Vendor/MSFT in your OMA-URI instead of ./User/Vendor/MSFT.
Eshaq Choudhury
/ September 14, 2023
I am on the latest build of Windows 11 and get the error "unable to parse XML" when deploying using Intune templates. The OMA-URI method doesn't work either. Is there a bug?
Richard M. Hicks
/ September 15, 2023
I don't think so. Can you deploy your XML using my PowerShell script?
https://github.com/richardhicks/aovpn/blob/master/New-AovpnConnection.ps1
Eshaq Choudhury
/ September 21, 2023
I tried and it doesn't work. I get the below errors. I ran it in system context.
PS C:\temp> .\New-AovpnConnection.ps1 -xmlFilePath 'C:\temp\ProfileXML_User.xml' -ProfileName 'Always on VPN'
Unable to create "Always on VPN" profile: Exception calling "CreateInstance" with "3" argument(s): "A general error occurred that is not covered by a more specific error code."
PS C:\temp> .\New-AovpnConnection.ps1 -xmlFilePath 'C:\temp\ProfileXML_User.xml' -ProfileName 'Always on VPN' -AllUserConnection
Unable to create "Always on VPN" profile: Exception calling "CreateInstance" with "2" argument(s): "A general error occurred that is not covered by a more specific error code."
Richard M. Hicks
/ September 21, 2023
That error commonly occurs when there is a syntax error in the XML configuration file. I'd suggest looking it over carefully to see where the error might be. You can find a sample XML configuration file for reference here.
https://github.com/richardhicks/aovpn/blob/master/ProfileXML_User.xml
The VPNv2 CSP reference is here.
https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp
Dean Hufford
/ November 30, 2023
What would be the advantage of adding additional VPN servers to the Intune AOVPN configuration? How can I configure Intune deployed AOVPN to failover to secondary and tertiary VPN connections from a Windows 10 machine should the primary VPN tunnel crash or fail?
Richard M. Hicks
/ December 1, 2023
For Always On VPN, none. Always On VPN will not failover to other servers listed in the additional servers fields. In the past the user could select one of those servers in the UI and manually connect, but that feature has since been removed and no longer works. If you want to provide redundancy for VPN server failures, you must use a load balancer of some sort. Traditionally we've used layer three load balancers (F5, Kemp, NetScaler, etc.), but recently we've started relying more on Azure Traffic Manager to reduce complexity and cost.
Alan
/ June 12, 2024
Hi, when using an Intune Custom VPN Profile is it possible to specify DisableMobility=1 and NetworkOutageTime=0? What I find is we set these via Intune remediation but the values get reset to DisableMobility=0 and NetworkOutageTime=1800 the next time the device syncs with Intune. Any suggestions would be greatly appreciated.
Thanks,
Alan G.
Richard M. Hicks
/ June 12, 2024
Those settings aren't yet supported in Windows. However, they will work today on an Insider build. They will also work later this year when Microsoft releases Windows 11 24H2 (or whatever they will call it!). If you are setting them today with remediation, it's being overwritten on device sync because of a known issue with Intune and Windows 11. Have a look at the comments on the following post.
https://directaccess.richardhicks.com/2021/10/28/always-on-vpn-windows-11-issues-with-intune/
Bing Luo
/ September 20, 2024
I have used the IKEv2 template and created 2 templates; basically they are the same except for the servers field as:
sever1;server1
I successfully created 1 profile using the command:
.\New-AovpnConnection.ps1 -ProfileName 'AOVVPN1' -xmlFilePath .\ProfileXML_Template.xml -AllUserConnection -DeviceTunnel
But I got an error when creating the second one:
.\New-AovpnConnection.ps1 -ProfileName 'AOVVPN2' -xmlFilePath .\ProfileXML_Template2.xml -AllUserConnection -DeviceTunnel
VERBOSE: CimSession: ..CreateInstance(root\cimv2\mdm\dmmap, MDM_VPNv2_01 (ParentID = "./Vendor/MSFT/VPNv2", InstanceID = "AOVVPN2"))
Unable to create "AOVVPN2" profile: Exception calling "CreateInstance" with "2" argument(s): "Operation cannot be carried out because an object already exists."
Richard M. Hicks
/ September 26, 2024
It appears you are creating a second device tunnel connection. Only a single device tunnel is supported. You can try creating the tunnel with a different name, though. Not sure if that will work either.