Deploying Always On VPN with Intune using Custom ProfileXML

When deploying Windows 10 Always On VPN using Microsoft Intune, administrators have two choices for configuring VPN profiles. They can use the native Intune user interface (UI) or create and upload a custom ProfileXML. The method chosen will depend on which features and settings are required.

Microsoft Intune

Intune has an intuitive user interface (UI) that can be used to configure and deploy Always On VPN profiles to Windows 10 clients. Guidance for using the UI to deploy Windows 10 Always On VPN with Microsoft Intune can be found here. However, Intune does not expose all Always On VPN settings to the administrator, which can be problematic.

Missing from Intune

At the time of this writing, the following Always On VPN settings cannot be configured natively using the Intune UI.

To implement any of the above features or settings the administrator must create and upload a custom ProfileXML.

ProfileXML

ProfileXML is a node within the VPNv2 Configuration Service Provider (CSP). When configuring Always On VPN using the Intune UI, each setting is configured individually. By contrast, the ProfileXML node includes all Always On VPN settings in a single configuration file. It can be deployed using Intune or PowerShell. Sample ProfileXML files for both user and device tunnels can be downloaded from my GitHub repository.

ProfileXML and Intune

I’ve already documented how to deploy an Always On VPN device tunnel configuration using Intune, so this post will focus on deploying the user tunnel using ProfileXML.

Once ProfileXML has been configured, open the Intune management console and follow the steps below to deploy it using Intune.

Create Profile

1. In the navigation pane click Device Configuration.
2. Click Profiles.
3. Click Create Profile.
4. Enter a descriptive name for the new VPN profile.
5. Select Windows 10 and later from the Platform drop-down list.
6. Select Custom from the Profile type drop-down list.

Custom OMA-URI Settings

1. In the Custom OMA-URI Settings blade click Add.
2. Enter a descriptive name in the Name field (this name will appear in the Windows UI on the client).
3. Enter ./User/Vendor/MSFT/VPNv2/Always%20On%20VPN/ProfileXML in the OMA-URI field. I’ve used Always On VPN as an example here, but you can use any text you like. If it includes spaces they must be escaped using %20, as shown here. Also, don’t forget to include the leading “.”.
4. Select String (XML file) from the Data type drop-down list.
5. Click the folder next to the Select a file field and select your ProfileXML file.
6. Click Ok.


Important Note: The File contents window must show the contents of your ProfileXML. If the contents are unreadable the XML file contains encoding that will not work. If this happens, copy the contents of your ProfileXML to another new text file and upload again.
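The following PowerShell is an added example and not code from the original post: it runs the pre-flight checks implied by the steps above on a ProfileXML file before it is uploaded, flagging a UTF-16 file (the usual cause of an unreadable File contents window), confirming the VPNv2 CSP nodes are present, and building the OMA-URI with spaces escaped as %20 and the leading “.” in place. The function name, the sample profile and vpn.example.com are all constructed for illustration.

```powershell
function Test-AovpnProfileXml {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ProfileName = 'Always On VPN'   # becomes the connection name shown on the client
    )
    $problems = @()

    # Encoding check: Intune's "File contents" preview is unreadable for UTF-16 files,
    # which start with a FF FE (LE) or FE FF (BE) byte order mark.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 2 -and (($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or
                                  ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))) {
        $problems += 'File is UTF-16; copy the text into a new UTF-8 file and upload again.'
    }

    # Well-formedness and the VPNv2 CSP nodes an Always On profile must carry.
    try { [xml]$doc = Get-Content -Path $Path -Raw -ErrorAction Stop }
    catch { $problems += "Not well-formed XML: $($_.Exception.Message)" }
    if ($doc) {
        if ($doc.DocumentElement.Name -ne 'VPNProfile') { $problems += 'Root element must be <VPNProfile>.' }
        if (-not $doc.VPNProfile.NativeProfile.Servers) { $problems += '<NativeProfile><Servers> is missing.' }
        if ($doc.VPNProfile.AlwaysOn -ne 'true') { $problems += '<AlwaysOn> is not true; the tunnel will not auto-connect.' }
    }

    # Device tunnels are scoped under ./Device, user tunnels under ./User; spaces become %20.
    $isDevice = ($doc -and $doc.VPNProfile.DeviceTunnel -eq 'true')
    $scope = if ($isDevice) { './Device' } else { './User' }
    $omaUri = "$scope/Vendor/MSFT/VPNv2/$([uri]::EscapeDataString($ProfileName))/ProfileXML"

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems; OmaUri = $omaUri }
}

# Constructed sample user-tunnel profile (illustration only; vpn.example.com is a placeholder).
$sample = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><UserMethod>MSChapv2</UserMethod></Authentication>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
</VPNProfile>
'@
$tmp = Join-Path $env:TEMP 'aovpn-user.xml'
[System.IO.File]::WriteAllText($tmp, $sample, (New-Object System.Text.UTF8Encoding $false))
Test-AovpnProfileXml -Path $tmp -ProfileName 'Always On VPN'
```

For the sample above, OmaUri comes back as ./User/Vendor/MSFT/VPNv2/Always%20On%20VPN/ProfileXML with Valid set to True; re-saving the same file as UTF-16 makes the encoding check fail.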

Assign Profile

Follow the steps below to assign the Always On VPN profile to the appropriate user group.

1. Click Assignments.
2. Click Select groups to include.
3. Select the group that includes the target users.
4. Click Select.
5. Click Save.


Demonstration Video

A demonstration video with guidance for deploying a Windows 10 Always On VPN user tunnel using the native Microsoft Intune UI as well as custom ProfileXML can be found here. The custom ProfileXML guidance starts at 7:52.

Additional Information

Deploying Windows 10 Always On VPN with Microsoft Intune

Deploying Windows 10 Always On VPN Device Tunnel using PowerShell

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN LockDown Mode

Windows 10 Always On VPN Scripts and Sample ProfileXML Files on GitHub


17 Comments

  1. Colin / August 13, 2019

    Sort of off topic for this post but does anyone know how you would go about shipping RRAS logs to syslog somewhere for centralized logging?

    I would like to log vpn connections for users and computers but I’m not sure of where the logs are or how to enable them. I would love to get the data that you see when you open the console under remote access clients.

    Also, the VPN activity data from the PowerShell cmdlet would be awesome too. It shows you what the user/computer connected to during their session.

    • Most SIEM platforms have some type of data collector that should work for this. RRAS text file logs are in standard formats so I’d check with your SIEM vendor. They might also have a dedicated connector for RRAS and/or NPS. As for VPN activity, if you’re referring to the output of Get-RemoteAccessConnectionStatistics or Get-RemoteAccessConnectionStatisticsSummary, that information is stored in a local Windows Internal Database (WID) instance. You’d have to write some custom code to get that information exported to a SIEM.

  2. Pontus Ohlert / December 13, 2019

    What is the syntax for removing a Custom OMA-URI VPN Profile?

    Just removing the profile leaves the clients with a VPN connection that is unusable.

    • Deleting the VPN profile in Intune should remove it from the client after it syncs. You can always remove them manually in the UI or using the Remove-VpnConnection PowerShell command too.

  3. Great video demonstration, thank you. We are just about to implement Intune for the second time after trying it a few years ago (and promptly ditching it). I’m looking forward to migrating our AOVPN config deployment away from SCCM and into Intune. Your video will be a great help.

  4. Paddy Berger / April 21, 2020

    Hi Richard,

    I have created user and device tunnels through the Intune custom ProfileXML method and deploying is fine. However, I cannot get this removed from a client machine. I have tried removing the user from the profile, the group from the profile and finally deleting the profile itself, yet the client still has the VPN connection there. I want to do this through Intune automatically rather than manually on each client. Any ideas?

    • That’s quite unusual. I would expect that if you remove a VPN profile from a client in Intune the settings would be removed. I don’t know if I’ve ever tested this myself though. Perhaps someone else can confirm this behavior?

      • Aaron Harvey / May 14, 2020

        I have found the same thing in my testing. As I built and deployed profiles, then either removed access to the profile or deleted the profiles, the VPN connection was left behind on the client.

  5. Aaron Harvey / May 14, 2020

    Thanks for all the information you provide Richard. I have been successful in deploying both User and Device tunnels via Intune. One question I have remaining is how I can go about deploying the User VPN to non-domain joined computers. I’d like to utilize Intune for management of Azure AD joined computers to deploy the User VPN, but what’s the best/easiest way to get the required User Certificate installed? Most of the articles I’ve read are based on domain-joined PCs using GPOs to deploy the certificates. Would doing this require NDES/SCEP and the Intune Certificate Connector? That seems like a lot more infrastructure to deploy to hand out certs to these machines. Is there an easier way?

  6. Thomas / June 1, 2020

    Hi Richard, I tried to deploy with Intune a VPN profile user tunnel without a certificate with both methods (using VPN profile or custom profile), but I have an issue. When the profile is deployed, on the client the profile is loaded but the message appears: Action needed.
    I have to insert the credentials manually although in the reference profile I checked the flag “use my Windows Credential”.
    Could you help me please?
    Thanks

    • Using certificate authentication is always recommended/preferred, but if you want to use usernames/passwords then you’ll have to use MS-CHAP v2 authentication. You can’t do this in the native Intune UI, so you’ll have to use custom XML. However, there is no option to select to use Windows logon credentials. This is something you’ll have to do after the profile is deployed, otherwise the user will always be prompted for their credentials at first connection attempt.

