Deploying Always On VPN with Intune using Custom ProfileXML

Deploying Always On VPN with Intune using Custom ProfileXMLWhen deploying Windows 10 Always On VPN using Microsoft Intune, administrators have two choices for configuring VPN profiles. They can use the native Intune user interface (UI) or create and upload a custom ProfileXML. The method chosen will depend on which features and settings are required.

Microsoft Intune

Intune has an intuitive user interface (UI) that can be used to configure and deploy Always On VPN profiles to Windows 10 clients. Guidance for using the UI to deploy Windows 10 Always On VPN with Microsoft Intune can be found here. However, Intune does not expose all Always On VPN settings to the administrator, which can be problematic.

Missing from Intune

At the time of this writing (updated March 2021), the following Always On VPN settings cannot be configured natively using the Intune UI.

  • Disable class-based default route
  • Exclusion routes
  • LockDown Mode
  • IPv6 routing (broken in Intune)

To implement any of the above features or settings the administrator must create and upload a custom ProfileXML.

ProfileXML

ProfileXML is a node within the VPNv2 Configuration Service Provider (CSP). When configuring Always On VPN using the Intune UI, each setting is configured individually. By contrast, the ProfileXML node includes all Always On VPN settings in a single configuration file. It can be deployed using Intune or PowerShell. Sample ProfileXML files for both user and device tunnels can be downloaded from my GitHub repository.

ProfileXML and Intune

I’ve already documented how to deploy an Always On VPN device tunnel configuration using Intune, so this post will focus on deploying the user tunnel using ProfileXML.

Once ProfileXML has been configured, open the Intune management console and follow the steps below to deploy it using Intune.

Create Profile

1. In the navigation pane click Device Configuration.
2. Click Profiles.
3. Click Create Profile.
4. Enter a descriptive name for the new VPN profile.
5. Select Windows 10 and later from the Platform drop-down list.
6. Select Custom from the Profile type drop-down list.

Custom OMA-URI Settings

1. In the Custom OMA-URI Settings blade click Add.
2. Enter a descriptive name in the Name field (this name will appear in the Windows UI on the client).
3. Enter ./User/Vendor/MSFT/VPNv2/Always%20On%20VPN/ProfileXML in the OMA-URI field. I’ve used Always On VPN as an example here, but you can use any text you like. If it includes spaces they must be escaped using %20, as shown here. Also, don’t forget to include the leading “.“.
4. Select String (XML file) from the Data type drop-down list.
5. Click the folder next to the Select a file field and select your ProfileXML file.
6. Click Ok.

Deploying Always On VPN with Intune using Custom ProfileXML

Important Note: The File contents window must show the contents of your ProfileXML. If the contents are unreadable the XML file contains encoding that will not work. If this happens, copy the contents of your ProfileXML to another new text file and upload again.

Assign Profile

Follow the steps below to assign the Always On VPN profile to the appropriate user group.

1. Click Assignments.
2. Click Select groups to include.
3. Select the group that includes the target users.
4. Click Select.
5. Click Save.

Deploying Always On VPN with Intune using Custom ProfileXML

Demonstration Video

A demonstration video with guidance for deploying a Windows 10 Always On VPN user tunnel using the native Microsoft Intune UI as well as custom ProfileXML can be found here. The custom ProfileXML guidance starts at 7:52.

Additional Information

Deploying Windows 10 Always On VPN with Microsoft Intune

Deploying Windows 10 Always On VPN Device Tunnel using PowerShell

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN LockDown Mode

Windows 10 Always On VPN Scripts and Sample ProfileXML Files on GitHub

Leave a comment

51 Comments

  1. Colin

     /  August 13, 2019

    Sort of off topic for this post but does anyone know how you would go about shipping RRAS logs to syslog somewhere for centralized logging?

    I would like to log vpn connections for users and computers but I’m not sure of where the logs are or how to enable them. I would love to get the data that you see when you open the console under remote access clients.

    also the vpn activity data from the powershell cmdlet would be awesome too. It shows you what the user/computer connected to during their session.

    Reply
    • Most SIEM platforms have some type of data collector that should work for this. RRAS text file logs are in standard formats so I’d check with your SIEM vendor. They might also have a dedicated connector for RRAS and/or NPS. As for VPN activity, if you’re referring to the output of Get-RemoteAccessConnectionStatistics or Get-RemoteAccessConnectionStatisticsSummary, that information is stored in a local Windows Internal Database (WID) instance. You’d have to write some custom code to get that information exported to a SIEM.

      Reply
  2. Pontus Ohlert

     /  December 13, 2019

    What is the syntax for removing a Custom OMA-URI VPN Profile?

    Jsut removing the profile render the clients to have a VPN connection that is unusable .

    Reply
    • Deleting the VPN profile in Intune should remove it from the client after it syncs. You can always remove them manually in the UI or using the Remove-VpnConnection PowerShell command too.

      Reply
  3. Great video demonstration, thank you. We are just about to implement intune for the second time after trying it a few years ago. (And promptly ditching it). I’m looking forward to migrating our AOVPN config deployment away from SCCM and into intune. Your video will be a great help.

    Reply
  4. Paddy Berger

     /  April 21, 2020

    Hi Richard,

    I have created user and device tunnels through the intune custom profilexml method and deploying is fine. However I cannot get this removed from a client machine, I have tried removing user from the profile, the group from the profile and finally deleting the profile itself yet the client still has the vpn connection there. I want to do this through intune automatically rather than manually on each client. Any ideas

    Reply
    • That’s quite unusual. I would expect that if you remove a VPN profile from a client in Intune the settings would be removed. I don’t know if I’ve ever tested this myself though. Perhaps someone else can confirm this behavior?

      Reply
      • Aaron Harvey

         /  May 14, 2020

        I have found the same thing in my testing. As I built and deployed profiles, then either removed access to the profile or deleted the profiles, the VPN connection was left behind on the client.

  5. Aaron Harvey

     /  May 14, 2020

    Thanks for all the information you provide Richard. I have been successful in deploying both User and Device tunnels via Intune. One question I have remaining is how I can go about deploying the User VPN to non-domain joined computers. I’d like to utilize Intune for management of Azure AD joined computers to deploy the User VPN, but what’s the best/easiest way to get the required User Certificate installed? Most of the articles I’ve read are based on domain-joined PCs using GPOs to deploy the certificates. Would doing this require NDES/SCEP and the Intune Certificate Connector? That seems like a lot more infrastructure to deploy to hand out certs to these machines. Is there an easier way?

    Reply
  6. Thomas

     /  June 1, 2020

    Hi Richard, I tried to deploy with Intune a VPN Profile user tunner without certificate with both methods (using VPN profile or custom profile); but I have an issue. When the profile is deployed, on the client in profile is loaded but apper the messagge: Action needed.
    I have to insert manually the credential although in reference profile I checked the flag in “use my Windows Credential”.
    Could you help me please?
    Thanks

    Reply
    • Using certificate authentication is always recommended/preferred, but if you want to use usernames/passwords then you’ll have to use MS-CHAP v2 authentication. You can’t do this in the native Intune UI, so you’ll have to use custom XML. However, there is no option to select to use Windows logon credentials. This is something you’ll have to do after the profile is deployed, otherwise the user will always be prompted for their credentials at first connection attempt.

      Reply
  7. Aaron

     /  December 2, 2020

    Thought I would share some of my findings, I have setup AoVPN with device tunnels using xml. The deployment method was powershell which worked fine then when I tried Intune it wouldn’t work. Turns out IKEv2 fragmentation was occuring and enabling that reg fix on Server 2019 fixed this issue.

    Another issue I had was putting a ‘-‘ in the connection name in the oma-uri string this caused an intune deployment error: “Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient.”

    dropping the ‘-‘ out solved the problem and the deployment was successful.

    Thanks for all your articles, helped out massively.

    Reply
  8. Carsten Nadorp

     /  January 5, 2021

    Hi Richard, great blog btw, but let’s get to my question. 😉

    We are using Azure VPN GW and custom XML for distributing the VPN profiles to clients. Azure VPN Certificates are used for authentication. Commonly this is working great, but we see a number of users “losing” the profile, it just disappears. We have a workaround to modify registry and delete some information (rasphone.pbk) and then the profile can get re-deployed. Did you ever run into this issue?

    We have a Microsoft ticket open, but troubleshooting seems to be tough, even for the product team.

    The same mechanism with classic on-prem Always On VPN servers is not affected by this, we never saw a profile disappearing here.

    Reply
    • Thanks! 🙂

      Not encountered this issue myself. I have never seen a VPN profile just “disappear” on the client. Very strange.

      Reply
    • Zandder

       /  August 28, 2021

      Carsten, I’m seeing the same thing on maybe 5-10% of my users. Did MS every come up with a reason as to why this was happening?

      Reply
  9. We are testing Always On VPN with an ProfileXML profile with a certificate authentication ,and so far it<S been working fine.
    I<m wondering if the VPN profile/adapter is resilient enough to pick up a certificate in case a new one is pushed ,or in the case the VPN is pushed before the certificate is present.
    Thanks,

    Reply
    • Windows will always choose the best certificate to use for authentication that’s in the certificate store. That is, the one that matches the requirements and is the freshest (most recent issuance, or longest expiration date). As long as the certificate meets the requirements it should work.

      Reply
  10. Satish

     /  June 29, 2021

    Hi Richard,

    I am currently trying to Setup a Lab to perform Hybrid Join via VPN
    So for this I setup RRAS & NPS and currently using a Powershell Script via VPN:

    $a = New-EapConfiguration -Peap -FastReconnect $true
    Add-VpnConnection “VPN-PreLogon” -ServerAddress RRASFQDN -AllUserConnection $true -EapConfigXmlStream $a.EapConfigXmlStream -tunneltype Automatic -encryptionlevel Optional -authenticationmethod Eap
    Set-VPNConnection -Name “VPN-PreLogon” -AllUserConnection -SplitTunneling $true
    $RASPhoneBook = “C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk”
    (Get-Content $RASPhoneBook) -Replace ‘IpDnsFlags=0’, ‘IpDnsFlags=3’ | Set-Content $RASPhoneBook

    It works perfectly fine and I have Pre-Logon connectivity.
    However, one problem that has been bugging me is the need to authenticate with User Name & Password everytime I connect to VPN.
    So I went to Connection Properties > Security > EAP Properties > Select Configure under Authentication Method (EAP-MSCHAP V2) and finally choose the option “Automatically use my Windows logon name & password (and domain if any).

    And it works like a charm. Now I don’t have to enter my Creds every time.

    So I tried to Add the parameter “-UseWinLogonCredentials $true” to the above script but it keeps telling me

    “WARNING: The -UseWinlogonCredential parameter is invalid. This parameter is not supported with the current authentication method” and the Authentication option under Security tab does not have the “Use EAP” Radio button selected without which the VPN connectivity will not work.

    Can you please help me out here?

    Reply
    • That’s not something I’ve tested myself. I can only guess there’s a dependency that prevents you from adding that option with your current configuration. However, you could easily update this value in rapshone.pbk, just as you did with IpDnsFlags.

      I’m curious though…why are you changing the value of IpDnsFlags anyway?

      Reply
  11. John Hough

     /  July 30, 2021

    Is this current? When I go to create a new profile, “Custom” is not an option. Just “settings catalog (preview)” and “templates”. Nowhere in either option do I see “Custom OMA-URI Settings”. None of your screenshots look like anything I see either.

    Reply
    • Just checked…it’s still there. 🙂 When you select Templates from the Profile Type drop-down list you will see it listed in the available templates. It’s the second one on the list below Administrative Templates.

      Reply
      • John Hough

         /  August 3, 2021

        Thanks Richard, I didn’t notice it at first and was just choosing VPN from the templates list. 2 other hopefully quick questions regarding InTune deployment. 1) The connection doesn’t appear in settings>network & internet>vpn on the users machine when deployed through intune, is there a way other than the RASPhone utility in Windows to check, monitor, and troubleshoot it? 2) IF I wanted to make it NOT always on, would I just change this line to false in the XML and upload it to InTune false? Then use the RASPhone utility or something else to manually connect?

        Thanks

      • If it is a device tunnel it won’t show up by default. You can enable a registry key to display it though. Details here: https://directaccess.richardhicks.com/2020/08/27/always-on-vpn-device-tunnel-status-indicator/.

        Rasphone.exe (GUI) or rasdial.exe (command line) are your only real options. You’ll find connection details in the event log as well. And yes, if you don’t want your Always On VPN to be “always on”, then yes, set the value of AlwaysOn to “false”.

  12. Andy Nicholls

     /  September 13, 2021

    Hi Richard

    I’m having to create one of these profiles, rather than use the built in Intune VPN config. I’ve complied the ProfileXML and amalgamed the EapConfig with this, but when I drop it all into a custom profile I get the following error when deploying to devices:

    Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request

    I’ve checked everything and all seems to be formatted correctly.

    Help 🙁

    Reply
  13. Hi Richard

    We have deployed AOVPN Profiles using custom XML with Intune. Right now, we have deployed these so that user tunnel is deployed to users and device tunnel are deployed to devices. This works perfectly. But this way if a user sign-in on a workstation on-prem, a user tunnel will be deployed. Yes, it won´t be connected, but I would like to avoid this. Therefore, I was thinking about deploying both profiles to devices only. This way I can control that profiles only are created on the targeted devices. But is this the way to go – have you any experience with that?

    Reply
    • Yes, you can certainly do that. Just target the Always On VPN user tunnel at a device security group instead of a user group, and it should work fine. 🙂

      Reply
  14. Rudy Van Poele

     /  April 27, 2023

    Hi Richard,

    when deploying the custom XML with intune for a user tunnel to devices, is it possible to have the profile created in the AllUser context ?

    thanks.

    Reply
  15. Eshaq Choudhury

     /  September 14, 2023

    I am on the latest build of Windows 11 and get the error unable to parse XML when deploying using intune templates. The OMA-URI method doesn’t work either. Is there a bug?

    Reply
  16. Dean Hufford

     /  November 30, 2023

    What would be the advantage of adding additional VPN servers to the Intune AOVPN configuration? How can I configure Intune deployed AOVPN to failover to secondary and tertiary VPN connection from a windows 10 machine should the primary VPN tunnel crash or fail?

    Reply
    • For Always On VPN, none. Always On VPN will not failover to other servers listed in the additional servers fields. In the past the user could select one of those servers in the UI and manually connect, but that feature has since been removed and no longer works. If you want to provide redundancy for VPN server failures, you must use a load balancer of some sort. Traditionally we’ve used layer three load balancers (F5, Kemp, NetScaler, etc.), but recently we’ve started relying more on Azure Traffic Manager to reduce complexity and cost.

      Reply
  17. Alan

     /  June 12, 2024

    Hi, When using an InTune Custom VPN Profile is it possible to specify DisableMobility=1 and NetworkOutageTime=0? What i find is we set these via InTune remediation but the vaulues get reset to DisableMobility=0 and NetworkOutageTime=1800 next time the device Syncs with InTune. Any suggestions would be greatly appreciated.

    Thanks,

    Alan G.

    Reply
  18. Bing Luo

     /  September 20, 2024

    I have the used the IKEV2 template and created 2 templates, basically they are the same except the servers filed as:


    sever1;server1

    I successfully created 1 profile using command:

    .\New-AovpnConnection.ps1 -ProfileName ‘AOVVPN1’ -xmlFilePath .\ProfileXML_Template.xml -AllUserConnection -DeviceTunnel

    But I got error when creating the second one:

    .\New-AovpnConnection.ps1 -ProfileName ‘AOVVPN2’ -xmlFilePath .\ProfileXML_Template2.xml -AllUserConnection -DeviceTunnel

    VERBOSE: CimSession: ..CreateInstance(root\cimv2\mdm\dmmap, MDM_VPNv2_01 (ParentID = “./Vendor/MSFT/VPNv2”, InstanceID
    = “AOVVPN2”))
    Unable to create “AOVVPN2” profile: Exception calling “CreateInstance” with “2” argument(s): “Operation cannot be carried out because an object already exists.”

    Reply
    • It appears you are creating a second device tunnel connection. Only a single device tunnel is supported. You can try creating the tunnel with a different name, though. Not sure if that will work either.

      Reply
  1. Always On VPN DNS Registration Update Available | Richard M. Hicks Consulting, Inc.
  2. Microsoft Intune NDES Connector Setup Wizard Ended Prematurely | Richard M. Hicks Consulting, Inc.
  3. Always On VPN Device Tunnel and Custom Cryptography Native Support Now in Intune | Richard M. Hicks Consulting, Inc.
  4. Always On VPN Class-Based Default Route and Intune | Richard M. Hicks Consulting, Inc.
  5. Always On VPN CSP Updates | Richard M. Hicks Consulting, Inc.
  6. Always On VPN Trusted Network Detection and Native Azure AD Join | Richard M. Hicks Consulting, Inc.

Leave a Reply

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Continue reading