Always On VPN and Intune Proactive Remediation

Always On VPN and Autopilot Hybrid Azure AD Join

When configuring and deploying Windows Always On VPN using Microsoft Endpoint Manager (MEM)/Intune, administrators may find that some settings are not exposed in the MEM UI. In some cases, deploying the configuration profile using custom XML is the workaround. However, many crucial Always On VPN settings are not exposed using either method. Here, administrators must resort to editing settings in the VPN configuration file on the client after provisioning the VPN profile.


A file called rasphone.pbk stores all Windows VPN settings on the endpoint. It includes name/value pairs that correspond to many settings administrators change manually in the GUI. Other settings can be changed using PowerShell. Depending on the connection type, the file can be found in one of two locations.

  • User Tunnel: $env:AppData\Microsoft\Network\Connections\Pbk\rasphone.pbk
  • Device Tunnel: $env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Documentation for Windows VPN client phonebook entry settings can be found here.


Unfortunately, editing the rasphone.pbk file isn’t always convenient. Making the changes is technically easy. Administrators can write a simple PowerShell script to update the text file as required. However, automating this at scale is challenging. Thankfully, Intune Proactive Remediations can help.

Proactive Remediations

With Intune Proactive Remediations, administrators can create and deploy script packages to monitor and optionally update specific configuration settings. The package includes two scripts, a detection script, and a remediation script. The detection script looks at the current value of a particular setting and reports on its compliance. The remediation script is triggered to update the setting if the value is incorrect.


Intune Proactive Remediations has some specific licensing requirements. Administrators must also enroll devices into Endpoint analytics and provision a Windows Health Monitoring configuration profile. There are also limitations on the size and type of scripts that administrators can use. More information on prerequisites can be found here.

Script Packages

Administrators can create detection and remediation PowerShell scripts to update settings in rasphone.pbk, or optionally, they can download sample scripts from my GitHub repository here. This repository contains user and device tunnel detection and remediation scripts for many popular settings in rasphone.pbk. Examples include updating the VPN Strategy, changing VPN interface metrics, disabling class-based default routes, and many more.

Note: The scripts in my GitHub repository are examples only. While they can be used in production environments, they are basic and may not work as expected in all scenarios. For example, the scripts as written today assume only a single VPN profile provisioned. Unexpected results may occur if more than one VPN profile exists. Please use them at your own risk.


In this example, we’ll deploy a Proactive Remediation to disable IKE mobility for user tunnel VPN connections. To configure an Intune Proactive Remediation, open the Microsoft Endpoint Manager portal ( and navigate to Devices > Remediations. After creating or downloading the detection and remediation scripts, perform the following steps to create and deploy a Proactive Remediation script package.

  1. Click Create script package.
  2. Enter a name for the package in the Name field.
  3. Enter a description for the package in the Description field (optional).
  4. Click Next.
  5. Click the blue folder icon next to the Detection script file field and upload the detection script.
  6. Click the blue folder icon next to the Remediation script file field and upload the associated remediation script.
  7. For user tunnel connections, click Yes next to Run this script using the logged-on credentials. For device tunnel connections, click No.
  8. Click Next.
  9. Define scope tags as required.
  10. Click Next.
  11. Assign a group and choose a schedule. The detection script can be run once, daily, hourly, or on an hourly interval.
  12. Click Next, then click Create.

Click Refresh to update the UI to display the newly created script package.


Be advised that timing issues could lead to delays in functionality. For example, if there’s a change to an Always On VPN profile after a Proactive Remediation detection script runs, the changes will not be detected until the detection script runs again. Also, changes made while the VPN is active will not take effect until after restarting the connection.

Special Thanks

Special thanks to Tom Klaver at Inspark for turning me on to this feature. It has been an absolute lifesaver for sure!

Additional Information

Microsoft Intune Proactive Remediation Tutorial

Windows VPN Phonebook Entry Settings

Intune Proactive Remediation Script Samples on GitHub

Microsoft Windows Always On VPN Class-Based Default Route and Intune

Microsoft Windows Always On VPN Short Name Access Failure

Leave a comment


  1. Corey

     /  February 4, 2022

    Just curious why we should consider Proactive Remediation over using a Win32 app deployment in Intune. We’re looking to set the ipmetric and vpnstrategy for our user tunnels. I’ve put together detection logic and implementation scripts which I plan to deploy as an Intune app. Then I planned to use a Policy Set to push the Configuration Profiles (vpn, certs, and win32 app). I’m hoping with a Policy Set that I’ll see the VPN applied followed by PowerShell script which will update rasphone.pbk. I would greatly appreciate your opinion. Thanks.

    • You’re not limited to using Intune and Proactive Remediation at all. If you can accomplish your goals using a Win32 app that’s great. Just make sure your solution monitors the settings regularly because they can and do change. You’ll want to periodically evaluate those settings and ensure your values persist. If using a Win32 app does that you’re good to go. 🙂

  2. Matthew Vandervort

     /  May 12, 2023

    Hey Richard,

    Thanks for being the godfather of RRAS for us. All of your blog has been incredibly valuable to me and the community.

    I just wanted to put in a scenario here and give some context to the other comments on here so that hopefully noone else runs into this issue. Its a “thing” and its a terrible place to be in if you didn’t know about it and just deployed. We need to update the learn documentation and get those feature requests bubbling.

    I was deploying an AOVPN for use with Azure Files with AAD kerberos auth. The AOVPN was to circumvent limitations of port 445 from many ISPs being blocked. I dont believe that this scenario is as niche as its led on to believe.

    Because of this architecture with AAD kerberos, rasphone attribute “UseRASCredentials” needs to be set to 0 to successfully authenticate when connected to the VPN. Intune VPN config profile natively will push a 1 and the attribute is not able to be adjusted unless manually adjusted on the client side. Eventually the intune profile will push again and change it back to the default value. If you’re going to keep the intune VPN config profile, the only thing you can do is something like proactive remediation or a win32 app detection that kicks off a install script that remediates.

    The better solution is to delete your intune VPN config profile, get a known good working rasphone file and wrap a win32 app and a cmd file to push the file to the appdata\microsoft\network\connections\pbk folder for user VPN profile. When you have the config profile, it constantly overwrites your custom values in the rasphone with the default values.

    The command file is a simple copy command to push the rasphone file that has the attributes set the way that you want. If you’re using proactive remediation, you’re waiting a MINIMUM of an hour before it runs a dectection script and in my experience, that minimum 1 hour never is what the true value is. Its always multiple hours or even days before the detection runs (with a known good detection script). Its just the nature of intune and the frequency of the sync.

    If you’re adjusting any of the default values of the rasphone that are not able to be modified by way of intune VPN config profile attributes, save yourself the headache and just ditch the intune profile all together and script it.



    • Thanks for sharing, Matt! No question that having Intune redploy your profiles and having your customization/otpimizations overwritten is frustrating. Indeed, Intune proactive remediation is helpful, but it isn’t perfect.

      You’re not the first person I’ve spoken with who uses the technique of deploying VPN profiles by simply copying the rasphone.pbk file across machines. However, in my experience, this does not work with Always On VPN. It copies the profiles, certainly, but they aren’t “always on” and will not connect automatically. VPN connections can be established interactively by the user, or by using rasdial.exe or rasphone.exe. However, the “always on” functionality doesn’t carry over when using this method.

      So, for clarification, are you using true “always on” VPN connections? Or are these just ad-hoc connections? I’m assuming the latter, but wanted to make sure. 🙂

  1. Always On VPN CSP Updates | Richard M. Hicks Consulting, Inc.
  2. Always On VPN Authentication Failed Reason Code 16 | Richard M. Hicks Consulting, Inc.

Leave a Reply

%d bloggers like this: