When deploying Windows 10 Always On VPN using Microsoft Intune, administrators have two choices for configuring VPN profiles. They can use the native Intune user interface (UI) or create and upload a custom ProfileXML. The method chosen will depend on which features and settings are required.
Microsoft Intune
Intune has an intuitive user interface (UI) that can be used to configure and deploy Always On VPN profiles to Windows 10 clients. Guidance for using the UI to deploy Windows 10 Always On VPN with Microsoft Intune can be found here. However, Intune does not expose all Always On VPN settings to the administrator, which can be problematic.
Missing from Intune
At the time of this writing (updated March 2021), the following Always On VPN settings cannot be configured natively using the Intune UI.
- Disable class-based default route
- Exclusion routes
- LockDown Mode
- IPv6 routing (broken in Intune)
To implement any of the above features or settings the administrator must create and upload a custom ProfileXML.
ProfileXML
ProfileXML is a node within the VPNv2 Configuration Service Provider (CSP). When configuring Always On VPN using the Intune UI, each setting is configured individually. By contrast, the ProfileXML node includes all Always On VPN settings in a single configuration file. It can be deployed using Intune or PowerShell. Sample ProfileXML files for both user and device tunnels can be downloaded from my GitHub repository.
ProfileXML and Intune
I’ve already documented how to deploy an Always On VPN device tunnel configuration using Intune, so this post will focus on deploying the user tunnel using ProfileXML.
Once ProfileXML has been configured, open the Intune management console and follow the steps below to deploy it using Intune.
Create Profile
1. In the navigation pane click Device Configuration.
2. Click Profiles.
3. Click Create Profile.
4. Enter a descriptive name for the new VPN profile.
5. Select Windows 10 and later from the Platform drop-down list.
6. Select Custom from the Profile type drop-down list.
Custom OMA-URI Settings
1. In the Custom OMA-URI Settings blade click Add.
2. Enter a descriptive name in the Name field (this name will appear in the Windows UI on the client).
3. Enter ./User/Vendor/MSFT/VPNv2/Always%20On%20VPN/ProfileXML in the OMA-URI field. I’ve used Always On VPN as an example here, but you can use any text you like. If it includes spaces they must be escaped using %20, as shown here. Also, don’t forget to include the leading “.“.
4. Select String (XML file) from the Data type drop-down list.
5. Click the folder next to the Select a file field and select your ProfileXML file.
6. Click Ok.
Important Note: The File contents window must show the contents of your ProfileXML. If the contents are unreadable the XML file contains encoding that will not work. If this happens, copy the contents of your ProfileXML to another new text file and upload again.
Assign Profile
Follow the steps below to assign the Always On VPN profile to the appropriate user group.
1. Click Assignments.
2. Click Select groups to include.
3. Select the group that includes the target users.
4. Click Select.
5. Click Save.
Demonstration Video
A demonstration video with guidance for deploying a Windows 10 Always On VPN user tunnel using the native Microsoft Intune UI as well as custom ProfileXML can be found here. The custom ProfileXML guidance starts at 7:52.
Additional Information
Deploying Windows 10 Always On VPN with Microsoft Intune
Deploying Windows 10 Always On VPN Device Tunnel using PowerShell
Windows 10 Always On VPN IKEv2 Security Configuration
Windows 10 Always On VPN LockDown Mode
Windows 10 Always On VPN Scripts and Sample ProfileXML Files on GitHub