

Always on VPN Profile XML Issue

Question

Sunday, December 30, 2018 10:06 PM

I'm attempting to deploy an Always On VPN profile to Windows 10 using an XML file. What I see once the profile has been deployed is that the network interface has been created; however, if I go to Settings > VPN to try to connect to the VPN, there's no VPN there. If I try to manually create the VPN there, I get a message that says it already exists. Anyone know what would cause this?

<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>MYDOMAIN.com</DnsSuffix>
  <NativeProfile>
    <Servers>RAS.MYDOMAIN.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>MYDOMAIN.local</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>MYDOMAIN.local</DomainName>
    <DnsServers>192.168.100.4</DnsServers>
  </DomainNameInformation>
</VPNProfile>

BI For SCCM https://www.fatstacks.tech/home/bi | Register for a Free Demo

All replies (7)

Friday, July 12, 2019 12:56 AM ✅Answered

Configure a profile on a client correctly and then run the following script from an elevated prompt.

Change your $TemplateName to match your current profile name, change the rest of the custom variables to match your environment.

This will generate an XML file for deployment and a PowerShell script to configure it (needs local admin).

$TemplateName = 'Template'
$ProfileName = 'Contoso AlwaysOn VPN'
$Servers = 'vpn.contoso.com'
$DnsSuffix = 'corp.contoso.com'
$DomainName = '.corp.contoso.com'
$DNSServers = '10.10.0.2,10.10.0.3'
$TrustedNetwork = 'corp.contoso.com'

#script begin

# Read the manually created (and tested) template connection; its EAP settings are reused below.
$Connection = Get-VpnConnection -Name $TemplateName -ErrorAction SilentlyContinue
if (!$Connection)
{
    $Message = "Unable to get $TemplateName connection profile."
    Write-Host "$Message"
    exit
}
$EAPSettings = $Connection.EapConfigXmlStream.InnerXml

$ProfileXML = @("
<VPNProfile>
  <DnsSuffix>$DnsSuffix</DnsSuffix>
  <NativeProfile>
    <Servers>$Servers</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          $EAPSettings
        </Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>$TrustedNetwork</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>$DomainName</DomainName>
    <DnsServers>$DNSServers</DnsServers>
  </DomainNameInformation>
</VPNProfile>
")

$ProfileXML | Out-File -FilePath ($env:USERPROFILE + '\desktop\VPN_Profile.xml')

# Everything in this string is written out as VPN_Profile.ps1. The backticks stop the inner
# variables from expanding here; only $ProfileName and $ProfileXML are baked in at generation time.
$Script = @("
`$ProfileName = '$ProfileName'
`$ProfileNameEscaped = `$ProfileName -replace ' ', '%20'

`$ProfileXML = '$ProfileXML'

# The CSP expects the XML entity-encoded inside the ProfileXML string property.
`$ProfileXML = `$ProfileXML -replace '<', '&lt;'
`$ProfileXML = `$ProfileXML -replace '>', '&gt;'
`$ProfileXML = `$ProfileXML -replace '`"', '&quot;'

`$nodeCSPURI = `"./Vendor/MSFT/VPNv2`"
`$namespaceName = `"root\cimv2\mdm\dmmap`"
`$className = `"MDM_VPNv2_01`"

# Resolve the SID of the logged-on user so the profile is created in that user's context.
try
{
    `$username = Gwmi -Class Win32_ComputerSystem | select username
    `$objuser = New-Object System.Security.Principal.NTAccount(`$username.username)
    `$sid = `$objuser.Translate([System.Security.Principal.SecurityIdentifier])
    `$SidValue = `$sid.Value
    `$Message = `"User SID is `$SidValue.`"
    Write-Host `"`$Message`"
}
catch [Exception]
{
    `$Message = `"Unable to get user SID. User may be logged on over Remote Desktop: `$_`"
    Write-Host `"`$Message`"
    exit
}

`$session = New-CimSession
`$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
`$options.SetCustomOption(`"PolicyPlatformContext_PrincipalContext_Type`", `"PolicyPlatform_UserContext`", `$false)
`$options.SetCustomOption(`"PolicyPlatformContext_PrincipalContext_Id`", `"`$SidValue`", `$false)

# Remove any existing instance with the same name before creating the new one.
try
{
    `$deleteInstances = `$session.EnumerateInstances(`$namespaceName, `$className, `$options)
    foreach (`$deleteInstance in `$deleteInstances)
    {
        `$InstanceId = `$deleteInstance.InstanceID
        if (`"`$InstanceId`" -eq `"`$ProfileNameEscaped`")
        {
            `$session.DeleteInstance(`$namespaceName, `$deleteInstance, `$options)
            `$Message = `"Removed `$ProfileName profile `$InstanceId`"
            Write-Host `"`$Message`"
        } else {
            `$Message = `"Ignoring existing VPN profile `$InstanceId`"
            Write-Host `"`$Message`"
        }
    }
}
catch [Exception]
{
    `$Message = `"Unable to remove existing outdated instance(s) of `$ProfileName profile: `$_`"
    Write-Host `"`$Message`"
    exit
}

# Create the MDM_VPNv2_01 instance that carries the ProfileXML.
try
{
    `$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance `$className, `$namespaceName
    `$property = [Microsoft.Management.Infrastructure.CimProperty]::Create(`"ParentID`", `"`$nodeCSPURI`", `"String`", `"Key`")
    `$newInstance.CimInstanceProperties.Add(`$property)
    `$property = [Microsoft.Management.Infrastructure.CimProperty]::Create(`"InstanceID`", `"`$ProfileNameEscaped`", `"String`", `"Key`")
    `$newInstance.CimInstanceProperties.Add(`$property)
    `$property = [Microsoft.Management.Infrastructure.CimProperty]::Create(`"ProfileXML`", `"`$ProfileXML`", `"String`", `"Property`")
    `$newInstance.CimInstanceProperties.Add(`$property)
    `$session.CreateInstance(`$namespaceName, `$newInstance, `$options)
    `$Message = `"Created `$ProfileName profile.`"
    Write-Host `"`$Message`"
}
catch [Exception]
{
    `$Message = `"Unable to create `$ProfileName profile: `$_`"
    Write-Host `"`$Message`"
    exit
}

`$Message = `"Script Complete`"
Write-Host `"`$Message`"
")

$Script | Out-File -FilePath ($env:USERPROFILE + '\desktop\VPN_Profile.ps1')

$Message = "Successfully created VPN_Profile.xml and VPN_Profile.ps1 on the desktop."
Write-Host "$Message"

Monday, December 31, 2018 7:47 AM

Hi,

Have you tried manually creating a template connection profile before creating profileXML files?

Make sure that the template VPN connection to your VPN server is successful. Doing so ensures that the EAP settings are correct before you use them in the next example. You must connect at least once before continuing; otherwise, the profile will not contain all the information necessary to connect to the VPN.

Please refer to the link below:

/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#bkmk_profile  

Best regards,

Travis

Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]


Monday, December 31, 2018 4:46 PM

I'm really struggling to understand this document. I have manually created and tested a VPN profile on my test PC.

I would assume that "The Windows PowerShell script in Listing 1" (which is MakeProfile.ps1, so why not just say "MakeProfile.ps1") creates two files on the desktop that are generated by reading the VPN profile that I manually created; however, that's not the case.

MakeProfile.ps1 actually just created the XML based on the parameters in the script. If my VPN is not configured exactly as the VPN that the script creates an XML for, this is totally useless to me.

My ultimate goal here is to deploy the XML from Intune so I go to the section "Configure the VPN client by using Intune" and I'm instructed to "configure the ProfileXML CSP node by using the VPN profile you created in the section Create the ProfileXML configuration files" but as I've already mentioned that XML is not any good for my scenario so I go to option 2, "Or you can use the base EAP XML sample provided below" which again seems to indicate that my VPN is configured a certain way that it may or may not be.

I want to deploy my VPN profile to devices during Autopilot. I want it to be always on and use IKEv2 machine certificates for authentication.

While I very much appreciate what this document is attempting to do, I do not understand why it tells me to manually create a VPN profile and confirm it works but does not attempt to export that working profile into an XML. Nor does this document, or any other document that I can find, tell me how to create an XML that will work in my scenario.

In my OP I posted the XML that I've cobbled together, but it's not working as it should. I do have a case with CSS on this; however, the case owner (Intune team) indicated to me that getting help from another team to ensure the XML is correct was highly unlikely.


Wednesday, January 2, 2019 5:52 AM

Hi,

Have you read this article written by Richard M.Hicks? It may be easier to understand.

https://directaccess.richardhicks.com/2018/05/21/deploying-windows-10-always-on-vpn-with-microsoft-intune/

Best regards,

Travis



Wednesday, January 2, 2019 1:04 PM

It's funny you ask.... Richard actually helped me set up the VPN server. I had him look at my XML. He made some changes and sent that back to me. It still does not work.


Friday, January 4, 2019 5:48 AM

Hi,

It is awkward.....

Based on the complexity and the specific situation, we don't have more ideas for the time being.

I think you should expect CSS to give you a solution.

Best regards,

Travis



Tuesday, June 4, 2019 9:27 AM

I know this is a slightly dated post, but Device Tunnels don't appear in the UI, which is what you're trying to set up based on your XML.

You can check the status of a Device Tunnel using PowerShell (as an admin):

Get-VpnConnection -AllUserConnection
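Added example, not code from this thread: a PowerShell check that validates a device-tunnel ProfileXML against the constraints the last reply relies on (a device tunnel needs IKEv2 with machine-certificate authentication and never appears under Settings > VPN), then reports what the all-user connection store and the VPNv2 CSP actually hold. The sample XML is constructed from the OP's profile; the DeviceTunnel property on Get-VpnConnection output is assumed to be present (Windows 10 1709 or later), and the MDM bridge query is assumed to list device-scope instances only when run as SYSTEM.

```powershell
# Added example (not from the thread). Run from an elevated prompt; the MDM bridge
# query below only lists device-scope instances when run as SYSTEM (e.g. a scheduled task).

# Constructed sample modelled on the OP's profile; replace with your own file contents.
$SampleProfileXml = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <NativeProfile>
    <Servers>RAS.MYDOMAIN.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
  </NativeProfile>
</VPNProfile>
"@

function Test-DeviceTunnelProfileXml {
    param([Parameter(Mandatory)][string]$Xml)
    # The CSP rejects malformed XML without a useful error, so parse it first.
    try { $doc = [xml]$Xml } catch { return "ProfileXML is not well-formed: $($_.Exception.Message)" }
    $p = $doc.VPNProfile
    $problems = @()
    if ($p.DeviceTunnel -ne 'true') { $problems += 'DeviceTunnel is not true' }
    if ($p.NativeProfile.NativeProtocolType -ne 'IKEv2') { $problems += 'device tunnel requires IKEv2' }
    if ($p.NativeProfile.Authentication.MachineMethod -ne 'Certificate') { $problems += 'device tunnel requires MachineMethod=Certificate' }
    if ($p.NativeProfile.Authentication.UserMethod) { $problems += 'UserMethod is not valid in a device tunnel' }
    if ($problems) { return 'Problems: ' + ($problems -join '; ') }
    return 'OK: device-tunnel ProfileXML looks valid'
}

function Get-DeviceTunnelStatus {
    # Device tunnels live in the all-user store and never show in Settings > VPN.
    Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Server = $_.ServerAddress; Tunnel = $_.TunnelType
                           DeviceTunnel = $_.DeviceTunnel; Status = $_.ConnectionStatus }
    }
    # Cross-check what the VPNv2 CSP stored; the saved ProfileXML may be entity-encoded.
    Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Instance = $_.InstanceID; Parent = $_.ParentID
                               HasDeviceTunnel = [bool]($_.ProfileXML -match 'DeviceTunnel(>|&gt;)true') }
        }
}

Test-DeviceTunnelProfileXml -Xml $SampleProfileXml
Get-DeviceTunnelStatus
```

If the first function reports OK but the second lists nothing, the profile never reached the CSP (wrong context or a rejected payload); if the connection is listed with DeviceTunnel = True, the missing Settings entry is expected behaviour.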