Channel: TechNet Blogs

Configuring Custom Windows 10 VPN Profiles using Intune


This article provides an overview of configuring a basic VPN connection profile using Intune.  High-level steps include:

  1. Register the device to be managed by Intune.

  2. Create a VPN connection policy.

  3. Deploy the VPN profile.

NOTE - the finer points of Intune management (groups, users, etc.) are outside the scope of this article.

 

Step 1: Register the device to be managed by Intune (Join a workplace)

Before a device can be managed by Intune, it must be registered with the MDM server.  To register a device:

  1. Select Accounts from the modern Settings UI.

  2. Select the Work access tab and click Connect.

  3. Enter the e-mail address provided by your Intune administrator (note - this may or may not be the same as your corporate e-mail account).

  4. When prompted, enter your password (also provided by the Intune administrator).

  5. You are connected.

     

Step 2: Creating a basic VPN connection policy

This step demonstrates the creation of a VPN connection policy for the Contoso VPN network, using a minimal set of profile configuration settings.

  1. Log in to the Intune administration interface at http://manage.microsoft.com

  2. Select Policy then click Configuration Policies as shown below.

  3. Click Add... in the Configuration Policies pane.

  4. Select Windows Custom Policy (Windows 10 and Windows 10 Mobile).  Select Create and Deploy a Custom Policy and click Create Policy.

  5. The Create Policy dialogue launches, allowing you to specify a Name and any custom OMA-URI settings for your connection profile.  In the example below we will use settings specific to the Contoso network.  Be sure to substitute your own when testing.

    1. In the Name field type ‘Contoso VPN Policy’.  This is the name that will be used to identify the policy in Intune, so make it brief but descriptive. 

    2. Click Add... to create each necessary OMA-URI for the ‘Contoso VPN Policy’ per the steps below.

    URI Configuration Steps

      1. Click Add… to create a new OMA-URI Setting.

      2. Complete all required values in the Add or Edit OMA-URI Setting dialogue as shown in the 'URI Configuration Values' section below.

      3. Click OK.

      4. Repeat for each of the OMA-URI resources being configured by the policy.  In this example we will create three OMA-URIs in this order:

        1. VPN Server Address

        2. Tunnel Type

        3. Authentication Method

    URI Configuration Values for Contoso VPN

    Profile Name and VPN Server Address

    • Setting Name– Contoso VPN Server

    • Data String– String

    • OMA-URI– ./Device/Vendor/MSFT/VPNv2/ContosoVPN/NativeProfile/Servers

    • Value– vpn.contoso.com

    Tunnel Type

    • Setting Name– Tunnel Type

    • Data String– String

    • OMA-URI– ./Device/Vendor/MSFT/VPNv2/ContosoVPN/NativeProfile/NativeProtocolType

    • Value– Automatic (possible values include PPTP, L2TP, IKEv2 and Automatic)

 

    Authentication Method

    • Setting Name– Authentication Method

    • Data String– String

    • OMA-URI– ./Device/Vendor/MSFT/VPNv2/ContosoVPN/NativeProfile/Authentication/UserMethod

    • Value– MSChapv2
      (possible values for UserMethod include MSChapv2 and EAP.  If specifying EAP, additional URIs are required.)

IMPORTANT NOTE - Notice how ContosoVPN was substituted in place of the ProfileName resource.  This is how the profile name is specified in an OMA-URI.  The profile name is created by the OMA-URI used to specify the VPN server address.  There is no need to specify a separate URI to populate the profile name.

It is important that you specify the same profile name in all other OMA-URI settings for that VPN Connection Profile.

                           

    Additional OMA-URI Configuration Notes

    • The table above represents the minimum URIs required to configure the built-in (Native) client.

    • If certain URI values are specified, other URIs may then be required, for example when selecting an EAP authentication method.

    • The NativeProfile resource is used when configuring the inbox client.  

    • For more information on CSPs, OMA-URIs and their values see the Configuration service provider reference on MSDN. 

 

IMPORTANT NOTE - When configuring any CSP it is important to identify all required OMA-URIs. When configuring a Windows VPN CSP specifically, it is important that the OMA-URIs be specified in the proper order.  This is because of the way that RAS Phonebook entries are written on the client.

 

A NOTE ON INTUNE UI POLICY TEMPLATES - At the time of this writing, the Windows 10 Custom Policy node in Intune is a simple interface requiring admins to create CSP policies by specifying individual OMA-URIs.  Future iterations will include a policy UI specific to the VPNv2-CSP.  Similar to existing 8.1 policy creation, the new UI will include fields specific to Windows 10 VPN configuration, making it a more intuitive experience.

 

Finally, review the configuration in the OMA-URI settings section.  When you have completed configuring all OMA-URI settings click Save Policy.  You will then be provided with the opportunity to deploy the policy to managed devices.
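The profile-name and ordering rules above can be checked mechanically before the policy is saved. The following Python sketch is an added example, not part of the original article or of Intune; the function name `lint_policy` and both sample policies are constructed for illustration, and it only knows the three URIs and the values listed in this article.

```python
import re

# Path layout used in this article: .../VPNv2/<ProfileName>/NativeProfile/<leaf>
URI_RE = re.compile(r"^\./Device/Vendor/MSFT/VPNv2/([^/]+)/NativeProfile/(.+)$")
# Values the article lists for each setting (compared case-insensitively).
ALLOWED = {"NativeProtocolType": {"pptp", "l2tp", "ikev2", "automatic"},
           "Authentication/UserMethod": {"mschapv2", "eap"}}
# Minimum URIs for the native client, in the order the article creates them.
REQUIRED_ORDER = ["Servers", "NativeProtocolType", "Authentication/UserMethod"]
USER_METHOD = "Authentication/UserMethod"

def lint_policy(settings):
    """settings: ordered list of (oma_uri, value) pairs. Returns findings."""
    findings, leaves, profiles, eap = [], [], set(), False
    for uri, value in settings:
        m = URI_RE.match(uri)
        if not m:  # e.g. a missing MSFT segment or a non-native profile node
            findings.append(f"unexpected OMA-URI path: {uri}")
            continue
        profile, leaf = m.groups()
        profiles.add(profile)
        leaves.append(leaf)
        if leaf in ALLOWED and value.lower() not in ALLOWED[leaf]:
            findings.append(f"{leaf}: '{value}' is not a value listed in the article")
        eap = eap or (leaf == USER_METHOD and value.lower() == "eap")
    if len(profiles) > 1:  # every URI must carry the same profile name
        findings.append(f"profile name differs between URIs: {sorted(profiles)}")
    missing = [l for l in REQUIRED_ORDER if l not in leaves]
    present = [l for l in leaves if l in REQUIRED_ORDER]
    if missing:
        findings.append(f"missing required URI(s): {missing}")
    elif present != REQUIRED_ORDER:
        findings.append(f"URIs not in the article's order: {present}")
    extra_auth = [l for l in leaves if l.startswith("Authentication/") and l != USER_METHOD]
    if eap and not extra_auth:
        findings.append("UserMethod is EAP but no additional Authentication URIs are set")
    return findings

BASE = "./Device/Vendor/MSFT/VPNv2/"
# Constructed sample policies (not exported from a real tenant).
GOOD = [(BASE + "ContosoVPN/NativeProfile/Servers", "vpn.contoso.com"),
        (BASE + "ContosoVPN/NativeProfile/NativeProtocolType", "Automatic"),
        (BASE + "ContosoVPN/NativeProfile/Authentication/UserMethod", "MSChapv2")]
BAD = [(BASE + "ContosoVPN/NativeProfile/NativeProtocolType", "OpenVPN"),
       (BASE + "Contoso-VPN/NativeProfile/Servers", "vpn.contoso.com"),
       (BASE + "ContosoVPN/NativeProfile/Authentication/UserMethod", "EAP")]
if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_policy(policy) or "no findings")
```
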

The following section demonstrates how to deploy the policy.

Step 3: Deploying the ‘Contoso VPN Policy’

This step demonstrates deploying an existing VPN policy to a set of managed devices.

1. Select the desired policy (in Configuration Policies) and click Manage Deployment…


2. In the Manage Deployment window, select the group to which the policy is to be applied.  Click Add.  Click OK.

3. The policy is now deployed and will be applied to online devices.  Though it should not be required, you can also manually sync the policy from the Account Settings UI on the client.

 

 

 

 

 

 

