You've probably heard a lot about all the VPN capabilities that Windows 10 managed with Intune can offer, but if you're like me, to really understand it you will want to get your hands dirty – you'll want to set it up and play with it, break it and then fix it again. And of course the problem with VPN is that not everyone has a spare Pulse Secure /F5/ Sonic Wall/ CheckPoint or Citrix VPN device sitting in their home office.
This post will help you get started on your Windows 10 + Intune journey by helping you build your own lab – and you will need hardly any gear at all.
Infrastructure Setup:
You will need:
-
One Hyper V host (I use an old Surface Pro 3 running Windows 10 1709)
-
2x VMs configured like this:
VPN Server Everything Else Server OS Windows Server 2016 Windows Server 2016 Trust type Workgroup Domain Joined Specs 2GB Memory 2GB Memory Network Nic1 - External Network, Nic 2 - Private Network Nic1 - Private Network Server Roles Remote Access (Direct Access and VPN - RAS)
Domain Controller, DNS Server, AD Certificate Services, Network Policy Server
-
*These roles we will install in this guide, the others you need to have installed and configured already.
-
2x Hyper-V Virtual Networks (1 x Internal, 1 x External (internet facing))
- 1x Windows 10 test device (This can be a VM or physical. It can be hosted in your Hyper-V machine in the external network or you could use an Azure VM)
Other Assumptions:
- You've already created an Intune tennant and set the MDM authority to Intune Standalone
- You've already Installed and configured Active Directory / DNS, and set up a new domain /forest and installed Azure AD Connect to sync users and groups into Intune.
TIP: Your VPN Server will need a public IP address. Because most home lab networks only have one public IP address and all the devices sitting behind it share it using NAT , we are going to enlist the help of IPv6. I'll cover this within the post, but if your ISP only provides one IPv4 address, you can still make this lab work by enabling IPv6 on your Internet Gateway. This will allow all the devices that sit in your network (Including your VPN server VM) to obtain a publicly routable Ipv6 address.
Configuration Overview
- On the Certification Authority, create 3 certificated templates and a couple of security groups that we are going to need. Then perform the certificate request on both VPN Server and NPS Server.
- Install RRAS Role on VPN Server and configure it to act as a VPN Server supporting IKEv2
- Install the NPS role on the Everything Else Server and configure it
- Configure PEAP Settings on the NPS Server
- Configure Public DNS so that internet clients know how to hit your VPN server endpoint
- Install the Intune certificate connector on the "Everything Else" server and create the certificate profiles in Intune, then assign the profiles to a group.
- Manually create a VPN Profile on a Windows 10 device. Then export the PEAP settings for easy deployment with Intune.
- Create and deploy an Always-On VPN Profile with Intune and deploy to your test device
- Create and deploy an App-Triggered VPN Profile with Intune.
Lets get started....
Step 1 – Setup Security Groups and Certificate Templates
Create 2 AD Groups:
- VPN Users - add test users
- NPS Server - add computer account of Everything Server (that NPS role will be installed on)
Create 3 new certificate templates on CA Server:
VPN Server Auth
- Duplicate the RAS and IAS template
- Extensions: Application Policies - Add "IP security IKE intermediate"
- Permissions: Everything Else Server: "Enroll"
- Request Handling: Allow Private key to be exported
-
Subject name: Supply in Request
![]()
NPS Server Auth
- Duplicate the RAS and IAS template
-
Permissions: NPS Servers: Enroll and AutoEnroll
![]()
VPN Users
- Duplicate the Users Template
- Permissions: VPN Users = Enroll and AutoEnroll, Computer Account where PFX connector installed = Enroll
- Subject Name - Supply in request
- Cryptography -> Key Storage Provider -> Microsoft Platform Crypto Provider check box.
-
Compatibility: Certification Authority- Windows Server 2012 R2, Certificate recipient - 8.1/Windows Server 2012 R2.
Now request the certificates from the CA:
On the NPS Server – Run Certlm.msc, go to Personal store, right-click and follow the wizard to request a cert using the NPS Server Auth template
On the VPN Server, because its not domain joined, we need to perform a few more steps and do an offline certificate request.
On your Root CA Server, Copy the below to notepad and save as VPNServer.inf
(Make sure you edit the highlighted bits to match your environment)
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=VPNServer.theduffnet.xyz" ; For a wildcard use "CN=*.CONTOSO.COM" for example
; For an empty subject use the following line instead or remove the Subject line entierely
; Subject =
Exportable = TRUE ; Private key is exportable
KeyLength = 2048 ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC
; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=vpnserver.theduffnet.xyz"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"
[RequestAttributes]
CertificateTemplate= VPNServerAuth
Launch an elevated command prompt and run
Certreq -new VPNServer.inf VPNServer.req
Certreq -submit VPNServer.req
Certreq -Accept VPNServer.cer
You will be prompted to save the issued certificate locally.
After you save the .cer file locally, you need to double click on it and import it into the User Personal certificate store. Once it's imported, open Certmgr.msc, go to Personal and find the newly imported certificate. Now export it along with its private key (This will require you to set a password),
Now you can copy the Certificate (along with the RootCA certificate) to the VPN Server
Step 2 – VPN Server Setup
On your VPN Server, Copy the exported certificate and import it into the Computers Personal certificate store (you need to recall the password from the last step). Run certlm.msc and navigate to Personal. Make sure the certificate is installed properly.
User Powershell to install the RAS role:
Install-WindowsFeature DirectAccess-VPN -IncludeManagementToolsConfigure RAS Role:
- Run Wizard
- Select Deploy VPN ONLY
- Right click server and Configure and Enable Routing and Remote Access,
next
- Custom Configuration
- VPN Access, Finish
-
Start Service
Right click VPN Server, Properties, Ipv4. Add an internal Ipv4 range as a static address pool. Your VPN clients will be handed out IP addresses in this range. (I've set mine from 10.0.0.150 - 10.0.0.200)
On Security Tab, Select RADIUS Authentication, then Configure and enter details for the NPS Server
- Server Name – Name of the "Everything else" server where you are going to install NPS
- Shared Secret – Make up a secret key (and keep note of it for later)
Choose RADIUS ACCOUNTING, Configure, and enter the same Servername and secret as above, then hit Ok.
Right click ports, properties and and disable SSTP and L2TP ports by deselecting the checkboxes, configure maximum number of incoming IKEv2 ports (I choose 50 here)
Step 3 – NPS Server Setup
Install Network Policy Server Role
Install-WindowsFeature NPAS -IncludeManagementTools
Configure Role:
Register the NPS Server in Active Directory
Add the VPN Server as a RADIUS Client
Add key details about the radius client including the secret key from earlier
Step 4 – Configure additional Radius Settings
On NPS Server, Under Getting Started, Standard Config, Click Configure VPN or Dial Up
Next
Next.
Configure Authentication Methods as below (remove MS-CHAP-v2):
Add the VPN Users group who will be allowed to use the VPN
Next, Next, Next Finish
Step 4 – Configure Public DNS
In this step you're going to create an A or AAAA record on the internet that points to your VPN Server. As mentioned earlier – I use IPv6 (AAAA) records here so that my VPN server can have its very own public IPv6 address.
If for some reason you cant get a native IPv6 address on your VPN Server, don't give up – you can still configure this scenario but you will need to configure port forwarding on your gateway device (I'm not covering the steps for that here).
Enable Ipv6 on your home router/gateway (Your home Internet router configuration screen will almost certainly be different to mine)
Check your Hyper-V host machine and VPN Server. Both should now have a routable IPv6 address (a fe80: address won't do – that's link local and not reachable over the internet).
On my VPN Server:
Now create an AAAA record with your domain name DNS provider that points to your VPN server (eg: godaddy)
Step 6 – Deploy certificates to a Windows 10 client with Intune
If you haven't done so already, you will need to install the Intune certificate connector on any server in the internal network. (This can be installed on the same VM as your domain controller and CA).
TIP: The Intune Certificate Connector requires connectivity to the internet/Intune service, which we have not explicitly covered here. In the lab, you could handle this in two ways – Configure NAT on your existing VPN server to allow the DC to connect out to the internet through the existing server running Routing and Remote Services…. or you could cheat and add a second NIC to DC and connect it to the external facing hyper-v network.
Pre-req for certificate connector is .net 3.5 - Install that with Powershell or via server manager
Install-WindowsFeature Net-framework-core
Install certificate connector by downloading from Intune Console, setup with defaults (including using System account to request certs).
NOTE: If you use a service account, make sure you update the permissions on the VPN Users Certificate template with the computer account of the Everything Else server so that it is allowed to request certs.
In the Intune portal, Create a Trusted CA Profile - upload your RootCA certificate
In the Intune portal, Create the PFX Profile so that it deploys certs using the VPNUserAuth profile. Make sure you match the Certificate Template Name and add the other required fields.
Assign both the Trusted Certificate and PKCS profiles to the VPN Users group
Step 7 – Manually Configure VPN Profile
- Enrol a test windows 10 PC (can be a VM with internet connectivity) into Intune (Either Azure AD Join or add a work or school account – doesn't really matter how you get it enrolled)
- Sync with Intune and make sure the Root Certificate and User certificate were deployed successfully. (Launch Certmgr.msc and go to personal to find the User certificate, Root CA will be in the Trusted Root CA store)
- Once you have ensured you have the certs, go to Control Panel / Network and Internet / Network and Sharing Centre / Setup a new connection or Network to start creating a VPN profile manually.
- Choose Connect to a Workplace / Use my Internet Connection (VPN)
Enter some basic details about the VPN and click create (we will manually edit this next)
Click Change adapter settings to get to the network adapters control panel (ncpa.cpl), right click the vpn you just created and click properties to start configuring the below settings manually:
Now from the Network connections screen you should be able to click Start this connection. This will take you to the VPN settings screen when you can click Connect.
If you connected successfully you will see the screen above, and if you do an IPCONFIG you should also see that you got assigned an IP address in the internal IPv4 range.
Step 7 – Export your VPN Profile
This step will export the EAP settings that we configured in the last step.
Note – there are some scripts out there on the internet that export the wholeVPN profile, and modify it so that it can be imported into Intune as a custom (OMA-URI) policy. Intune now supports configuring VPN profiles natively in the Azure portal, However for complex EAP settings - we need to supply these as .XML format.
The easiest way to do that is to run this powershell on the machine where you setup the profile manually:
(Replace VPN with the name you gave the VPN profile)
$Connection = Get-VpnConnection -Name 'VPN'
$EAPSettings= $Connection.EapConfigXmlStream.InnerXml
$EapSettings | Out-File -FilePath ($env:USERPROFILE + 'desktopEAP.xml')
Step 8 – Create an Always on VPN Profile in Intune
Login into Intune portal and create a new Configuration Profile. Select Windows 10 and VPN and fill in the details as below:
Base VPN blade:
Apps and Traffic Rules blade - (not required but we will use it for your App-Triggered VPN profile)
Conditional Access blade - (not required but I'll cover this in a future post)
Proxy blade - (Not required for this lab)
DNS Settings blade:
After you have created and saved the profile. Assign it to the VPN Users group.
Sync the Windows 10 test device with Intune and the VPN profile will be installed.
Step 9 – Create an App – Triggered VPN profile
If you had success with a basic VPN profile, you may want to get fancy and configure some Auto-VPN settings. These are the steps to ensure the VPN in launched when a certain application (eg: Onenote) is started:
Create a new VPN Profile exactly the same as the last one with a couple of exceptions:
- Give it a different name like "Auto VPN"
- Ensure Split tunnelling is enabled (Connection triggers require split tunnelling be enabled)
- On the Apps and Traffic rules blade, setup like the below screenshot:
Tip: For associated Apps, You'll need to enter the package family name for UWP apps, or the path for Desktop apps. To get the package family name of an app you can use the Get-AppxPackage powershell command. Here is how I got it for OneNote:
Get-AppxPackage -Name *OneNote* | select Packagefamilyname
Tip: For Desktop apps, you need to specify an app path. For example if you wanted to start the VPN every time Notepad was launched you could use the App Identifier: C:WindowsSystem32Notepad.exe and Type: Desktop
Now assign the policy to the same user group, sync Intune policy and launch your App – you should see the VPN tunnel gets connected!
Troubleshooting
If the trigger didn't work – You my need to do some troubleshooting on the Client:
Powershell:
# To test the Auto-VPN properties are configured correctly on the client use powershell on client: Get-VpnConnection -Name 'AutoVPN' # To view all the triggers for your VPN profiles Get-VPNConnection | Get-VPNConnectionTrigger
Windows Client event Logs
VPN Autotrigger events: Windows Networking Vpn Plugin Platform/Operational (needs to be enabled first)
MDM Sync problems: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Summary
The point of this post was to help you get started managing and deploying Windows 10 VPN, particularly for those devices that you have under Modern Management with Intune.
I realize some of the steps in the post are brief and not super prescriptive but it should be good enough for most -- If you need some more step-by step, I recommend checking out this detailed document:
Always on VPN Deployment Guide: https://gallery.technet.microsoft.com/Always-On-VPN-Deployment-e681bc7d
These docs will also help with App-Triggered VPN profiles:
https://docs.microsoft.com/en-us/windows/access-protection/vpn/vpn-auto-trigger-profile