Intune Makes Deploying Always On VPN Device Tunnels Easier without ProfileXML Node

Organizations have been rushing to deploy solutions that allow employees to work from home because of the worldwide health pandemic. At the same time, IT departments need to manage devices that might not be directly connected to the corporate intranet for long periods. Windows 10 Always On VPN is Microsoft’s replacement for DirectAccess.

Like DirectAccess, Always On VPN is a remote access solution that works seamlessly for end users. Always On VPN doesn’t require users to manually establish a connection to the VPN server, it is built into Windows 10, and it works with different VPN servers, like Windows Server and Citrix Gateway.

Device tunnels are used where pre-login connectivity is required

VPN device tunnels are used where pre-login connectivity is required for device management purposes, for example so that a device can reach domain controllers and management servers before anyone has signed in. User tunnels connect only after a user has logged in to Windows. User tunnels provide access to an organization’s intranet resources, like file servers and intranet sites.

Both device and user tunnels can be connected at the same time. Each tunnel type requires its own VPN profile on the client, and the two profiles can use different authentication methods and configuration settings. Always On VPN user tunnels support Secure Socket Tunneling Protocol (SSTP) and IKEv2. Device tunnels support only IKEv2, with no SSTP fallback, and they authenticate with a machine certificate rather than user credentials, so a device tunnel is only as trustworthy as the device certificate enrollment behind it.

Microsoft provides more information about the differences between the two tunnel types and how they can be used on its website here.

Mobile Device Management (MDM) CSPs expose management features in Windows

But configuring the Windows 10 VPN client to work with an Always On VPN device tunnel has, until recently, been difficult. In Microsoft Intune, it required using the VPNv2 configuration service provider (CSP). Mobile Device Management (MDM) CSPs expose management features in Windows and, at least from a conceptual point of view, work like Group Policy. Each CSP consists of configuration nodes that represent settings like registry keys and files.

Manually configuring the ProfileXML node

MDM products, like Microsoft Intune, are supposed to provide a user-friendly way for administrators to manage CSP configuration nodes. Intune uses the VPNv2 CSP to configure the Windows 10 VPN client. But until recently, it required manually configuring the ProfileXML node. The ProfileXML node accepts a complete VPN profile as a single XML document, so all of the client’s settings can be delivered in one node instead of being set through the individual VPNv2 nodes.

To see the VPNv2 CSP nodes in tree format, check out Microsoft’s website here.

The ProfileXML Open Mobile Alliance Uniform Resource Identifier (OMA-URI) node can be configured using OMA Device Management protocol (OMA-DM) or a Windows Management Instrumentation (WMI) class called MDM_VPNv2_01. Both methods require a properly formatted XML VPN profile based on the ProfileXML schema definition (XSD), which you can find here.
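The following script is an added example, not code from the Petri article, showing the second of the two methods just described: writing a device tunnel ProfileXML into the VPNv2 CSP through the WMI bridge class MDM_VPNv2_01. It also illustrates the device tunnel settings discussed earlier (IKEv2 only, machine certificate authentication, split tunnel). Because the device tunnel lives in the device context, the script must run as LOCAL SYSTEM (for a test machine, `psexec.exe -i -s powershell.exe`). The profile name, VPN server name and route addresses are placeholders.

```powershell
# Added example: deploy an Always On VPN device tunnel through the WMI bridge
# (class MDM_VPNv2_01 in root\cimv2\mdm\dmmap). This is the same VPNv2 CSP
# ProfileXML node that Intune writes via OMA-DM. Run as LOCAL SYSTEM.
# Profile name, server name and route addresses below are placeholders.

$ProfileName = 'Contoso AlwaysOn VPN Device Tunnel'
# InstanceID becomes the CSP node name, so spaces must be URL-encoded.
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# Minimal device tunnel ProfileXML: IKEv2 only, machine certificate auth,
# split tunnel with explicit host routes so the pre-logon tunnel carries only
# management traffic to the named hosts instead of exposing the whole intranet
# to a machine session that no user has authenticated to yet.
$ProfileXML = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.10.10.10</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <Route>
    <Address>10.10.10.11</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
'@

# The ProfileXML node stores the profile as a string value, so the XML must be
# entity-encoded before it is written into the CSP.
$EncodedXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$NamespaceName = 'root\cimv2\mdm\dmmap'
$ClassName     = 'MDM_VPNv2_01'
$ParentID      = './Vendor/MSFT/VPNv2'

$Session = New-CimSession
try {
    $Instance = New-Object Microsoft.Management.Infrastructure.CimInstance $ClassName, $NamespaceName
    foreach ($Prop in @(
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   $ParentID,           'String', 'Key'),
        [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $ProfileNameEscaped, 'String', 'Key'),
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $EncodedXML,         'String', 'Property')
    )) {
        $Instance.CimInstanceProperties.Add($Prop)
    }
    $null = $Session.CreateInstance($NamespaceName, $Instance)
    Write-Host "Created profile '$ProfileName'."
}
catch {
    Write-Error "Unable to create profile '$ProfileName': $_"
    return
}
finally {
    Remove-CimSession $Session
}

# Verify: read the node back from the CSP and confirm the device tunnel flag
# is present (the value may come back encoded or decoded, so accept both).
$Deployed = Get-CimInstance -Namespace $NamespaceName -ClassName $ClassName |
    Where-Object InstanceID -eq $ProfileNameEscaped
if ($Deployed -and $Deployed.ProfileXML -match 'DeviceTunnel(&gt;|>)true') {
    Write-Host 'Device tunnel profile is present in the VPNv2 CSP.'
} else {
    Write-Warning 'Profile was not found in the VPNv2 CSP, or DeviceTunnel is not set.'
}
```

To remove the profile again, pipe the same `Get-CimInstance` query into `Remove-CimInstance`, also as SYSTEM. The host routes (/32) are deliberate: a device tunnel is established with nothing more than the machine certificate, so limiting what it can reach is the main control you have over what a stolen or compromised device can touch before a user signs in.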

Now there’s an option to enable Device Tunnel in the VPN profile options

Setting up an Always On VPN device tunnel in Intune previously required use of a custom ProfileXML. But now there’s an option to enable Device Tunnel in the VPN profile options. The new option should make it easier for IT departments to set up Always On VPN device tunnels so that they can manage remote devices as more of us work from home.

For more information on how to configure a VPN profile using Intune, check out this article on Petri.