This post covers creating an Azure VPN Always On profile and deploying it with Intune.
Prerequisites:
You already have a Point-to-Site VPN setup in your tenant.
The Azure VPN Client for Windows 10 is already deployed on the client machine.
Only Windows version 19H2 or higher is supported.
Let’s get started.
Go to your Azure Portal.
Open the Virtual network gateways and select your virtual network gateway.
Click on the Point-to-site configuration.
Now we will download your VPN profile from the Azure portal.
Click on the Download VPN client.
Creating the Azure VPN Config XML file.
Extract the file you downloaded. In the AzureVPN folder you will find the configuration file azurevpnconfig.xml; we will use this file shortly.
Open your favorite text editor and paste the text below into a new file.
<VPNProfile>
  <!--<EdpModeId>corp.contoso.com</EdpModeId>-->
  <RememberCredentials>true</RememberCredentials>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>contoso.com,test.corp.contoso.com</TrustedNetworkDetection>
  <DeviceTunnel>false</DeviceTunnel>
  <RegisterDNS>false</RegisterDNS>
  <PluginProfile>
    <ServerUrlList>azuregateway-7cee0077-d553-4323-87df-069c331f58cb-053dd0f6af02.vpn.azure.com</ServerUrlList>
    <CustomConfiguration>
    </CustomConfiguration>
    <PluginPackageFamilyName>Microsoft.AzureVpn_8wekyb3d8bbwe</PluginPackageFamilyName>
  </PluginProfile>
</VPNProfile>
- Replace the value between <ServerUrlList> and </ServerUrlList> with the gateway address from your downloaded profile (azurevpnconfig.xml). Change the TrustedNetworkDetection FQDNs to match your environment; when the client's DNS suffix matches one of these, the VPN is not started.
- Open the downloaded profile (azurevpnconfig.xml) and copy its entire contents to the clipboard by selecting the text and pressing Ctrl+C.
- Paste the copied text into the file you created above, between the <CustomConfiguration> and </CustomConfiguration> tags. Save the file with an .xml extension.
- Write down the value between the <name> and </name> tags. This is the name of the profile, and you will need it when you create the profile in Intune. Close the file and remember where it is saved. (You can change this name in your configuration to anything you like; it is displayed as the name of the connection.)
Now we have the configuration file ready.
The next step is to create the Intune profile that we will push out to our users.
Creating the configuration profile
Go to the Microsoft Endpoint Manager admin center.
Navigate to Devices – Configuration profiles – Create profile
Select the following
Platform: Windows 10 and later
Profile type: Templates
Template name: Custom
Select a name for your profile and click next.
Now we are going to add the xml file to the configuration.
Click on the “Add” button.
Fill in a name and description.
For the OMA-URI, enter the text below, replacing <name of your connection> with the connection name from the <name> tag of your azurevpnconfig.xml file.
OMA-URI: ./User/Vendor/MSFT/VPNv2/<name of your connection>/ProfileXML
Data type: String (XML file)
Click on the blue folder icon to import your azurevpnconfig.xml file and click Save.
Click Next. All that is left is to assign the profile to the users or devices that should receive it and to select any applicability rules if needed. Review the summary and click Create.
Make sure you also push out the Azure VPN Client to the users/devices that will be using any Azure VPN configuration profile.
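The two manual steps above (pasting azurevpnconfig.xml into the VPNProfile template and deriving the OMA-URI from its <name>) are easy to get subtly wrong, so here is an added example script, not part of the original post, that assembles and checks the ProfileXML. It assumes a constructed azurevpnconfig.xml stand-in (the root element, namespace and gateway FQDN are placeholders) and relies only on the <name> element the post tells you to copy.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed stand-in for the portal download; root element/namespace are assumptions.
SAMPLE_AZURE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<AzVpnProfile xmlns="http://schemas.datacontract.org/2004/07/">
  <name>Contoso P2S VPN</name>
  <!-- the real download also carries the server list, auth settings, etc. -->
</AzVpnProfile>
"""

XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def build_profile(azure_config: str, server_fqdn: str, trusted_networks: list[str]):
    """Return (profile_name, oma_uri, profile_xml) for a user-scoped Always On tunnel."""
    root = ET.fromstring(azure_config)  # rejects a truncated or hand-edited download early
    name = next((el.text for el in root.iter() if local(el.tag) == "name"), None)
    if not name or "/" in name:
        raise ValueError("azurevpnconfig.xml needs a <name> without '/' (VPNv2 CSP node name)")
    name = name.strip()
    # The download starts with an XML declaration; nested inside <CustomConfiguration>
    # it would make the whole ProfileXML malformed, so drop it before embedding.
    embedded = XML_DECL.sub("", azure_config, count=1).strip()
    trusted = ",".join(trusted_networks)
    profile_xml = f"""<VPNProfile>
  <RememberCredentials>true</RememberCredentials>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>{trusted}</TrustedNetworkDetection>
  <DeviceTunnel>false</DeviceTunnel>
  <RegisterDNS>false</RegisterDNS>
  <PluginProfile>
    <ServerUrlList>{server_fqdn}</ServerUrlList>
    <CustomConfiguration>{embedded}</CustomConfiguration>
    <PluginPackageFamilyName>Microsoft.AzureVpn_8wekyb3d8bbwe</PluginPackageFamilyName>
  </PluginProfile>
</VPNProfile>"""
    # The CSP node name must be URL-encoded, so spaces in the name become %20.
    oma_uri = f"./User/Vendor/MSFT/VPNv2/{quote(name)}/ProfileXML"
    return name, oma_uri, profile_xml

def summarize(profile_xml: str) -> dict:
    """Re-parse the finished ProfileXML and pull out the fields worth eyeballing before upload."""
    prof = ET.fromstring(profile_xml)  # ParseError here means the embedding broke the XML
    custom = prof.find("PluginProfile/CustomConfiguration")
    return {"always_on": prof.findtext("AlwaysOn"),
            "device_tunnel": prof.findtext("DeviceTunnel"),
            "server": prof.findtext("PluginProfile/ServerUrlList"),
            "trusted": prof.findtext("TrustedNetworkDetection").split(","),
            "embedded_root": local(custom[0].tag) if len(custom) else None}
```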
What it looks like and how it works for the end user.
The first time the user is assigned the Azure VPN profile, they get a notification asking them to complete the authentication needed for the VPN.
For some reason users might get multiple notifications at one time; I counted 5 notifications instantly after each other. (Not sure if anyone else has this issue?)
Once the user has clicked Continue they are prompted to sign in with their credentials.
After this step they are connected to the VPN and can close the Azure VPN Client completely. (There is no need to minimize it, as it will stay connected from now on.)
The user can see that they are connected to the VPN by pressing their Wi-Fi/Local area connection icon in the taskbar next to the Date/time. The connection will display the name you specified in the azurevpnconfig.xml file.
The next time the user boots, the VPN connects automatically without asking for credentials again. (This may differ depending on the Conditional Access policies you have set up.)
This doesn't work with OpenVPN Azure VPN connections. The configuration is not imported into the Azure VPN Client; Windows only builds a generic connection that supports IPsec or L2TP.
The post is only for Azure VPN service.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
Maybe this will help you
https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-windows#azurevpn