Microsoft Intune

Intune makes it easy to deploy an Always On VPN device tunnel profile

A new feature was announced today for Intune:  You can create an Always On VPN device tunnel profile directly in Intune, without any of the gymnastics that were previously required.  All you need to do is create a VPN profile:

image

For an Always On VPN device tunnel, just choose the appropriate options:

  • Connection type:  IKEv2
  • Always On:  Enable
  • Authentication Method:  Machine Certificates
  • Authentication certificate:  (choose your certificate template that is used to issue a device certificate to the device)
  • Device Tunnel:  Enable

If the default Windows 10 IKE settings don’t match what’s been configured on the RRAS server, you can adjust the settings on the VPN profile to match.  And all of this can be done without using a custom profile XML.

If you haven’t yet tried to set up an RRAS server for Always On VPN, see my previous blog which coincidentally foreshadowed the creation of this Intune capability.  Now you can use the above process instead of Step 6 in that blog.

Combine those two pieces with the Windows Autopilot Hybrid Azure AD Join over VPN support, with SCEP used to issue device certificates, and you’ve got a great solution for provisioning Active Directory-joined devices from anywhere.

Categories: Microsoft Intune

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s