RahulSukumar-3862 asked

Endpoint Security VPN available at logon

This must be simple but I'm having trouble with it.

I have successfully created a configuration profile using Endpoint Security for Windows devices. It's an IKEv2 connection using username and password.

I'd like to be able to connect to the VPN at the Windows logon screen. This option does not exist however.

How can I create a VPN configuration profile that allows users to connect to the VPN before they logon to Windows?

mem-intune-enrollment

NickHogarth-MVP answered

Which VPN product do you use? Is it configured or supported to do pre-logon?


Crystal-MSFT answered

@RahulSukumar-3862, Agree with Nick, we can first contact the VPN vendor to confirm if pre-logon is supported. Afterwards, we can deploy a VPN configuration profile which enables Device tunnel and other settings via Intune according to the following article:
https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-windows-10

Hope it can help.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



RahulSukumar-3862 answered

I am actually using the Windows built in VPN. Must I use a third party VPN for this to work?


@RahulSukumar-3862, From your description, I find the VPN connection is created by script, but it fails with the error "domain not reachable". Please check if there's any DNS resolution issue on this device. If not, we suggest contacting the Windows networking forum to check on the VPN issue:
https://docs.microsoft.com/en-us/answers/topics/windows-server-infrastructure.html

Thanks for the understanding and have a nice day!

RahulSukumar-3862 answered

So I think I found the problem but still no solution. When Intune creates the VPN connection, it does not set the AllUserConnection option, which I think is required for connecting the VPN at the login screen. Is there a way to configure the Windows VPN via Intune so that this option is set?


@RahulSukumar-3862

I hope you are looking for device tunnel. You can achieve this by 2 methods

1. Use the native configuration profile to create a VPN profile and choose the option below, which will enable the VPN even on the logon screen.

Always On: Enable automatically connects to the VPN connection when the following events happen:

Users sign into their devices
The network on the device changes
The screen on the device turns back on after being turned off
To use device tunnel connections, such as IKEv2, Enable this setting.

https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-windows-10

2. You can deploy the VPN profile by creating a PowerShell script and deploying it via Intune

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections

Regards
Aravinth

If the answer is helpful kindly accept as answer




If by "Device Tunnel" you mean client certificate based tunnel, then no. I want the VPN connection available for login at the Windows logon screen, allow username and password auth to my firewall device (Watchguard) then use this VPN to allow users to logon to the domain.

I think I'm getting close. I deployed a simple Powershell script via Intune configuration profile that adds the VPN connection. The script is simple:

Add-VpnConnection -Name "IKEv2 VPN" -ServerAddress "server.domain.comxxx" -TunnelType "IKEv2" -EncryptionLevel "Required" -AuthenticationMethod EAP -AllUserConnection

This creates the VPN and allows me to authenticate to the VPN on the logon screen, but then fails with an error that the domain is not reachable.

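The one-liner in the comment above, expanded into an Intune-deployable script as an added example (this is not code from the thread, from Microsoft or from WatchGuard). It creates the built-in IKEv2 connection in the all-users phonebook so it is offered at the logon screen, makes the script safe to re-run, and replaces the Windows IKEv2 defaults with an explicit cipher proposal. The server name, the connection name and every cipher value are assumptions: the proposal must match what the gateway is configured to offer or the tunnel will not negotiate. It assumes Intune runs the script as SYSTEM (the "Run this script using the logged on credentials" option set to No), which is what writing to the all-users phonebook requires.

```powershell
# Added example, not from the original thread.
# Deploy via Intune > Devices > Scripts; run as SYSTEM, 64-bit PowerShell host.

$ConnectionName = 'IKEv2 VPN'
$ServerAddress  = 'vpn.example.com'   # placeholder; replace with the gateway FQDN

# Idempotent: Intune re-runs scripts on failure or re-enrolment, so remove any
# existing all-users entry of the same name instead of creating a duplicate.
$existing = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
if ($existing) {
    Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force
}

# -AllUserConnection writes the entry to the machine-wide phonebook
# (%ProgramData%\Microsoft\Network\Connections\Pbk\rasphone.pbk), which is the
# one the logon screen reads. A per-user connection, which is what the Intune
# VPN profile created in the thread, is invisible before anyone signs in.
# -RememberCredential:$false keeps the user's domain password out of the
# machine-wide credential store; the user types it at the logon screen anyway.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType IKEv2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -AllUserConnection `
    -RememberCredential:$false `
    -Force

# Pin the IKE (Phase 1) and IPsec (Phase 2) proposal. Without this the client
# is willing to negotiate legacy suites. These values are assumptions and must
# match the gateway's policy (WatchGuard in the thread); adjust both ends together.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AllUserConnection `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -Force

# Verification: the connection should now appear in the all-users phonebook.
# Intune captures this output in the script's run status.
Get-VpnConnection -Name $ConnectionName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

After deployment, confirm on a test device that `Get-VpnConnection -AllUserConnection` lists the entry and that the connection appears via the network icon on the logon screen before any user signs in; if the gateway rejects the negotiation, compare the proposal above against the gateway's Phase 1/Phase 2 settings rather than loosening the client side.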

After a few reboots this is working as expected. The VPN is available for connection at the logon screen. I can login with username and password. Then I can logon to the domain without issue.
