Step 7.5. Create OMA-DM based VPNv2 profiles to Windows 10 devices
Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows 10
- Previous: Step 7.4. Deploy conditional access root certificates to on-premises AD
- Next: Learn how conditional access for VPN works
In this step, you can create OMA-DM based VPNv2 profiles using Intune to deploy a VPN Device Configuration policy. If you want to use Microsoft Endpoint Configuration Manager or PowerShell script to create VPNv2 profiles, see VPNv2 CSP settings for more details.
Managed Deployment using Intune
Everything discussed in this section is the minimum needed to make VPN work with Conditional Access. It does not cover Split Tunneling, Using WIP, creating custom Intune device configuration profiles to get AutoVPN working, or SSO. Integrate the settings below into the VPN profile you created earlier under Step 5. Configure Windows 10 Client Always On VPN Connections. In this example, we are integrating them into the Configure the VPN client by using Intune policy.
Windows 10 client computer has already been configured with a VPN connection using Intune.
In the Azure portal, select Intune > Device Configuration > Profiles and select the VPN profile you created earlier in Configure the VPN client by using Intune.
In the policy editor, select Properties > Settings > Base VPN. Extend the existing EAP Xml to include a filter that gives the VPN client the logic it needs to retrieve the AAD Conditional Access certificate from the user's certificate store instead of leaving it to chance allowing it to use the first certificate discovered.
Without this, the VPN client could retrieve the user certificate issued from the on-premises certificate authority, resulting in a failed VPN connection.
Locate the section that ends with </AcceptServerName></EapType> and insert the following string between these two values to provide the VPN client with the logic to select the AAD Conditional Access Certificate:
<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"><FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"><EKUMapping><EKUMap><EKUName>AAD Conditional Access</EKUName><EKUOID>18.104.22.168.4.1.311.87</EKUOID></EKUMap></EKUMapping><ClientAuthEKUList Enabled="true"><EKUMapInList><EKUName>AAD Conditional Access</EKUName></EKUMapInList></ClientAuthEKUList></FilteringInfo></TLSExtensions>
Select the Conditional Access blade and toggle Conditional access for this VPN connection to Enabled.
Enabling this setting changes the <DeviceCompliance><Enabled>true</Enabled> setting in the VPNv2 Profile XML.
Select Assignments, under Include, select Select groups to include.
Select the VPN Users group that receives this policy and select Save.
Force MDM Policy Sync on the Client
If the VPN profile does not show up on the client device, under Settings\Network & Internet\VPN, you can force MDM policy to sync.
Sign in to a domain-joined client computer as a member of the VPN Users group.
On the Start menu, enter account, and press Enter.
In the left navigation pane, select Access work or school.
Under Access work or school, select Connected to <\domain> MDM, then select Info.
Select Sync and verify the VPN profile appears under Settings\Network & Internet\VPN.
You are done configuring the VPN profile to use Azure AD conditional access.
|If you want to...||Then see...|
|Learn more about how conditional access works with VPNs||VPN and conditional access: This page provides more information about how conditional access works with VPNs.|
|Learn more about the advanced VPN features||Advanced VPN Features: This page provides guidance on how to enable VPN Traffic Filters, how to configure Automatic VPN connections using App-Triggers, and how to configure NPS to only allow VPN Connections from clients using certificates issued by Azure AD.|
VPNv2 CSP: This topic provides you with an overview of VPNv2 CSP. The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.
Configure Windows 10 Client Always On VPN Connections: This topic provides information about the ProfileXML options and schema, and how to create the ProfileXML VPN. After setting up the server infrastructure, you must configure the Windows 10 client computers to communicate with that infrastructure with a VPN connection.
Configure the VPN client by using Intune: This topic provides information on how to deploy Windows 10 Remote Access Always On VPN profiles. Intune now uses Azure AD groups. If Azure AD Connect synced the VPN Users group from on-premises to Azure AD, then there is no need for configuring the VPN client using Intune.