Tutorial - Deploy Always On VPN profile for Windows clients (2024)


Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10, Windows 11

In this last part of the tutorial, you'll learn how to use a ProfileXML PowerShell configuration script to configure Always On VPN settings and create a user tunnel for client connections.

For more detailed information on Always On VPN configuration options for the configuration service provider (CSP), see VPNv2 configuration service provider.

Prerequisites

Complete Tutorial: Deploy Always On VPN - Configure Certificate Authority templates.

Create an Always On VPN client profile

In this section, we'll create a VPN client connection in order to verify that the VPN test client can establish a successful VPN connection. This will also allow us to create the EAP settings for export in the next section.

For more information about EAP settings, see EAP configuration.

  1. Sign in to the domain-joined VPN client computer as the VPN user you created in Create Active Directory test user.

  2. On the Start menu, type VPN to select VPN Settings. Press ENTER.

  3. In the details pane, select Add a VPN connection.

  4. For VPN Provider, select Windows (built-in).

  5. For Connection Name, enter Contoso VPN.

  6. For Server name or address, enter the external FQDN of your VPN server (for example, vpn.contoso.com).

  7. For VPN type, select IKEv2.

  8. For Type of sign-in info, select Certificate.

  9. Select Save.

  10. Under Related Settings, select Change adapter options.

  11. Right-click Contoso VPN, and select Properties.

  12. On the Security tab, for Data encryption, select Maximum strength encryption.

  13. Select Use Extensible Authentication Protocol (EAP). Then, for Use Extensible Authentication Protocol (EAP), select Microsoft: Protected EAP (PEAP) (encryption enabled).

  14. Select Properties to open Protected EAP Properties, and complete the following steps:

    1. For Connect to these servers, enter the name of the NPS server.

    2. For Trusted Root Certification Authorities, select the CA that issued the NPS server's certificate (for example, contoso-CA).

    3. For Notifications before connecting, select Don't ask user to authorize new servers or trusted CAs.

    4. For Select Authentication Method, select Smart Card or other certificate.

    5. Select Configure.

      1. Select Use a certificate on this computer.

      2. For Connect to these servers, enter the name of the NPS server.

      3. For Trusted Root Certification Authorities, select the CA that issued the NPS server's certificate.

      4. Select Don't prompt user to authorize new servers or trusted certification authorities.

      5. Select OK to close Smart Card or other Certificate Properties.

      6. Select OK to close Protected EAP Properties.

    6. Select OK to close Contoso VPN Properties.

  15. Close the Network Connections window.

  16. In Settings, select Contoso VPN, and then select Connect.

Important

Make sure that the template VPN connection to your VPN server is successful. Doing so ensures that the EAP settings are correct before you use them in the next step. You must connect at least once before continuing; otherwise, the profile will not contain all the information necessary to connect to the VPN.

Configure your Windows VPN client

In this section, you'll manually configure the Windows VPN client using a PowerShell script.

  1. Sign in as your VPN User to the VPN client computer.

  2. Open Windows PowerShell integrated scripting environment (ISE) as Administrator.

  3. Copy and paste the following script:

    # Define key VPN profile parameters
    # Replace with your own values
    $Domain = 'corp' # Name of the domain.
    $TemplateName = 'Contoso VPN' # Name of the test VPN connection you created in the tutorial.
    $ProfileName = 'Contoso AlwaysOn VPN' # Name of the profile we are going to create.
    $Servers = 'aov-vpn.contoso.com' # Public or routable IP address or DNS name for the VPN gateway.
    $DnsSuffix = 'corp.contoso.com' # Specifies one or more comma-separated DNS suffixes.
    $DomainName = '.corp.contoso.com' # Used to indicate the namespace to which the policy applies. Contains `.` prefix.
    $DNSServers = '10.10.0.6' # List of comma-separated DNS Server IP addresses to use for the namespace.
    $TrustedNetwork = 'corp.contoso.com' # Comma-separated string to identify the trusted network.

    # Get the EAP settings for the current profile called $TemplateName
    $Connection = Get-VpnConnection -Name $TemplateName -ErrorAction SilentlyContinue
    if(!$Connection){
        $Message = "Unable to get $TemplateName connection profile."
        Write-Host "$Message"
        exit
    }
    $EAPSettings = $Connection.EapConfigXmlStream.InnerXml

    # The CSP uses the profile name as the InstanceID, so spaces must be URL-encoded.
    $ProfileNameEscaped = $ProfileName -replace ' ', '%20'

    # Define ProfileXML
    $ProfileXML = @("
    <VPNProfile>
      <DnsSuffix>$DnsSuffix</DnsSuffix>
      <NativeProfile>
        <Servers>$Servers</Servers>
        <NativeProtocolType>IKEv2</NativeProtocolType>
        <Authentication>
          <UserMethod>Eap</UserMethod>
          <Eap>
            <Configuration>
              $EAPSettings
            </Configuration>
          </Eap>
        </Authentication>
        <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
      </NativeProfile>
      <AlwaysOn>true</AlwaysOn>
      <RememberCredentials>true</RememberCredentials>
      <TrustedNetworkDetection>$TrustedNetwork</TrustedNetworkDetection>
      <DomainNameInformation>
        <DomainName>$DomainName</DomainName>
        <DnsServers>$DNSServers</DnsServers>
      </DomainNameInformation>
    </VPNProfile>
    ")

    # Output the XML for possible use in Intune
    $ProfileXML | Out-File -FilePath ($env:USERPROFILE + '\desktop\VPN_Profile.xml')

    # Escape special characters in the profile (<,>,") because ProfileXML is passed
    # to the CSP as an XML-encoded string inside the MDM_VPNv2_01 instance.
    $ProfileXML = $ProfileXML -replace '<', '&lt;'
    $ProfileXML = $ProfileXML -replace '>', '&gt;'
    $ProfileXML = $ProfileXML -replace '"', '&quot;'

    # Define WMI-to-CSP Bridge properties
    $nodeCSPURI = "./Vendor/MSFT/VPNv2"
    $namespaceName = "root\cimv2\mdm\dmmap"
    $className = "MDM_VPNv2_01"

    try
    {
        # Determine user SID for VPN profile.
        $WmiLoggedOnUsers = (Get-WmiObject Win32_LoggedOnUser).Antecedent
        If($WmiLoggedOnUsers.Count -gt 1)
        {
            $WmiLoggedOnUsers = $WmiLoggedOnUsers -match "Domain=""$Domain"""
        }
        $WmiUserValid = ($WmiLoggedOnUsers | Select-Object -Unique -First 1) -match 'Domain="([^"]+)",Name="([^"]+)"'
        If(-not $WmiUserValid){
            Throw "Returned object is not a valid WMI string"
        }
        $UserName = "$($Matches[1])\$($Matches[2])"
        $ObjUser = New-Object System.Security.Principal.NTAccount($UserName)
        $Sid = $ObjUser.Translate([System.Security.Principal.SecurityIdentifier])
        $SidValue = $Sid.Value
        $Message = "User SID is $SidValue."
        Write-Host "$Message"
    }
    catch [Exception]
    {
        $Message = "Unable to get user SID. $_"
        Write-Host "$Message"
        exit
    }

    try
    {
        # Define WMI session. The custom options bind the CSP operation to the
        # signed-in user's SID so the profile is created as a user tunnel.
        $session = New-CimSession
        $options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
        $options.SetCustomOption("PolicyPlatformContext_PrincipalContext_Type", "PolicyPlatform_UserContext", $false)
        $options.SetCustomOption("PolicyPlatformContext_PrincipalContext_Id", "$SidValue", $false)
    }
    catch
    {
        $Message = "Unable to create new session for $ProfileName profile: $_"
        Write-Host $Message
        exit
    }

    try
    {
        # Detect and delete previous VPN profile.
        $deleteInstances = $session.EnumerateInstances($namespaceName, $className, $options)
        foreach ($deleteInstance in $deleteInstances)
        {
            $InstanceId = $deleteInstance.InstanceID
            if ("$InstanceId" -eq "$ProfileNameEscaped")
            {
                $session.DeleteInstance($namespaceName, $deleteInstance, $options)
                $Message = "Removed $ProfileName profile $InstanceId"
                Write-Host "$Message"
            }
            else
            {
                $Message = "Ignoring existing VPN profile $InstanceId"
                Write-Host "$Message"
            }
        }
    }
    catch [Exception]
    {
        $Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_"
        Write-Host $Message
        exit
    }

    try
    {
        # Create the VPN profile.
        $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
        $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", "String", "Key")
        $newInstance.CimInstanceProperties.Add($property)
        $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", "String", "Key")
        $newInstance.CimInstanceProperties.Add($property)
        $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", "String", "Property")
        $newInstance.CimInstanceProperties.Add($property)
        $session.CreateInstance($namespaceName, $newInstance, $options)
        $Message = "Created $ProfileName profile."
        Write-Host "$Message"
    }
    catch [Exception]
    {
        $Message = "Unable to create $ProfileName profile: $_"
        Write-Host "$Message"
        exit
    }

    $Message = "Script Complete"
    Write-Host "$Message"
  4. Set the value for the following variables at the top of the script: $Domain, $TemplateName, $ProfileName, $Servers, $DnsSuffix, $DomainName, and $DNSServers. For more detailed information about how to set these variables, see: VPNv2 CSP.

  5. Press ENTER to run the script.

  6. Verify that the script was successful by running the following command in the Windows PowerShell ISE:

     Get-CimInstance -Namespace root\cimv2\mdm\dmmap -ClassName MDM_VPNv2_01
  7. You should see the following output (the ProfileXML value has been truncated for readability):

    AlwaysOn                : True
    ByPassForLocal          :
    DeviceTunnel            :
    DnsSuffix               : corp.contoso.com
    EdpModeId               :
    InstanceID              : Contoso%20AlwaysOn%20VPN
    LockDown                :
    ParentID                : ./Vendor/MSFT/VPNv2
    ProfileXML              : <VPNProfile>...</VPNProfile>
    RegisterDNS             :
    RememberCredentials     : True
    TrustedNetworkDetection : corp.contoso.com
    PSComputerName          :
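Before the exported VPN_Profile.xml is reused for Intune or Configuration Manager, it is worth confirming that the EAP settings copied from the template actually pin the NPS server name and the issuing root CA and suppress the interactive trust prompt, since those three settings are what stop a client from authenticating to an untrusted server. The following PowerShell is an added check and is not part of the Microsoft tutorial; it assumes the desktop path the script writes to, the standard PEAP/EAP-TLS element names (ServerValidation, ServerNames, TrustedRootCA, DisableUserPromptForServerValidation) inside the copied EAP settings, and a placeholder NPS name.

```powershell
# Added check, not part of the Microsoft tutorial. Reads the VPN_Profile.xml the
# script above writes to the desktop and reports anything that would weaken the
# profile before it is reused for Intune or Configuration Manager deployment.
# Assumed: the file path used by the script's Out-File line, and the standard
# PEAP / EAP-TLS element names ServerValidation, ServerNames, TrustedRootCA and
# DisableUserPromptForServerValidation inside the copied EAP settings.
function Test-AlwaysOnVpnProfileXml {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'desktop\VPN_Profile.xml'),
        [string]$ExpectedNpsName = 'nps01.corp.contoso.com'   # placeholder, not from the tutorial
    )
    $findings = New-Object System.Collections.Generic.List[string]
    [xml]$xml = Get-Content -Path $Path -Raw
    $p = $xml.VPNProfile
    if (-not $p) { $findings.Add('File does not contain a <VPNProfile> root'); return $findings }

    # Namespace-agnostic lookup: the EAP blob carries several default namespaces.
    function Find-ByName($node, $name) { $node.SelectNodes(".//*[local-name()='$name']") }

    if ($p.AlwaysOn -ne 'true') { $findings.Add('AlwaysOn is not true') }
    if ([string]::IsNullOrWhiteSpace($p.TrustedNetworkDetection)) { $findings.Add('TrustedNetworkDetection is empty') }
    if ($p.NativeProfile.NativeProtocolType -ne 'IKEv2') { $findings.Add('NativeProtocolType is not IKEv2') }
    if ($p.NativeProfile.Authentication.UserMethod -ne 'Eap') { $findings.Add('UserMethod is not Eap') }

    $blocks = Find-ByName $xml 'ServerValidation'
    if ($blocks.Count -eq 0) { $findings.Add('No ServerValidation block in the EAP settings') }
    foreach ($b in $blocks) {
        # The PEAP outer layer and the EAP-TLS inner layer each carry their own block;
        # every one must pin the NPS name and root CA and must not let the user accept
        # an unknown server interactively, otherwise an untrusted server could be accepted.
        $names  = (Find-ByName $b 'ServerNames' | Select-Object -First 1).InnerText
        $prompt = (Find-ByName $b 'DisableUserPromptForServerValidation' | Select-Object -First 1).InnerText
        $roots  = Find-ByName $b 'TrustedRootCA'
        if ([string]::IsNullOrWhiteSpace($names)) { $findings.Add('ServerNames is empty') }
        elseif ($names -notmatch [regex]::Escape($ExpectedNpsName)) { $findings.Add("ServerNames '$names' does not include $ExpectedNpsName") }
        if ($roots.Count -eq 0) { $findings.Add('TrustedRootCA is not set') }
        if ($prompt -ne 'true') { $findings.Add('DisableUserPromptForServerValidation is not true') }
    }
    return $findings
}

$result = Test-AlwaysOnVpnProfileXml
if ($result.Count -eq 0) { Write-Host 'ProfileXML checks passed' } else { $result | ForEach-Object { Write-Host "FINDING: $_" } }
```

An empty result means every check passed; each finding names the element to fix in the template connection before re-running the deployment script.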

You have now configured your user tunnel for Always On VPN. If you want to learn how to configure a device tunnel, see Configure VPN device tunnels in Windows client.

Next steps

  • To learn how to configure Always On VPN profiles with Microsoft Configuration Manager, see Deploy Always On VPN profile to Windows clients with Microsoft Configuration Manager.

  • To learn how to configure Always On VPN profiles with Microsoft Intune, see Deploy Always On VPN profile to Windows clients with Microsoft Intune.

  • Learn how to Configure conditional access for VPN connectivity using Azure AD.

  • To learn more about the advanced VPN features, see Advanced VPN Features.

  • For more detailed information on Always On VPN configuration options for the configuration service provider (CSP), see VPNv2 configuration service provider.

  • To troubleshoot issues with Always On VPN, see Troubleshoot Always On VPN.


Article information

Author: Tuan Roob DDS