How to Configure a Windows 10 VPN Profile Using Microsoft Intune

Deploying virtual private network (VPN) profiles to Windows has never been easy. And using Intune wasn’t always a walk in the park either. And while VPN profiles could be easier to implement, what we have in Intune today is relatively simple compared to using Group Policy and the Connection Manager Administration Kit (CMAK).

In this article, I’m going to deploy a PPTP VPN to Windows 10, but you can use the instructions to deploy other types of VPN. Intune supports several different protocols with the built-in Windows 10 VPN client, including IKEv2, L2TP and SSL. L2TP, SSL, and PPTP require the use of the Extensible Authentication Protocol (EAP). IKEv2 VPNs require use of EAP or machine certificates. It’s also worth noting that there’s no support for VPN configurations that use pre-shared keys (PSK) and any client certificates must be deployed independently of the VPN configuration.

Intune also caters for a range of third-party VPN solutions, including Pulse Secure, F5 Access, SonicWall Mobile Connect, Check Point Capsule VPN, Citrix, and Palo Alto Networks GlobalProtect. If using a third-party VPN solution, you need to make sure that the VPN app is installed on devices. Apps can be installed with Intune, but it is out-of-scope for this article.

Set Up a VPN Connection in Windows and Export EAP XML Configuration

Intune requires an EAP XML configuration, so you’ll need to set up a VPN connection manually in Windows 10 before you can export its EAP XML configuration. The Windows 10 Settings app lets you manually set up a VPN, but it doesn’t provide access to advance configuration features. Nevertheless, you can start by setting up your VPN manually in the Settings app and then complete the configuration using the legacy Control Panel; or complete the whole process in the Control Panel.

• To access VPN settings in the Windows 10 Settings app, open Settings from the Start menu, click Network & Internet, and then VPN in the list of options on the left.
• From here you can set up your VPN by clicking Add a VPN connection.
• Once you’re done, click Network and Sharing Center under Related settings to configure the advanced options.
• In the Network and Sharing Center, click Change adapter settings on the left.
• The Network Connections window will open where you should see your VPN. Right click it and select Properties from the menu.
• Switch to the Security tab, configure the required EAP settings for the VPN, and then click OK when you are done.

Once the VPN is set up, you can use PowerShell to export the EAP configuration.

• Open a PowerShell window on the device where the VPN is configured.
• Run the code below, replacing Petri VPN with the name of your VPN connection.

$a = Get-VpnConnection -Name “Petri VPN”
$a.EapConfigXmlStream.InnerXml

• Copy the resulting XML to the clipboard.

Configure a VPN Profile in Microsoft Intune

You now have everything you need to configure the VPN profile in Intune.

• Log in to Microsoft Endpoint Manager admin center here.
• Click Devices under Favorites.
• Under Policy, click Configuration profiles.
• Click + Create profile at the top of the admin center window.
• In the Create profile panel, give the new profile a name and then select Windows 10 and later as the platform from the dropdown menu.
• In the Profile type dropdown, select VPN.
• In the VPN panel, click Base VPN.

• Give the new connection name.
• Add a VPN server by entering a description and then either its IP address or domain name. Click Add when you are done.
• In the Connection type dropdown, select PPTP.
• Paste the XML that was generated by the PowerShell code in the previous steps into the EAP Xml box.
• Click OK to complete the process.
• The rest of the settings on the VPN panel are optional. You can click OK to close the panel.
• To finish the configuration, click Create on the Create profile

Now that you have a VPN profile setup in Intune, you need to assign it to users and/or devices.

• After clicking Create, you are taken to the configuration screen for your VPN profile.
• On the left side of the configuration screen, click Assignments.
• On the Include tab, select a group from the Assign to In this example, I will use All Users & All Devices.
• Click Save to finish assigning the VPN profile.

Now all you need to do is log in to a device managed by Intune and that is in scope of the assignment, and you should see the new VPN profile provisioned. You can check the profile was deployed by clicking on the network icon in the system tray at the far right of the taskbar. The VPN profile should appear in the list of networks.

In an upcoming article, I will show you how to deploy certificates to Windows 10 using Intune.