Intune - Always On VPN Custom Policy Profile deployment

Simon Belmont 20 Reputation points
2024-05-31T14:00:26.6433333+00:00

We can't use the built-in Intune-based profile deployment, since we are using forced tunneling and have to use exclusion routes.

Therefore we must use the custom ProfileXML-based method. Does anyone have experience with this method, and what is the best course of action when you have to make changes to the profile?

I've tried the following without it yielding the desired results:

Method 1:

  1. Update the XML file with changes and save it with a new name
  2. Update the custom policy in Intune by keeping the same name and OMA-URI, but only uploading the new XML file

This results in the profile on the client not picking up the changes at all.

It's also not feasible when you need to deploy changes to 1000 users and you don't know which of them picked up the changes and which did not.

Method 2:

  1. Update the XML file with changes and save it with a new name
  2. In the old/current custom policy, exclude the user/group from the assignment
  3. Create a new custom policy and deploy the new XML file to it

This deploys the new profile, but leaves the old VPN profile on the client.

Method 3:

  1. Update the XML file with changes and save it with a new name
  2. Delete the current custom policy
  3. Create a new custom policy and deploy the new XML file to it

This deploys the new profile, but also leaves the old VPN profile on the client.

From what I've gathered, for the built-in policy there are no issues, as you can make changes directly in it and the client will apply them to the VPN profile. Also, deleting or unassigning the policy will delete the old VPN profile on the client.

https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#a-profile-is-deleted-or-no-longer-applicable


1 answer

  1. Crystal-MSFT 49,191 Reputation points Microsoft Vendor
    2024-06-03T01:36:24.7233333+00:00

    @Simon Belmont, thanks for posting in Q&A. Based on my checking, the custom OMA-URI ./Device/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML has the action Replace. In theory, we can update the custom profile to replace it with a new value.

    https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenameprofilexml

    Here is one I tested before:

    https://learn.microsoft.com/en-us/answers/questions/64671/updating-vpn-profile-through-intune

    I notice you have uploaded a new XML but it is not working. Please also change the profile name, sync on the device side and see if it will be updated on the device side.

    If there's any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

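The two gaps left open above, after the answer's suggestion to roll to a new profile name, are knowing which of the 1000 clients actually hold the renamed profile and cleaning up the superseded profile that Methods 2 and 3 leave behind. The script below is an added example, not code from the original question, the answer or Microsoft; it is written as an Intune Remediations pair (detection exits 0 when compliant, non-zero when remediation is needed) built on the Get-VpnConnection and Remove-VpnConnection cmdlets. The profile names, the server name and the function names are placeholders and assumptions; the profile names must match the {ProfileName} segment used in the ./Device/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML OMA-URI.

```powershell
# Added example (not from the original post or answer). Placeholders: profile
# names, server name, and the two function names.
$ExpectedProfile = 'Contoso AOVPN v2'   # placeholder: renamed, current profile
$RetiredProfile  = 'Contoso AOVPN v1'   # placeholder: superseded profile
$ExpectedServer  = 'vpn.example.com'    # placeholder: server set in the new ProfileXML

# Device tunnels sit in the all-user store, user tunnels in the running user's store.
# Querying both lets the same check work whichever context Intune runs the script in.
function Get-AovpnProfiles {
    @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue) +
    @(Get-VpnConnection -ErrorAction SilentlyContinue)
}

# Returns one string per problem found; an empty array means the client is compliant.
function Get-AovpnRolloverIssues {
    $profiles = Get-AovpnProfiles
    $new = $profiles | Where-Object { $_.Name -eq $ExpectedProfile }
    $old = $profiles | Where-Object { $_.Name -eq $RetiredProfile }

    $issues = @()
    if (-not $new) {
        $issues += "expected profile '$ExpectedProfile' is missing"
    } else {
        if ($new.ServerAddress -ne $ExpectedServer) {
            $issues += "profile points at '$($new.ServerAddress)', not '$ExpectedServer'"
        }
        # Forced tunneling shows up as SplitTunneling = False on the connection object.
        if ($new.SplitTunneling) {
            $issues += "split tunneling is enabled; forced tunnel expected"
        }
    }
    if ($old) {
        $issues += "retired profile '$RetiredProfile' is still present"
    }
    return $issues
}

# Removes the superseded profile from both stores, disconnecting it first so the
# removal does not fail on an active tunnel. It never touches the new profile;
# that one is (re)applied by the Intune custom policy, not by this script.
function Remove-RetiredAovpnProfile {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($allUser in $true, $false) {
        $conn = Get-VpnConnection -Name $Name -AllUserConnection:$allUser -ErrorAction SilentlyContinue
        if ($conn) {
            if ($conn.ConnectionStatus -eq 'Connected') {
                rasdial.exe "$Name" /disconnect | Out-Null
            }
            Remove-VpnConnection -Name $Name -AllUserConnection:$allUser -Force
            Write-Output "Removed retired profile '$Name' (AllUserConnection=$allUser)"
        }
    }
}

# Detection script body: the issue list becomes the output Intune shows per device,
# so the console answers "who picked up the change" without guessing.
$issues = Get-AovpnRolloverIssues
if ($issues.Count -eq 0) {
    Write-Output "Compliant: '$ExpectedProfile' present, '$RetiredProfile' absent"
    exit 0
}
Write-Output ("Non-compliant: " + ($issues -join '; '))
exit 1

# Remediation script (a separate file in Intune) carries the same functions and,
# instead of the detection body above, ends with:
#   Remove-RetiredAovpnProfile -Name $RetiredProfile
#   exit 0
```

Run the detection script once by hand on a client that has synced the new policy before assigning it broadly; if it reports the new profile missing there, the policy itself is not applying and no amount of client cleanup will help. Keeping the retired-profile removal in a separate remediation step, rather than folding it into detection, means the detection output stays a pure inventory of what each device holds.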
