Deploy Always On VPN profile to Windows 10+ clients with Microsoft Configuration Manager

In this how-to article, we'll show you how to use Configuration Manager to deploy Always On VPN profiles using a ProfileXML PowerShell configuration script.

Prerequisites

Create a user collection

To use Configuration Manager to deploy an Always On VPN profile to Windows 10 or newer client computers, you'll need to create a group of machines or users to whom you'll deploy the profile.

  1. In the Configuration Manager console, go to the Assets and Compliance workspace.

  2. On the Home ribbon, in the Create group, select Create User Collection.

  3. On the General page, complete the following steps:

    1. In Name, type VPN Users.

    2. Select Browse, select All Users and select OK.

    3. Select Next.

  4. On the Membership Rules page, complete the following steps:

    1. In Membership rules, select Add Rule, and select Direct Rule.

    2. On the Welcome page, select Next.

    3. On the Search for Resources page, in Value, type the name of the user you want to add or, if you are adding users to this collection dynamically for a larger-scale deployment, use a query rule to add users. The resource name includes the user's domain. To include results based on a partial match, insert the % character at either end of your search criterion. For example, to find all users containing the string "lori," type %lori%. Select Next.

    4. On the Select Resources page, select the users you want to add to the group, and select Next.

    5. On the Summary page, select Next.

    6. On the Completion page, select Close.

  5. Back on the Membership Rules page of the Create User Collection Wizard, select Next.

  6. On the Summary page, select Next.

  7. On the Completion page, select Close.

After you create the user group to receive the VPN profile, you can create a package and program to deploy your Windows PowerShell ProfileXML configuration script.

Create a package containing a ProfileXML configuration script

  1. Host the ProfileXML configuration script on a network share that the site server computer account can access.

  2. In the Configuration Manager console, go to the Software Library workspace, expand Application Management, and select the Packages node.

  3. In the Home tab of the ribbon, in the Create group, select Create Package.

  4. On the Package page, complete the following steps:

    1. In Name, type a name, such as Windows client Always On VPN Profile.

    2. Select the This package contains source files check box, and select Browse.

    3. In the Set Source Folder dialog box, select Browse, select the file share containing the ProfileXML script, and select OK. Make sure you select a network path, not a local path. In other words, the path should be something like \\fileserver\vpnscript, not c:\vpnscript.

  5. Select Next.

  6. On the Program Type page, select Next.

  7. On the Standard Program page, complete the following steps:

    1. In Name, type VPN Profile Script.

    2. In Command line, type PowerShell.exe -ExecutionPolicy Bypass -File "{your-script-name.ps1}".

    3. In Run mode, select Run with administrative rights.

    4. Select Next.

  8. On the Requirements page, complete the following steps:

    1. Select This program can run only on specified platforms.

    2. Select the All Windows 10 (32-bit) and All Windows 10 (64-bit) check boxes.

    3. In Estimated disk space, type 1.

    4. In Maximum allowed run time (minutes), type 15.

    5. Select Next.

  9. On the Summary page, select Next.

  10. On the Completion page, select Close.

With the package and program created, you are now ready to deploy it to the VPN Users group.
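
The program runs the script with administrative rights and -ExecutionPolicy Bypass, so whoever can modify the file on the source share controls code that runs elevated on every targeted client. The following added example (not part of the original article) reports the script's hash, signature state, and who can change it before you distribute the package; the path and script name are placeholders.

```powershell
# Added example (not from the original article): pre-distribution check of the
# ProfileXML script. $ScriptPath is a placeholder for your own share and file.
param(
    [string]$ScriptPath = '\\fileserver\vpnscript\your-script-name.ps1'
)

if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
    throw "Script not found: $ScriptPath"
}

# SHA-256 of the source copy, to compare against the copy clients receive.
$hash = Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256

# -ExecutionPolicy Bypass means the client will not enforce signing,
# so report the Authenticode state here, before the script is packaged.
$sig = Get-AuthenticodeSignature -LiteralPath $ScriptPath

# NTFS rights that allow changing or replacing the file.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Identities with an Allow entry that grants any of those rights.
$writers = (Get-Acl -LiteralPath $ScriptPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

[pscustomobject]@{
    Path            = $ScriptPath
    SHA256          = $hash.Hash
    SignatureStatus = $sig.Status
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    CanModify       = $writers -join '; '
}
```

This reads the NTFS ACL only; share-level permissions are configured separately on the file server and should be reviewed there.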

Deploy the ProfileXML configuration package

  1. In the Configuration Manager console, open Software Library\Application Management\Packages.

  2. In Packages, select Windows client Always On VPN Profile.

  3. On the Programs tab, at the bottom of the details pane, right-click VPN Profile Script, select Properties, and complete the following steps:

    a. On the Advanced tab, in When this program is assigned to a computer, select Once for every user who logs on.

    b. Select OK.

  4. Right-click VPN Profile Script and select Deploy to start the Deploy Software Wizard.

  5. On the General page, complete the following steps:

    a. Beside Collection, select Browse.

    b. In the Collection Types list (top left), select User Collections.

    c. Select VPN Users, and select OK.

    d. Select Next.

  6. On the Content page, complete the following steps:

    a. Select Add, and select Distribution Point.

    b. In Available distribution points, select the distribution points to which you want to distribute the ProfileXML configuration script, and select OK.

    c. Select Next.

  7. On the Deployment settings page, select Next.

  8. On the Scheduling page, complete the following steps:

    a. Select New to open the Assignment Schedule dialog box.

    b. Select Assign immediately after this event, and select OK.

    c. Select Next.

  9. On the User Experience page, complete the following steps:

    a. Select the Software Installation check box.

    b. Select Summary.

  10. On the Summary page, select Next.

  11. On the Completion page, select Close.

With the ProfileXML configuration script deployed, sign in to a Windows client computer with the user account you selected when you built the user collection. Verify the configuration of the VPN client.

Verify the configuration of the VPN client

  1. In Control Panel, under System > Security, select Configuration Manager.

  2. In the Configuration Manager Properties dialog, on the Actions tab, complete the following steps:

    a. Select Machine Policy Retrieval & Evaluation Cycle, select Run Now, and select OK.

    b. Select User Policy Retrieval & Evaluation Cycle, select Run Now, and select OK.

    c. Select OK.

  3. Close the Control Panel.

You should see the new VPN profile shortly.
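
To confirm the result from a script rather than waiting for the profile to appear, the following added example (not part of the original article) can be run in the signed-in user's PowerShell session. The profile name is a placeholder for whatever name your ProfileXML script creates, and the flagged settings are illustrative checks for a weakened profile.

```powershell
# Added example (not from the original article): check the deployed VPN profile
# from the signed-in user's session. $ProfileName is a placeholder for the
# profile name your ProfileXML script creates.
param(
    [string]$ProfileName = 'Your Always On VPN profile name'
)

# User-scoped profiles appear without -AllUserConnection; fall back to the
# machine-wide phone book in case the profile was created for all users.
$conn = Get-VpnConnection -Name $ProfileName -ErrorAction SilentlyContinue
if (-not $conn) {
    $conn = Get-VpnConnection -Name $ProfileName -AllUserConnection -ErrorAction SilentlyContinue
}
if (-not $conn) {
    Write-Warning "VPN profile '$ProfileName' not found. Re-run the policy cycles and check again."
    return
}

# Flag settings that suggest the wrong or a weakened profile was applied.
$findings = @()
if ($conn.TunnelType -eq 'Pptp') {
    $findings += 'Tunnel type is PPTP'
}
$weakAuth = @($conn.AuthenticationMethod) | Where-Object { $_ -in 'Pap', 'Chap' }
if ($weakAuth) {
    $findings += "Weak authentication method: $($weakAuth -join ', ')"
}

[pscustomobject]@{
    Name                 = $conn.Name
    ServerAddress        = $conn.ServerAddress
    TunnelType           = $conn.TunnelType
    AuthenticationMethod = @($conn.AuthenticationMethod) -join ', '
    SplitTunneling       = $conn.SplitTunneling
    ConnectionStatus     = $conn.ConnectionStatus
    Findings             = if ($findings) { $findings -join '; ' } else { 'None' }
}
```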
