Tip of the Day: The VPN CSP - What else is new for the Anniversary Edition 2

Today’s Tip…

What?  Did you think name-based triggers and crypto-suite configuration were all?

Additional VPNv2 CSP capabilities released just in time for the Anniversary Edition include:

  • Deploy connection profiles using ProfileXML files
  • Configure a pre-shared key for L2TP VPN profiles
  • Enable the VPN Device Compliance option (requires cloud-based Conditional Access Platform services)

Provision VPN Profile XML with the ‘ProfileXML’ Top-Level URI

The ProfileXML URI lets you deploy a whole VPN profile as one XML document, an alternative to creating an individual URI value for every setting in an Intune custom policy. Because the value is carried inside the SyncML (or MDM bridge) payload, which is itself XML, the profile's own XML has to be escaped before it is sent.

VPNv2/ProfileName/ProfileXML

  • Carries the XML that provisions every field of a VPN profile. For the schema, see ProfileXML XSD.
  • Value type is chr.


Configure L2TP Pre-shared Keys using the ‘L2tpPsk’ URI

Anniversary Edition adds a URI for configuring the pre-shared key that an L2TP/IPsec VPN connection uses to authenticate its IPsec tunnel. Keep in mind that a PSK is one group secret shared by the server and every client it is deployed to: it authenticates the tunnel, not the user, so strong user authentication is still required, and certificate-based IPsec authentication is preferable where a PKI is available.


VPNv2/ProfileName/NativeProfile/L2tpPsk

  • Configures the pre-shared key used for an L2TP connection.
  • Value type is chr.

Enable the Device Compliance Option with ‘DeviceCompliance’ URI

Windows 10 Anniversary Edition includes a new DeviceCompliance configuration node to support the VPN device-compliance (Conditional Access) scenarios.


Setting descriptions and values are as follows:

VPNv2/ProfileName/DeviceCompliance

  • Nodes under DeviceCompliance enable Azure AD (AAD) based Conditional Access for VPN.

VPNv2/ProfileName/DeviceCompliance/Enabled

  • Enables the device-compliance flow on the client. When True, the VPN client contacts Azure AD, which evaluates the device's compliance state and returns a short-lived certificate that the client then uses to authenticate the VPN connection. The VPN must therefore be configured for certificate authentication, and the VPN server (or the RADIUS/NPS server behind it) must trust the issuer of the certificate returned by Azure Active Directory.
  • Value type is bool.

VPNv2/ProfileName/DeviceCompliance/Sso

  • Nodes under Sso let the client use a certificate other than the VPN authentication certificate for Kerberos authentication when device compliance is enabled; the certificate Azure AD returns for VPN authentication is typically not one the on-premises domain trusts for Kerberos.

VPNv2/ProfileName/DeviceCompliance/Sso/Enabled

  • If True, the VPN client looks for a separate certificate to use for Kerberos authentication.
  • Value type is bool.

VPNv2/ProfileName/DeviceCompliance/Sso/IssuerHash

  • Issuer hash(es) the VPN client uses to find the correct certificate for Kerberos authentication.
  • Value type is chr.

VPNv2/ProfileName/DeviceCompliance/Sso/Eku

  • Comma-separated list of EKUs the VPN client uses to find the correct certificate for Kerberos authentication.
  • Value type is chr.
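As an added example that is not part of the original post, the PowerShell below ties the three sections together: it builds two ProfileXML documents, one L2TP/IPsec profile that sets NativeProfile/L2tpPsk and one IKEv2/EAP-TLS profile that turns on DeviceCompliance with the Sso sub-nodes, and publishes both through the MDM Bridge WMI provider (namespace root\cimv2\mdm\dmmap, class MDM_VPNv2_01), which is how the VPNv2 CSP is reached from a local script rather than from Intune. Everything environment-specific is a placeholder assumption: the server names, DNS suffix, PSK, the template connection name CA-Template (an existing connection whose EAP-TLS settings are reused), the issuing CA subject, and the choice of the Client Authentication EKU 1.3.6.1.5.5.7.3.2. IssuerHash is assumed to be the SHA-1 thumbprint of the on-premises issuing CA, and element order follows Microsoft's published ProfileXML samples; check both against the ProfileXML XSD linked above. The script is meant to run as SYSTEM (for example via psexec -s) while the target user is logged on, since the bridge creates user-scoped profiles only when the call is bound to that user's SID.

```powershell
# Added example, not code from the original post. Placeholders: server names,
# DNS suffix, PSK, template connection 'CA-Template', issuing CA subject.

function Publish-VpnCspProfile {
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        [Parameter(Mandatory)][string]$ProfileXml
    )
    $namespace  = 'root\cimv2\mdm\dmmap'
    $className  = 'MDM_VPNv2_01'
    $instanceId = $ProfileName -replace ' ', '%20'   # spaces are escaped in the node name

    # Bind the bridge call to the logged-on user's SID so the profile lands in user scope.
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    $account  = New-Object System.Security.Principal.NTAccount($userName)
    $sid      = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $options  = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
    $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
    $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $sid, $false)
    $session = New-CimSession

    # Remove an existing profile of the same name so the new XML replaces it.
    $session.EnumerateInstances($namespace, $className, $options) |
        Where-Object { $_.InstanceID -eq $instanceId } |
        ForEach-Object { $session.DeleteInstance($namespace, $_, $options) }

    # ProfileXML travels inside the CSP's own XML envelope, so it must be escaped once.
    $escapedXml = [System.Security.SecurityElement]::Escape($ProfileXml)
    $instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
    foreach ($p in @(
        @('ParentID',   './Vendor/MSFT/VPNv2', 'Key'),
        @('InstanceID', $instanceId,           'Key'),
        @('ProfileXML', $escapedXml,           'Property'))) {
        $instance.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p[0], $p[1], 'String', $p[2]))
    }
    $session.CreateInstance($namespace, $instance, $options) | Out-Null
}

# 1. L2TP/IPsec profile whose tunnel is authenticated with a pre-shared key.
#    The PSK is a group secret shared by every client; it protects the IPsec SA only,
#    so user authentication (MS-CHAPv2 over PPP here) still carries the identity.
$l2tpPsk = 'replace-with-a-long-random-secret'   # placeholder
$l2tpProfileXml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.example</Servers>
    <NativeProtocolType>L2TP</NativeProtocolType>
    <Authentication>
      <UserMethod>MSChapv2</UserMethod>
    </Authentication>
    <L2tpPsk>$([System.Security.SecurityElement]::Escape($l2tpPsk))</L2tpPsk>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <RememberCredentials>false</RememberCredentials>
</VPNProfile>
"@

# 2. IKEv2 + EAP-TLS profile with the Azure AD device-compliance flow enabled.
#    The EAP-TLS blob is copied from a template connection built beforehand with
#    Add-VpnConnection or the Settings app (placeholder name 'CA-Template').
$eapConfigXml = (Get-VpnConnection -Name 'CA-Template').EapConfigXmlStream.InnerXml
# IssuerHash selects the certificate used for Kerberos SSO; assumed to be the SHA-1
# thumbprint of the on-premises issuing CA, found by a placeholder subject.
$issuerHash = (Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object Subject -like 'CN=Contoso Issuing CA*' | Select-Object -First 1).Thumbprint
$complianceProfileXml = @"
<VPNProfile>
  <DnsSuffix>corp.contoso.example</DnsSuffix>
  <NativeProfile>
    <Servers>vpn.contoso.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>$eapConfigXml</Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <DeviceCompliance>
    <Enabled>true</Enabled>
    <Sso>
      <Enabled>true</Enabled>
      <IssuerHash>$issuerHash</IssuerHash>
      <Eku>1.3.6.1.5.5.7.3.2</Eku>
    </Sso>
  </DeviceCompliance>
  <AlwaysOn>true</AlwaysOn>
</VPNProfile>
"@

Publish-VpnCspProfile -ProfileName 'Contoso L2TP'           -ProfileXml $l2tpProfileXml
Publish-VpnCspProfile -ProfileName 'Contoso Compliance VPN' -ProfileXml $complianceProfileXml

# Verification, run in the user's own session: confirm tunnel type, auth method and
# that the L2TP profile reports PSK rather than certificate IPsec authentication.
Get-VpnConnection | Format-List Name, TunnelType, AuthenticationMethod, L2tpIPsecAuth
```

Two things are worth checking after the push. For the compliance profile, the VPN server's RADIUS/NPS back end has to trust the issuer of the short-lived certificate Azure AD hands the client, or every connection will fail at EAP-TLS even though the profile looks correct on the device. For the L2TP profile, treat the PSK as a credential that is present on every enrolled device: rotate it through a ProfileXML replace, and do not reuse it for anything else.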