Forum Discussion
Updating Azure VPN profile not being applied
- Moe_Kinani, Jun 23, 2022, Bronze Contributor
Hi Jimmy,
I have made changes on my test environment to mirror your issue and it worked without removing the existing profile.
The XML that you download from Azure (or import manually) needs to be changed in order to import using Intune. Here is an example of how it is supposed to look:
Example_VPNProfile/example_vpnprofile.xml at main · j0eyv/Example_VPNProfile · GitHub
Follow the steps below to replace with your tenant info:
Line 5: Modify the <TrustedNetworkDetection> setting to the DNS suffix your DHCP server is sending out to your clients. This will be used to determine if a device is connected to the internal network or external. For example: contoso.local.
Line 9: Modify the <ServerUrlList> setting.
Line 18: Modify the <issuer> setting https://sts.windows.net/TENANTID/.
Line 19: Modify the <tenant> setting https://login.microsoftonline.com/TENANTID/.
Line 31: Modify the <name> setting. This is the VNET name.
Line 41: Modify the <fqdn> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the download from Azure.
Line 46: Modify the <hash> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the download from Azure.
Line 50: Modify the <serversecret> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the download from Azure.
Save it as a new XML file in order to import to the OMA-URI setting.
In order to override your existing file:
OMA-URI Setting should be like below:
Name: Give it a name
Description: Give it a description
OMA-URI: ./User/Vendor/MSFT/VPNv2/*NAME OF YOUR EXISTING PROFILE*/ProfileXML
Data Type: String (XML File)
For users that have the old profile, add them to the Exclude group, forcing the old profile to be removed.
Then add them back to the Include group with the new profile.
Will keep you updated if this works
Moe
https://www.joeyverlinden.com/p2s-azure-vpn-gateway-and-azure-vpn-client/
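A pre-import check for the edited file, as an added example that is not part of the original posts or of the linked template: it confirms the XML is well-formed and that the elements named in the steps above are present, non-empty and no longer contain the TENANTID placeholder. The function name and the sample document, including its nesting and values, are constructed for illustration.

```powershell
# Added example. Element names come from the steps above; the sample's layout is constructed.
function Test-VpnProfileXml {
    param([Parameter(Mandatory)][string]$XmlText)

    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($XmlText) }
    catch { return "Not well-formed XML: $($_.Exception.Message)" }

    # URL prefixes the post gives for the <issuer> and <tenant> settings.
    $prefix = @{
        issuer = 'https://sts.windows.net/'
        tenant = 'https://login.microsoftonline.com/'
    }
    $required = 'TrustedNetworkDetection', 'ServerUrlList', 'issuer', 'tenant',
                'name', 'fqdn', 'hash', 'serversecret'

    # Findings name the element only; values such as <serversecret> are never echoed.
    $findings = @()
    foreach ($tag in $required) {
        $nodes = $doc.SelectNodes("//*[local-name()='$tag']")
        if ($nodes.Count -eq 0) { $findings += "<$tag> is missing"; continue }
        foreach ($node in $nodes) {
            $value = $node.InnerText.Trim()
            if (-not $value) { $findings += "<$tag> is empty" }
            elseif ($value -match 'TENANTID') { $findings += "<$tag> still holds the TENANTID placeholder" }
            elseif ($prefix.ContainsKey($tag) -and -not $value.StartsWith($prefix[$tag])) {
                $findings += "<$tag> does not start with $($prefix[$tag])"
            }
        }
    }
    return $findings
}

# Constructed sample: TENANTID left in <tenant>, <hash> left empty.
$sample = @'
<VPNProfile>
  <TrustedNetworkDetection>contoso.local</TrustedNetworkDetection>
  <ServerUrlList>vpn.example.invalid</ServerUrlList>
  <issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</issuer>
  <tenant>https://login.microsoftonline.com/TENANTID/</tenant>
  <name>example-vnet</name>
  <fqdn>gateway.example.invalid</fqdn>
  <hash></hash>
  <serversecret>constructed-placeholder</serversecret>
</VPNProfile>
'@
Test-VpnProfileXml -XmlText $sample
```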
- JimmyWork, Jun 21, 2022, Iron Contributor
XML is working fine, tested manual import and also always on profile sent from Intune to test device. Only issue with devices that had the old profile from Intune.
But will confirm later today, but the profile seems to be removed at least, will wait a bit before re-adding it.
- JimmyWork, Jun 22, 2022, Iron Contributor
Still having issues. Moe_Kinani
Excluding would result in a removal of the VPN config.
After re-adding the user to the include group (after the profile was confirmed removed from the device)
Then no profile shows up and in Intune I can see the following error:
Error code: -2016345612
Error code: 0x87d101f4
This is a Win 11 device.
Event viewer shows error:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (NEVER MIND THIS), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Add: from Replace or Add), CSP URI: (./User/Vendor/MSFT/VPNv2/ProfileTest/ProfileXML), Result: (Windows was unable to parse the requested XML data.).
If I copy the XML I can import it without any issues, I see nothing wrong in the XML file, manual import is working and it's generated from Azure.