Forum Discussion
Updating Azure VPN profile not being applied
- Jun 22, 2022
Hi Jimmy,
I have made changes on my test environment to mirror your issue and it worked without removing the existing profile.
The XML that you download from Azure (or import manually) needs to be changed in order to import it using Intune. Here is an example of how it is supposed to look:
https://github.com/j0eyv/Example_VPNProfile/blob/main/example_vpnprofile.xml
Follow the steps below to replace the values with your tenant info:
Line 5: Modify the <TrustedNetworkDetection> setting to the DNS suffix your DHCP server is sending out to your clients. This will be used to determine if a device is connected to the internal network or external. For example: contoso.local.
Line 9: Modify the <ServerUrlList> setting.
Line 18: Modify the <issuer> setting https://sts.windows.net/TENANTID/.
Line 19: Modify the <tenant> setting https://login.microsoftonline.com/TENANTID/.
Line 31: Modify the <name> setting. This is the VNET name.
Line 41: Modify the <fqdn> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the download from Azure.
Line 46: Modify the <hash> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the download from Azure.
Line 50: Modify the <serversecret> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the download from Azure.
Save it as a new XML file in order to import it into the OMA-URI setting.
In order to override your existing file:
OMA-URI Setting should be like below:
Name: Give it a name
Description: Give it a description
OMA-URI: ./User/Vendor/MSFT/VPNv2/*NAME OF YOUR EXISTING PROFILE*/ProfileXML
Data Type: String (XML File)
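A pre-upload check for the edited profile described in the post above, as an added example that is not part of the original post or of any Microsoft tooling. It assumes the settings the post lists are nested XML elements (matched by local tag name), that a profile name is percent-encoded in the OMA-URI, and uses hypothetical function names with constructed sample values.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

def _values(xml_text):
    """Lower-cased local tag name -> first non-empty text (namespaces ignored)."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        text = (el.text or "").strip()
        if text:
            found.setdefault(el.tag.rsplit("}", 1)[-1].lower(), text)
    return found

def check_profile(profile_xml, azure_config_xml):
    """Return the problems found in the edited profile; an empty list means OK."""
    prof, azure = _values(profile_xml), _values(azure_config_xml)
    problems = [f"<{t}> is empty or missing"
                for t in ("trustednetworkdetection", "serverurllist", "name") if t not in prof]
    tenant_ids = set()
    for tag, prefix in (("issuer", "https://sts.windows.net/"),
                        ("tenant", "https://login.microsoftonline.com/")):
        m = re.fullmatch(re.escape(prefix) + r"([^/]+)/?", prof.get(tag, ""))
        if not m or m.group(1) == "TENANTID":
            problems.append(f"<{tag}> still has the placeholder or a wrong URL")
        else:
            tenant_ids.add(m.group(1).lower())
    if len(tenant_ids) > 1:
        problems.append("<issuer> and <tenant> name different tenants")
    for tag in ("fqdn", "hash", "serversecret"):  # values are compared, never printed
        if tag not in azure or prof.get(tag) != azure[tag]:
            problems.append(f"<{tag}> does not match azurevpnconfig.xml")
    return problems

def oma_uri(existing_profile_name):
    """OMA-URI for the existing profile; the name is percent-encoded (space -> %20)."""
    return f"./User/Vendor/MSFT/VPNv2/{quote(existing_profile_name, safe='')}/ProfileXML"

# Constructed sample data, cut down to the elements the post names (not real values).
AZURE = ("<AzVpnProfile><fqdn>gw.example.invalid</fqdn><hash>AABBCC</hash>"
         "<serversecret>NEWSECRET</serversecret></AzVpnProfile>")
PROFILE = ("<VPNProfile><TrustedNetworkDetection>contoso.local</TrustedNetworkDetection>"
           "<ServerUrlList>gw.example.invalid</ServerUrlList>"
           "<issuer>https://sts.windows.net/TENANTID/</issuer>"
           "<tenant>https://login.microsoftonline.com/TENANTID/</tenant>"
           "<name>ExampleVNET</name><fqdn>gw.example.invalid</fqdn>"
           "<hash>AABBCC</hash><serversecret>OLDSECRET</serversecret></VPNProfile>")

if __name__ == "__main__":
    print(check_profile(PROFILE, AZURE), oma_uri("Contoso VPN"))
```

The messages name only the element that failed, so the `<serversecret>` value never ends up in console output or a ticket.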
- spateluk, Mar 07, 2023, Copper Contributor
JimmyWork, I am having the same issue, where a user with an existing configuration profile fails to have the newly updated profile overwrite the existing downloaded profile. Could you please share what changes specifically worked for you? I have updated the existing XML file with the new settings and uploaded it with a new XML file name, keeping the existing Profile Name and OMA-URI, but only new devices pick up the new profile and devices having the old config fail to overwrite it.
Appreciate your help in confirming this as I am not keen on excluding user group to remove old profile and then re-add the group back to add with same connection name or emir old profile and add with new name. Thanks.
- JimmyWork, Mar 07, 2023, Iron Contributor
I was importing the wrong XML settings.
But I believe I ended up re-doing all the steps, creating a new policy, deleting the old one.
But if you check in the Event logs I'm pretty sure you can see why the policy is not applied.
If I remember correctly it was due to the profile name already existing; creating a new profile name worked. I'm sorry for not being able to help you and I don't know at what scale you need to do this, but please test the following.
Create a new policy with the new settings, same profile name.
Exclude test user from the first policy with the old settings.
Include test user in the new policy.
Check the Event logs
I had to download a fresh XML file and then upload that with my settings.
- Moe_Kinani, Jun 23, 2022, Bronze Contributor
Glad it’s working now!