SOLVED

Configuration Profiles not applying to users.

Occasional Contributor

Hello,

 

I need help understadning Intune and how it works applying configuration profiles to users and devices.  I am trying to deploy an Always on VPN for our VPN users. I created a custom configuration profile for the VPN settings and applied it to the group VPN_Users.   I have everything working but the configuration profile will only apply to the device if the user is logged in who enrolled in the MDM.   For example, if User A logs in the Windows 10 computer 21H2 and enrolls into MDM only that user will get the configuration profile and VPN, but if User B logs in to the same device after User A enrolled into the MDM then User B will not get the configuration profile even though both users are in the VPN_Users group. What am I missing here? Does every user have to enroll into the MDM?

11 Replies

@Ryan_Fischer 

From Intune point of view, it doesn't matter if you assign a policy to user or device (by Intune I’m referring to CSP – Not PowerShell scripts assignment).

The thing is the that some CSP’s are design to run on user scope and some on device scope (but still you can assign either of them to user OR device group – it doesn’t matter).

 

So there are 2 things to consider:

  1. Group assignment (devices or users) – this determine who will be the trigger for the policy to be applied, if it is device assignment then the policy will be applied before user sign-in, if it is user assignment then the policy will be applied only after user sign-in
  2. Scope level – this determine at which level the policy is configured (and when will be triggered  - as same as with assignment)– device scope means the policy is configured on device level and no user must sign-in, user scope means the policy is configured in the user context and user must sign-in before the policy can be applied and configured.

 

Example 1 – You configured a user scope CSP and assigned it to device group -  the policy applied to any signed in user (dure to device assignment) only after they sign-in (due to user scope).

Example 2 – You configured a device scope CSP and assigned it to user group – the policy applied on device level and most likely affect all users (due to device scope) only after the first sign-in of one of users group members (due to user assignment).

 

In your case I suspect that your SCP run on the wrong scope level – can you share the exact CSP you are using (custom policy) – btw: for VPN you can use buit in VPN profile, you don’t have to use custm (at least in most case :smiling_face_with_smiling_eyes:)

 

 

For general info on CSP scope level check this link – https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

 

@giladkeidar

I have to use a custom policy because the VPN template doesn't have the option to set IKEv2 security settings which I need set to as seen in the example below. 

 
<CryptographySuite>
   <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
   <CipherTransformConstants>AES128</CipherTransformConstants>
   <EncryptionMethod>AES128</EncryptionMethod>
   <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
   <DHGroup>Group14</DHGroup>
   <PfsGroup>PFS2048</PfsGroup>
  </CryptographySuite>
 
Here is a screen shot of the profile settings.  (./User/Vendor/MSFT/VPNv2)
Ryan_Fischer_0-1637513091017.png

 

try change it to /Device/ and assign it to device group
best response confirmed by Ryan_Fischer (Occasional Contributor)
Solution
Do I need to change the Scope tag to anything or do I leave that default?
Default, scope is only for permissions
That worked!

Thank you. I am obviously new to Intune.
Actually this is one of toughest issues to understand, I summarized you a lot of information to few lines :)
How does this work if I want to provide two VPNs to users depending on their needs? For example, I want some users to have a forced tunnel VPN and some to have a split tunnel VPN. I tried making two of these configuration policy and targeting computer security groups but seems to do nothing.
2 different CSP profile for 2 users on the same device might not work.
I am not trying to do two, I want some devices to get one profile and another set of devices to get a different profile. So instead of using "All Devices" group I create AD security groups and added computers to them.
Never mind it is working it just took it's time, more than usual.