Jun 20 2022 03:53 AM
Hi,
I had a Azure VPN configuration setup in Intune, everthing was working.
But we had to upgrade the VPN service, so a new profile was created with the new server configurations.
When I import the xml file manually in Azure VPN everything works, but when I update the configuration in Intune, the settings on device does not change, it keeps the old profile (Same name)
./User/Vendor/MSFT/VPNv2/<name of your connection>/ProfileXML
No changes happens on the device.
So i tested deleteing the old profile from my device.
Now i see an error in Intune, and i have no VPN profile at all in Azure VPN app.
Error code: -2016345612
Error code: 0x87d101f4
Jun 20 2022 09:57 AM
Jun 20 2022 07:10 PM
Jun 21 2022 12:13 AM
Jun 22 2022 02:22 AM - edited Jun 22 2022 02:36 AM
Still having issues. @Moe_Kinani
Excluding would result in a removal of the VPN config.
After re-adding the user to the include group (after the profile was confirmed removed from the device)
Then no profile shows up and in Intune I can see the following error:
Error code: -2016345612
Error code: 0x87d101f4
This is a Win 11 device
Event viewer shows error:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (NEVER MIND THIS), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Add: from Replace or Add), CSP URI: (./User/Vendor/MSFT/VPNv2/ProfileTest/ProfileXML), Result: (Windows was unable to parse the requested XML data.).
If I copy the XML i can import it without any issues, I see nothing wrong in the XML file, manual import is working and its generated from Azure.
Jun 22 2022 06:16 PM - edited Jun 22 2022 06:19 PM
Solution
Hi Jimmy,
I have made changes on my test environment to mirror your issue and worked without removing the existing profile.
The xml that you download from Azure (or import manually) needs to be changed in order to import using Intune. Here is an example on how it supposed to look:
Example_VPNProfile/example_vpnprofile.xml at main · j0eyv/Example_VPNProfile · GitHub
Follow the steps below to replace with your tenant info
Line 5: Modify the <TrustedNetworkDetection> setting to the DNS suffix, your DHCP server is sending out to your clients. This will be used to determine if a device is connected to the internal network or external. For example: contoso.local.
Line 9: Modify the <ServerUrlList> setting.
Line 18: Modify the <issuer> setting https://sts.windows.net/TENANTID/.
Line 19: Modify the <tenant> setting https://login.microsoftonline.com/TENANTID/.
Line 31: Modify the <name> setting. This is the VNET name.
Line 41: Modify the <fqdn> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded from Azure.
Line 46: Modify the <hash> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded from Azure.
Line 50: Modify the <serversecret> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded from Azure.
Save it as new XML file in order to import to OMA URI Setting.
In order to override your existing file:
OMA-URI Setting should be like below:
Jun 23 2022 01:37 AM
Jun 23 2022 02:03 AM
Mar 07 2023 12:13 AM
@JimmyWork I am having the same issue where user with existing configuration profile fails to have the newly updated profile overwrite the existing downloaded profile. Could you please share what changes specifically worked for you? I have used a updated the existing xml file with the new settings and uploaded with new xml file name keeping existing Profile Name and OMA URI but only new devices pick up the new profile and devices having the old config fails to overwrite.
appreciate you help in confirming this as I am not keen on excluding user group to remove old profile and then re-add the group back to add with same connection name or emir old profile and add with new name.
thanks
Mar 07 2023 05:59 AM
Jun 22 2022 06:16 PM - edited Jun 22 2022 06:19 PM
Solution
Hi Jimmy,
I have made changes on my test environment to mirror your issue and worked without removing the existing profile.
The xml that you download from Azure (or import manually) needs to be changed in order to import using Intune. Here is an example on how it supposed to look:
Example_VPNProfile/example_vpnprofile.xml at main · j0eyv/Example_VPNProfile · GitHub
Follow the steps below to replace with your tenant info
Line 5: Modify the <TrustedNetworkDetection> setting to the DNS suffix, your DHCP server is sending out to your clients. This will be used to determine if a device is connected to the internal network or external. For example: contoso.local.
Line 9: Modify the <ServerUrlList> setting.
Line 18: Modify the <issuer> setting https://sts.windows.net/TENANTID/.
Line 19: Modify the <tenant> setting https://login.microsoftonline.com/TENANTID/.
Line 31: Modify the <name> setting. This is the VNET name.
Line 41: Modify the <fqdn> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded from Azure.
Line 46: Modify the <hash> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded from Azure.
Line 50: Modify the <serversecret> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded from Azure.
Save it as new XML file in order to import to OMA URI Setting.
In order to override your existing file:
OMA-URI Setting should be like below: