SCCM and deploy Windows 10 Always On VPN Custom profile


Hi,

I posted a question this morning in System Center space.

I'm looking for suggestions in order to deploy a custom AlwaysOn VPN profile to my clients.

I have SCCM Current Branch and about 2k clients to manage.

I've successfully deployed an AlwaysOn VPN custom profile by MEM, but now I need to do the same with SCCM, which I'm not so familiar with.

My profile is composed of one PS1 script and one XML configuration file with NRPT and a custom IKEv2 security baseline. Sometimes I need to edit the XML file in order to update the NRPT, so I need to update the client configuration. I need to deploy these settings to a User collection.

I tried to make a package with both files; the first deployment was successful, but if I need to modify one of the files in the package, I should create a new package and a new deployment each time.

I tried with Compliance Settings > VPN profile, but I can't upload my custom XML and the wizard doesn't allow editing the IKEv2 security.

The last test was with an Application. In this case the configuration failed due to client user permissions (the PS1 requires elevation, but local users are not local administrators).

 

Do you have any suggestions?

Many thanks!

 

Francesco

3 Replies

@FrancescoFacco Since you need to make changes, have you considered using Configuration Item(s) [Script] to do that evaluation and remediation? Ideally, you can set up a configuration baseline that should be able to do this; that's one option. Another option might be to try different deployments. https://docs.microsoft.com/en-us/mem/configmgr/compliance/deploy-use/create-custom-configuration-ite...


@Danny Guillory Thank you Danny. Do you mean that I should create a kind of check-item (like a file or reg-key) and search for that? In case of a missing or different status, I should create a remediation starting a new deployment of the profile?

What about the deployment method? Can I use packages or applications, or should I think differently?


@FrancescoFacco, when you use that scripted method you're only limited by your own PowerShell skills, so you can then check whatever your requirements are and create or put what's needed from there. Lots of ways you can go here. Feel free to DM me if you want to kick some ideas around.
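
A sketch of the discovery half of the Configuration Item [Script] approach discussed in this thread, as an added example that is not from any of the posters: it hashes the desired ProfileXML and compares it with a marker value that the remediation script is assumed to write after applying the profile. The registry key, value name and sample XML are hypothetical or constructed; the compliance rule on the CI would test for the returned string `Compliant`.

```powershell
# Discovery script for a ConfigMgr Configuration Item (added example).
# Assumption: the remediation script, after applying the profile, writes the
# SHA-256 of the ProfileXML it used to the marker value below.
$MarkerKey   = 'HKLM:\SOFTWARE\Contoso\AlwaysOnVpn'   # hypothetical key
$MarkerValue = 'ProfileXmlSha256'                     # hypothetical value name

# Constructed sample ProfileXML. Paste the real file content here; editing it
# (for example an NRPT rule) changes the hash and flags clients for remediation.
$DesiredXml = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
  </NativeProfile>
  <DomainNameInformation>
    <DomainName>.corp.example.com</DomainName>
    <DnsServers>10.0.0.10</DnsServers>
  </DomainNameInformation>
</VPNProfile>
'@

function Get-StringSha256 {
    param([Parameter(Mandatory)][string]$Text)
    # Normalise line endings so CRLF vs LF does not change the hash.
    $normalised = ($Text -replace "`r`n", "`n").Trim()
    $bytes = [Text.Encoding]::UTF8.GetBytes($normalised)
    $sha = [Security.Cryptography.SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '' }
    finally { $sha.Dispose() }
}

$desiredHash = Get-StringSha256 -Text $DesiredXml

# A missing key or value yields $null, which is treated as non-compliant.
$marker = Get-ItemProperty -Path $MarkerKey -Name $MarkerValue -ErrorAction SilentlyContinue
$appliedHash = if ($marker) { $marker.$MarkerValue } else { $null }

# The CI compliance rule compares this output string with 'Compliant'.
if ($appliedHash -and ($appliedHash -eq $desiredHash)) {
    'Compliant'
} else {
    'NonCompliant'
}
```

Keeping the marker under HKLM means only the elevated remediation can write it, so a standard user cannot mark a stale profile as compliant.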