Tip of the Day: The VPN CSP - What else is new for the Anniversary Edition 2
Today’s Tip…
What? Did you think name-based triggers and crypto-suite configuration were all?
Additional VPNv2 CSP capabilities released just in time for the Anniversary Edition include:
- Deploy connection profiles using ProfileXML files
- Configure a pre-shared key for L2TP VPN profiles
- Enable the VPN Device Compliance option (requires cloud-based Conditional Access Platform services)
Provision VPN Profile XML with the ‘ProfileXML’ Top-Level URI
The ProfileXML URI allows you to deploy VPN profiles by including the scripted XML, offering an alternative to creating individual URI values in an Intune custom policy.
VPNv2/ProfileName/ProfileXML
- The XML schema for provisioning all the fields of a VPN. For the XSD, see ProfileXML XSD.
- Value type is chr.
Configure L2TP Pre-shared Keys using the ‘L2tpPSK’ URI
Anniversary Edition includes a new URI that allows configuration of a pre-shared key for use by an L2TP/IPsec VPN connection.
VPNv2/ProfileName/NativeProfile/L2tpPsk
- Configure the preshared key used for an L2TP connection.
Enable the Device Compliance Option with ‘DeviceCompliance’ URI
Windows 10 Anniversary Edition includes a new DeviceCompliance configuration URI to support the VPN Device Compliance scenarios.
Setting descriptions and values are as follows:
VPNv2/ProfileName/DeviceCompliance
- Nodes under DeviceCompliance can be used to enable AAD-based Conditional Access for VPN.
VPNv2/ProfileName/DeviceCompliance/Enabled
- Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
- Value type is bool.
VPNv2/ProfileName/DeviceCompliance/Sso
- Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.
VPNv2/ProfileName/DeviceCompliance/Sso/Enabled
- If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication.
- Value type is bool.
VPNv2/ProfileName/DeviceCompliance/Sso/IssuerHash
- Issuer hashes the VPN Client uses to locate the correct certificate for Kerberos Authentication.
- Value type is chr.
VPNv2/ProfileName/DeviceCompliance/Sso/Eku
- Comma-separated list of EKUs the VPN Client uses to locate the correct certificate for Kerberos Authentication.
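As an added example (not code from the original post), the following PowerShell ties the ProfileXML and DeviceCompliance sections together: it builds a ProfileXML that enables the DeviceCompliance and Sso nodes described above and deploys it as a single ProfileXML value through the WMI-to-CSP bridge (the MDM_VPNv2_01 class) instead of writing individual URI values. The profile name, server address and issuer hash are placeholders, and the EAP-TLS configuration is assumed to be exported beforehand from an existing connection.

```powershell
# Added example: provision a VPNv2 profile with DeviceCompliance/Sso via the WMI-to-CSP bridge.
# Run elevated on a Windows 10 Anniversary Edition client. All names below are placeholders.
$ProfileName   = 'Contoso Compliance VPN'
$ServerAddress = 'vpn.example.com'                           # placeholder VPN server
$IssuerHash    = 'PLACEHOLDER_THUMBPRINT_OF_ISSUING_CA'      # placeholder; pins cert selection to your CA
# EAP-TLS configuration is assumed to be exported from an existing connection, for example:
# (Get-VpnConnection -Name 'Template').EapConfigXmlStream.InnerXml | Set-Content .\eapconfig.xml
$EapConfigXml  = Get-Content -Raw '.\eapconfig.xml'

# DeviceCompliance requires certificate auth (EAP-TLS); Sso scopes the Kerberos cert by EKU and issuer.
$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$ServerAddress</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$EapConfigXml</Configuration></Eap>
    </Authentication>
  </NativeProfile>
  <DeviceCompliance>
    <Enabled>true</Enabled>
    <Sso>
      <Enabled>true</Enabled>
      <Eku>1.3.6.1.5.5.7.3.2</Eku>
      <IssuerHash>$IssuerHash</IssuerHash>
    </Sso>
  </DeviceCompliance>
</VPNProfile>
"@

# The CSP expects the profile XML to be escaped when passed as the ProfileXML property value.
$EscapedXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$InstanceID = $ProfileName -replace ' ', '%20'              # spaces in the profile name are URL-encoded
$Namespace  = 'root\cimv2\mdm\dmmap'
$Session    = New-CimSession
$Instance   = New-Object Microsoft.Management.Infrastructure.CimInstance 'MDM_VPNv2_01', $Namespace
foreach ($p in @(
    @('ParentID',   './Vendor/MSFT/VPNv2', 'Key'),
    @('InstanceID', $InstanceID,           'Key'),
    @('ProfileXML', $EscapedXML,           'Property'))) {
    $Instance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p[0], $p[1], 'String', $p[2]))
}
$Session.CreateInstance($Namespace, $Instance) | Out-Null

# Check that the profile was created; the VPN client should now list it as well.
Get-CimInstance -Namespace $Namespace -ClassName 'MDM_VPNv2_01' | Where-Object InstanceID -eq $InstanceID
```

The same bridge deploys an L2TP profile as well, with the pre-shared key carried in the NativeProfile's L2tpPsk element instead of an EAP configuration.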