{"id":3844,"date":"2022-02-21T11:37:11","date_gmt":"2022-02-21T10:37:11","guid":{"rendered":"https:\/\/www.lieben.nu\/liebensraum\/?p=3844"},"modified":"2022-02-21T11:37:11","modified_gmt":"2022-02-21T10:37:11","slug":"re-configuring-hidden-vpn-profile-properties","status":"publish","type":"post","link":"https:\/\/lieben.nu\/liebensraum\/2022\/02\/re-configuring-hidden-vpn-profile-properties\/","title":{"rendered":"(re) configuring hidden VPN Profile properties"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Using MEM (Intune) we can automatically deploy VPN profiles to our users&#8217; managed devices directly. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The set of parameters that can be configured in MEM is extremely limited compared to what actually ends up on the rasphone.pbk file (VPN Profile) on a Windows client.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Example of a .pbk file for an Azure P2S VPN connection with Conditional Access\/cert based SSO:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n&#x5B;AzureVirtualNetwork]\nEncoding=1\nPBVersion=6\nType=4\nAutoLogon=0\nUseRasCredentials=1\nLowDateTime=-1117351264\nHighDateTime=30942358\nDialParamsUID=927022140\nGuid=AABC7C8342FD91458105A961BE471F8E\nVpnStrategy=7\nExcludedProtocols=8\nLcpExtensions=1\nDataEncryption=256\nSwCompression=1\nNegotiateMultilinkAlways=1\nSkipDoubleDialDialog=0\nDialMode=0\nOverridePref=15\nRedialAttempts=0\nRedialSeconds=0\nIdleDisconnectSeconds=0\nRedialOnLinkFailure=0\nCallbackMode=0\nCustomDialDll=\nCustomDialFunc=\nCustomRasDialDll=%windir%\\system32\\cmdial32.dll\nForceSecureCompartment=0\nDisableIKENameEkuCheck=0\nAuthenticateServer=0\nShareMsFilePrint=1\nBindMsNetClient=1\nSharedPhoneNumbers=0\nGlobalDeviceSettings=0\nPrerequisiteEntry=\nPrerequisitePbk=\nPreferredPort=VPN2-0\nPreferredDevice=WAN Miniport (IKEv2)\nPreferredBps=0\nPreferredHwFlow=0\nPreferredProtocol=0\nPreferredCompression=0\nPreferredSpeaker=0\nPreferredMdmProtocol=0\nPreviewUserPw=0\nPreviewDomain=0\nPreviewPhoneNumber=0\nShowDialingProgress=0\nShowMonitorIconInTaskBar=1\nCustomAuthKey=13\nCustomAuthData=314442430D000405C000000020005005C0000001500000014000000A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436020001001230FE0006000100FCD02C00\nCustomAuthData=3BCB684FDAE6ED1B763A3EDEB989B12C95EFFAFFD330281E75F1C671B03CDD800FF0844797977764005000500\nAuthRestrictions=128\nIpPrioritizeRemote=0\nIpInterfaceMetric=1\nIpHeaderCompression=1\nIpAddress=0.0.0.0\nIpDnsAddress=172.1.230.4\nIpDns2Address=172.1.230.5\nIpWinsAddress=0.0.0.0\nIpWins2Address=0.0.0.0\nIpAssign=1\nIpNameAssign=2\nIpDnsFlags=0\nIpNBTFlags=1\nTcpWindowSize=0\nUseFlags=2\nIpSecFlags=0\nIpDnsSuffix=\nIpv6Assign=1\nIpv6Address=::\nIpv6PrefixLength=0\nIpv6PrioritizeRemote=1\nIpv6InterfaceMetric=0\nIpv6NameAssign=1\nIpv6DnsAddress=::\nIpv6Dns2Address=::\nIpv6Prefix=0000000000000000\nIpv6InterfaceId=0000000000000000\nDisableClassBasedDefaultRoute=1\nDisableMobility=0\nNetworkOutageTime=0\nIDI=\nIDR=\nImsConfig=0\nIdiType=0\nIdrType=0\nProvisionType=0\nPreSharedKey=\nCacheCredentials=0\nNumCustomPolicy=0\nNumEku=0\nUseMachineRootCert=0\nDisable_IKEv2_Fragmentation=0\nPlumbIKEv2TSAsRoutes=0\nNumServers=0\nRouteVersion=1\nNumRoutes=0\nNumNrptRules=0\nAutoTiggerCapable=0\nNumAppIds=0\nNumClassicAppIds=0\nSecurityDescriptor=\nApnInfoProviderId=\nApnInfoUsername=\nApnInfoPassword=\nApnInfoAccessPoint=\nApnInfoAuthentication=1\nApnInfoCompression=0\nDeviceComplianceEnabled=0\nDeviceComplianceSsoEnabled=0\nDeviceComplianceSsoEku=\nDeviceComplianceSsoIssuer=\nWebAuthEnabled=0\nWebAuthClientId=\nFlagsSet=0\nOptions=0\nDisableDefaultDnsSuffixes=0\nNumTrustedNetworks=0\nNumDnsSearchSuffixes=0\nPowershellCreatedProfile=0\nProxyFlags=0\nProxySettingsModified=0\nProvisioningAuthority=\nAuthTypeOTP=0\nGREKeyDefined=0\nNumPerAppTrafficFilters=0\nAlwaysOnCapable=0\nDeviceTunnel=0\nPrivateNetwork=0\n\nNETCOMPONENTS=\nms_msclient=1\nms_server=1\n\nMEDIA=rastapi\nPort=VPN2-0\nDevice=WAN Miniport (IKEv2)\n\nDEVICE=vpn\nPhoneNumber=azuregateway-12341ef-4922-4edc-a492-589b3e547c58-1ba19cb9ae52.vpn.azure.com\nAreaCode=\nCountryCode=0\nCountryID=0\nUseDialingRules=0\nComment=\nFriendlyName=\nLastSelectedPhone=0\nPromoteAlternates=0\nTryNextAlternateOnFail=1\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\"><strong>Modifying VPN Profile settings<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To allow admins further customization of these settings, I&#8217;ve written a <a href=\"https:\/\/endpoint.microsoft.com\/#blade\/Microsoft_Intune_Enrollment\/UXAnalyticsMenu\/proactiveRemediations\" target=\"_blank\" rel=\"noreferrer noopener\">Proactive Remediation<\/a> script that can customize any VPN profile property to any value you specify.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In our case, we used it to set IpInterfaceMetric, which defaults to 0, causing ambiguously routed traffic to never prefer the VPN connection (since this is a split tunnel connection). Setting it to 1 resolved our DNS\/routing issues to certain private endpoints in our Azure environment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Code \/ git link: <a href=\"https:\/\/gitlab.com\/Lieben\/assortedFunctions\/-\/blob\/master\/set-vpnConnectionInterfaceMetric.ps1\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/gitlab.com\/Lieben\/assortedFunctions\/-\/blob\/master\/set-vpnConnectionInterfaceMetric.ps1<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Using MEM (Intune) we can automatically deploy VPN profiles to our users&#8217; managed devices directly. The set of parameters that can be configured in MEM is extremely limited compared to what actually ends up on the rasphone.pbk file (VPN Profile) on a Windows client. Example of a .pbk file for an Azure P2S VPN connection &hellip; <a href=\"https:\/\/lieben.nu\/liebensraum\/2022\/02\/re-configuring-hidden-vpn-profile-properties\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">(re) configuring hidden VPN Profile properties<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[4,5,12,22,39],"tags":[],"class_list":["post-3844","post","type-post","status-publish","format-standard","hentry","category-automation","category-azure","category-ems","category-intune","category-powershell"],"_links":{"self":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/3844","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/comments?post=3844"}],"version-history":[{"count":0,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/3844\/revisions"}],"wp:attachment":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/media?parent=3844"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/categories?post=3844"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/tags?post=3844"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}