1 00:00:00,340 --> 00:00:03,930 So in terms of provisioning and managing our endpoints for Always On VPN, 2 00:00:03,930 --> 00:00:05,260 as I just mentioned, 3 00:00:05,260 --> 00:00:09,250 the preferred method is using Microsoft Endpoint Manager or Intune. 4 00:00:09,250 --> 00:00:12,910 It's important to understand that Always On VPN as a workload was 5 00:00:12,910 --> 00:00:16,480 designed to be managed using Endpoint Manager or Intune, 6 00:00:16,480 --> 00:00:19,340 so that's going to be the best administrative experience and 7 00:00:19,340 --> 00:00:22,520 it's going to be the path of least resistance to deploying and 8 00:00:22,520 --> 00:00:25,640 managing our Always On VPN profiles. 9 00:00:25,640 --> 00:00:31,460 It is possible to use SCCM; however, it's important to understand that with SCCM, 10 00:00:31,460 --> 00:00:36,620 although you can provision VPN profiles using the native management tools, 11 00:00:36,620 --> 00:00:40,890 you cannot natively deploy Always On VPN profiles. 12 00:00:40,890 --> 00:00:42,230 So with SCCM, 13 00:00:42,230 --> 00:00:45,240 you will have to use a PowerShell script and XML 14 00:00:45,240 --> 00:00:49,080 configuration file and then you will wrap that up and 15 00:00:49,080 --> 00:00:51,850 deliver that to your endpoints via SCCM, 16 00:00:51,850 --> 00:00:52,830 and of course, 17 00:00:52,830 --> 00:00:56,110 the PowerShell script could be run just directly on an endpoint if 18 00:00:56,110 --> 00:00:59,170 you have just a handful of endpoints to manage, 19 00:00:59,170 --> 00:01:01,960 you could certainly run those ad hoc on those 20 00:01:01,960 --> 00:01:05,940 devices to configure Always On VPN. 21 00:01:05,940 --> 00:01:06,690 Without a doubt, 22 00:01:06,690 --> 00:01:09,440 the cloud integration features and capabilities with 23 00:01:09,440 --> 00:01:11,440 Always On VPN are really important.
24 00:01:11,440 --> 00:01:13,710 When we enable cloud integration, 25 00:01:13,710 --> 00:01:17,630 we have the advantage of using a variety of different identities, 26 00:01:17,630 --> 00:01:20,810 specifically, we can use native Azure AD accounts, 27 00:01:20,810 --> 00:01:23,920 but we can also use on‑premises Active Directory accounts, 28 00:01:23,920 --> 00:01:25,740 or we can use a combination of the two. 29 00:01:25,740 --> 00:01:28,560 We can use on‑premises AD accounts that have been 30 00:01:28,560 --> 00:01:31,140 synchronized with Azure AD as well. 31 00:01:31,140 --> 00:01:33,580 When we integrate with the cloud, and specifically, 32 00:01:33,580 --> 00:01:34,100 Azure, 33 00:01:34,100 --> 00:01:37,980 we get the advantage of using conditional access so we can apply 34 00:01:37,980 --> 00:01:41,280 conditional access policies to our VPN access, 35 00:01:41,280 --> 00:01:44,390 and we can also leverage proactive remediation, 36 00:01:44,390 --> 00:01:46,030 which is a feature of Intune, 37 00:01:46,030 --> 00:01:52,000 and we can use this capability to fine-tune the VPN configuration settings post-deployment.