1 00:00:02,840 --> 00:00:03,700 So at this point, 2 00:00:03,700 --> 00:00:06,900 you've learned how to provision Always On VPN client configuration 3 00:00:06,900 --> 00:00:10,910 settings using Intune and the VPN template using the UI, 4 00:00:10,910 --> 00:00:13,830 walking through the wizard, if you want to call it that, 5 00:00:13,830 --> 00:00:14,760 and then, of course, 6 00:00:14,760 --> 00:00:20,240 we've learned how to deploy an XML configuration file using PowerShell. 7 00:00:20,240 --> 00:00:24,240 It is possible to deploy that XML configuration file using Intune. 8 00:00:24,240 --> 00:00:27,520 This is kind of a hybrid model, it's a combination of the two, 9 00:00:27,520 --> 00:00:33,300 and you can use XML within Intune for both device and user tunnels, 10 00:00:33,300 --> 00:00:35,710 as long as you know the correct OMA‑URI, and I'll 11 00:00:35,710 --> 00:00:37,940 explain that a little more shortly. 12 00:00:37,940 --> 00:00:40,420 It does require that you use the custom template, 13 00:00:40,420 --> 00:00:42,010 not the VPN template, 14 00:00:42,010 --> 00:00:45,580 and the reason you might want to do this is because using 15 00:00:45,580 --> 00:00:49,040 XML exposes some additional settings that are not 16 00:00:49,040 --> 00:00:51,920 available to you in the Intune UI. 17 00:00:51,920 --> 00:00:53,700 So if you're using the VPN template, 18 00:00:53,700 --> 00:00:57,160 there may be some things that you want to define or change or 19 00:00:57,160 --> 00:01:00,350 set that are just simply not in the Intune UI, 20 00:01:00,350 --> 00:01:02,730 so you have to do it through XML. 21 00:01:02,730 --> 00:01:06,210 And you're going to see that in detail in the next module. 
22 00:01:06,210 --> 00:01:06,790 For now, 23 00:01:06,790 --> 00:01:09,250 I want to show you how to deploy the XML file that you were 24 00:01:09,250 --> 00:01:11,870 deploying locally with PowerShell previously, 25 00:01:11,870 --> 00:01:17,240 and I want to show you how to push that XML file out using Intune. 26 00:01:17,240 --> 00:01:18,730 So let's get on to this demonstration, 27 00:01:18,730 --> 00:01:21,330 and I'll show you how to deploy a user tunnel and a 28 00:01:21,330 --> 00:01:24,200 device tunnel using XML with Intune. 29 00:01:24,200 --> 00:01:28,280 Back in the Microsoft Endpoint Manager admin center, 30 00:01:28,280 --> 00:01:33,640 we'll click on Devices and Configuration profiles. 31 00:01:33,640 --> 00:01:36,700 And here you'll see that we have our Always On VPN device 32 00:01:36,700 --> 00:01:39,610 tunnel and user tunnels that we provisioned in an earlier 33 00:01:39,610 --> 00:01:42,210 lesson using the Intune UI. 34 00:01:42,210 --> 00:01:45,150 These are listed as profile type VPN. 35 00:01:45,150 --> 00:01:47,010 We're going to do this a little differently now, so 36 00:01:47,010 --> 00:01:50,440 we're going to click Create profile, 37 00:01:50,440 --> 00:01:52,660 and we'll select Windows 10 and later as our 38 00:01:52,660 --> 00:01:55,570 platform and a Templates profile type. 39 00:01:55,570 --> 00:02:01,220 And here, instead of selecting VPN as we did previously, 40 00:02:01,220 --> 00:02:03,830 we're actually going to select Custom this time, 41 00:02:03,830 --> 00:02:06,540 so we'll click Create. 42 00:02:06,540 --> 00:02:07,810 We'll provide a name here. 43 00:02:07,810 --> 00:02:11,240 And by the way, this is not how it appears in Windows, 44 00:02:11,240 --> 00:02:17,940 this is simply an administrative name, so you can call it whatever you like. 
45 00:02:17,940 --> 00:02:19,980 You can provide a description if you like as well, 46 00:02:19,980 --> 00:02:26,040 then we'll choose Next, and then we'll click Add for our OMA‑URI Settings. 47 00:02:26,040 --> 00:02:27,770 Here we'll provide a name, and once again, 48 00:02:27,770 --> 00:02:33,640 this is just an administrative name, not how it appears in Windows. 49 00:02:33,640 --> 00:02:36,040 You can enter a description if you like. 50 00:02:36,040 --> 00:02:36,730 And then next, 51 00:02:36,730 --> 00:02:41,590 we need to provide the OMA‑URI or the target location for the settings we 52 00:02:41,590 --> 00:02:45,610 want to deploy for this specific Always On VPN profile. 53 00:02:45,610 --> 00:02:49,870 The OMA‑URI that you choose depends on which tunnel you want to deploy, 54 00:02:49,870 --> 00:02:52,850 whether it's a user tunnel or a device tunnel. 55 00:02:52,850 --> 00:02:55,100 The OMA‑URI for the user tunnel is 56 00:02:55,100 --> 00:03:02,300 ./User/Vendor/MSFT/VPNv2/Example%20Profile%20Name is what I'm using 57 00:03:02,300 --> 00:03:02,790 here. 58 00:03:02,790 --> 00:03:05,050 This is the name as it appears in Windows. 59 00:03:05,050 --> 00:03:08,050 This is what will actually show up in the UI on the client. 60 00:03:08,050 --> 00:03:12,080 And so, the XML does not accept spaces, 61 00:03:12,080 --> 00:03:15,490 so you must escape them with the %20 character. 62 00:03:15,490 --> 00:03:19,040 So if you choose to use spaces in your name, 63 00:03:19,040 --> 00:03:23,370 then you must use the %20 characters in place of the spaces. 64 00:03:23,370 --> 00:03:24,730 If you don't want to use spaces, great, 65 00:03:24,730 --> 00:03:27,220 you can avoid this by just calling it a name without 66 00:03:27,220 --> 00:03:31,960 spaces like AOVPN and then /ProfileXML. 67 00:03:31,960 --> 00:03:35,590 So the OMA‑URI that you enter in Intune should look exactly 68 00:03:35,590 --> 00:03:38,640 like this except for with your specific name. 
69 00:03:38,640 --> 00:03:40,890 And the difference between the user and the device 70 00:03:40,890 --> 00:03:45,060 tunnel is the prefix ./User or ./Device, 71 00:03:45,060 --> 00:03:48,430 and the rest of it is functionally the same. 72 00:03:48,430 --> 00:03:51,910 In the previous lessons, when we deployed the XML using PowerShell, 73 00:03:51,910 --> 00:03:56,290 we used Always On VPN as the name of the user tunnel and Always On 74 00:03:56,290 --> 00:03:59,580 VPN device tunnel as the name of the device tunnel, 75 00:03:59,580 --> 00:04:02,040 and we'll use those here in our examples. 76 00:04:02,040 --> 00:04:06,290 So I'm going to copy and paste the OMA‑URI here for the user tunnel, 77 00:04:06,290 --> 00:04:07,970 so that's ./User. 78 00:04:07,970 --> 00:04:10,260 And again, just to drive that point home, 79 00:04:10,260 --> 00:04:12,630 the dot, that trailing dot or leading dot, 80 00:04:12,630 --> 00:04:14,720 I should say, is critical. 81 00:04:14,720 --> 00:04:18,870 If everything looks good, the UI will, of course, validate it for you. 82 00:04:18,870 --> 00:04:22,920 Next we'll choose data type, and we'll choose String XML. 83 00:04:22,920 --> 00:04:24,790 We'll click on the little blue folder here, 84 00:04:24,790 --> 00:04:28,830 and we will just simply select our XML file that we used in that 85 00:04:28,830 --> 00:04:31,290 previous lesson to deploy with PowerShell. 86 00:04:31,290 --> 00:04:33,240 So we'll click Open. 87 00:04:33,240 --> 00:04:37,730 And if everything looks good, should be no errors here. 88 00:04:37,730 --> 00:04:41,020 If there's an issue with the syntax in your XML, 89 00:04:41,020 --> 00:04:44,230 this UI will complain, so it does validate this XML. 90 00:04:44,230 --> 00:04:47,580 It doesn't validate the settings, just the syntax, right? 91 00:04:47,580 --> 00:04:51,210 So if you've missed a tag or added something incorrectly, 92 00:04:51,210 --> 00:04:53,940 it will appear as an error here. 
93 00:04:53,940 --> 00:04:57,140 So once you're done, go ahead and click Save. 94 00:04:57,140 --> 00:05:00,850 And at this point, I should probably drive home the fact that this XML file, 95 00:05:00,850 --> 00:05:02,840 before you push it out with Intune, 96 00:05:02,840 --> 00:05:08,840 it's always best to use the PowerShell technique to at least test it locally. 97 00:05:08,840 --> 00:05:11,590 You want to make sure that your syntax is correct, 98 00:05:11,590 --> 00:05:14,810 that all the settings are functioning as expected, 99 00:05:14,810 --> 00:05:17,900 and that it's working before you deploy it broadly using Intune. 100 00:05:17,900 --> 00:05:21,440 So once this is done, we'll click Next. 101 00:05:21,440 --> 00:05:22,690 We'll add our group. 102 00:05:22,690 --> 00:05:29,940 This is a user tunnel, so I'm going to find my VPN Users group, 103 00:05:29,940 --> 00:05:36,140 Select, Next, Next, and Create. 104 00:05:36,140 --> 00:05:36,900 And that's it. 105 00:05:36,900 --> 00:05:39,880 So this is going to go out to that target group. 106 00:05:39,880 --> 00:05:43,960 Now, to deploy a device‑based connection, it is almost identical. 107 00:05:43,960 --> 00:05:47,730 So we'll go to Devices, Configuration profiles, 108 00:05:47,730 --> 00:05:51,440 and then we'll click Create profile again, 109 00:05:51,440 --> 00:05:56,240 Windows 10 and later, Templates, Custom, 110 00:05:56,240 --> 00:06:05,240 Create, give this one a different name, choose Next. 111 00:06:05,240 --> 00:06:13,240 We'll click Add, provide a name again. 112 00:06:13,240 --> 00:06:16,750 And then this time, I'll paste in the OMA‑URI 113 00:06:16,750 --> 00:06:19,360 relating to the device‑based connection, 114 00:06:19,360 --> 00:06:24,460 so ./Device and then the name of my profile there as you see it. 115 00:06:24,460 --> 00:06:31,440 We'll select our String XML, and this time we will select our Device XML. 
116 00:06:31,440 --> 00:06:34,440 Click Open, Save, 117 00:06:34,440 --> 00:06:39,850 Next, and we'll assign this to our VPN Devices group because this 118 00:06:39,850 --> 00:06:46,540 is a device‑based connection, click Select, 119 00:06:46,540 --> 00:06:52,840 Next, and Create. 120 00:06:52,840 --> 00:06:53,860 And at this point, 121 00:06:53,860 --> 00:07:03,000 you should now see that we have our VPN profiles deployed using the custom profile type.