VPN Scripts

Firstly – let me point out Richard Hicks is the guru on all things VPN – especially in a Microsoft world. His blog / site is here: Richard M. Hicks Consulting, Inc. | Enterprise Mobility and Security Infrastructure – Microsoft Always On VPN and DirectAccess, NetMotion Mobility, PKI and MFA (richardhicks.com)

I had an issue distributing a VPN profile via Intune (MEM): it was fine in Windows 10, but in Windows 11 the profile would vanish and then come back. I was able to replicate it on a number of AAD-joined devices. The easiest workaround was to re-deploy the VPN profile, but as a .intunewin PowerShell script.

Below is the PowerShell I used. This worked for an IPsec (IKEv2) VPN to a pfSense firewall.

I later discovered that the VPN profile was being added as ‘Public’, meaning I couldn't then browse the network; I then needed to write the second script to update the registry entry and set the Category to Private. (The same script would work to set the connection as Domain.)

Both these scripts should also work as custom detection scripts.

The Scripts…

Powershell to create a VPN Profile

#This is to add the VPN config to the machine...  (the Intune native plugin isn't working fully)
#https://docs.microsoft.com/en-us/powershell/module/vpnclient/add-vpnconnection?view=windowsserver2022-ps
#https://www.reddit.com/r/Intune/comments/q224qc/win_11_vpn_profile_gets_removed/
#https://www.pdq.com/powershell/add-vpnconnection/
$vpnname = "My VPN (ps1)"
if (Get-VpnConnection -Name $vpnname -ErrorAction SilentlyContinue) {
    Write-Host "$vpnname exists"
} else {
    # Default EAP configuration = EAP-MSCHAPv2 (username/password)
    $xmlconfig2 = New-EapConfiguration
    Add-VpnConnection -Name $vpnname `
                      -ServerAddress "server.mydomain.com" `
                      -TunnelType Ikev2 `
                      -RememberCredential `
                      -SplitTunneling `
                      -EncryptionLevel Optional `
                      -AuthenticationMethod Eap `
                      -EapConfigXmlStream $xmlconfig2.EapConfigXmlStream
}

However… it created the VPN profile as ‘Public’, not ‘Private’, and there is no native PowerShell cmdlet to modify that. 🙁

Registry Tweak (via Powershell) – change Category from Public to Private

#Fix Registry Entry for VPN - make it 'Private'

$ProfilesKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"
# Find the NetworkList profile whose ProfileName matches the VPN connection name
$RegKey = (Get-ChildItem -Path $ProfilesKey -Recurse |
           Get-ItemProperty |
           Where-Object { $_.ProfileName -eq "My VPN (ps1)" } |
           Select-Object -First 1).PSChildName
if (-not $RegKey) { Write-Host -f Yellow "No network profile found for the VPN yet - nothing to fix"; exit 1 }
$RegPath = "$ProfilesKey\$RegKey"
#We need to set Category from 0 (Public) to 1 (Private) (2 would be domain)
$RegName = "Category"
$RegValue = 1   # keep this numeric - Category is a REG_DWORD

if ((Get-ItemProperty -Path $RegPath -Name $RegName).$RegName -ne $RegValue) {
    # Write-Host -f Cyan "Registry Not Like Value - needs updating"
    # -PropertyType DWord so the value is rewritten as a DWORD, not recreated as a string
    New-ItemProperty -Path $RegPath -Name $RegName -Value $RegValue -PropertyType DWord -Force
}
else {
    Write-Host -f Green "Already Set - must be fine"
}

(future note to self…)

There may be an extra step needed in some cases:
Get-NetConnectionProfile may be needed, using ‘Interface Name’ as the name to match in the registry and ‘Interface Alias’ as the user-facing name.
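As an added example (not one of the post's scripts), here is a detection script for an Intune detection/remediation pair that reports compliant (exit 0) only when the connection exists and its NetworkList profile is already Private; it assumes the same profile name as the scripts above and that the script runs as SYSTEM, as Intune scripts do.

```powershell
# Added example - not from the original post. Detection script for an Intune
# remediation: exit 0 = compliant, exit 1 = run the registry fix above.
# Assumption: the VPN profile name matches the two scripts above.
$vpnname = "My VPN (ps1)"
$ProfilesKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"
$RequiredCategory = 1   # 0 = Public, 1 = Private, 2 = Domain

# 1. The VPN connection itself. Running as SYSTEM, the current-user store is
#    SYSTEM's, so check the all-users store as well.
$conn = Get-VpnConnection -Name $vpnname -ErrorAction SilentlyContinue
if (-not $conn) {
    $conn = Get-VpnConnection -Name $vpnname -AllUserConnection -ErrorAction SilentlyContinue
}
if (-not $conn) {
    Write-Host "$vpnname connection not found"
    exit 1
}

# 2. The NetworkList profile Windows created for it. It may not exist until the
#    VPN has been brought up at least once, so report non-compliant until then.
#    ($netProfile rather than $profile - $profile is a PowerShell automatic variable.)
$netProfile = Get-ChildItem -Path $ProfilesKey |
              Get-ItemProperty |
              Where-Object { $_.ProfileName -eq $vpnname } |
              Select-Object -First 1
if (-not $netProfile) {
    Write-Host "No NetworkList profile yet for $vpnname"
    exit 1
}

# 3. Category must already be the required value.
if ($netProfile.Category -ne $RequiredCategory) {
    Write-Host "$vpnname is Category $($netProfile.Category), expected $RequiredCategory"
    exit 1
}

Write-Host "$vpnname present and Category $RequiredCategory"
exit 0
```

Pair this with the registry script above as the remediation, and change $RequiredCategory to 2 if the connection should be Domain instead.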
