IntuneDeviceConfigurationVpnPolicyWindows10¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
AssociatedApps | Write | MSFT_MicrosoftGraphwindows10AssociatedApps[] | Associated Apps. This collection can contain a maximum of 10000 elements. | |
AuthenticationMethod | Write | String | Authentication method. Possible values are: certificate, usernameAndPassword, customEapXml, derivedCredential. | certificate , usernameAndPassword , customEapXml , derivedCredential |
ConnectionType | Write | String | Connection type. Possible values are: pulseSecure, f5EdgeClient, dellSonicWallMobileConnect, checkPointCapsuleVpn, automatic, ikEv2, l2tp, pptp, citrix, paloAltoGlobalProtect, ciscoAnyConnect, unknownFutureValue, microsoftTunnel. | pulseSecure , f5EdgeClient , dellSonicWallMobileConnect , checkPointCapsuleVpn , automatic , ikEv2 , l2tp , pptp , citrix , paloAltoGlobalProtect , ciscoAnyConnect , unknownFutureValue , microsoftTunnel |
CryptographySuite | Write | MSFT_MicrosoftGraphcryptographySuite | Cryptography Suite security settings for IKEv2 VPN in Windows10 and above | |
DnsRules | Write | MSFT_MicrosoftGraphvpnDnsRule[] | DNS rules. This collection can contain a maximum of 1000 elements. | |
DnsSuffixes | Write | StringArray[] | Specify DNS suffixes to add to the DNS search list to properly route short names. | |
EapXml | Write | String | Extensible Authentication Protocol (EAP) XML. (UTF8 encoded byte array) | |
EnableAlwaysOn | Write | Boolean | Enable Always On mode. | |
EnableConditionalAccess | Write | Boolean | Enable conditional access. | |
EnableDeviceTunnel | Write | Boolean | Enable device tunnel. | |
EnableDnsRegistration | Write | Boolean | Enable IP address registration with internal DNS. | |
EnableSingleSignOnWithAlternateCertificate | Write | Boolean | Enable single sign-on (SSO) with alternate certificate. | |
EnableSplitTunneling | Write | Boolean | Enable split tunneling. | |
MicrosoftTunnelSiteId | Write | String | ID of the Microsoft Tunnel site associated with the VPN profile. | |
OnlyAssociatedAppsCanUseConnection | Write | Boolean | Only associated Apps can use connection (per-app VPN). | |
ProfileTarget | Write | String | Profile target type. Possible values are: user, device, autoPilotDevice. | user , device , autoPilotDevice |
ProxyServer | Write | MSFT_MicrosoftGraphwindows10VpnProxyServer | Proxy Server. | |
RememberUserCredentials | Write | Boolean | Remember user credentials. | |
Routes | Write | MSFT_MicrosoftGraphvpnRoute[] | Routes (optional for third-party providers). This collection can contain a maximum of 1000 elements. | |
SingleSignOnEku | Write | MSFT_MicrosoftGraphextendedKeyUsage | Single sign-on Extended Key Usage (EKU). | |
SingleSignOnIssuerHash | Write | String | Single sign-on issuer hash. | |
TrafficRules | Write | MSFT_MicrosoftGraphvpnTrafficRule[] | Traffic rules. This collection can contain a maximum of 1000 elements. | |
TrustedNetworkDomains | Write | StringArray[] | Trusted Network Domains | |
WindowsInformationProtectionDomain | Write | String | Windows Information Protection (WIP) domain to associate with this connection. | |
ConnectionName | Write | String | Connection name displayed to the user. | |
CustomXml | Write | String | Custom XML commands that configures the VPN connection. (UTF8 encoded byte array) | |
ServerCollection | Write | MSFT_MicrosoftGraphvpnServer[] | List of VPN Servers on the network. Make sure end users can access these network locations. This collection can contain a maximum of 500 elements. | |
Description | Write | String | Admin provided description of the Device Configuration. | |
DisplayName | Key | String | Admin provided name of the device configuration. | |
Id | Write | String | The unique identifier for an entity. Read-only. | |
Assignments | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
Ensure | Write | String | Present ensures the policy exists, absent ensures it is removed. | Present , Absent |
Credential | Write | PSCredential | Credentials of the Admin | |
ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
AccessTokens | Write | StringArray[] | Access token used for authentication. |
MSFT_DeviceManagementConfigurationPolicyAssignments¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
dataType | Write | String | The type of the target assignment. | #microsoft.graph.groupAssignmentTarget , #microsoft.graph.allLicensedUsersAssignmentTarget , #microsoft.graph.allDevicesAssignmentTarget , #microsoft.graph.exclusionGroupAssignmentTarget , #microsoft.graph.configurationManagerCollectionAssignmentTarget |
deviceAndAppManagementAssignmentFilterType | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | none , include , exclude |
deviceAndAppManagementAssignmentFilterId | Write | String | The Id of the filter for the target assignment. | |
groupId | Write | String | The group Id that is the target of the assignment. | |
groupDisplayName | Write | String | The group Display Name that is the target of the assignment. | |
collectionId | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) |
MSFT_MicrosoftGraphWindows10AssociatedApps¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
AppType | Write | String | Application type. Possible values are: desktop, universal. | desktop , universal |
Identifier | Write | String | Identifier. |
MSFT_MicrosoftGraphCryptographySuite¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
AuthenticationTransformConstants | Write | String | Authentication Transform Constants. Possible values are: md5_96, sha1_96, sha_256_128, aes128Gcm, aes192Gcm, aes256Gcm. | md5_96 , sha1_96 , sha_256_128 , aes128Gcm , aes192Gcm , aes256Gcm |
CipherTransformConstants | Write | String | Cipher Transform Constants. Possible values are: aes256, des, tripleDes, aes128, aes128Gcm, aes256Gcm, aes192, aes192Gcm, chaCha20Poly1305. | aes256 , des , tripleDes , aes128 , aes128Gcm , aes256Gcm , aes192 , aes192Gcm , chaCha20Poly1305 |
DhGroup | Write | String | Diffie Hellman Group. Possible values are: group1, group2, group14, ecp256, ecp384, group24. | group1 , group2 , group14 , ecp256 , ecp384 , group24 |
EncryptionMethod | Write | String | Encryption Method. Possible values are: aes256, des, tripleDes, aes128, aes128Gcm, aes256Gcm, aes192, aes192Gcm, chaCha20Poly1305. | aes256 , des , tripleDes , aes128 , aes128Gcm , aes256Gcm , aes192 , aes192Gcm , chaCha20Poly1305 |
IntegrityCheckMethod | Write | String | Integrity Check Method. Possible values are: sha2_256, sha1_96, sha1_160, sha2_384, sha2_512, md5. | sha2_256 , sha1_96 , sha1_160 , sha2_384 , sha2_512 , md5 |
PfsGroup | Write | String | Perfect Forward Secrecy Group. Possible values are: pfs1, pfs2, pfs2048, ecp256, ecp384, pfsMM, pfs24. | pfs1 , pfs2 , pfs2048 , ecp256 , ecp384 , pfsMM , pfs24 |
MSFT_MicrosoftGraphVpnDnsRule¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
AutoTrigger | Write | Boolean | Automatically connect to the VPN when the device connects to this domain: Default False. | |
Name | Write | String | Name. | |
Persistent | Write | Boolean | Keep this rule active even when the VPN is not connected: Default False | |
ProxyServerUri | Write | String | Proxy Server Uri. | |
Servers | Write | StringArray[] | Servers. |
MSFT_MicrosoftGraphWindows10VpnProxyServer¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
BypassProxyServerForLocalAddress | Write | Boolean | Bypass proxy server for local address. | |
Address | Write | String | Address. | |
AutomaticConfigurationScriptUrl | Write | String | Proxy's automatic configuration script url. | |
Port | Write | UInt32 | Port. Valid values 0 to 65535 | |
AutomaticallyDetectProxySettings | Write | Boolean | Automatically detect proxy settings. | |
odataType | Write | String | The type of the entity. | #microsoft.graph.windows10VpnProxyServer , #microsoft.graph.windows81VpnProxyServer |
MSFT_MicrosoftGraphVpnRoute¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
DestinationPrefix | Write | String | Destination prefix (IPv4/v6 address). | |
PrefixSize | Write | UInt32 | Prefix size. (1-32). Valid values 1 to 32 |
MSFT_MicrosoftGraphExtendedKeyUsage¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Name | Write | String | Extended Key Usage Name | |
ObjectIdentifier | Write | String | Extended Key Usage Object Identifier |
MSFT_MicrosoftGraphVpnTrafficRule¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
AppId | Write | String | App identifier, if this traffic rule is triggered by an app. | |
AppType | Write | String | App type, if this traffic rule is triggered by an app. Possible values are: none, desktop, universal. | none , desktop , universal |
Claims | Write | String | Claims associated with this traffic rule. | |
LocalAddressRanges | Write | MSFT_MicrosoftGraphIPv4Range[] | Local address range. This collection can contain a maximum of 500 elements. | |
LocalPortRanges | Write | MSFT_MicrosoftGraphNumberRange[] | Local port range can be set only when protocol is either TCP or UDP (6 or 17). This collection can contain a maximum of 500 elements. | |
Name | Write | String | Name. | |
Protocols | Write | UInt32 | Protocols (0-255). Valid values 0 to 255 | |
RemoteAddressRanges | Write | MSFT_MicrosoftGraphIPv4Range[] | Remote address range. This collection can contain a maximum of 500 elements. | |
RemotePortRanges | Write | MSFT_MicrosoftGraphNumberRange[] | Remote port range can be set only when protocol is either TCP or UDP (6 or 17). This collection can contain a maximum of 500 elements. | |
RoutingPolicyType | Write | String | When app triggered, indicates whether to enable split tunneling along this route. Possible values are: none, splitTunnel, forceTunnel. | none , splitTunnel , forceTunnel |
VpnTrafficDirection | Write | String | Specify whether the rule applies to inbound traffic or outbound traffic. Possible values are: outbound, inbound, unknownFutureValue. | outbound , inbound , unknownFutureValue |
MSFT_MicrosoftGraphIPv4Range¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
LowerAddress | Write | String | Lower address. | |
UpperAddress | Write | String | Upper address. | |
CidrAddress | Write | String | IPv4 address in CIDR notation. Not nullable. | |
odataType | Write | String | The type of the entity. | #microsoft.graph.iPv4CidrRange , #microsoft.graph.iPv6CidrRange , #microsoft.graph.iPv4Range , #microsoft.graph.iPv6Range |
MSFT_MicrosoftGraphNumberRange¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
LowerNumber | Write | UInt32 | Lower number. | |
UpperNumber | Write | UInt32 | Upper number. |
MSFT_MicrosoftGraphVpnServer¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Address | Write | String | Address (IP address, FQDN or URL) | |
Description | Write | String | Description. | |
IsDefaultServer | Write | Boolean | Default server. |
Description¶
Intune Device Configuration Vpn Policy for Windows10
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource required the following permissions:
Delegated permissions¶
-
Read
- DeviceManagementConfiguration.Read.All
-
Update
- DeviceManagementConfiguration.ReadWrite.All
Application permissions¶
-
Read
- DeviceManagementConfiguration.Read.All
-
Update
- DeviceManagementConfiguration.ReadWrite.All
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
IntuneDeviceConfigurationVpnPolicyWindows10 'Example'
{
Assignments = @(
MSFT_DeviceManagementConfigurationPolicyAssignments{
deviceAndAppManagementAssignmentFilterType = 'none'
dataType = '#microsoft.graph.allLicensedUsersAssignmentTarget'
}
);
AuthenticationMethod = "usernameAndPassword";
ConnectionName = "Cisco VPN";
ConnectionType = "ciscoAnyConnect";
CustomXml = "";
DisplayName = "VPN";
DnsRules = @(
MSFT_MicrosoftGraphvpnDnsRule{
Servers = @('10.0.1.10')
Name = 'NRPT rule'
Persistent = $True
AutoTrigger = $True
}
);
DnsSuffixes = @("mydomain.com");
EnableAlwaysOn = $True;
EnableConditionalAccess = $True;
EnableDnsRegistration = $True;
EnableSingleSignOnWithAlternateCertificate = $False;
EnableSplitTunneling = $False;
Ensure = "Present";
ProfileTarget = "user";
ProxyServer = MSFT_MicrosoftGraphwindows10VpnProxyServer{
Port = 8081
BypassProxyServerForLocalAddress = $True
AutomaticConfigurationScriptUrl = ''
Address = '10.0.10.100'
};
RememberUserCredentials = $True;
ServerCollection = @(
MSFT_MicrosoftGraphvpnServer{
IsDefaultServer = $True
Description = 'gateway1'
Address = '10.0.1.10'
}
);
TrafficRules = @(
MSFT_MicrosoftGraphvpnTrafficRule{
Name = 'VPN rule'
AppType = 'none'
LocalAddressRanges = @(
MSFT_MicrosoftGraphIPv4Range{
UpperAddress = '10.0.2.240'
LowerAddress = '10.0.2.0'
}
)
RoutingPolicyType = 'forceTunnel'
VpnTrafficDirection = 'outbound'
}
);
TrustedNetworkDomains = @();
ApplicationId = $ApplicationId;
TenantId = $TenantId;
CertificateThumbprint = $CertificateThumbprint;
}
}
}
Example 2¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
IntuneDeviceConfigurationVpnPolicyWindows10 'Example'
{
Assignments = @(
MSFT_DeviceManagementConfigurationPolicyAssignments{
deviceAndAppManagementAssignmentFilterType = 'none'
dataType = '#microsoft.graph.allLicensedUsersAssignmentTarget'
}
);
AuthenticationMethod = "usernameAndPassword";
ConnectionName = "Cisco VPN";
ConnectionType = "ciscoAnyConnect";
CustomXml = "";
DisplayName = "VPN";
DnsRules = @(
MSFT_MicrosoftGraphvpnDnsRule{
Servers = @('10.0.1.10')
Name = 'NRPT rule'
Persistent = $True
AutoTrigger = $True
}
);
DnsSuffixes = @("mydomain.com");
EnableAlwaysOn = $True;
EnableConditionalAccess = $True;
EnableDnsRegistration = $True;
EnableSingleSignOnWithAlternateCertificate = $True; # Updated Property
EnableSplitTunneling = $False;
Ensure = "Present";
ProfileTarget = "user";
ProxyServer = MSFT_MicrosoftGraphwindows10VpnProxyServer{
Port = 8081
BypassProxyServerForLocalAddress = $True
AutomaticConfigurationScriptUrl = ''
Address = '10.0.10.100'
};
RememberUserCredentials = $True;
ServerCollection = @(
MSFT_MicrosoftGraphvpnServer{
IsDefaultServer = $True
Description = 'gateway1'
Address = '10.0.1.10'
}
);
TrafficRules = @(
MSFT_MicrosoftGraphvpnTrafficRule{
Name = 'VPN rule'
AppType = 'none'
LocalAddressRanges = @(
MSFT_MicrosoftGraphIPv4Range{
UpperAddress = '10.0.2.240'
LowerAddress = '10.0.2.0'
}
)
RoutingPolicyType = 'forceTunnel'
VpnTrafficDirection = 'outbound'
}
);
TrustedNetworkDomains = @();
ApplicationId = $ApplicationId;
TenantId = $TenantId;
CertificateThumbprint = $CertificateThumbprint;
}
}
}
Example 3¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
IntuneDeviceConfigurationVpnPolicyWindows10 'Example'
{
DisplayName = "VPN";
Ensure = "Absent";
ApplicationId = $ApplicationId;
TenantId = $TenantId;
CertificateThumbprint = $CertificateThumbprint;
}
}
}