
(125) Microsoft Intune - Win32 App L2TP Preshared key

  • Writer: Mr B SOE way
  • May 13, 2024
  • 1 min read

A customer wanted to deploy an L2TP VPN with a preshared key to their devices via Microsoft Intune. Microsoft's background on configuring a preshared key for L2TP can be found here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/configure-preshared-key-to-use-l2tp. The customer provided me with a batch file and a PowerShell script that had previously been deployed from their SCCM infrastructure.


To make sure it is detected correctly as a Win32 app, I packaged it up with the following install script, detection script and uninstall command:


## -- Install script: create the L2TP connection and enable NAT-T (UDP encapsulation) support
Add-VpnConnection -Name "VPN" -ServerAddress sub.servername.com -TunnelType L2tp -RememberCredential -L2tpPsk EnterPreSharedKey -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum -Force
Write-Host "VPN Connection added"
 
# Store path to registry key
$basePath = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\"
 
# Check if property exists (Get-ItemProperty returns $null when the value is missing)
if (-not(Get-ItemProperty -Name 'AssumeUDPEncapsulationContextOnSendRule' -Path $basePath -ErrorAction SilentlyContinue)){
    # If it doesn't exist, create it and set the value to 2 (allow L2TP/IPsec when both client and server are behind NAT)
    New-ItemProperty -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType dword -Value 2 -Path $basePath
} else {
    # If it does exist, set the value to 2
    Set-ItemProperty -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -Path $basePath
}
 
Write-Host "Regedit Done [VPN Added]"
## -- Detection script: Intune treats output on stdout plus exit code 0 as "installed"
$Path = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
$Name = "AssumeUDPEncapsulationContextOnSendRule"
$Value = 2
 
Try {
    # -ErrorAction Stop turns a missing value into an exception handled by the Catch block
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    If ($Registry -eq $Value){
        Write-Output "Detected"
        Exit 0
    }
    # Value present but not 2: report "not installed"
    Exit 1
}
Catch {
    # Key or value missing: report "not installed"
    Exit 1
}

## -- Uninstall command: remove registry key for L2TP communications support via double NAT
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Force

Wrap this up as a Win32 app package with the install behaviour set to "User" context, and assign it to "All users".
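The detection script above only looks at the registry value, so Intune would report the app as installed even if `Add-VpnConnection` had failed (a wrong PSK parameter, a typo in the server name, or a previous run that only got as far as the registry write). The following is an added example, not the original post's script, of a detection script that checks both halves of the deployment: the per-user VPN connection via `Get-VpnConnection` and the PolicyAgent DWORD. The connection name "VPN" and server "sub.servername.com" are taken from the post; the function names are my own.

```powershell
# Added example: Intune Win32 detection script that verifies both the
# per-user L2TP connection and the PolicyAgent NAT-T registry value.
# Values below are taken from the post; function names are illustrative.

$ConnectionName = "VPN"
$ExpectedServer = "sub.servername.com"
$RegPath        = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
$RegName        = "AssumeUDPEncapsulationContextOnSendRule"
$ExpectedValue  = 2

function Test-L2tpVpnConnection {
    param([string]$Name, [string]$Server)
    # Get-VpnConnection throws when the name is unknown, so suppress the error
    # and test for $null. Without -AllUserConnection this reads the current
    # user's phonebook, which matches a "User" context Win32 install.
    $vpn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $vpn) { return $false }
    return ($vpn.TunnelType -eq 'L2tp' -and $vpn.ServerAddress -eq $Server)
}

function Test-NatTraversalValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    try {
        # -ErrorAction Stop makes a missing key or value land in the catch block
        $value = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop |
                 Select-Object -ExpandProperty $Name
        return ($value -eq $Expected)
    } catch {
        return $false
    }
}

$vpnOk = Test-L2tpVpnConnection -Name $ConnectionName -Server $ExpectedServer
$regOk = Test-NatTraversalValue -Path $RegPath -Name $RegName -Expected $ExpectedValue

if ($vpnOk -and $regOk) {
    # Intune requires something on stdout AND exit code 0 to count as "installed"
    Write-Output "Detected"
    exit 0
}

# Output on the failing path is ignored by Intune, but it is useful when reading
# the Intune Management Extension log on the device.
Write-Output ("Not detected (vpn={0}, registry={1})" -f $vpnOk, $regOk)
exit 1
```

Two points worth keeping in mind when using this. First, the registry value lives under HKLM:\SYSTEM, which a standard user cannot write, so the install script's registry step only succeeds when the user-context install runs with local administrator rights; checking the VPN connection as well makes a half-applied install visible instead of silently "Detected". Second, the uninstall command in the post removes only the registry value; to make uninstall symmetric with install, add `Remove-VpnConnection -Name "VPN" -Force` alongside `Remove-ItemProperty` so the connection (and the preshared key stored with it) is removed too.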


End result: the VPN profile is deployed to the device.