Troubleshooting VPN profile issues in Microsoft Intune

Applies to: Microsoft Intune


This guide helps you understand and troubleshoot VPN profile issues that you may encounter when you use Microsoft Intune.

The examples in this guide use SCEP certificate authentication for these profiles and assume that the Trusted Root and SCEP profiles work correctly on the device. In the examples, the Trusted Root and SCEP profiles are named as follows.

                      Android      iOS      Windows
Trusted Root profile  AndroidRoot  iOSRoot  WindowsRoot2
SCEP profile          AndroidSCEP  iOSSCEP  WindowsSCEP2

Overview of VPN profiles

Virtual private networks (VPNs) give your users secure remote access to your organization network. Devices use a VPN connection profile to start a connection with the VPN server. VPN profiles in Microsoft Intune assign VPN settings to users and devices in your organization so that they can easily and securely connect to your organizational network.

For example, you want to configure all iOS devices to have the required settings to connect to a file share on the organization network. You create a VPN profile that includes these settings. Then, you assign this profile to all users who have iOS devices. The users see the VPN connection in the list of available networks and can connect with minimal effort.

You can create VPN profiles by using different VPN connection types.

Note: Before you can use VPN profiles that are assigned to a device, you must install the applicable VPN app for the profile.

Creating VPN Profiles

To create a VPN profile, follow the steps in the "Create a device profile" section of the following Microsoft Docs article:

Create VPN profiles to connect to VPN servers in Intune

The Properties screen on the supported platforms resembles the following examples:

Note: In the examples, the connection type for the Android and iOS VPN profiles is Cisco AnyConnect, and the one for Windows 10 is Automatic. Also, the VPN profile is linked to the SCEP profile.

For more information about how to create an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile, see EAP configuration.

Assigning VPN Profiles

After you create the VPN profile, assign the profile to selected groups.

See the following Assignments screen examples.

What successful VPN profiles look like on your device

Entries in Company Portal logs of successful VPN profile deployment

Troubleshooting common issues

Issue 1: The VPN profile isn't deployed to the device

Issue 2: The VPN profile is deployed to the device, but the device can't connect to the network

Typically, this is not an Intune issue. There can be multiple causes of a connectivity issue. The following questions may help you understand and troubleshoot the issue:

  • Can you manually connect to the network with a certificate, using the same criteria that are specified in the VPN profile?

    If so, examine the properties of the certificate that you used in the manual connection, and make changes to the Intune VPN profile accordingly.
  • For Android and iOS devices, did the VPN client application logs show that the device tried to connect by using the VPN profile? Usually, connectivity errors are logged in the VPN client application logs.

    For Windows devices, did the RADIUS server log show that the device tried to connect by using the VPN profile? Usually, connectivity errors are logged in the RADIUS server log.

More information

If you’re still looking for a solution to a related problem, or if you want more information about Intune, post a question in our Microsoft Intune forum. Many support engineers, MVPs, and members of our development team visit the forums. So, there’s a good chance that you can find someone who has the information that you need.

If you want to open a support request with the Microsoft Intune Support team, see the following article:

How to get support for Microsoft Intune

For more information about VPN profiles in Microsoft Intune, see the following articles:

For all the latest news, information, and tech tips, visit our official blogs: