Windows ICD package for VPN Provisioning keeps failing

    Question

  • I've been trying for days to provision a simple IKEv2 EAP VPN profile using Windows ICD (1607 version) without success.

    It seems there's something broken with the VPNv2 CSP provider and the packages created with Windows ICD, because I've successfully been able to deploy certificates and EAP-TLS WiFi settings with an EAP blob with the very same tool, but VPN seems to fail no matter the settings I'm using. I tried a dummy, as-simple-as-possible MSCHAP-V2 VPN, but still no luck. Maybe I'm doing something wrong; unfortunately the documentation regarding ICD is really scarce.

    Debugging the installation process with the DeviceManagement-Enterprise-Diagnostic-Provider as per this article returns no logs while installing the package. It seems like the CSP provider isn't called at all. Logs are successfully shown when installing other working packages for certificates and WLAN.

    I've tried with different Windows 10 editions (Pro, Mobile and a fresh VM Enterprise trial edition), all 1607 with the latest update, and it always fails.

    The error is generic, as shown below (IDs are different from the XML configuration file because I made several attempts, but the result is always the same).

    This is the customization.xml file generated with ICD (personal information and EAP blob removed).

    <?xml version="1.0" encoding="utf-8"?>
    <WindowsCustomizations>
      <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
        <ID>{6496f1bf-8a12-4ad9-a0ea-b2c49ad2fea7}</ID>
        <Name>Vpn</Name>
        <Version>1.0</Version>
        <OwnerType>ITAdmin</OwnerType>
        <Rank>0</Rank>
        <Notes></Notes>
      </PackageConfig>
      <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
        <Customizations>
          <Common>
            <ConnectivityProfiles>
              <VPN>
                <VPNSetting>
                  <VPNConfig VPNProfileName="Home" Name="Home">
                    <VPNSettings>
                      <AlwaysOn>True</AlwaysOn>
                      <AuthenticationMachineMethod>EAP</AuthenticationMachineMethod>
                      <AuthenticationUserMethod>EAP</AuthenticationUserMethod>
                      <DnsSuffix></DnsSuffix>
                      <LockDown>False</LockDown>
                      <NativeProtocolType>IKEv2</NativeProtocolType>
                      <ProfileType>Native</ProfileType>
                      <RememberCredentials>True</RememberCredentials>
                      <RoutingPolicyType>Split Tunnel</RoutingPolicyType>
                      <Server>home.domain.com</Server>
                    </VPNSettings>
                  </VPNConfig>
                </VPNSetting>
              </VPN>
            </ConnectivityProfiles>
          </Common>
        </Customizations>
      </Settings>
    </WindowsCustomizations>

    Has anyone successfully deployed VPN settings with ICD? I need them to configure a Windows 10 Mobile VPN with split tunnels and custom routes, which isn't possible using the standard Windows Mobile GUI.

    Thanks for help in advance.


    Homines, dum docent, discunt.


    • Edited by Alberto Semenzato Thursday, March 16, 2017 10:41 AM Added a note about different ids from config and screenshots.
    Thursday, March 16, 2017 10:39 AM
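
The log check described in the question, as an added example that is not part of the original post: it records a start time, waits while the package is installed, then pulls every event the DeviceManagement-Enterprise-Diagnostics-Provider channels logged since then. It assumes an elevated PowerShell session and that the full provider name below is the log the post abbreviates.

```powershell
# Added example (not from the thread): capture MDM/provisioning diagnostic
# events written while a provisioning package is being installed.
$provider = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider'

# Discover the provider's channels instead of hard-coding them. -Force also
# returns analytic/debug channels, which are disabled by default.
$logs = Get-WinEvent -ListLog "$provider/*" -Force -ErrorAction Stop
$logs | Format-Table LogName, LogType, IsEnabled, RecordCount -AutoSize

# Mark the start of the test window, then install the package by hand.
$start = Get-Date
Read-Host 'Install the .ppkg now, then press Enter' | Out-Null

$events = foreach ($log in ($logs | Where-Object IsEnabled)) {
    $filter = @{ LogName = $log.LogName; StartTime = $start }
    # Analytic and debug channels can only be read oldest-first.
    $oldest = $log.LogType -in 'Analytical', 'Debug'
    # "No events found" is reported as an error, so it is silenced here.
    Get-WinEvent -FilterHashtable $filter -Oldest:$oldest -ErrorAction SilentlyContinue
}

if (-not $events) {
    # Same observation as in the post: nothing was logged during the install.
    Write-Warning "No events on the enabled channels since $start."
} else {
    # Summary first: which channel logged what, at which level.
    $events | Group-Object LogName, LevelDisplayName |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # Then the full messages in time order.
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message |
        Format-List
}
```

Running it once with a package that installs correctly and once with the failing VPN package gives a side-by-side view of which channels stay silent.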

All replies

  • Dear Alberto,

    Please refer to this documentation and follow its guide to build your provisioning package.

    In my opinion, try to import a provisioning package.

    Create a provisioning package for Windows 10

    https://technet.microsoft.com/itpro/windows/deploy/provisioning-create-package

    Besides, check the ICD.log under c:\users\[your user account]\Documents\Windows Imaging and Configuration Designer (WICD)\[Project name]\ to see if you can find any hints.

    Regards


    Friday, March 17, 2017 1:51 AM
    Moderator
  • Hello Teemo,

    I've already followed the guide for creating a package (which, by the way, is really scarce), and if you read my post carefully, I've successfully provisioned certificates and WLAN settings with EAP-TLS already, and they work perfectly.

    Issues arise when I try to add VPN settings to the package (or create a dedicated new one for VPN settings). The package builds correctly, but fails to install on ANY device I tried: Win 10 Pro, Win 10 Ent, Win 10 Mobile, also freshly installed. All 1607, latest build.

    I also tried troubleshooting, but nothing is written in the DeviceManagement-Enterprise-Diagnostic-Provider debug log when I try to install the VPN package: it's like the VPN CSP is not even called to process the request. If I made a mistake, it's with the VPN settings; that's why I posted the full configuration.xml file. I honestly don't think this is related to the ICD itself, but I'll try to install it on a fresh VM with the latest build.

    FYI, the ICD log returns:

    3/16/2017 11:22:50 AM Info Project 'Vpn' created successfully and added to workspace

    If you have any other help or, even better, a working VPN package I can try, it would be a great help.


    Friday, March 17, 2017 7:19 AM
  • Anyone else having problems with VPN deployed through windows ICD?

    Saturday, March 25, 2017 8:00 AM
  • Yes, I'm having the same issue. This is the same behavior on 1803.
    Tuesday, May 15, 2018 10:34 PM