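<#
# It is recommended to test the script on a local machine for its purpose and effects.
# ManageEngine Desktop Central will not be responsible for any
# damage/loss to the data/setup based on the behavior of the script.
# Description: Script to create a L2TP/IPSec with pre-shared key VPN Profile
# Parameters: "Profile_Name" "DnsSuffix" "ServerAddress" "l2tppsk"
# Remarks: The script has to be deployed as Computer Configuration
# Configuration Type - Computer
#
# Security notes (review):
#  - The pre-shared key arrives as a plain command-line argument, so it is visible
#    in process listings and in the deployment tool's job/parameter logs. Keep the
#    deployment configuration access-controlled and never echo $L2tpPsk.
#  - All four arguments are embedded verbatim in an XML document (ProfileXML).
#    Values containing XML markup characters are rejected below rather than
#    escaped: the document-level escaping required by the WMI-to-CSP bridge is
#    applied to the whole string afterwards, so markup inside a value would be
#    treated exactly like the script's own tags.
#  - Every failure path now exits with a non-zero code so the deployment tool can
#    report it instead of treating a half-applied run as success.
#>

# Fail closed on values that would be parsed as XML markup once embedded in ProfileXML.
function Test-PlainXmlText {
    param(
        [string]$Name,   # parameter name, for the error message only
        [string]$Value   # raw argument value
    )
    if ($Value -match '[<>&]') {
        Write-Host "Parameter '$Name' must not contain the characters < > or &."
        exit 1
    }
}

if ($args.Count -ne 4) {
    Write-Host "Please provide all 4 required parameters."
    exit 1
}

# Configuration Parameters
$ProfileName   = $args[0]
$DnsSuffix     = $args[1]
$ServerAddress = $args[2]
$L2tpPsk       = $args[3]

Test-PlainXmlText -Name 'Profile_Name'  -Value $ProfileName
Test-PlainXmlText -Name 'DnsSuffix'     -Value $DnsSuffix
Test-PlainXmlText -Name 'ServerAddress' -Value $ServerAddress
Test-PlainXmlText -Name 'l2tppsk'       -Value $L2tpPsk

#
# Build client VPN profile
# https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp
#

# The profile name doubles as the CSP node (InstanceID). Only spaces are
# percent-encoded here, as in the original; other reserved characters are
# passed through unchanged.
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# Define VPN Profile XML.
# NOTE(review): the element names follow the VPNv2 CSP schema linked above
# (VPNProfile / NativeProfile); confirm against the originally deployed copy.
# RememberCredentials=true caches the user's VPN credentials on the device —
# set it to false if local policy forbids cached credentials.
$ProfileXML = @"
<VPNProfile>
  <RememberCredentials>true</RememberCredentials>
  <DnsSuffix>$DnsSuffix</DnsSuffix>
  <NativeProfile>
    <Servers>$ServerAddress</Servers>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
    <NativeProtocolType>l2tp</NativeProtocolType>
    <L2tpPsk>$L2tpPsk</L2tpPsk>
  </NativeProfile>
</VPNProfile>
"@

# Convert ProfileXML to the escaped form the WMI-to-CSP bridge expects
# (the whole document is carried as a string property value).
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

# In case we are running this from the SYSTEM account get the SID of the currently
# logged in user, so the profile is created in that user's context.
# https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections
try {
    # UserName is $null when nobody is logged on interactively; NTAccount then
    # throws and we land in the catch below, as before.
    $loggedOnUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    $account      = New-Object System.Security.Principal.NTAccount($loggedOnUser)
    $SidValue     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
catch [Exception] {
    Write-Host "Unable to get user SID. User may be logged on over Remote Desktop"
    exit 1
}

# Define WMI-to-CSP Bridge Properties
$nodeCSPURI    = './Vendor/MSFT/VPNv2'
$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'

# Define WMI Session, scoped to the logged-on user's SID.
$session = New-CimSession
$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$options.SetCustomOption("PolicyPlatformContext_PrincipalContext_Type", "PolicyPlatform_UserContext", $false)
$options.SetCustomOption("PolicyPlatformContext_PrincipalContext_Id", "$SidValue", $false)

try {
    # Detect and Delete Previous VPN Profile with the same InstanceID.
    try {
        $existing = $session.EnumerateInstances($namespaceName, $className, $options)
        foreach ($instance in $existing) {
            if ("$($instance.InstanceID)" -eq "$ProfileNameEscaped") {
                $session.DeleteInstance($namespaceName, $instance, $options)
                Write-Host "Removed '$ProfileName' profile"
            }
        }
    }
    catch [Exception] {
        Write-Host "Unable to remove existing outdated instance(s) of $ProfileName profile: $_"
        exit 1
    }

    #
    # Create VPN Profile
    #
    try {
        $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
        $keyProps = @(
            [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   "$nodeCSPURI",         'String', 'Key'),
            [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', "$ProfileNameEscaped", 'String', 'Key'),
            [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', "$ProfileXML",         'String', 'Property')
        )
        foreach ($prop in $keyProps) {
            $newInstance.CimInstanceProperties.Add($prop)
        }
        $session.CreateInstance($namespaceName, $newInstance, $options) | Out-Null
        Write-Host "Created '$ProfileName' profile."
    }
    catch [Exception] {
        # $_ is the CIM error text; the PSK itself is not part of it, but do not
        # extend this message with $ProfileXML.
        Write-Host "Unable to create $ProfileName profile: $_"
        exit 1
    }
}
finally {
    # Release the CIM session on every path (the original never closed it).
    Remove-CimSession -CimSession $session -ErrorAction SilentlyContinue
}

# Create registry key to allow connections to an MX behind NAT (Error 809).
# NOTE(review): value 2 allows both the server and the client to sit behind a
# NAT device (1 restricts this to the server side); this is a machine-wide
# IPsec setting and, per Microsoft guidance, takes effect after a restart.
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent `
    -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -PropertyType DWORD -Force | Out-Null

# Create a desktop shortcut for all users that opens the RAS phonebook.
# The icon path is hard-coded; if the .ico is absent the shortcut still works
# with a default icon.
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut("$env:Public\Desktop\CG VPN.lnk")
$Shortcut.TargetPath   = "rasphone.exe"
$Shortcut.IconLocation = "C:\DRIVERS\cgivpnlogob.ico"
$Shortcut.Save()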