(How TO) Deploying IKEv2 with EAP-MSCHAPv2 in Domain with group policy



  • Bye Bye Shrewsoft!!!

    I am now able to deploy the native Windows VPN to any employee laptop without having to manually configure it!  I had to choose this over OpenVPN so that users could connect via VPN prior to logging into the PC.  This is very important for group policy to get applied and also for folder redirection sync!

    I created a group policy called DeployVPN

    I added the CRT (CA Certificate) to the following location:

    Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities

    This will add the certificate automatically to all machines that the GP applies to.  If you remove it, it will also be removed from the machines when you perform gpupdate /all; no reboot required.  This is great for updating the cert if you need to!

    After creating the VPN on 1 machine, browse to C:\ProgramData\Microsoft\Network\Connections\Pbk and copy the rasphone.pbk to a network share that has read capability from all machines.

    Within the same policy go to:

    Computer Configuration -> Preferences -> Windows Settings -> Files

    Select the source using UNC path (Location of the pbk file), and enter the following under Target: C:\ProgramData\Microsoft\Network\Connections\Pbk

    Apply gpupdate to all machines.  I use my RMM tool to do this, and the VPN is now available on all machines which are associated with this policy!

    BEWARE:  This will overwrite any VPNs which may be stored in this location!  For my purposes this is OK since users do not have other "all user" VPNs configured.  This does not overwrite the user-stored VPNs in the user's AppData folder.
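
The procedure above, as an added PowerShell example that is not part of the original post: it builds the all-user IKEv2 connection on the reference machine (which is what writes the rasphone.pbk that the GPO later copies) and then checks, on any targeted machine, that the CA landed in the machine Trusted Root store and that the all-user connection exists with the expected tunnel and authentication settings. The connection name, server FQDN and CA thumbprint are placeholders, and the use of EAP-MSCHAPv2 as the default EAP method when no EAP XML is supplied is an assumption.

```powershell
# Added example, not from the original post. Placeholders below must be replaced.
$VpnName      = 'CorpVPN'                      # placeholder connection name
$VpnServer    = 'vpn.example.com'              # placeholder FQDN; must match the server cert
$CaThumbprint = 'REPLACE_WITH_CA_THUMBPRINT'   # placeholder; thumbprint of the deployed CA cert
$AllUserPbk   = 'C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk'

function New-CorpVpnProfile {
    # -AllUserConnection writes the entry into the ProgramData phonebook (the file
    # the GPO copies), so it is usable at the logon screen before a user signs in.
    # Assumption: with -AuthenticationMethod Eap and no -EapConfigXmlStream,
    # Windows applies its default EAP method, EAP-MSCHAPv2.
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer `
        -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
        -AllUserConnection -RememberCredential -Force
}

function Test-CorpVpnDeployment {
    # Returns a hashtable of checks; any $false means the GPO did not fully apply.
    $result = @{}

    # 1. The CA that signed the VPN server certificate must be in the machine
    #    Trusted Root store; without it the client cannot validate the server,
    #    and MSCHAPv2 credentials could be offered to an impostor gateway.
    $ca = Get-ChildItem -Path Cert:\LocalMachine\Root |
          Where-Object { $_.Thumbprint -eq $CaThumbprint }
    $result.CaTrusted = [bool]$ca

    # 2. The all-user phonebook landed where GP Preferences was told to put it.
    $result.PbkPresent = Test-Path -Path $AllUserPbk

    # 3. The connection exists in the all-user scope with the expected settings.
    $conn = Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue
    $result.ConnectionPresent = [bool]$conn
    $result.IsIkev2   = [bool]($conn -and ($conn.TunnelType -eq 'Ikev2'))
    $result.UsesEap   = [bool]($conn -and ($conn.AuthenticationMethod -contains 'Eap'))
    $result.ServerOk  = [bool]($conn -and ($conn.ServerAddress -eq $VpnServer))
    $result.Encrypted = [bool]($conn -and ($conn.EncryptionLevel -eq 'Required'))

    return $result
}

# On the reference machine:   New-CorpVpnProfile
# On any deployed machine:    Test-CorpVpnDeployment | Format-Table -AutoSize
```

Run the check as an elevated user after gpupdate; a $false on CaTrusted with everything else $true is the case to watch for, since the connection will appear but authentication will fail or, worse, not be validating the server.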



  • Worked perfectly! Thank you.