VPN_Profile_DeviceTunnel.ps1

# NOTES
# And sorry... you will have to do a find and replace as this script was created very quickly and a lot of items are hard-coded.
#
# Change "COMPANYNAME" to your company name.
# Change your routes and traffic filter ranges (I used random ones below).
# Change your server(s) list.
# Change trusted network detection domain.
# Make any other desired changes to $ProfileXML variable.

###################################

# Set Version of Settings. Increase the version number to redeploy updates.
$VPNVersion = "1.0"

# Check if already updated to latest version
if ($null -eq (Get-ItemProperty -Path "HKLM:\Software\COMPANYNAME\AlwaysOnVPN" -Name $VPNVersion -ErrorAction SilentlyContinue))
{
  Write-Host "Latest Version Not Installed. Will attempt to install..."
}
else
{
  Write-Host "Latest Version Already Installed. Exiting..."
  Exit
}

$ProfileName = 'COMPANYNAME Device AlwaysOn VPN'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

$ProfileXML = '
<VPNProfile>
  <NativeProfile>
    <Servers>ao.COMPANYNAME.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>172.16.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <Route>
    <Address>172.17.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <TrafficFilter>
    <RemoteAddressRanges>172.16.0.0/16,172.17.0.0/16</RemoteAddressRanges>
  </TrafficFilter>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>COMPANYNAME.org</TrustedNetworkDetection>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
'

$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'

$nodeCSPURI = './Vendor/MSFT/VPNv2'
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_VPNv2_01"

$session = New-CimSession
try
{
  $deleteInstances = $session.EnumerateInstances($namespaceName, $className)
  foreach ($deleteInstance in $deleteInstances)
  {
    $InstanceId = $deleteInstance.InstanceID
    if ("$InstanceId" -eq "$ProfileNameEscaped")
    {
      $session.DeleteInstance($namespaceName, $deleteInstance)
      $Message = "Removed $ProfileName profile $InstanceId"
      Write-Host "$Message"
    }
    else
    {
      $Message = "Ignoring existing VPN profile $InstanceId"
      Write-Host "$Message"
    }
  }
}
catch [Exception]
{
  $Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_"
  Write-Host "$Message"
  exit
}

try
{
  $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
  $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
  $newInstance.CimInstanceProperties.Add($property)
  $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
  $newInstance.CimInstanceProperties.Add($property)
  $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
  $newInstance.CimInstanceProperties.Add($property)

  $session.CreateInstance($namespaceName, $newInstance)

  # COMPANYNAME EDIT TO TRACK VERSION INSTALLS FOR DEPLOYMENT SCRIPT
  if (-not (Test-Path "HKLM:\Software\COMPANYNAME\AlwaysOnVPN"))
  {
    New-Item -Path "HKLM:\Software\COMPANYNAME\AlwaysOnVPN" -Force
  }
  Set-ItemProperty -Path "HKLM:\Software\COMPANYNAME\AlwaysOnVPN" -Name $VPNVersion -Value $(Get-Date -Format "yyyy-MM-dd-HHmmss")

  $Message = "Created $ProfileName profile."
  Write-Host "$Message"
}
catch [Exception]
{
  $Message = "Unable to create $ProfileName profile: $_"
  Write-Host "$Message"
  exit
}

$Message = "Complete."
Write-Host "$Message"