Intune Always On VPN (AOVPN) deployment and changing Interface Metric

I am testing the deployment of AOVPN using Intune. I am using the GUI VPN profile in Intune and deploying a machine tunnel only. We have a split DNS setup, so I need to alter the Interface metric of the VPN connection. I have followed the guidance here:

https://directaccess.richardhicks.com/2023/09/25/always-on-vpn-and-interface-metrics/

Using the PowerShell script, I can successfully change the metric. The issue I am having is that anytime a sync happens with Intune, the metric resets to the default of 0. Has anyone else come across this?

This is a known issue with Windows 11 when using XML.

https://directaccess.richardhicks.com/2023/10/09/always-on-vpn-disconnects-in-windows-11/

I’ve had some success resolving this issue by ensuring the order of elements in the XML file is exactly as Intune expects. However, sometimes this doesn’t work. The other option is to use the native Intune device policy template and update the settings post-deployment using a remediation script. I have sample scripts for that here.

https://github.com/richardhicks/endpointmanager/
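As an added example, not code from this thread or from the linked repository, here is one way to build the remediation approach described above: a single PowerShell script that is deployed twice as an Intune detection/remediation pair (once as written, once with `-Remediate`) so that the device-tunnel interface metric is put back whenever an Intune sync resets it. The profile name and metric value are placeholders, and it assumes the tunnel interface is present (the RAS interface only exists while the connection is up), so it reports "nothing to do" when the tunnel is disconnected rather than failing.

```powershell
<#
  Added example (not from the thread or the linked repository): a script that
  can serve as both halves of an Intune remediation pair for keeping an
  Always On VPN device-tunnel interface metric at a chosen value.

  Assumptions (placeholders, not values taken from the thread):
    $ConnectionName - name of the Always On VPN device tunnel profile
    $DesiredMetric  - the interface metric you want on that interface

  Intune remediation semantics: the detection script exits 0 when compliant
  and 1 when remediation is needed; the remediation script exits 0 on success
  and 1 on failure. Run in the SYSTEM context, which is the Intune default.
#>
[CmdletBinding()]
param(
    [string]$ConnectionName = 'AOVPN Device Tunnel',   # placeholder profile name
    [int]$DesiredMetric = 1,                            # placeholder metric
    [switch]$Remediate
)

# Returns the IPv4 and IPv6 NetIPInterface objects for the VPN adapter, or
# nothing when the tunnel is not connected (the interface alias matches the
# VPN connection name once the tunnel is up).
function Get-AovpnInterface {
    param([string]$Name)
    Get-NetIPInterface -InterfaceAlias $Name -ErrorAction SilentlyContinue
}

# Detection: $true when every address family on the interface already has the
# desired metric, or when the tunnel is down and there is nothing to check.
function Test-AovpnInterfaceMetric {
    param([string]$Name, [int]$Metric)
    $ifaces = @(Get-AovpnInterface -Name $Name)
    if ($ifaces.Count -eq 0) {
        Write-Output "Interface '$Name' not present (tunnel not connected); nothing to check."
        return $true
    }
    $wrong = @($ifaces | Where-Object { $_.InterfaceMetric -ne $Metric })
    foreach ($i in $wrong) {
        Write-Output "$($i.AddressFamily) metric on '$Name' is $($i.InterfaceMetric), expected $Metric."
    }
    return ($wrong.Count -eq 0)
}

# Remediation: set the metric on both address families, then re-read it so the
# exit code reflects whether the change actually took effect.
function Set-AovpnInterfaceMetric {
    param([string]$Name, [int]$Metric)
    $ifaces = @(Get-AovpnInterface -Name $Name)
    if ($ifaces.Count -eq 0) {
        Write-Output "Interface '$Name' not present; cannot remediate while disconnected."
        return $false
    }
    $ifaces | Set-NetIPInterface -InterfaceMetric $Metric -ErrorAction Stop
    return (Test-AovpnInterfaceMetric -Name $Name -Metric $Metric)
}

if ($Remediate) {
    $ok = Set-AovpnInterfaceMetric -Name $ConnectionName -Metric $DesiredMetric
} else {
    $ok = Test-AovpnInterfaceMetric -Name $ConnectionName -Metric $DesiredMetric
}

if ($ok) { exit 0 } else { exit 1 }
```

Upload the file once as the detection script and once more as the remediation script with `-Remediate` appended to the command line. Because the metric only lives as long as the interface does, the remediation schedule should be frequent enough to run after a typical Intune sync; the detection half costs nothing when the value is already correct.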

I read that article as well as other similar ones that describe the profile overwrite issues. Most of them were from over a year ago (or older) and I made the incorrect assumption that Microsoft had fixed it by now. It’s kind of unbelievable they haven’t. I tried the XML order suggestion, but unfortunately that didn’t help. I am going to switch to deploying it with Group Policy using the PowerShell script on your GitHub.

Thank you for all of the amazing free content you have provided on this topic!! It has been instrumental in my successful deployment.

Yes, sadly, Microsoft hasn’t yet fixed this issue. I don’t expect they will if they haven’t at this point. :confused: