Always On VPN Part 4 – Deploy

Always On VPN Part 4 – Deploy

10 June 2023 Windows 0

In order to create an installation package, please follow these steps:

  1. Ensure that the required Root Certification Authority certificates are installed on the workstations. In an Active Directory (AD) environment, this step is usually not necessary.
  2. Replace the Root-CA.cer file with the correct certificate issued by the certification authority for establishing the VPN connection.
  3. In the EAP-Config-UserTunnel.xml file, replace the string “XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX” with the fingerprint from the certificate mentioned in step 2. You can also generate the fingerprint as described in the previous posts.
  4. In the Install-AlwaysOnVPN.ps1 file, replace the FQDN “” with the correct VPN gateway address.
  5. The task schedule files included in the installation package are examples. To use them, remove the “#” character from the appropriate section in the installation file.
  6. It is recommended to digitally sign all the script files used with a certificate from the local certification authority. You can learn more about signing scripts in the Microsoft Learn article about Signing in PowerShell.

Implementation based on WSUS Packet Publisher:

The necessary files for creating the installation package can be downloaded from this location. Please note that antivirus programs might detect the package as a virus due to its nature.

The presented solution enables the creation of custom application packages through the Windows Update service. This solution is free, and more information can be found on the GitHub page: GitHub – DCourtel/Wsus_Package_Publisher: Publish third-party applications into your WSUS.


To deploy the custom installation package, follow these steps:

In the WSUS Package Publisher, select the “Updates” node and click on “Create a Custom Update” in the Actions pane.

  • In the next window, select “Execute > Run PowerShell Script.” In the “Path to the file” field, enter the name of the executable file, which in this case is “Install-AlwaysOnVPN.ps1.”
  • In the following step, indicate all the files required to create the package. Specify all the files contained in the attached archive.
  • Provide a package description and set Return Code 0 as “Succeeded.”
  • Configure when the package should be delivered by the WSUS service. Choose the parameter that should be checked to determine if the update is already installed. Various options are available, but in this case, the option to check if the specified file exists has been selected.
  • Before finalizing the process, define the conditions that must be met for the update to be available. In this case, select “Product Type: Workstation.”
  • At this stage, specify the WSUS group to which the update should be available.

From now on, the update will be available for the specified computers through WSUS.


Leave a Reply

Your email address will not be published. Required fields are marked *