Always On VPN Unable to Create Profile General Error

When configuring a Windows 10 Always On VPN profile connection using the Microsoft-provided MakeProfile.ps1 PowerShell script or my PowerShell Always On VPN deployment script, the creation of a new connection may fail and the administrator may encounter the following error message.

Unable to create [connection name] profile: A general error occurred that is not covered by a more specific error code.


This error message is, of course, terribly ambiguous and gives the administrator no actionable information for resolving the problem, which makes troubleshooting somewhat challenging.

Probable Cause

In my experience, this error message is almost always related to a syntax error in ProfileXML. For example, to generate the error message above, my XML file included the following error.

[Image: ProfileXML excerpt showing the error]

In this example, the setting should be True or False. The setting “foo” is unrecognized and causes the ambiguous error message. It can also happen if mutually exclusive configuration settings are defined. For example, it can occur if the DisableClassBasedDefaultRoutes element is set to true when the RoutingPolicyType element is set to ForceTunneling.

Error Resolution

The only way to resolve this error is to ensure there are no configuration errors for any defined elements in ProfileXML. Review the file carefully for errors such as typos or elements that are out of place. Refer to the VPNv2 Configuration Service Provider (CSP) ProfileXML XSD for detailed syntax examples. In addition, I have some sample ProfileXML configuration files that can be used for reference on my GitHub page.

XML Format Validation

To ensure ProfileXML is properly formatted, it is recommended that an XML editor be used when generating or editing the configuration file. This will ensure that all defined elements are well-formed, and that all tags are properly closed. Use caution though, because some XML editors (including some popular online formatting tools) will insert XML version and encoding information at the beginning of the file. This information must be removed from ProfileXML prior to deployment.
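The checks described above can be run before deployment. The following is an added example, not part of MakeProfile.ps1 or the author's scripts; the function name Test-ProfileXml, the sample profile, the server name, and the choice of AlwaysOn as the element carrying "foo" are constructed for illustration, and the boolean element list is only a subset of the XSD.

```powershell
# Added example: pre-deployment lint for ProfileXML. Test-ProfileXml is a hypothetical helper.
function Test-ProfileXml {
    param([Parameter(Mandatory)][string]$Xml)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Some editors prepend <?xml ...?>; it must be removed from ProfileXML.
    if ($Xml.TrimStart().StartsWith('<?xml')) {
        $findings.Add('XML declaration present; remove it before deployment.')
    }

    # Well-formedness: unclosed or misplaced tags are reported by the parser.
    $doc = [System.Xml.XmlDocument]::new()
    try { $doc.LoadXml($Xml) }
    catch {
        $findings.Add("Not well-formed: $($_.Exception.Message)")
        return $findings
    }

    # Subset of elements that take true/false (assumption: extend from the XSD).
    $boolNames = 'AlwaysOn', 'RememberCredentials', 'DeviceTunnel', 'RegisterDNS',
                 'DisableClassBasedDefaultRoutes'
    foreach ($name in $boolNames) {
        foreach ($node in $doc.SelectNodes("//$name")) {
            $value = $node.InnerText.Trim()
            if ($value -notmatch '^(true|false)$') {
                $findings.Add("<$name> is '$value'; expected true or false.")
            }
        }
    }

    # Mutually exclusive pair named in the article.
    $routing = $doc.SelectSingleNode('//RoutingPolicyType')
    $noClass = $doc.SelectSingleNode('//DisableClassBasedDefaultRoutes')
    if ($null -ne $routing -and $null -ne $noClass -and
        $routing.InnerText.Trim() -eq 'ForceTunneling' -and
        $noClass.InnerText.Trim() -eq 'true') {
        $findings.Add('DisableClassBasedDefaultRoutes is true while RoutingPolicyType is ForceTunneling.')
    }
    return $findings
}

# Constructed sample containing both problems the article describes.
$sample = @'
<VPNProfile>
  <AlwaysOn>foo</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.net</Servers>
    <RoutingPolicyType>ForceTunneling</RoutingPolicyType>
    <DisableClassBasedDefaultRoutes>true</DisableClassBasedDefaultRoutes>
  </NativeProfile>
</VPNProfile>
'@
Test-ProfileXml -Xml $sample
```

An empty result means none of these specific checks fired; it does not replace a review against the full XSD.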

Additional Information

Windows 10 VPNv2 Configuration Service Provider (CSP) Reference

Windows 10 VPNv2 Configuration Service Provider (CSP) ProfileXML XSD Native Profile Examples

Windows 10 Always On VPN PowerShell Scripts and Sample ProfileXML Configuration Files on GitHub

Free Online XML Formatter

Windows 10 Always On VPN Hands-On Training Classes for 2019


22 Comments

  1. Colin

     /  January 21, 2019

    When I make changes to the profile script I usually copy the entire xml section to a new file in VS Code and then right click and select format document or something like that. It formats all the XML nicely, then I select all, and paste it over the XML code in the pshell script. Keeps the XML clean.

    • Fantastic tip! Thanks so much for sharing! I just recently started using Visual Studio Code for PowerShell myself. Didn’t realize it supported XML formatting like that! I’ve been using an online tool, but this is much better. Looks like it requires a plugin, but it’s free so that’s good. I’m definitely going to blog about this. I’m sure others could benefit from this too. 🙂

    • FYI, I’ve actually modified the PowerShell script that Microsoft provides to accept an XML file as an input parameter. That allows me to keep the XML configuration separate from the PowerShell code. You can download my scripts and sample XML files on my GitHub, here: https://github.com/richardhicks/aovpn. Enjoy!

      • Colin

         /  January 24, 2019

        I think I will do the same going forward.

        I modified the script to disconnect connected tunnels and remove existing profiles that have the same name prior to installing updated profiles. This is the only way I could find to deal with changes.

        We make changes to the profiles…X number of clients need to receive the changes. So the changes are saved and published via SCCM then the clients detect that there is an updated version of the profile via SCCM. The script then runs and disconnects, removes and replaces the profile but keeps the same name.

        I’ve also added an event log entry for when the profiles are installed so it can be searched/referenced with a version number of the profile. I added version numbers inside the profiles to track changes.

        Deploying with SCCM, the script gets cached on the client computer and can be executed/reinstalled offline by the user if something is wrong or they accidentally remove their user profile etc.

      • Sounds like you’ve got a good plan then! 🙂

  2. sebus

     /  March 4, 2019

    While the profile gets created, it takes absolutely NOTHING from specified .xml file, hence creating pretty blank VPN profile

  3. I have had exactly the same error in the past. In my case I was trying to recreate a VPN connection with the same name as one I had previously deleted – at least I *thought* I’d deleted it. It turned out that I had to remove all occurrences of it from the following registry key:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\{GUID}\device\default
    After deleting this I was immediately able to create the VPN connection without error.
    I hope that helps.

    • Daniel

       /  June 2, 2019

      This response was on point for me, Thank you for sharing 🙂

    • Michael Kennedy

       /  June 11, 2019

      Thanks Andy, this was helpful.

  4. sveken

     /  June 19, 2019

    I have this error when running it via SCCM,

    I have enabled transcript so I could get an output for why SCCM client wasn’t creating the VPN and this is the error,

    however if I open PowerShell and manually run the same command line SCCM runs then it works? So I don’t believe it’s a syntax error in this case?

    What else causes it?

    • If running the PowerShell script manually works fine I’d say there’s no issue with ProfileXML syntax. However, I would have no idea why SCCM would be failing. :/

    • Brian Steele

       /  November 21, 2021

      I have a similar issue with my Device Tunnel VPN script. It will successfully run under an admin account and generate the device tunnel. However if I try to run it under the SYSTEM account (using a scheduled task), I receive the unhelpful “A general error occurred that is not covered by a more specific error code.” I’m still trying to figure out why…

      • Can you run the script successfully as SYSTEM using Psexec?

      • Brian Steele

         /  November 21, 2021

        Nope- exactly the same error happens.

        I’ve gone over the XML over and over again and I can’t see anything in it that would cause the issue. And the script supposedly used to run without an issue several months ago to boot. This one really is a head-scratcher, and if it was truly a problem with the XML, why would it successfully run if I use an account with admin privs instead? The only thing that doesn’t happen when I run it with an admin account is the created profile is not available to all users.

      • Very strange. If you’d like to share your XML with me I’d be happy to have a look at it. If so, drop me a note directly and I’ll check it out.

      • Hi Brian, did you ever find a fix for this? We are seeing similar things: while testing Win11 for deployment we are running the PS script via psexec and it fails with “A general error occurred that is not covered by a more specific error code.” Run the same SCCM package against a Win10 box and the VPN installs fine. It’s bombing out of the PowerShell script at the
        $session.CreateInstance line with a CIM Exception

  5. John Gilbert

     /  December 13, 2019

    I came across this error and it turned out to be the ProfileName parameter which it did not like.
    It had the same name as the VPN DNS entry; I changed it to MyVPN and it was happy

  6. ColbY

     /  January 12, 2022

    We’ve deployed the AlwaysOnVPN via SCCM.
    Now, we are using Intune to deploy the VPN and point our routes, dns etc. to our VPN servers in the Azure Cloud in our custom xml profile.
    We encountered two errors in this particular case:
    1. In the SetupAllUsers.ps1 the $hive is empty. Therefore the appdata path cannot be found and used to edit the rasphone. This could be changed to:
    $username = Gwmi -Class Win32_ComputerSystem | select username
    $objuser = New-Object System.Security.Principal.NTAccount($username.username)
    $sid = $objuser.Translate([System.Security.Principal.SecurityIdentifier])
    $usersid=$sid.value
    $hive = get-itemproperty Registry::HKEY_Users\$usersid
    $regpath = join-path $hive.PSpath "\Volatile Environment"
    $item=get-itemproperty -Path $regpath
    $appdata = $item.APPDATA

    Apparently the powershell is running in a profile based system context which causes this issue.

    2. The much bigger issue we encountered is our XML. Apparently the format of the XML changed when we tried to deploy it via Intune. In order to get an updated XML, we manually configured a VPN, manually added a couple of configurations from our currently used VPN to the rasphone (such as routings, NRPT rules, DNS entries, trusted networks etc.) and exported the configuration XML from the wmiobject VPNv2_01:
    Get-WmiObject -Namespace root\cimv2\mdm\dmmap -Class MDM_VPNv2_01

    The new XML works with the SetupAllUsers.ps1 without issues and we were able to deploy our VPN.
