After deploying or upgrading to Windows 10 1903, administrators may find that Windows 10 Always On VPN connections fail to establish successfully. Always On VPN connections continue to work for Windows 10 1809 and earlier clients, however.
Important Note: The issue described in this article has been addressed in KB4505903 (build 18362.267) released July 26, 2019.
RasMan Event Log Errors
When this occurs, the application event log contains an error with Event ID 1000 that includes the following information.
“Faulting application name: svchost.exe_RasMan…”, “Faulting module name: rasmans.dll”, and “Exception code: 0xc0000005”
Root Cause
RasMan failures can occur in Windows 10 1903 clients when telemetry is disabled via group policy or the registry. Microsoft has identified the issue and is currently working on a fix.
Workaround
As a temporary workaround to restore Always On VPN connectivity, enable telemetry on Windows 10 1903 using Active Directory or local group policy, the local registry, or PowerShell.
Group Policy
Create a new GPO or edit an existing one by opening the group policy management console (gpmc.msc) and performing the following steps.
1. Expand Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds
2. Double-click Allow Telemetry.
3. Select Enabled.
4. Choose 1-Basic, 2-Enhanced, or 3-Full (do not select 0-Security).
5. Click OK.
Registry
Telemetry can also be enabled locally by opening the registry editor (regedit.exe) and modifying the following registry setting.
HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry DWORD = 1
Note: The AllowTelemetry value can be removed entirely, if desired.
PowerShell
PowerShell can also be used to modify or remove the AllowTelemetry value on Windows 10 1903 clients. Run the following PowerShell command to update the AllowTelemetry setting.
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\' -Name AllowTelemetry -PropertyType DWORD -Value 1 -Force
Optionally, run the following PowerShell command to remove the AllowTelemetry setting entirely.
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\' -Name AllowTelemetry
Service Restart Required
Once these changes have been made, restart the Remote Access Connection Manager service (RasMan) using the Services management console (services.msc) or by running the following PowerShell command.
Restart-Service RasMan -PassThru
Optionally, the client can be rebooted to apply these changes.
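The following check is an added example, not part of the original article: it reports whether a client matches the conditions described above (Windows 10 1903 below build 18362.267, telemetry disabled by policy, RasMan crashes in the application event log), so the workaround can be scoped to affected machines and reverted once KB4505903 is installed. It assumes that an AllowTelemetry value of 0 is the "disabled" state, that Event ID 1000 is logged by the Application Error provider, and that a 7-day look-back window is sufficient.

```powershell
# Added example: read-only check for the RasMan crash conditions described in this article.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$cvPath     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# OS build and update revision (for example 18362.267).
$cv    = Get-ItemProperty -Path $cvPath
$build = [int]$cv.CurrentBuild
$ubr   = [int]$cv.UBR

# Windows 10 1903 is build 18362; the article states the fix shipped in 18362.267.
$unpatched1903 = ($build -eq 18362) -and ($ubr -lt 267)

# Policy value; $null when AllowTelemetry is not configured.
$telemetry = (Get-ItemProperty -Path $policyPath -Name AllowTelemetry `
    -ErrorAction SilentlyContinue).AllowTelemetry

# Assumption: 0 (Security) is the "telemetry disabled" state that triggers the crash.
$telemetryDisabled = ($null -ne $telemetry) -and ($telemetry -eq 0)

# Event ID 1000 entries in the Application log that name rasmans.dll as the faulting module.
# The 7-day window is an arbitrary choice for this example.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-7)
}
$crashes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'rasmans\.dll' })

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Build             = "$build.$ubr"
    AllowTelemetry    = if ($null -eq $telemetry) { '(not set)' } else { $telemetry }
    Unpatched1903     = $unpatched1903
    TelemetryDisabled = $telemetryDisabled
    RasManCrashes7d   = $crashes.Count
    RasManStatus      = (Get-Service -Name RasMan).Status
    LikelyAffected    = $unpatched1903 -and $telemetryDisabled
}
```

A client reporting LikelyAffected as False but still logging RasMan crashes points to a different cause than the one covered here.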
Additional Information
Karsten Hentrup
/ July 3, 2019
OMG, this information saved me today, got this error in one customer installation. Thx for sharing, I also saw the Microsoft article, but apparently didn’t remember…
Richard M. Hicks
/ July 3, 2019
Great to hear! 🙂
Paul Maranzano
/ July 3, 2019
Has anyone noticed any differences between the aggressiveness of autodial with Always On VPN between 1803 and above? We’re noticing 1809 and 1903 both hit and miss with regards to auto dialing once going off a trusted network. Where 1803 is very aggressive with dialing. Even on an 1803 machine on a non-trusted network, once you disconnect from the VPN it will instantly connect again,
Louis
/ July 10, 2019
I seem to be having a bit of a different issue and it looks like it is 1903 as all other versions can connect. The DA client connects and then immediately disconnects (I can get 1 successful ping of a server on our network)
Client complains about not being able to bind IPv6 and in the DA server logs, there is an schannel error stating that a client doesn’t have the right ciphers for TLS 1.2. I’ve checked with IIS Crypto tool and they match. This is only happening on 1903
Richard M. Hicks
/ July 14, 2019
That’s very odd. It certainly could be another issue specific to 1903, although I’m not aware of anything other than the RasMan error at this time. I’d suggest opening a support case with Microsoft to have them look at it. Perhaps they are aware of this and have a workaround or fix for the problem.
louis mills
/ July 15, 2019
Took the clients back to a vanilla 1803 and they worked. Did an upgrade to 1903 and the same error so definitely something in 1903.
Richard M. Hicks
/ July 15, 2019
Sure sounds like it. Let me know if you open a support case with Microsoft and if they provide any insight on the issue.
Allan M
/ August 9, 2019
We had telemetry enabled already, but still cannot get A.O VPN to connect after updating to 1903. Have not tried our DA setup yet, but I will test that too and report back :-/
Richard M. Hicks
/ August 13, 2019
Keep me posted!