Microsoft recently released an update for Windows 10 2004 that includes several important fixes for outstanding Windows 10 Always On VPN issues. KB4571744 (OS build 19041.488) addresses a number of problems Always On VPN administrators are facing today, including the following.
TPM
This update addresses an issue that prevented hash signing from working correctly with the Microsoft Platform Crypto Provider for Trusted Platform Module (TPM). This issue can occur when administrators configure Always On VPN to use Protected Extensible Authentication Protocol (PEAP) with client certificate authentication against a FortiGate security device, where the client certificate's private key is protected by the TPM.
Sleep/Hibernate
This update also addresses issues with Windows 10 Always On VPN failing to reconnect automatically when resuming from sleep or hibernate. I've written about issues with Always On VPN and sleep/hibernate in the past. This problem has plagued Always On VPN since its introduction, so let's hope this finally provides meaningful relief.
Certificate Authentication
When both the Always On VPN device tunnel and user tunnel are provisioned on a Windows 10 client, user tunnel connections may be authenticated with the machine certificate rather than EAP/PEAP. Such connections are not validated as intended: because the user never authenticates, the user tunnel can bypass configured NPS policies, MFA requirements, and conditional access rules. This update fixes this issue, restoring proper EAP/PEAP authentication for the user tunnel when the device tunnel is also provisioned.
Device and User Tunnel Coexistence
A bug introduced with Windows 10 2004 prevented a device tunnel and a user tunnel Always On VPN connection from being established to the same VPN server if the user tunnel used Internet Key Exchange Version 2 (IKEv2). This update restores full functionality under those conditions.
Update KB4571744
To resolve these and other issues with Windows 10 Always On VPN, download and install update KB4571744 today. If you are experiencing any of these issues with releases of Windows 10 prior to 2004, look for updates for those builds later this year.
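The following PowerShell check is an added example for this post (my own code, not Microsoft's or from the original article). It pulls together the three things an administrator would verify after reading the sections above: that the client is on build 19041.488 or later, that the user tunnel still authenticates with EAP rather than the machine certificate (the bypass described under Certificate Authentication), and whether an IKEv2 device tunnel is down while an IKEv2 user tunnel to the same server is up (the coexistence bug). It assumes one all-user profile for the device tunnel and one per-user profile for the user tunnel; the function names are mine. Run it in an elevated session so the all-user profile and its status are visible.

```powershell
# Added example (not code from the post or from Microsoft). Assumes a Windows 10 2004
# client with an all-user (device tunnel) VPN profile and a per-user (user tunnel)
# VPN profile. Run as administrator.

# Build and update build revision (UBR) from the post: 19041.488 = KB4571744.
$RequiredBuild = 19041
$RequiredUbr   = 488

function Test-AovpnUpdate {
    # Read the OS build and UBR from the registry. This is more dependable than
    # Get-HotFix, which does not always list preview updates.
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuild
    $ubr   = [int]$ver.UBR
    # Only decides for 2004 (19041); older releases get the fix in later updates.
    $missing = ($build -eq $RequiredBuild -and $ubr -lt $RequiredUbr)
    if ($missing) {
        Write-Warning "OS build $build.$ubr is older than $RequiredBuild.$RequiredUbr; install KB4571744."
    }
    return [pscustomobject]@{ Build = $build; Ubr = $ubr; MissingKB4571744 = $missing }
}

function Test-AovpnTunnels {
    # Device tunnel profiles are all-user connections; user tunnel profiles belong
    # to the signed-in user.
    $device = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    $user   = @(Get-VpnConnection -ErrorAction SilentlyContinue)

    foreach ($c in $device) {
        # A device tunnel is IKEv2 with machine certificate authentication.
        if ($c.TunnelType -ne 'Ikev2' -or $c.AuthenticationMethod -notcontains 'MachineCertificate') {
            Write-Warning "Device tunnel '$($c.Name)': $($c.TunnelType) / $($c.AuthenticationMethod -join ',')"
        }
    }

    foreach ($c in $user) {
        # The user tunnel must use EAP/PEAP. A user tunnel that authenticates with
        # the machine certificate never presents the user to NPS, so NPS policy,
        # MFA and conditional access are bypassed.
        if ($c.AuthenticationMethod -notcontains 'Eap') {
            Write-Warning "User tunnel '$($c.Name)' authenticates with $($c.AuthenticationMethod -join ','); expected Eap"
        }
    }

    # Coexistence: both tunnels to the same server with the user tunnel on IKEv2 is
    # the case the pre-update bug broke. Flag a device tunnel that is not connected
    # while an IKEv2 user tunnel to the same server is connected.
    foreach ($d in $device) {
        $peers = $user | Where-Object { $_.ServerAddress -eq $d.ServerAddress -and $_.TunnelType -eq 'Ikev2' }
        foreach ($u in $peers) {
            if ($u.ConnectionStatus -eq 'Connected' -and $d.ConnectionStatus -ne 'Connected') {
                Write-Warning "Device tunnel '$($d.Name)' is $($d.ConnectionStatus) while user tunnel '$($u.Name)' is connected to $($u.ServerAddress)"
            }
        }
    }

    return [pscustomobject]@{ DeviceTunnels = $device.Count; UserTunnels = $user.Count }
}

Test-AovpnUpdate
Test-AovpnTunnels
```

The update check deliberately reads the UBR rather than relying on Get-HotFix, because KB4571744 shipped as a preview update and may not appear in that list even when installed.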
Additional Information
September 3, 2020 – KB4571744 (OS Build 19041.488) Preview
Windows 10 Always On VPN Connection Issues after Sleep or Hibernate
Robin / September 8, 2020
Hi Richard,
this update should fix the issues described in your other two posts, right?
https://directaccess.richardhicks.com/2020/09/07/always-on-vpn-updates-for-windows-10-2004/
https://directaccess.richardhicks.com/2020/08/10/always-on-vpn-connection-issues-after-sleep-or-hibernate/
Best regards
Robin
Richard M. Hicks / September 9, 2020
It should, yes. 🙂
Robin / September 9, 2020
One more thing, the way I read its release notes, it should be contained in the 2020-09 CU for Windows 10, right?
I can’t find any notes about it on the current CU: https://support.microsoft.com/de-de/help/4571756/windows-10-update-kb4571756
I just updated a device to the 2020-09 CU + LCU and it seems like I can establish a Device and User Tunnel at the same time so I guess this might have been missed in the documentation about the update.
Richard M. Hicks / September 10, 2020
Yes, that's my understanding.
FLOVE / September 9, 2020
This update is still a preview and not automatically found via the regular "Check for updates" button or WSUS.
Richard M. Hicks / September 9, 2020
You can also download it directly from the update catalog here: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4571744.
FLOVE / September 10, 2020
Many thx.
Chris A / September 10, 2020
This patch was only released for the 2004 build. Does that mean all of those issues were not applicable for build 1909?
Because I experience the IKEv2 (Device and User Tunnel Coexistence) issue also on build 1909.
Richard M. Hicks / September 10, 2020
In most cases these issues are present in older releases. Microsoft typically makes them available for the latest release first, then backports them to older clients at a later date. If you are having any of these issues in 1909 or earlier, you can expect these updates in the next month or so.
Patrick DB / April 11, 2022
Hi Richard,
We are using Windows 20H2 with the latest cumulative update (May/2022). We are experiencing the same problem: as soon as the user tunnel (IKEv2) is up, the device tunnel goes down. When we disconnect the user tunnel, the device tunnel comes back. Is there a solution for this problem? Is there any fix for 20H2?
Thanks!
Patrick
Richard M. Hicks / April 11, 2022
This could be a configuration issue. Does it happen only on Windows 10 20H2 devices?
Patrick DB / April 11, 2022
Hi Richard,
Thanks for your quick reply.
We have only Windows 20H2 in the PoC.
I see that the DT continuously disconnects/reconnects and, in the event logs, there is the following message:
"The user SYSTEM dialed a connection named GSC Always On VPN Device Tunnel which has terminated. The reason code returned on termination is 828."
The DT, after multiple disconnections/reconnections, stays several minutes in the state "Unauthenticated" and then restarts the flip/flop.
Any idea?
Many thanks!
Richard M. Hicks / April 14, 2022
This could happen if the VPN public FQDN resolves over the device or the user tunnel to the server's private, internal IP address. When that happens, the VPN client might try to establish a VPN connection over the established VPN tunnel.
De Buijst / April 30, 2022
Hi Richard,
Is it possible to use DT and UT both connected to the same VPN server (Cisco ASA in our case) and both in IKEv2? It seems that our VPN server closes the DT tunnel when the UT is set up.
Richard M. Hicks / May 2, 2022
It is, yes. This is quite common, in fact. I do get reports that the device tunnel drops when the user tunnel establishes, but I don't think it's related to both tunnels using IKEv2. You could confirm this by switching the user tunnel to use SSTP/TLS, if possible.
KpR / August 5, 2022
Hey Richard,
We are also experiencing the same issue.
When the user tunnel connects, the device tunnel disconnects.
Are you experiencing the same behavior?
Do you have any fix for that ?
Thanks
Richard M. Hicks / August 5, 2022
I am not. What version of Windows are you running?
Prasanth / September 10, 2020
Hi Richard,
Is it possible for only the user tunnel to be configured for Always On, with no device tunnel? How secure is this implementation? The VPN server has a DMZ internal and DMZ external leg, which is controlled by a firewall.
Kindly advise.
Richard M. Hicks / September 15, 2020
Absolutely. The Windows 10 Always On VPN device tunnel is optional and not required at all.
sysadminjames / September 18, 2020
Was looking through updates; this looks to resolve the waking from sleep issue for 1903:
https://support.microsoft.com/en-us/help/4577062
Testing for us today.
Richard M. Hicks / September 18, 2020
Let us know how it goes!
sysadminjames / September 29, 2020
It has definitely been a big improvement for me on 1903. I have had it not connect a handful of times, but it has been minimal.
Martyn Jones / September 29, 2020
Hi Richard,
We've begun rolling out the Windows 10 2004 Update over the last couple of days and are seeing issues with the users' Windows credentials being requested and needing to be typed in every time before the AOVPN User Tunnel will connect.
There appear to be a couple of Microsoft Answers threads about this, but no actual recognition of a fix from Microsoft, e.g. https://answers.microsoft.com/en-us/windows/forum/all/upgrade-to-windows-10-2004-vpn-l2tp-fail/d97f3dc0-f135-4ebe-a8a7-c6e7b6fe9ff9?page=7
Do you have any experience or information about this issue Richard?
Thanks very much for your time,
Martyn.
Richard M. Hicks / September 29, 2020
This issue was supposed to be resolved in KB4571744. Is this the update you are speaking of?
martynjones87 / September 29, 2020
The update we've just rolled out is the update to 2004; we have been holding off for a while whilst we saw if it was safe or not!
I believe we have KB4571744 installed as part of the update to 2004, but if it is supposed to be fixed in there, I will double check tomorrow.
Thanks again for your time,
Martyn.
Richard M. Hicks / September 29, 2020
Let me know what you find!
Christian Fæste / October 30, 2020
Hi! I am working with a company where a few users find that Always On VPN never connects automatically. And of course, we are never able to replicate the error on any test PC we set up.
Most times it connects manually, but sometimes they get a series of messages:
“The specified port is already open”
“Requires action” – select certificate.
It has been like this on Win 10 versions up until 2004. Do you have any tips?
Richard M. Hicks / November 1, 2020
I'm hearing reports of issues like this more and more, unfortunately. I have not heard of the "port already open" issue, but issues with certificate selection are not uncommon. Quite frustrating too, because it works for a while, then doesn't. Sometimes it works again later without any changes; other times deleting the certificate and re-enrolling is required.
Bill Richards / November 9, 2020
I've been able to work around it consistently by un-selecting "Connect Automatically". Then I can manually connect after I select my certificate.