Always On VPN Updates for Windows 10 2004

Always On VPN Updates for Windows 10 2004Microsoft recently made available an update for Windows 10 2004 that includes many important fixes for outstanding issues with Windows 10 Always On VPN. KB4571744 (build 19041.488) addresses many challenges faced by Always On VPN administrators today, including the following.

TPM

This update addresses an issue that prevents hash signing from working correctly using the Microsoft Platform Crypto Provider for Trusted Platform Module (TPM). This issue can occur when administrators configure Always On VPN to use Protected Extensible Authentication Protocol (PEAP) with client certificate authentication using a FortiGate security device.

Sleep/Hibernate

This update also addresses issues with Windows 10 Always On VPN failing to automatically reconnect when resuming from sleep or hibernate. I’ve written about issues with Always On VPN and sleep/hibernate in the past. This is an issue that has plagued Always On VPN since its introduction, so let’s hope this finally provides some meaningful relief from this persistent problem.

Certificate Authentication

When both the Always On VPN device tunnel and user tunnel are provisioned to a Windows 10 clients, user tunnel connections may be authenticated using the machine certificate and not EAP/PEAP. This can result in connections that are not validated as intended, and allowing a user to bypass configured NPS policies, MFA requirements, or conditional access rules. This update includes a fix for this issue, restoring proper authentication for the user tunnel when the device tunnel is also provisioned.

Device and User Tunnel Coexistence

A bug that first appeared when Windows 10 2004 was introduced prevented a device tunnel and user tunnel Always On VPN connection from being established to the same VPN server if the user tunnel used Internet Key Exchange Version 2 (IKEv2). This update restores full functionality under those conditions.

Update KB4571744

To resolve these issues with Windows 10 Always On VPN as well as others, download and install update KB4571744 today. If you are experiencing any of these issues with releases of Windows 10 prior to 2004, look for updates for those build to come later this year.

Additional Information

September 3, 2020 – KB4571744 (OS Build 19041.488) Preview

Windows 10 Always On VPN Connection Issues after Sleep or Hibernate

Windows 10 Always On VPN Bug in Windows 10 2004

Leave a comment

22 Comments

  1. FLOVE

     /  September 9, 2020

    This update is still a preview and not automaticall found via regular “Check for updates” button or WSUS.

    Reply
  2. Chris A

     /  September 10, 2020

    This patch was only released for 2004 build. Does that mean all of those issues where not applicable for build 1909?
    Because I experience the IKEv2 issue (Device and User Tunnel Coexistence) issue also on build 1909.

    Reply
    • In most cases these issues are present in older releases. Microsoft typically makes them available for the latest release first, then backports them to older clients at a later date. If you are having any of these issues in 1909 or earlier, you can expect these updates in the next month or so.

      Reply
  3. Prasanth

     /  September 10, 2020

    Hi Richard
    is it possible for only Usertunnel to be configured for AlwaysOn. No Device tunnel. How secure this implementation is? The VPN server have dmz internal and dmz external leg which is controlled by firewall.
    Kindly advice

    Reply
  4. sysadminjames

     /  September 18, 2020

    Was looking through updates, this looks to resolve the waking from sleep for 1903

    https://support.microsoft.com/en-us/help/4577062

    Testing for us today.

    Reply
  5. Martyn Jones

     /  September 29, 2020

    Hi Richard,

    We’ve begun rolling out the Windows 10 2004 Update over the last couple of days and are seeing issues with the users Windows credentials being requested and needing to be typed in every time before the AOVPN User Tunnel will connect.

    There are appear to be a couple of Microsoft Answers threads about this, but no actual recognition of fix from Microsoft. e.g. https://answers.microsoft.com/en-us/windows/forum/all/upgrade-to-windows-10-2004-vpn-l2tp-fail/d97f3dc0-f135-4ebe-a8a7-c6e7b6fe9ff9?page=7

    Do you have any experience or information about this issue Richard?

    Thanks very much for your time,

    Martyn.

    Reply
    • This issue was supposed to be resolved in KB4571744. Is this the update you are speaking of?

      Reply
      • martynjones87

         /  September 29, 2020

        The update we’ve just rolled out is the update to 2004, we have been holding off for a while whilst we saw if it was safe or not!

        I believe we have the KB4571744 installed as part of the updating to 2004, but if it is supposed to be fixed in there, I will double check tomorrow.

        Thanks again for your time,

        Martyn.

      • Let me know what you find!

  6. Christian Fæste

     /  October 30, 2020

    Hi! I am working with a company where a few users experience that Always On VPN never connects automatically. And of course, we are never able to replicate the error on any test-PC we set up.

    Most times it connects manually, but sometimes they get a series of messages:

    “The specified port is already open”
    “Requires action” – select certificate.

    It has been like this on Win 10 versions up until 2004. Do you have any tips?

    Reply
    • I’m hearing reports of issues like this more and more unfortunately. Not heard the “port already open” issue, but issues with certificate selection are not uncommon. Quite frustrating too because it works for a while, then doesn’t. Sometimes works again later without any changes, other times deleting the certificate and re-enrolling is required.

      Reply
      • Bill Richards

         /  November 9, 2020

        I’ve been able to work around it consistently by un-selecting “Connect Automatically”. Then I can manually connect after i select my certificate.

  1. Always On VPN Fails with Windows 10 2004 Build 610 | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: