Since the introduction of Windows 11, there have been numerous reports of issues with Always On VPN when deployed using Microsoft Endpoint Manager/Intune. Specifically, administrators have been reporting that Always On VPN profiles are being deleted, then later reappearing. Obviously, this is highly disruptive to users in the field.
Update January 25, 2022: Microsoft has released a fix for the issues described in this article. It is included with KB5008353 (build 22000.469).
Causes
According to Microsoft, there are several causes for deleted VPN profiles.
Changes to an Existing Profile
Missing Always On VPN profiles commonly occur when updating settings for an existing VPN profile applied to Windows 11 endpoints. In this scenario, the VPN profile is deleted but not immediately replaced. Synchronize the device with Microsoft Endpoint Manager/Intune once more to restore the VPN profile.
Multiple Profiles
Issues with Always On VPN profiles may also occur if two new VPN profiles are applied to the endpoint simultaneously.
Remove and Replace
Removing and replacing an Always On VPN profile at the same time will also result in connectivity issues.
Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure
Workaround
There is no known workaround for these issues at this time. Microsoft is aware of the problem and is working on a fix, and until then, rolling out Windows 11 with Always On VPN should be avoided.
Additional Issues
There have been reports of other known issues with Windows 11 and Always On VPN. For instance, my PowerShell script that removes an Always On VPN connection doesn’t work with Windows 11. I’m working to resolve that issue as we speak.
Are you experiencing any issues with Always On VPN on Windows 11? Please share them in the comments below!
Flo
/ October 28, 2021
Thanks Richard!
Matt
/ October 28, 2021
We have found that Win11 is treating certificates for AOVPN with case sensitivity. If the CN or SAN of the cert is SERVER.DOMAIN.COM and the AOVPN script uses server.domain.com, it will not trust the cert. Only by updating the install script to use the proper case-sensitivity are we able to get Win11 AOVPN clients connecting.
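The mismatch Matt describes can be checked before a profile is rolled out. The PowerShell below is an added example, not code from the post or from the author's scripts: it compares the host names in an Always On VPN ProfileXML with the DNS names carried by the server certificate and reports which names agree only when case is ignored. The sample ProfileXML and SAN list are constructed; on a real client the names would come from the certificate object through Get-CertificateDnsNames, which assumes the English "DNS Name=" label that the SAN extension's Format() output uses on Windows.

```powershell
# Added example: detect case-only mismatches between the VPN profile's server
# names and the names on the server certificate. Sample data below is constructed.

function Get-CertificateDnsNames {
    # Collects the certificate CN plus the DNS entries of the Subject Alternative
    # Name extension (OID 2.5.29.17). Assumes the English "DNS Name=" label.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $names = @()
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+?)\s*$') { $names += $Matches[1] }
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-AovpnServerNameCase {
    # Compares each host in <Servers> with the certificate names, first with an
    # ordinal (case-sensitive) comparison, then ignoring case, and classifies it.
    param(
        [Parameter(Mandatory)][string]$ProfileXml,
        [Parameter(Mandatory)][string[]]$CertificateDnsNames
    )
    [xml]$doc = $ProfileXml
    # <Servers> holds one or more "host;friendlyname" entries separated by commas
    $servers = @($doc.VPNProfile.NativeProfile.Servers -split ',' |
        ForEach-Object { ($_ -split ';')[0].Trim() } |
        Where-Object { $_ })
    foreach ($server in $servers) {
        $exact = @($CertificateDnsNames | Where-Object {
            [string]::Equals($_, $server, [System.StringComparison]::Ordinal) })
        $folded = @($CertificateDnsNames | Where-Object {
            [string]::Equals($_, $server, [System.StringComparison]::OrdinalIgnoreCase) })
        $status = 'NoMatch'
        if ($exact.Count -gt 0) { $status = 'ExactMatch' }
        elseif ($folded.Count -gt 0) { $status = 'CaseMismatch' }
        $certName = $null
        if ($folded.Count -gt 0) { $certName = $folded[0] }
        [pscustomobject]@{ Server = $server; Status = $status; CertName = $certName }
    }
}

# Constructed sample: the profile points at vpn.example.com while the certificate
# carries the name in upper case, which is the situation described in the comment.
$sampleProfileXml = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com;vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
  </NativeProfile>
</VPNProfile>
'@
$sampleCertNames = @('VPN.EXAMPLE.COM', 'vpn2.example.com')

Test-AovpnServerNameCase -ProfileXml $sampleProfileXml -CertificateDnsNames $sampleCertNames |
    Format-Table -AutoSize
```

A CaseMismatch row means the profile would have connected on Windows 10 but, per the behaviour reported here, fails on Windows 11 until the <Servers> value is changed to the exact spelling on the certificate. On a real client, pass the output of Get-CertificateDnsNames for the RRAS certificate (for example one exported from the server and loaded with Get-PfxCertificate) as -CertificateDnsNames.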
Richard M. Hicks
/ October 28, 2021
I’m seeing the same thing. This is causing problems for organizations performing in-place upgrades to Windows 11. Details here: https://directaccess.richardhicks.com/2021/09/23/always-on-vpn-error-853-on-windows-11/.
Nathan Lamonski
/ October 28, 2021
Thanks, having the exact same issue in my environment with Windows 11.
Matthew Green
/ October 29, 2021
Hi Richard,
I have noticed that even with single VPN profiles created in Intune, it is installing the profile and then within a minute’s time it is deleting the profile, and Event Viewer complains about add and remove commands. I have seen this issue all throughout the beta and release of Windows 11.
I have found a workaround, and that is to use the older Custom OMA-URI XML file method to deploy the VPN profile. This works flawlessly, and I always use this method if a client has issues with the normal Intune VPN profile method.
Richard M. Hicks
/ October 29, 2021
Interesting. Good to know that using OMA-URI works for you!
Mike Mathis
/ October 29, 2021
We are seeing the connection be applied to the Win 11 client and then removed at the next Endpoint Manager policy sync.
DD
/ October 29, 2021
Hi Richard, is this documented publicly by Microsoft anywhere?
Richard M. Hicks
/ October 29, 2021
Yes, here: https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure.
Paul Warren
/ November 2, 2021
We’ve had this issue during the pre-release period of Windows 11 and have been working with Microsoft. A recent fix went into the dev channel insider build (22489) which resulted in the VPN stabilising.
Richard M. Hicks
/ November 2, 2021
That’s good news. Hopefully, it makes it to GA soon!
Lars Knakkergaard.
/ November 14, 2021
Hi Paul – could you please update this blog when you get more news – we are struggling with the same and we wish to deploy Win11 but not before this is fixed.
jeffirvine
/ November 17, 2021
I am seeing the same thing. Although for weeks, the device tunnel was typically solid, only very rarely disappearing. The user tunnel (SSTP) only ever provisioned once and then never returned. But some time in the last 2 weeks (?) the device tunnel no longer provisions on the client but the user tunnel is here! The only thing MEM shows is “Remediation failed”. The client log just shows the tunnel being deleted.
HOWEVER, I just joined this particular laptop into the Insider Beta, rebooted and now both tunnels are provisioned and connected. Fingers crossed they both stick around this time.
Richard M. Hicks
/ November 17, 2021
Thanks for the insight. Indeed, I’m hearing that these issues have been fixed in build 22483 and later. I’m testing as we speak, in fact, and it is working flawlessly. Hopefully, the fix makes it to GA soon. 🙂
Andrew Turner
/ November 26, 2021
Hi
It has taken me a while to find this bug as I’m still running Windows 10. Unfortunately, with the latest feature update (19044.1387) I have had this problem with case sensitivity of the certificate domain.
Richard M. Hicks
/ November 29, 2021
Interesting. It sounds like perhaps some code from Windows 11 was backported to Windows 10. I will do some testing and see what I can learn.
hstrang
/ December 13, 2021
I am trying to add a VPN connection during Windows Autopilot deployment with the help of your scripts as “AllUserConnection” (not device tunnel). When deploying W10 it works fine every time but not with W11, where the profile ends up corrupted.
No error messages are logged and I get “created successfully”, but the resulting profile seems to be missing the whole XML part. Checking with get-vpnconnection -alluserconnection it says “The VPN connection XXX cannot be retrieved from the global user connections. : A call to EAP Host returned an error.” FullyQualifiedErrorId : EAP -2143158255,Get-VpnConnection
Deploying the same package to W11 with Intune after the end user setup has been completely finalized creates a working setup, so the profile and the tools are compatible as such. The downside of doing this is that it can take hours before Intune installs the package.
Richard M. Hicks
/ December 13, 2021
Indeed, a few of my scripts aren’t working on Windows 11 unfortunately. I’ve also seen the issue where the script creates the profile but it is corrupted and can’t be removed with Remove-VpnConnection. You end up having to delete the rasphone.pbk file. I’m still investigating, but one of the issues has already been tracked to a bug in Windows 11. :/
dg38
/ January 17, 2024
Hi hstrang, Richard,
Do you still experience this issue where the VPN profile is not applied correctly using a PowerShell script? With this error: “The VPN connection XXX cannot be retrieved from the global user connections. : A call to EAP Host returned an error.” FullyQualifiedErrorId : EAP -2143158255,Get-VpnConnection?
Did you get an answer from Microsoft?
Richard M. Hicks
/ January 17, 2024
That’s an unusual error. It could be caused by malformed XML. It might also be caused by a corrupted rasphone.pbk file, too. Also, if you have removed a VPN profile with the same name previously there could be artifacts left over that can cause problems. I’d suggest using my Remove-AovpnConnection script with the -CleanUpOnly switch to ensure proper removal of the old profile.
https://github.com/richardhicks/aovpn/blob/master/Remove-AovpnConnection.ps1
Daniel
/ December 16, 2021
We’re seeing issues with IPv6 routes in Windows 11. Our device VPN is routing all IPv6 traffic and ignoring the rules in the XML. The same config works fine with Windows 10. IPv4 is fine and traffic is limited to DCs etc.
Richard M. Hicks
/ December 16, 2021
Oh, that’s interesting. I’ll do some testing soon and see if I encounter the same behavior.
Richard M. Hicks
/ December 19, 2021
I did some testing recently and didn’t have the same experience. How are you provisioning your Always On VPN profiles? Intune or PowerShell? If Intune, is it using the VPN template or custom XML?
Matt
/ January 7, 2022
Any news on a rough release date for this fix?
Richard M. Hicks
/ January 7, 2022
Expected at the end of January.
Richard Knight (@_RichardKnight)
/ January 26, 2022
Thanks for your really helpful articles. We fixed the case sensitivity issue. Updated to the latest dev build and managed to get 2 VPN profiles to install and connect on W11. They don’t show compliant in Intune though. I have raised a ticket with MS and they are looking at it.
Richard M. Hicks
/ January 27, 2022
Yes, hearing reports that this update makes things much better for Always On VPN on Windows 11. 🙂
Humberto
/ January 26, 2022
Trying to create an image to roll out to my testing users but ran into this Always On VPN not working as well. Installing the latest updates now to see if that solves this problem; currently testing it on Windows 11 Version 21H2 (OS Build 22000.376).
Jacob Normand Olesen
/ January 26, 2022
Hi, I can see MS has announced a fix in KB5008353, the preview for February.
Richard M. Hicks
/ January 27, 2022
Indeed. Available now here: https://support.microsoft.com/en-us/topic/january-25-2022-kb5008353-os-build-22000-469-preview-920e6297-567b-4b95-afe9-35d17de02c3a. Will roll out automatically next month.
Andreas
/ January 31, 2022
Microsoft released the preview patch that fixes the Always On issue with Intune.
https://support.microsoft.com/en-au/topic/january-25-2022-kb5008353-os-build-22000-469-preview-920e6297-567b-4b95-afe9-35d17de02c3a
Tested here with 2 notebooks and it works fine. Will be available on the February patch day.
Nathan Lamonski
/ January 31, 2022
Looks like it is fixed in KB5008353. Going to test it out on a test device to see if this is the case.
https://support.microsoft.com/en-us/topic/january-25-2022-kb5008353-os-build-22000-469-preview-920e6297-567b-4b95-afe9-35d17de02c3a
Addresses an issue that might cause VPN profiles to disappear. This issue occurs when you use Microsoft Intune or a third-party mobile device management (MDM) tool to deploy VPN profiles on Windows 11 (original release).
Nathan Lamonski
/ January 31, 2022
Looks like Microsoft addressed this in KB5008353 for Windows 11.
https://support.microsoft.com/en-us/topic/january-25-2022-kb5008353-os-build-22000-469-preview-920e6297-567b-4b95-afe9-35d17de02c3a
Addresses an issue that might cause VPN profiles to disappear. This issue occurs when you use Microsoft Intune or a third-party mobile device management (MDM) tool to deploy VPN profiles on Windows 11 (original release).
Going to try it out on a test device to see if it corrects the issue.
Rene Buedinger
/ February 7, 2022
Hi Richard, I appreciate what you do here and share your knowledge with us. Thank you very much!
I started to roll out W11 recently on a few devices, and I indeed have some issues I cannot wrap my head around yet. We do not use Intune, but roll out the VPN profiles via SCCM and PowerShell scripts.
We roll out 2 Profiles. Machine Tunnel (IKEv2) and User Tunnel (IKEv2 with SSTP Fallback).
I recently got our First Surface Pro 8 with W11 preinstalled. Domain joined it, packed on all Software via SCCM we need + the VPN Profiles. It did not work, but I found the solution in the comments in your blog and in one of your posts: It was the case sensitivity issue with the Certificates. I fixed that and adjusted the Profile that SCCM rolls out. I was remotely on the Surface when the profile rolled out and immediately the User Tunnel and the Device Tunnel (although that one was NOT changed) came up.
A few days later the User called me and said that the VPN is not working anymore (it did for a few days). That was about 2 weeks ago and since then I was not able to get it back up working again. It always complains that no certificate can be found, although it is there and valid.
So I went on and upgraded my W10 Surface Pro 7 to W11 via an SCCM upgrade package, faced the same case sensitivity issue, which got fixed with the new profile, and since then the User and Device Tunnel are working flawlessly for me.
In the meantime I received a new laptop with W10, did an OSD via SCCM for W11, and that one also works flawlessly.
Then I upgraded another laptop from W10 to W11 and that one works flawlessly too.
So it is only the Surface Pro 8 with the Preinstalled W11 from Microsoft that has issues at the moment.
Studying the Event Logs of all those systems I could spot that the Event ID 20222 (The User xyz tries to establish a connection to the RAS-Server for the Connection with the name “AlwaysOn VPN”….) is different on the various systems. On my System, which works fine the User xyz lists my Domain User. On the Surface Pro 8 with the Issues, it lists as User Name. So I thought that if AO VPN tries to establish the Connection as “System”, of course there is no AlwaysOn capable Certificate available. But on one of the other Laptops I upgraded from W10 to 11, the message also states “System” and the tunnel works for the Users.
Then I spotted that maybe mine is always capable of doing IKEv2, that the Surface Pro 8 cannot do that (probably due to the user’s router at home), and the SSTP fallback might not work on W11. But one of the upgraded laptops does fine with SSTP.
The funny thing is, if the User with the Surface Pro 8 with the issues goes to one of our Remote Offices, he can connect via Always On VPN to our Datacenter fine. So the issue seems to be from home… where it worked for a few days in W11 and for years in W10.
So whenever I thought I found the issue, it turns out it is not because another System shows the same message but works. It is just that single Surface Pro 8 that I can not get up and running yet.
I am waiting for the USB-C network adapter I ordered and I am thinking of just doing an OSD via SCCM to get rid of the Microsoft preinstalled W11. But since it is the same W11 build number and edition it would make no sense if that helps.
Richard M. Hicks
/ February 9, 2022
Odd that it is only affecting one specific installation of Windows 11, for sure. Let us know what happens if you install Windows 11 via OSD. Curious to know if it behaves any differently!
Humberto
/ February 8, 2022
End of Jan, nothing here; still dead in the water with PowerShell VPN profile creation.
Richard M. Hicks
/ February 9, 2022
There’s no ETA for the PowerShell profile creation issue at this point, unfortunately. :/
Keith
/ February 10, 2022
New release fixed the issue.
Richard M. Hicks
/ February 10, 2022
Great to hear! 🙂
Humberto
/ February 19, 2022
I’ve joined the first release and still nothing. Can someone post the build this new release has, to allow things to flow automatically with SCCM?
jeffirwin402
/ February 28, 2022
I’m on Windows 11 Build 22000.526 and still having the issue. What build includes the fix?
Richard M. Hicks
/ March 1, 2022
Build 22000.469.
https://support.microsoft.com/en-us/topic/january-25-2022-kb5008353-os-build-22000-469-preview-920e6297-567b-4b95-afe9-35d17de02c3a
Wander
/ March 4, 2022
I have the same issue on Build 22000.527 installed via a custom OMA-URI: ./user/vendor/MSFT/VPNv2//ProfileXML. The connection randomly disconnects.
10:08:04 Event 20226 RasClient: The user Dailed a connection named which has terminated. The reason code returned on termination is 631.
10:08:03 Event 200 DeviceManagement-Enterprise-Diagnostics-Provider: MDM Session: OMA-DM server message received and parsed successfully.
10:08:01 Event 200 DeviceManagement-Enterprise-Diagnostics-Provider: MDM Session: OMA-DM message sent.
Most of the time when I manually sync the device the VPN is disconnected.
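The three log lines Wander quotes are the pattern worth looking for at scale: an MDM session event a second or two before every RasClient 20226 termination. The PowerShell below is an added example, not code from the post, that pairs each 20226 event with the MDM session events that precede it within a short window so that sync-related drops can be separated from ordinary disconnects. The events are constructed from the timestamps quoted above; the Get-WinEvent filters in the comment (the RasClient source in the Application log and the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log) are what I would use on a real device and should be confirmed in Event Viewer.

```powershell
# Added example: correlate RasClient 20226 disconnects with MDM session events
# that precede them. Sample events below are constructed.

function Find-VpnDropsNearMdmSync {
    # For each RasClient 20226 event, count the MDM events that occurred within
    # $WindowSeconds before it. A drop with at least one such event is flagged
    # as likely sync-related; a drop with none is left unflagged.
    param(
        [Parameter(Mandatory)][object[]]$RasEvents,   # objects with TimeCreated, Id, Message
        [Parameter(Mandatory)][object[]]$MdmEvents,   # objects with TimeCreated, Id, Message
        [int]$WindowSeconds = 30
    )
    foreach ($drop in ($RasEvents | Where-Object { $_.Id -eq 20226 })) {
        $reason = $null
        if ($drop.Message -match 'reason code returned on termination is (\d+)') {
            $reason = [int]$Matches[1]
        }
        $before = @($MdmEvents | Where-Object {
            $delta = ($drop.TimeCreated - $_.TimeCreated).TotalSeconds
            ($delta -ge 0) -and ($delta -le $WindowSeconds)
        })
        [pscustomobject]@{
            DisconnectedAt    = $drop.TimeCreated
            ReasonCode        = $reason
            MdmEventsBefore   = $before.Count
            LikelySyncRelated = ($before.Count -gt 0)
        }
    }
}

function New-SampleEvent {
    # Builds a minimal object with the properties Get-WinEvent output also carries
    param([datetime]$Time, [int]$Id, [string]$Message)
    [pscustomobject]@{ TimeCreated = $Time; Id = $Id; Message = $Message }
}

# Constructed sample: the 10:08 sequence quoted in the comment, plus one drop later
# in the day with no MDM activity near it. Connection and user names are made up.
$sampleMdm = @(
    (New-SampleEvent ([datetime]'2022-03-04 10:08:01') 200 'MDM Session: OMA-DM message sent.'),
    (New-SampleEvent ([datetime]'2022-03-04 10:08:03') 200 'MDM Session: OMA-DM server message received and parsed successfully.')
)
$sampleRas = @(
    (New-SampleEvent ([datetime]'2022-03-04 10:08:04') 20226 'The user SYSTEM dialed a connection named AOVPN which has terminated. The reason code returned on termination is 631.'),
    (New-SampleEvent ([datetime]'2022-03-04 11:30:12') 20226 'The user SYSTEM dialed a connection named AOVPN which has terminated. The reason code returned on termination is 631.')
)

# On a real client, replace the samples with live events, e.g.:
#   $ras = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20226 }
#   $mdm = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; Id = 200 }
Find-VpnDropsNearMdmSync -RasEvents $sampleRas -MdmEvents $sampleMdm | Format-Table -AutoSize
```

Run over a day of logs, a high share of LikelySyncRelated drops supports the diagnosis Richard gives in the reply below (the profile is being replaced on sync) rather than a network-side cause; a drop with no MDM events nearby needs a different explanation.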
Richard M. Hicks
/ March 4, 2022
This can happen if changes are detected on the profile. However, if there are no changes, syncing shouldn’t cause a VPN disconnect. It’s possible this could be related to some of the issues Microsoft is having with Windows 11 and Intune, but again, those were supposedly addressed in build 22000.469.
Chris G
/ April 13, 2022
I’m experiencing a slightly painful one. The VPN profile, which was the same for our Windows 10 devices, deployed to Windows 11 is showing in Endpoint as having errors (yet the VPN works just fine). I can accept false errors; however, Endpoint keeps trying to reinstall it to fix the errors, which is causing it to overwrite our rasphone, which is reconfigured using proactive remediation to get SSO to work on our non-domain-joined systems. This keeps causing a chicken-and-egg problem and intermittent SSO workings for the users. I’m not sure if there is something missing or something new with the Windows 11 VPN profile that is not in my XML. Using the VPN profile in Intune with the VPN template. Have you seen this yet, where the same profile reports failed on Windows 11 that is successful on Windows 10, even though it’s working?
Richard M. Hicks
/ April 14, 2022
I’ve encountered scenarios where a device configuration profile reports an error for a working device, yes. Mostly with certificates, though. I don’t think I’ve come across this with Always On VPN profiles. If it is working on Windows 10 clients, it should certainly work on Windows 11. I’m not aware of any compatibility issues between the two for Always On VPN.
Chris G
/ April 21, 2022
So, I decided to write a PowerShell script to create the VPN and import my exhaustive routing table. Interestingly, and I have not tested it against Windows 10 yet, only on my Windows 11 that was giving me problems, I’m getting an error after 200 entries are successful saying “The number of routes cannot be more than 200 when using the add-vpnconnectionroute command.” Next week I’ll reduce my Intune VPN profile for Windows 11 to only have 199 routes and see if that still errors out.
Richard M. Hicks
/ April 21, 2022
I must say I have never even come close to configuring that many routes for an Always On VPN connection. Interesting to know there’s an upper limit for routes though!
Mathias Heimberg
/ April 14, 2022
Hello Richard, dear friends of the AOVPN, first of all many thanks for all the info which can be found in this corner of the web. This is great.
But unfortunately we have a situation which cannot be solved so far, at least for us. We are using AOVPN in the Device Tunnel with IKEv2. For this we use the XML based WMI import to create the profiles in the AllUser Context.
With both tunnels everything is ok so far. Our problem is that for the update we have to remove the profiles and create them again. This also works fine so far. Except for one thing: if we don’t restart Windows between removing and re-adding the Device Tunnel, then the Device Tunnel doesn’t start automatically anymore. It can be started by the user as well as via SYSTEM account, but it does not start automatically. This only works if we do a system reboot between removing and adding the device profile.
We have now tried many lines of PowerShell in which we restart services and try various things. But nothing works and we are not able to give the user a “silent” VPN config update without a forced, intermediate reboot of the OS. Does anyone here have a tip, experience?
(sorry, we’re using W10 19042 currently)
Richard M. Hicks
/ April 14, 2022
Wow, that’s interesting. I’m not aware of any specific requirements to reboot to get the device tunnel to start automatically. I’m curious though, have you checked the following registry key to ensure the device tunnel profile is not listed here?
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Config\AutoTriggerDisabledProfilesList
VPN profiles listed here won’t start automatically.
Matt
/ July 28, 2022
Hi,
I am still experiencing issues on Build 22000.795. I don’t see anything in the event logs like we did back in February but whenever I manually initiate a sync from the Company Portal the VPN will disconnect & reconnect as it reapplies the VPN config.
In the Intune portal, any Windows 11 device with a VPN profile does show an error “-2016281112 Error code: (0x87d1fde8)”
Is this issue widespread / acknowledged by Microsoft?
Richard M. Hicks
/ July 28, 2022
This is a known issue. Microsoft is aware, but that’s all the information I have right now. If you open a support case, I’d be happy to let my contacts at Microsoft know. The more organizations that have open cases for this issue the quicker it will be resolved. 🙂
Neil Clarke
/ October 18, 2022
Hi Richard. Do you have any more info on this? We still see this on the new 22H2 update for Windows 11. Every time we do a sync the VPN is dropped and reconnected/reprovisioned. It’s a little frustrating as it’s the only thing holding us back from deploying Windows 11.
Richard M. Hicks
/ October 21, 2022
I don’t have any more information other than Microsoft is aware of the issue. I’m curious though, how are you provisioning Always On VPN client configuration settings with Intune? Are you using the native UI or custom XML?
neil clarke
/ October 31, 2022
Custom XML. I will try and test with the native UI to see if that fixes it.
Richard M. Hicks
/ October 31, 2022
Most reports I get are using custom XML. Let me know what you find using native UI. 🙂
Neil Clarke
/ January 13, 2023
Well, I finally had some time to test using the native UI instead of the custom XML. It made no difference; it still removes and re-adds the connections on a sync.
Richard M. Hicks
/ January 13, 2023
My testing proves the same. The good news is that Microsoft is aware of the issue and is working to address it. No ETA, though.
Chris Grondin
/ January 13, 2023
Issue seems resolved with Windows 11 22H2; however, a new problem has crept up, where the initial install of the profile after Autopilot gets corrupted and misconfigured. A delete and sync will allow it to reinstall properly.
Richard M. Hicks
/ January 13, 2023
Interesting. So you do not see the sync issues with Windows 11 22H2? I’ll test again and see if I can reproduce. Also, the issue with the corrupted profile is quite common. I usually see that the profile gets installed, but the EAP configuration is incorrect. Removing/replacing or simply changing the EAP authentication settings resolves the issue.
Chris Grondin
/ January 13, 2023
Exactly the behavior. However, once it is installed via sync, rather than ESP, it seems to be stable, reports correctly back in Intune as being installed correctly, and does not try to reinstall due to remediation errors.
Richard M. Hicks
/ January 13, 2023
Interesting. Good to know! I’ll do some more testing and see how it goes. 🙂
Stefan Kumli
/ January 17, 2023
@Chris Grondin
We have exactly the same issue here: after first creating the profile, a “get-vpnconnection” is not working and a VPN connection can’t be established. After deleting the profile and resyncing the client in Company Portal everything is working as expected, including Always On connecting immediately.
@Richard
Thanks for your really helpful work. It seems to be a misconfigured EAP profile. Do you have some more information about this issue? Is Microsoft also working on it?
Does anyone else have a solution for this behaviour?
BR Stefan
Richard M. Hicks
/ January 18, 2023
I’m not sure if Microsoft is aware of this issue or not. It seems to happen infrequently, so it’s difficult to troubleshoot. You can certainly open a support case with Microsoft if you can report reliably. Let me know the case number if you do and I’ll reach out to my contacts there and try to expedite.
WednesdayFrog
/ October 14, 2022
Thanks for the great work – your book really helped us out!
When deploying with the VPN-Configuration-Template we observe the following:
– The profile is applied, but the EAP settings do not seem to apply. Instead of PEAP the connection is set to use MSCHAPv2. A connection is not possible.
– In Intune we see error “0x80004005” for the VPN profile.
– When the VPN profile is manually deleted it gets reapplied correctly on the next sync.
– Devices already deployed with this Profile have no problems and are set to use PEAP.
We already re-exported the EAP.xml and verified the formatting. To me it doesn’t make any sense that the Profile loads correctly after manually deleting it on the client. This Problem only occurs on the first sync but is only fixed by manually deleting the profile.
When deployed with a custom XML the profile is initially applied correctly but reapplied at every sync. This causes a temporary drop of the connection. We also tried to use the example XML provided by Microsoft to ensure there are no formatting errors.
The same profile works flawlessly on W10…
Clients are on latest 22H2 Patch.
We already tried changing Split-Tunnel to Force-Tunnel – no difference 🙁
Any Ideas?
Richard M. Hicks
/ October 14, 2022
I believe there’s an issue in Windows 11 where the VPN profile isn’t loaded correctly for some reason. I typically see this when deploying XML using PowerShell for testing. It won’t error out, but the EAP configuration is incorrect. I can change the setting to use PEAP and it works fine. Also, I’ve found that if I delete the profile and run the script again (with the same XML) it will work fine. So, something seems wrong in Windows 11. I don’t see this in Windows 10, BTW.
That said, there is a known issue in Windows 11 with WMI that prevents some PowerShell functions from working correctly. A fix is pending release from Microsoft, but it hasn’t yet been published. I’m hoping that fix will resolve some of these other seemingly related issues.
RKast
/ November 6, 2022
I’m facing the wrong EAP config on Windows 11 also. I deploy an AO VPN config with Intune and XML. Tried everything from Automatic, IKEv2, assign to user/device etc., but it always applies CHAP instead of PEAP on Windows 11 (and gives an error in the Intune portal). Removing the VPN and then it applies correctly. When I enroll a Windows 10 device and target the same AO VPN policy it works and gets the correct EAP config. Any solution or fix for this with Intune & Windows 11?
Richard M. Hicks
/ November 6, 2022
Not that I’m aware of. It seems to be a Windows 11 issue, though. I’ve had the same experience as you where the same profile applied to Windows 10 works fine, but Windows 11 it doesn’t. Also, quite odd that just removing the profile and re-applying corrects the problem!
RKast
/ November 8, 2022
Thanks Richard, I created a remediation script that removes the VPN from rasphone when get-vpnconnection errors out. This way repaired VPNs are not hit. Also created a case with Microsoft. Let’s see what it brings.
Richard M. Hicks
/ November 8, 2022
Great. Let me know if you learn anything interesting from Microsoft!
RKast
/ November 16, 2022
Microsoft (as we already knew) confirmed it’s a bug in Windows 11 and will be fixed in the next KB. Timeline for the KB as always unknown.
MHF
/ January 29, 2023
Does KB5008353 also fix the problem of incorrect profile settings being deployed, CHAPv2 instead of PEAP?
Richard M. Hicks
/ January 29, 2023
Not to my knowledge. It’s certainly worth testing, though. It’s always possible that the same underlying issue was the root cause.
Humberto
/ January 30, 2023
We were able to get the profile creation to work using the PowerShell and XML sample on your website. The new profile works on both 11/10. Looks like expecting a fix from Microsoft for the current profile XML file to work is just not going to be a thing.
Stefan Kumli
/ February 6, 2023
We repair the connection with a “proactive remediation” -> you have to put the EAP configuration stream to the VPN profile “Set-VpnConnection -Name $vpnName -AuthenticationMethod Eap -EapConfigXmlStream $EAPConfig -EncryptionLevel Required -PassThru” – in the same remediation, we correct the VPN strategy and the UseRasCredentials. At the end connect with rasdial. All done from Intune.
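Three checks recur in this thread: RKast's remediation that removes a profile Get-VpnConnection can no longer read, Stefan's remediation that pushes the EAP configuration back with Set-VpnConnection, and Richard's earlier pointer to the RasMan AutoTriggerDisabledProfilesList value for tunnels that stop auto-starting. The PowerShell below is an added example, not code from any of those comments or from the author's scripts, that combines them into a detection function and a repair function in the shape an Intune Proactive Remediation expects. The profile name and the EAP XML path are assumptions; the EAP XML is expected to be one exported from a correctly configured client.

```powershell
# Added example: Proactive Remediation-style health check and repair for an
# Always On VPN user tunnel. Profile name and EAP XML path are assumed values.

$AutoTriggerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config'
$AutoTriggerValue = 'AutoTriggerDisabledProfilesList'

function Test-AovpnProfileHealth {
    # Returns one finding object per problem; returns nothing when the profile is healthy.
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$AllUserConnection,
        # Device tunnels authenticate with MachineCertificate; user tunnels normally with Eap
        [string]$ExpectedAuthenticationMethod = 'Eap'
    )
    $findings = @()
    try {
        $vpn = Get-VpnConnection -Name $Name -AllUserConnection:$AllUserConnection -ErrorAction Stop
    } catch {
        # A corrupted profile fails here, e.g. "A call to EAP Host returned an error."
        $findings += [pscustomobject]@{ Check = 'Readable'; Detail = $_.Exception.Message }
        return $findings
    }
    if (@($vpn.AuthenticationMethod) -notcontains $ExpectedAuthenticationMethod) {
        $findings += [pscustomobject]@{
            Check  = 'AuthenticationMethod'
            Detail = 'found ' + (@($vpn.AuthenticationMethod) -join ',') + ", expected $ExpectedAuthenticationMethod"
        }
    }
    # Profiles listed in this REG_MULTI_SZ value do not start automatically
    $disabled = @((Get-ItemProperty -Path $AutoTriggerKey -Name $AutoTriggerValue -ErrorAction SilentlyContinue).$AutoTriggerValue)
    if ($disabled -contains $Name) {
        $findings += [pscustomobject]@{ Check = 'AutoTrigger'; Detail = "listed in $AutoTriggerValue" }
    }
    return $findings
}

function Repair-AovpnProfile {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$EapConfigPath,   # EAP configuration XML from a working client
        [switch]$AllUserConnection
    )
    $findings = @(Test-AovpnProfileHealth -Name $Name -AllUserConnection:$AllUserConnection)
    if ($findings.Count -eq 0) { return 'Healthy' }
    $checks = @($findings | ForEach-Object { $_.Check })
    if ($checks -contains 'Readable') {
        # Unreadable profile: remove it so the next Intune sync recreates it cleanly
        Remove-VpnConnection -Name $Name -AllUserConnection:$AllUserConnection -Force -ErrorAction SilentlyContinue
        return 'RemovedForResync'
    }
    if ($checks -contains 'AuthenticationMethod') {
        [xml]$eapConfig = Get-Content -Path $EapConfigPath -Raw
        Set-VpnConnection -Name $Name -AllUserConnection:$AllUserConnection `
            -AuthenticationMethod Eap -EapConfigXmlStream $eapConfig `
            -EncryptionLevel Required -ErrorAction Stop | Out-Null
    }
    if ($checks -contains 'AutoTrigger') {
        $remaining = [string[]]@((Get-ItemProperty -Path $AutoTriggerKey -Name $AutoTriggerValue).$AutoTriggerValue |
            Where-Object { $_ -ne $Name })
        Set-ItemProperty -Path $AutoTriggerKey -Name $AutoTriggerValue -Value $remaining -Type MultiString
    }
    return 'Repaired'
}

# Detection script (assumed profile name): exit 1 so that the remediation script runs.
#   $f = @(Test-AovpnProfileHealth -Name 'Always On VPN User' -AllUserConnection)
#   if ($f.Count -gt 0) { $f | ConvertTo-Json -Compress; exit 1 } else { 'Healthy'; exit 0 }
# Remediation script (assumed paths):
#   Repair-AovpnProfile -Name 'Always On VPN User' -AllUserConnection -EapConfigPath 'C:\ProgramData\AOVPN\eap.xml'
```

The detection side deliberately reports findings rather than fixing them, so the Intune portal shows how often each condition occurs across the fleet; the repair side takes the least invasive action that clears the finding, and only removes a profile when it is already unreadable. If Remove-VpnConnection itself fails on a corrupted profile, the remaining option is the rasphone.pbk clean-up Richard describes above.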
Gertjan van de Kolk
/ March 3, 2023
Hello,
Same problems with Autopilot Deployment Windows 11 22H2 (AAD Joined)
– In Intune we see error code -2147467259 and 0x80004005 for the VPN profile.
– When the VPN profile is manually deleted it gets reapplied correctly on the next sync.
– We use the GUI Intune profile. With the Custom profile there are other problems (it looks better, but we manually or through remediation change the value of UseRasCredentials=0 to 1 on reconnect of the VPN, so preferred is GUI for now….)
Tried a call with MS for this; hope we get a fix for this and maybe some extra information in these comments.
Gertjan van de Kolk
/ March 3, 2023
Hello,
I see same problems during Windows 11 Autopilot enrollment on several AAD joined devices.
– In Intune we see error “0x80004005” for the VPN profile.
– When the VPN profile is manually deleted it gets reapplied correctly on the next sync.
OS is Win11 22H2 and we make use of the Intune profile through the GUI (we also tested with the Custom profile. It looks to work better but we see another problem. We change the value in the rasphone.pbk UseRasCredentials=0, but on every reconnect it changes back to value =1. We changed this manually and/or through remediation).
I have created an MS call; hoping for this or for a reply in these comments.
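Gertjan's UseRasCredentials change is the kind of rasphone.pbk edit that a remediation script has to reapply whenever the profile is rewritten. The PowerShell below is an added example, not code from the post or from the author's scripts: it sets a single key inside one [EntryName] section of the INI-style phonebook and leaves every other entry untouched. A sample phonebook is constructed in a temporary file so the function can be exercised without touching a real profile; the entry names are assumptions.

```powershell
# Added example: set one key of one rasphone.pbk entry, e.g. UseRasCredentials=0.
# The sample phonebook below is constructed; entry names are assumed.

function Set-PbkEntryValue {
    # rasphone.pbk is INI-style: each VPN profile is a [EntryName] section of
    # Key=Value lines. Only the requested key inside the requested section changes.
    param(
        [Parameter(Mandatory)][string]$PbkPath,
        [Parameter(Mandatory)][string]$EntryName,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    if (-not (Test-Path -Path $PbkPath)) { throw "Phonebook not found: $PbkPath" }
    $lines      = @(Get-Content -Path $PbkPath)
    $keyPattern = '^' + [regex]::Escape($Key) + '=(.*)$'
    $inEntry = $false; $found = $false; $changed = $false
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\[(.*)\]\s*$') {
            $inEntry = ($Matches[1] -eq $EntryName)
            if ($inEntry) { $found = $true }
            continue
        }
        if ($inEntry -and $lines[$i] -match $keyPattern) {
            if ($Matches[1] -ne $Value) { $lines[$i] = "$Key=$Value"; $changed = $true }
            break
        }
    }
    if (-not $found) { throw "Entry [$EntryName] not found in $PbkPath" }
    if ($changed) { Set-Content -Path $PbkPath -Value $lines }
    return $changed
}

function Get-PbkEntryValue {
    # Reads one key from one entry; returns $null when entry or key is absent
    param(
        [Parameter(Mandatory)][string]$PbkPath,
        [Parameter(Mandatory)][string]$EntryName,
        [Parameter(Mandatory)][string]$Key
    )
    $inEntry = $false
    foreach ($line in (Get-Content -Path $PbkPath)) {
        if ($line -match '^\[(.*)\]\s*$') { $inEntry = ($Matches[1] -eq $EntryName); continue }
        if ($inEntry -and $line -match ('^' + [regex]::Escape($Key) + '=(.*)$')) { return $Matches[1] }
    }
    return $null
}

# Constructed sample phonebook with two entries; only the user tunnel is changed.
$samplePbk = Join-Path $env:TEMP 'rasphone-sample.pbk'
@'
[Always On VPN Device]
Encoding=1
UseRasCredentials=1

[Always On VPN User]
Encoding=1
UseRasCredentials=1
'@ | Set-Content -Path $samplePbk

Set-PbkEntryValue -PbkPath $samplePbk -EntryName 'Always On VPN User' -Key 'UseRasCredentials' -Value '0'
Get-PbkEntryValue -PbkPath $samplePbk -EntryName 'Always On VPN User'   -Key 'UseRasCredentials'
Get-PbkEntryValue -PbkPath $samplePbk -EntryName 'Always On VPN Device' -Key 'UseRasCredentials'
```

On a client the all-user phonebook is $env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk and the per-user one is $env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk. Because the value is returned as $true only when a line was actually rewritten, a remediation script can reconnect with rasdial only in that case. Set-Content writes with the host's default encoding, so confirm the profile still loads after the first run on a real phonebook; and since Richard's reply notes that a sync replaces the whole profile, the remediation has to run after each sync rather than once.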
Richard M. Hicks
/ March 3, 2023
Thanks for the feedback. No question that Intune is having problems with Windows 11 right now. This might be related to a known issue where VPN profiles are replaced each time a device sync occurs, even without changes to the profile. This would explain why UseRasCredentials is being reset all the time.
Microsoft is aware of the issue. No ETA on when it will be fixed, however.
Morten Wiingreen
/ April 11, 2023
Hi, any news regarding AOVPN and the Device Configuration profile?
As it is now, I am deploying with a custom PowerShell script. This works fine, but I am interested in using the configuration profile option instead.
Best regards
Morten Wiingreen
Richard M. Hicks
/ April 11, 2023
As far as I know, the issues with Intune-managed Windows 11 deployments persist. I know that Microsoft is aware of the issue, but I don’t have any timeline for a fix, unfortunately.
Grondin, Chris
/ April 11, 2023
All indications point to a Windows patch in the 4th quarter to address the issue. In the meantime, a proactive remediation script is about the only viable solution.
Nick
/ May 24, 2023
We have the same issue and MS confirmed no fix as yet 🙁
Richard M. Hicks
/ May 24, 2023
Microsoft is targeting end of June for this fix. Stay tuned!
Nick Webb
/ August 15, 2023
Hi Richard, don’t suppose you have heard anything from MS re a fix for this?
Richard M. Hicks
/ August 15, 2023
The fix came out at the end of July. However, some folks are still reporting issues. Are you still experiencing the problem after applying the end of July update? If so, are you using the VPN device configuration profile or the Custom profile in Intune to deploy your Always On VPN client configuration settings?
Neil Clarke
/ August 15, 2023
We still have the issue, BUT we are using the custom XML method to get the config out. Is the only solution to migrate to the config profile? Or will your article help?
Richard M. Hicks
/ August 15, 2023
Ok, good to know. There may be some changes to XML required to make this work. I’m testing that as we speak. Watch the blog for more information soon. 🙂
pat77upg
/ May 24, 2023
Hi, is it currently still so that the VPN profile is removed and created again during re-sync?
OS Win11 22H2 May Patch
AlwaysOn User Tunnel
Intune by Custom XML
Richard M. Hicks
/ May 24, 2023
Microsoft is targeting end of June for this fix. Hoping they come through on this one!
Wednesdayfrog
/ July 13, 2023
Sadly KB5028185 does not fix this issue. The profile is still removed during sync. Really hope that we can deploy a Custom XML with Intune in the future. We have some shared devices and thus a connection with “-alluser” is needed for autoconnect to work.
Until then we will continue to use your PowerShell script.
Richard M. Hicks
/ July 13, 2023
The fix was pushed back again for some reason. Microsoft is now saying end of July. Hopefully it comes this time!
golfperson
/ August 14, 2023It looks like this did not make it into the 2023-08 cumulative update either unfortunately. 🙁
We are using a proactive remediation to lower the interface metric of our device tunnel for DNS purposes, so this bug has been hurting us. Hopefully Microsoft gets it into the next rollup.
Richard M. Hicks
/ August 15, 2023Actually, it did. 🙂 If you are using the VPN device configuration profile in Intune it works. However, if you are using the Custom profile with your own XML, it does not. Working with Microsoft and a customer of mine who had an open support case for this issue we’ve identified the problem, though. I’m working to finalize some testing and hope to have an article published soon. Stay tuned!
WednesdayFrog
/ August 25, 2023That sounds very promising! Still a bummer that Microsoft has not been able to fix this issue for all supported ways of deployment. The XML-Method is even officially documented. They could at least expose all of the crucial options (like AllUsers) in the GUI. Looking forward to your solution.
coors22
/ September 13, 2023Hey Richard, any update on this problem?
We are having the same issue when deploying with a custom XML profile…
Richard M. Hicks
/ September 14, 2023The fix for this was released with the August updates for Windows 11. However, there can still be issues with deployments using custom XML. Reach out to me directly and I’ll provide you with more details and help you fix this issue.
Dinesh
/ September 21, 2023AOVPN is not automatically “ON” during provisioning of Windows 11 hybrid AP devices, but it's ON for Windows 10 devices. The same AOVPN config profile worked for Win 10 but not for Win 11. For Win 11 devices we can complete AP provisioning under the office network, and after reaching the home screen we can manually turn AOVPN ON using the rasphone command; thereafter my device is able to connect to the right domain.
Please help how I can resolve it for Win 11… I tried a custom profile; even that did not work.
Richard M. Hicks
/ September 21, 2023I’m not aware of any ongoing issues with Windows 11 that would cause this problem. If you are using trusted network detection, I’d suggest removing that setting and testing again to see if that helps.
vpner
/ October 1, 2023Hi Richard, we're seeing the same issues when we deploy a custom XML policy. Every time there's an Intune policy sync, the VPN connection is disconnected briefly. Can you provide us with the fix for this issue?
Richard M. Hicks
/ October 2, 2023This issue seems to be related to the order in which your XML is configured. This is obviously new to Windows 11. I suggest deploying the profile with Intune as you would normally, then using the following PowerShell script to extract the deployed XML.
https://github.com/richardhicks/aovpn/blob/master/Get-VPNClientProfileXML.ps1
Compare the output from that script to your configuration. Make sure the elements in your XML are in the same exact order as the output XML.
Let me know if that helps at all!
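Richard's suggestion here, and again further down the thread in the June 2024 exchange, is to extract the XML that Intune actually wrote to the endpoint and make your custom XML match it element for element. Doing that comparison by eye in an editor is error-prone, so the following is an added example (not code from this post or from the aovpn repository) that walks two ProfileXML documents in document order and reports the first positions where the element sequence diverges. The file paths, the constructed sample XML and the function names are assumptions; comments and text values are deliberately ignored so that a stray XML comment, which one commenter below found they had to remove, does not mask a real ordering difference.

```powershell
# Added example, not code from the post or from the aovpn repository. It compares the
# element order of two ProfileXML documents: the XML extracted from an endpoint with
# Get-VPNClientProfileXML.ps1 and the XML uploaded to Intune. File paths and the
# sample XML below are constructed for the illustration.
param(
    [string]$DeployedPath  = "$env:TEMP\deployed-profile.xml",
    [string]$CandidatePath = "$env:TEMP\intune-profile.xml"
)

function Get-ElementPaths {
    # Walk the tree in document order and emit one path per element, e.g.
    # VPNProfile/NativeProfile/Servers. Comments, text and attributes are skipped,
    # so an XML comment never shows up as an ordering difference.
    param([System.Xml.XmlNode]$Node, [string]$Prefix = '')
    foreach ($child in $Node.ChildNodes) {
        if ($child.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        $path = if ($Prefix) { "$Prefix/$($child.LocalName)" } else { $child.LocalName }
        $path
        Get-ElementPaths -Node $child -Prefix $path
    }
}

function Compare-ProfileXmlOrder {
    # Returns one object per position where the two element sequences diverge.
    # An empty result means the candidate XML has exactly the deployed order.
    param([string]$DeployedXml, [string]$CandidateXml)
    $deployed  = @(Get-ElementPaths -Node ([xml]$DeployedXml))
    $candidate = @(Get-ElementPaths -Node ([xml]$CandidateXml))
    $count = [Math]::Max($deployed.Count, $candidate.Count)
    for ($i = 0; $i -lt $count; $i++) {
        $d = if ($i -lt $deployed.Count)  { $deployed[$i] }  else { '(missing)' }
        $c = if ($i -lt $candidate.Count) { $candidate[$i] } else { '(missing)' }
        if ($d -ne $c) {
            [pscustomobject]@{ Position = $i; Deployed = $d; Candidate = $c }
        }
    }
}

# Constructed sample input: the order as extracted from a device (left) and a
# hand-written profile (right) with two elements swapped and a comment added.
# Server name and settings are placeholders, not a recommended configuration.
$deployedSample = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>Automatic</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
    </Authentication>
  </NativeProfile>
</VPNProfile>
'@

$candidateSample = @'
<VPNProfile>
  <!-- user tunnel, maintained by the VPN team -->
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>Automatic</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
    </Authentication>
  </NativeProfile>
</VPNProfile>
'@

# Use real files when both exist; otherwise fall back to the constructed samples.
if ((Test-Path $DeployedPath) -and (Test-Path $CandidatePath)) {
    $deployedXml  = Get-Content -Raw -Path $DeployedPath
    $candidateXml = Get-Content -Raw -Path $CandidatePath
} else {
    $deployedXml  = $deployedSample
    $candidateXml = $candidateSample
}

$diff = @(Compare-ProfileXmlOrder -DeployedXml $deployedXml -CandidateXml $candidateXml)
if ($diff.Count -eq 0) {
    'Element order matches the deployed profile.'
} else {
    $diff | Format-Table -AutoSize
}
```

Run it on the extracted XML and your Intune XML; every row it prints is a position where the two sequences disagree, starting at the first swapped element. Because the walk is purely structural, matching the element order is necessary but not sufficient: values such as NativeProtocolType still need to match the CSP's allowed values, which the thread below goes on to discuss.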
WednesdayFrog
/ October 2, 2023Wow, this seems to fix it. Extracted the XML and compared it with VS Code. We also removed all comments. Awesome work, Richard!
vpner
/ October 2, 2023Hi WednesdayFrog, can you post an XML file without the real connection values so we can compare ours?
WednesdayFrog
/ October 2, 2023Hey, you can use the script Richard posted on a client where you deployed the profile. It needs to run as System (could use a scheduled task). You will see that the order in the extracted XML is quite different, and in our case there were metrics on the routes. NativeType was also missing – I think it should resort to “automatic”, which matches our config.
We basically just used the output after a quick test.
WednesdayFrog
/ October 2, 2023NativeType was included in a second test – not sure why it was missing in the first extraction.
WednesdayFrog
/ October 4, 2023It seems that the line for NativeProfileType is only present on freshly deployed profiles. Seems like we will have to deploy a fresh profile with a new name to get a consistent fix.
WednesdayFrog
/ October 4, 2023We set NativeProtocolType to “SSTP”. This gives us consistent results on old and fresh profiles. Automatic seems to result in some clients with this option missing in the extracted XML. This caused the issue in our case.
Richard M. Hicks
/ October 4, 2023That’s interesting, as SSTP isn’t a supported value for the NativeProtocolType setting in the CSP.
https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenamenativeprofilenativeprotocoltype
Did you use the new ProtocolList option instead?
https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenamenativeprofileprotocollist
WednesdayFrog
/ October 4, 2023Hey Richard, we used “SSTP”. This results in “VpnStrategy=5”, which means SSTP only. Maybe this is not documented? The extracted XML also contains this setting and we don't get any disconnects during sync.
Richard M. Hicks
/ October 4, 2023Right. But SSTP isn’t valid for the NativeProtocolType setting in XML (see the CSP reference earlier). You can set it to Automatic, which is effectively SSTP. Alternatively you can change the VpnStrategy setting in rasphone.pbk. Is that what you did? Just curious. 🙂
WednesdayFrog
/ October 4, 2023Oh, it removed the XML part from my comment. No, we used “SSTP” directly in the XML as NativeProfileType. It is also listed as an allowed value on the link you posted. I've also checked on freshly deployed clients – VpnStrategy is set to 5 without using a remediation.
Richard M. Hicks
/ October 4, 2023My apologies. They must have updated the CSP recently to support SSTP. It was not supported in the past. Sorry for the confusion. 🙂
Grant Sagear
/ January 15, 2024Using custom XML deployment via Intune. Works perfectly in Windows 10, does NOT work on Windows 11 23H2 (build 22631.2861). Ran your script and re-ordered my XML file to match the output of the script; it does not matter. On an Intune sync the AOVPN disconnects and has to reconnect. What am I missing? Any assistance appreciated.
Richard M. Hicks
/ January 15, 2024Known issue. I’ve had some success re-ordering custom XML, but it doesn’t work every time for some reason. The only thing I can suggest is to open a support case with Microsoft. Hopefully they are working to address this soon. More support cases put pressure on them to do so. 🙂
DG38
/ February 13, 2024Hello Richard,
We are still experiencing the ordering issue in the XML custom profile with Windows 11 and Intune. How did you manage to fix this? Did you export the created profile with the Get-VPNClientProfileXML.ps1 script and reorder the Intune XML profile the same way?
Sadly, we are using this to force SSTP over IKEv2:
ProtocolList
SSTP
IKEv2
0
It prevents us from exporting the XML profile with PowerShell… Do you have a workaround?
Is there a way to trace what order Intune expects ?
Richard M. Hicks
/ February 13, 2024Unfortunately, this has not been fixed by Microsoft. If you’d like to send me your XML file I’d be happy to have a look and see what I can suggest. Otherwise, it’s pretty much trial and error to see if you can find something Intune is happy with. :/
coors22
/ September 13, 2023Hi Richard,
Any update on this? We are seeing the same problem when using a CustomXML Profile…
Flo-TPG
/ November 27, 2023We also struggle with UseRasCredentials getting set to 1.
We’re using custom XML via Intune.
We run your famous remediation script hourly. A few users have issues with SQL and SSPI errors like:
“The Service Principal Name (Delegation) configuration has been set incorrectly
Server Connect URL: “net.tcp://server01.domain.local:7146/NAVProd01/Service”.
SPN Identity: “DynamicsNAV/server01.domain.local:7146”
A call to SSPI failed, see inner exception”
Setting UseRasCredentials=0 helps to fix this, but it looks like it's getting set back to 1 (not sure when; you mentioned on every VPN connect?).
https://directaccess.richardhicks.com/tag/profilexml/page/2/
Here you mentioned “false” – is this available now in 23H2? The documentation still says it's available since 21H2, which you mentioned isn't true:
https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenameuserascredentials
Richard M. Hicks
/ November 28, 2023I don’t believe the UseRasCredentials setting in XML is supported in any current release of Windows today. I haven’t tested 23H2, though.
You can use Intune Remediations to update rasphone.pbk, but this has limitations. For example, if the setting is changed while the VPN is connected, the change won’t take effect until the VPN is restarted. Also, if the VPN profile is removed and replaced (a known issue when using Windows 11 with custom XML) you end up with a new VPN profile each time the device syncs. This restores the default setting for UseRasCredentials which means the remediation must run again (and potentially another VPN restart will be required).
Alternatively, you could implement the setting using group policy by enabling the following setting.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication = Enabled
Ultimately this is a registry setting somewhere, but I can’t seem to find that reference right now. I’ll post it when I find it, though.
Hope that helps!
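The remediation approach Richard describes above (rewriting UseRasCredentials in rasphone.pbk) is easy to get subtly wrong: the key appears in every profile section of the phonebook, the file exists in two locations (user tunnel and device tunnel), and the value needs to be re-checked after every sync because a re-created profile comes back with the default. The following is an added example, not the post's own remediation script and not code from the aovpn repository, showing detection and remediation logic that edits only the named profile's section. The profile name, the -Remediate switch and the single-script layout are assumptions for illustration; an Intune Remediation package splits detection and remediation into two scripts, and the detection half is the part that returns the exit code.

```powershell
# Added example, not the post's own remediation script and not from the aovpn repository.
# Detection/remediation logic for UseRasCredentials in rasphone.pbk. The profile name,
# the -Remediate switch and the single-script layout are assumptions for illustration.
param(
    [string]$ProfileName = 'Contoso Always On VPN',   # constructed example name
    [switch]$Remediate
)

# rasphone.pbk locations: the signed-in user's phonebook (user tunnel) and the
# machine phonebook (device tunnel). The latter is only writable as SYSTEM, which
# is the context Intune Remediations run in unless configured otherwise.
$PbkPaths = @(
    (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)

function Set-PbkValue {
    # rasphone.pbk is INI-style text: a [Profile Name] header followed by key=value
    # lines. Rewrite the key only inside the named profile's section and report
    # whether anything changed, so the caller can decide between detect and fix.
    param([string[]]$Lines, [string]$Profile, [string]$Key, [string]$Value)
    $inSection = $false
    $changed   = $false
    $out = foreach ($line in $Lines) {
        if ($line -match '^\[(.*)\]$') { $inSection = ($Matches[1] -eq $Profile) }
        if ($inSection -and $line -match "^$Key=(.*)$") {
            if ($Matches[1] -ne $Value) { $changed = $true; "$Key=$Value" } else { $line }
        } else {
            $line
        }
    }
    [pscustomobject]@{ Lines = $out; Changed = $changed }
}

$nonCompliant = $false
foreach ($pbk in $PbkPaths) {
    if (-not (Test-Path $pbk)) { continue }
    $result = Set-PbkValue -Lines (Get-Content -Path $pbk) -Profile $ProfileName `
                           -Key 'UseRasCredentials' -Value '0'
    if (-not $result.Changed) { continue }
    $nonCompliant = $true
    if ($Remediate) {
        # Assumption: Windows PowerShell 5.1 (which Intune uses for Remediations)
        # writes the system ANSI code page with -Encoding Default, matching the
        # encoding rasphone.pbk is normally stored in. Verify on your build first.
        Set-Content -Path $pbk -Value $result.Lines -Encoding Default
        Write-Output "UseRasCredentials=0 written for '$ProfileName' in $pbk"
    } else {
        Write-Output "UseRasCredentials is not 0 for '$ProfileName' in $pbk"
    }
}

# Intune Remediation detection contract: exit 1 = non-compliant (run remediation),
# exit 0 = compliant. Remediation mode always exits 0 after writing.
if ($nonCompliant -and -not $Remediate) { exit 1 }
exit 0
```

Two caveats follow directly from Richard's comment: the rewritten value only takes effect once the VPN connection is re-established, so the remediation should be scheduled for a time when a reconnect is acceptable, and on Windows 11 with custom XML the profile may be deleted and recreated at each sync, so the detection script will keep reporting non-compliance until the underlying ordering issue discussed earlier in the thread is resolved.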
jgledsona67123ba15
/ May 8, 2024We have Windows 11 with an EAP (PEAP) XML profile, connecting to Entra Conditional Access VPN for the 1 hour certificate. This connects the AOVPN, but as soon as there is a sync the VPN connection drops.
Richard M. Hicks
/ May 8, 2024This is a known issue if you are using custom XML. You will need to review your XML and ensure that it is exactly what Intune expects. Extract the VPN XML using the following PowerShell script.
https://github.com/richardhicks/aovpn/blob/master/Get-VPNClientProfileXML.ps1
Compare it to your XML and if something doesn’t match (anything at all!) then update yours to match. It should work fine after that. 🙂
jgledsona67123ba15
/ June 7, 2024Thanks, I ran the script but it comes back saying the VPN connection I put in does not exist. It is a user tunnel, running the script as admin. I am using the same name that comes up when running Get-VpnConnection.
Richard M. Hicks
/ June 7, 2024If you are elevating as a different user, you won’t have access to the VPN profile. Try running Get-VpnConnection and once you see your VPN profile, hit the up arrow and pipe the command to Get-VpnClientProfileXML.ps1.
Let me know if that helps!