Always On VPN Windows 11 Issues with Intune

Always On VPN RasMan Errors in Windows 10 1903

Since the introduction of Windows 11, there have been numerous reports of issues with Always On VPN when deployed using Microsoft Endpoint Manager/Intune. Specifically, administrators have been reporting that Always On VPN profiles are being deleted, then later reappearing. Obviously, this is highly disruptive to users in the field.

Causes

According to Microsoft, there are several causes for deleted VPN profiles.

Changes to an Existing Profile

Missing Always On VPN profiles commonly occurs when updating settings for an existing VPN profile applied to Windows 11 endpoints. In this scenario, the VPN profile is deleted but not immediately replaced. Synchronize the device with Microsoft Endpoint Manager/Intune once more to return the VPN profile.

Multiple Profiles

Issues with Always On VPN profiles may also occur if two new VPN profiles are applied to the endpoint simultaneously.

Remove and Replace

Removing and replacing an Always On VPN profile at the same time will also result in connectivity issues.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure

Workaround

There is no known workaround for these issues at this time. Microsoft is aware of the problem and is working on a fix, and until then, rolling out Windows 11 with Always On VPN should be avoided.

Additional Issues

There have been reports of other known issues with Windows 11 and Always On VPN. For instance, my PowerShell script that removes an Always On VPN connection doesn’t work with Windows 11. I’m working to resolve that issue as we speak.

Are you experiencing any issues with Always On VPN on Windows 11? Please share them in the comments below!

Leave a comment

11 Comments

  1. Flo

     /  October 28, 2021

    Thanks Richard!

    Reply
  2. Matt

     /  October 28, 2021

    We have found that Win11 is treating certificates for AOVPN with case sensitivity. If the CN or SAN of the cert is SERVER.DOMAIN.COM and the AOVPN script uses server.domain.com, it will not trust the cert. Only by updating the install script to use the proper case-sensitivity are we able to get Win11 AOVPN clients connecting.

    Reply
  3. Nathan Lamonski

     /  October 28, 2021

    Thanks having the exact same issue in my environment with Windows 11.

    Reply
  4. Hi Richard,

    I have noticed that even with Single VPN Profiles created in Intune that it is installing the profile and then within a minutes time it is deleting the profile and event viewer complains about add and remove command. I have seen this issue all throughout the beta and release of Windows 11.

    I have found a workaround and that is to use the older Custom OMA-URI xml file method to deploy the VPN profile, this works flawlessly and I always use this method if a client has issues with the normal Intune VPN profile method.

    Reply
  5. Mike Mathis

     /  October 29, 2021

    We are seeing the connection be applied to the Win 11 client and then remove it at the next Endpoint Manager policy sync.

    Reply
  6. DD

     /  October 29, 2021

    Hi Richard, is this documented publicly by Microsoft anywhere?

    Reply
  7. Paul Warren

     /  November 2, 2021

    We’ve had this issue during the pre-release period of Windows 11 and have been working with Microsoft. A recent fix went into the dev channel insider build (22489) which resulted in the VPN stabilising.

    Reply

Leave a Reply

%d bloggers like this: