Always On VPN Windows 11 Issues with Intune


Since the introduction of Windows 11, there have been numerous reports of issues with Always On VPN when deployed using Microsoft Endpoint Manager/Intune. Specifically, administrators have been reporting that Always On VPN profiles are being deleted, then later reappearing. Obviously, this is highly disruptive to users in the field.

Causes

According to Microsoft, there are several causes for deleted VPN profiles.

Changes to an Existing Profile

Missing Always On VPN profiles commonly occur when updating the settings of an existing VPN profile applied to Windows 11 endpoints. In this scenario, the VPN profile is deleted but not immediately replaced. Synchronize the device with Microsoft Endpoint Manager/Intune once more to restore the VPN profile.

Multiple Profiles

Issues with Always On VPN profiles may also occur if two new VPN profiles are applied to the endpoint simultaneously.

Remove and Replace

Removing and replacing an Always On VPN profile at the same time will also result in connectivity issues.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure

Workaround

There is no known workaround for these issues at this time. Microsoft is aware of the problem and is working on a fix, and until then, rolling out Windows 11 with Always On VPN should be avoided.

Additional Issues

There have been reports of other known issues with Windows 11 and Always On VPN. For instance, my PowerShell script that removes an Always On VPN connection doesn’t work with Windows 11. I’m working to resolve that issue as we speak.

Are you experiencing any issues with Always On VPN on Windows 11? Please share them in the comments below!


23 Comments

  1. Flo

     /  October 28, 2021

    Thanks Richard!

    Reply
  2. Matt

     /  October 28, 2021

    We have found that Win11 is treating certificates for AOVPN with case sensitivity. If the CN or SAN of the cert is SERVER.DOMAIN.COM and the AOVPN script uses server.domain.com, it will not trust the cert. Only by updating the install script to use the proper case-sensitivity are we able to get Win11 AOVPN clients connecting.

    Reply
  3. Nathan Lamonski

     /  October 28, 2021

    Thanks, having the exact same issue in my environment with Windows 11.

    Reply
  4. Hi Richard,

    I have noticed that even with single VPN profiles created in Intune, it is installing the profile and then within a minute's time it is deleting the profile, and Event Viewer complains about the add and remove command. I have seen this issue all throughout the beta and release of Windows 11.

    I have found a workaround and that is to use the older Custom OMA-URI xml file method to deploy the VPN profile, this works flawlessly and I always use this method if a client has issues with the normal Intune VPN profile method.

    Reply
  5. Mike Mathis

     /  October 29, 2021

    We are seeing the connection be applied to the Win 11 client and then remove it at the next Endpoint Manager policy sync.

    Reply
  6. DD

     /  October 29, 2021

    Hi Richard, is this documented publicly by Microsoft anywhere?

    Reply
  7. Paul Warren

     /  November 2, 2021

    We’ve had this issue during the pre-release period of Windows 11 and have been working with Microsoft. A recent fix went into the dev channel insider build (22489) which resulted in the VPN stabilising.

    Reply
    • That’s good news. Hopefully, it makes it to GA soon!

      Reply
    • Lars Knakkergaard.

       /  November 14, 2021

      Hi Paul – could you please update this blog when you get more news – we are struggling with the same and we wish to deploy win11 but not before this is fixed.

      Reply
  8. jeffirvine

     /  November 17, 2021

    I am seeing the same thing. Although for weeks, the device tunnel was typically solid, only very rarely disappearing. The user tunnel (SSTP) only ever provisioned once and then never returned. But some time in the last 2 weeks (?) the device tunnel no longer provisions on the client but the user tunnel is here! The only thing MEM shows is “Remediation failed”. The client log just shows the tunnel being deleted.

    HOWEVER, I just joined this particular laptop into the Insider Beta, rebooted and now both tunnels are provisioned and connected. Fingers crossed they both stick around this time.

    Reply
    • Thanks for the insight. Indeed, I’m hearing that these issues have been fixed in build 22483 and later. I’m testing as we speak, in fact, and it is working flawlessly. Hopefully, the fix makes it to GA soon. 🙂

      Reply
  9. Andrew Turner

     /  November 26, 2021

    Hi
    Taken me a while to find this bug as I’m still running Windows 10, unfortunately with the latest feature update 19044.1387 I have had this problem with case sensitivity of the certificate domain.

    Reply
    • Interesting. It sounds like perhaps some code from Windows 11 was backported to Windows 10. I will do some testing and see what I can learn.

      Reply
  10. hstrang

     /  December 13, 2021

    I am trying to add a VPN connection during Windows Autopilot deployment with the help of your scripts as “AllUserConnection” (not device tunnel). When deploying W10 it works fine every time but not with W11 where the profile ends up corrupted.

    No error messages are logged and I get “created successfully” but the resulting profile seems to be missing the whole XML part. Checking with get-vpnconnection -alluserconnection it says “The VPN connection XXX cannot be retrieved from the global user connections. : A call to EAP Host returned an error.” Fully QualifiedErrorId : EAP -2143158255,Get-VpnConnection

    Deploying the same package to W11 with Intune after the end user setup has been completely finalized creates a working setup, so the profile and the tools are compatible as such. The downside of doing this is that it can take hours before Intune installs the package.

    Reply
    • Indeed, a few of my scripts aren’t working on Windows 11 unfortunately. I’ve also seen the issue where the script creates the profile but it is corrupted and can’t be removed with Remove-VpnConnection. You end up having to delete the rasphone.pbk file. I’m still investigating, but one of the issues has already been tracked to a bug in Windows 11. :/

      Reply
  11. Daniel

     /  December 16, 2021

    We’re seeing issues with IPv6 routes in Windows 11. Our device VPN is routing all IPv6 traffic and ignoring the rules in the xml. Same config works fine with Windows 10. IPv4 is fine and traffic is limited to DCs etc

    Reply
    • Oh, that’s interesting. I’ll do some testing soon and see if I encounter the same behavior.

      Reply
    • I did some testing recently and didn’t have the same experience. How are you provisioning your Always On VPN profiles? Intune or PowerShell? If Intune, is it using the VPN template or custom XML?

      Reply
  12. Matt

     /  January 7, 2022

    Any news on a rough release date for this fix?

    Reply
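Two of the comments above describe symptoms that are cheap to check for from the endpoint: Matt's report that Windows 11 compares the server name in the VPN profile against the certificate name case-sensitively, and hstrang's report of a profile that exists but whose XML body is missing, so that Get-VpnConnection -AllUserConnection fails with "A call to EAP Host returned an error". The following diagnostic function is an added example written for this page; it is not one of Richard's scripts and not from the post. It assumes the caller supplies the profile name and the server FQDN exactly as it appears in the VPN server certificate, and it reports the standard rasphone.pbk location for the scope in which the profile was found (the file the author mentions having to delete when a corrupted profile cannot be removed with Remove-VpnConnection).

```powershell
# Added diagnostic example, not from the post or its author's scripts.
# Assumptions: $ProfileName is the Always On VPN connection name as shown by
# Get-VpnConnection, and $ExpectedServer is the server FQDN written exactly as it
# appears in the VPN server certificate subject/SAN (a commenter reported Windows 11
# treating this comparison as case-sensitive).
function Test-AovpnProfileHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProfileName,
        [Parameter(Mandatory)] [string] $ExpectedServer
    )

    $result = [ordered]@{
        ProfileName   = $ProfileName
        Scope         = $null      # 'User' or 'AllUser' when found
        Present       = $false     # $false in both scopes = the "profile deleted" state
        Corrupted     = $false     # $true when the EAP Host error from the comments occurs
        ServerAddress = $null
        CaseMatch     = $null      # case-sensitive comparison against $ExpectedServer
        PbkPath       = $null      # standard phonebook location for the scope
        ErrorDetail   = $null
    }

    # Standard rasphone.pbk locations for per-user and all-user (machine) connections.
    $pbkPaths = @{
        User    = Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'
        AllUser = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    }

    foreach ($scope in @('User', 'AllUser')) {
        try {
            if ($scope -eq 'AllUser') {
                $conn = Get-VpnConnection -Name $ProfileName -AllUserConnection -ErrorAction Stop
            } else {
                $conn = Get-VpnConnection -Name $ProfileName -ErrorAction Stop
            }
        } catch {
            # "cannot be retrieved ... A call to EAP Host returned an error" is the symptom
            # reported in the comments for a profile whose XML body is missing.
            if ($_.Exception.Message -match 'EAP Host') {
                $result.Scope       = $scope
                $result.Corrupted   = $true
                $result.PbkPath     = $pbkPaths[$scope]
                $result.ErrorDetail = $_.Exception.Message
                return [pscustomobject]$result
            }
            # Any other error means the profile is not in this scope; try the next one.
            continue
        }

        $result.Scope         = $scope
        $result.Present       = $true
        $result.ServerAddress = $conn.ServerAddress
        $result.PbkPath       = $pbkPaths[$scope]
        # -ceq is PowerShell's case-sensitive string equality operator; -eq would hide
        # the SERVER.DOMAIN.COM vs server.domain.com mismatch described in the comments.
        $result.CaseMatch     = ($conn.ServerAddress -ceq $ExpectedServer)
        return [pscustomobject]$result
    }

    # Not found in either scope: this is the "profile deleted, not yet replaced" state
    # described in the post, for which another Intune sync is the documented remedy.
    return [pscustomobject]$result
}

# Example call (placeholder values, not from the page):
# Test-AovpnProfileHealth -ProfileName 'Always On VPN (User)' -ExpectedServer 'vpn.example.com'
```

Run it in the context that owns the profile: an elevated session for an all-user (device tunnel or AllUserConnection) profile, the signed-in user's session for a per-user tunnel. A result with Present set to $true and CaseMatch set to $false points at the certificate-name case mismatch rather than at Intune removing the profile, and a result with Corrupted set to $true reproduces the empty-XML condition that Remove-VpnConnection cannot clear, so the returned PbkPath is where to look next.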
