Always On VPN Windows 11 Issues with Intune

Always On VPN RasMan Errors in Windows 10 1903

Since the introduction of Windows 11, there have been numerous reports of issues with Always On VPN when deployed using Microsoft Endpoint Manager/Intune. Specifically, administrators have been reporting that Always On VPN profiles are being deleted, then later reappearing. Obviously, this is highly disruptive to users in the field.

Causes

According to Microsoft, there are several causes for deleted VPN profiles.

Changes to an Existing Profile

Missing Always On VPN profiles commonly occurs when updating settings for an existing VPN profile applied to Windows 11 endpoints. In this scenario, the VPN profile is deleted but not immediately replaced. Synchronize the device with Microsoft Endpoint Manager/Intune once more to return the VPN profile.

Multiple Profiles

Issues with Always On VPN profiles may also occur if two new VPN profiles are applied to the endpoint simultaneously.

Remove and Replace

Removing and replacing an Always On VPN profile at the same time will also result in connectivity issues.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure

Workaround

There is no known workaround for these issues at this time. Microsoft is aware of the problem and is working on a fix, and until then, rolling out Windows 11 with Always On VPN should be avoided.

Additional Issues

There have been reports of other known issues with Windows 11 and Always On VPN. For instance, my PowerShell script that removes an Always On VPN connection doesn’t work with Windows 11. I’m working to resolve that issue as we speak.

Are you experiencing any issues with Always On VPN on Windows 11? Please share them in the comments below!

Leave a comment

16 Comments

  1. Flo

     /  October 28, 2021

    Thanks Richard!

    Reply
  2. Matt

     /  October 28, 2021

    We have found that Win11 is treating certificates for AOVPN with case sensitivity. If the CN or SAN of the cert is SERVER.DOMAIN.COM and the AOVPN script uses server.domain.com, it will not trust the cert. Only by updating the install script to use the proper case-sensitivity are we able to get Win11 AOVPN clients connecting.

    Reply
  3. Nathan Lamonski

     /  October 28, 2021

    Thanks having the exact same issue in my environment with Windows 11.

    Reply
  4. Hi Richard,

    I have noticed that even with Single VPN Profiles created in Intune that it is installing the profile and then within a minutes time it is deleting the profile and event viewer complains about add and remove command. I have seen this issue all throughout the beta and release of Windows 11.

    I have found a workaround and that is to use the older Custom OMA-URI xml file method to deploy the VPN profile, this works flawlessly and I always use this method if a client has issues with the normal Intune VPN profile method.

    Reply
  5. Mike Mathis

     /  October 29, 2021

    We are seeing the connection be applied to the Win 11 client and then remove it at the next Endpoint Manager policy sync.

    Reply
  6. DD

     /  October 29, 2021

    Hi Richard, is this documented publicly by Microsoft anywhere?

    Reply
  7. Paul Warren

     /  November 2, 2021

    We’ve had this issue during the pre-release period of Windows 11 and have been working with Microsoft. A recent fix went into the dev channel insider build (22489) which resulted in the VPN stabilising.

    Reply
    • That’s good news. Hopefully, it makes it to GA soon!

      Reply
    • Lars Knakkergaard.

       /  November 14, 2021

      Hi Paul – could you please update this blog when you get more news – we are struggling with the same and we wish to deploy win11 but not before this is fixed.

      Reply
  8. jeffirvine

     /  November 17, 2021

    I am seeing the same thing. Although for weeks, the device tunnel was typically solid, only very rarely disappearing. The user tunnel (SSTP) only ever provisioned once and then never returned. But some time in the last 2 weeks (?) the device tunnel no longer provisions on the client but the user tunnel is here! The only thing MEM shows is “Remediation failed”. The client log just shows the tunnel being deleted.

    HOWEVER, I just joined this particular laptop into the Insider Beta, rebooted and now both tunnels are provisioned and connected. Fingers crossed they both stick around this time.

    Reply
    • Thanks for the insight. Indeed, I’m hearing that these issues have been fixed in build 22483 and later. I’m testing as we speak, in fact, and it is working flawlessly. Hopefully, the fix makes it to GA soon. 🙂

      Reply
  9. Andrew Turner

     /  November 26, 2021

    Hi
    Taken me a while to find this bug as I’m still running Windows 10, unfortunately with the latest feature update 19044.1387 I have had this problem with case sensitivity of the certificate domain.

    Reply
    • Interesting. It sounds like perhaps some code from Windows 11 was backported to Windows 10. I will do some testing and see what I can learn.

      Reply

Leave a Reply

%d bloggers like this: