Always On VPN Windows 11 Issues with Intune


Since the introduction of Windows 11, there have been numerous reports of issues with Always On VPN when deployed using Microsoft Endpoint Manager/Intune. Specifically, administrators have been reporting that Always On VPN profiles are being deleted, then later reappearing. Obviously, this is highly disruptive to users in the field.

Update January 25, 2022: Microsoft has released a fix for the issues described in this article. It is included with KB5008353 (build 22000.469).

Causes

According to Microsoft, there are several causes for deleted VPN profiles.

Changes to an Existing Profile

Missing Always On VPN profiles most commonly occur when the settings of an existing VPN profile already assigned to Windows 11 endpoints are changed. In this scenario the old profile is deleted, but the updated profile is not provisioned right away. Synchronizing the device with Microsoft Endpoint Manager/Intune once more returns the VPN profile.

Multiple Profiles

Issues with Always On VPN profiles may also occur if two new VPN profiles (for example, a device tunnel and a user tunnel) are assigned to the endpoint at the same time.

Remove and Replace

Removing an Always On VPN profile and assigning its replacement in the same sync will also result in connectivity issues.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure

Workaround

At the time of writing there was no known workaround for these issues. Microsoft was aware of the problem and working on a fix, and until it shipped, rolling out Windows 11 with Always On VPN was best avoided. Per the update at the top of this article, that fix is included in KB5008353 (build 22000.469).
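Because the profile comes and goes with Intune syncs, the first thing to establish on an affected endpoint is whether the profile is actually gone, merely unreadable, or present but blocked from auto-triggering. The following triage script is an added example, not code from this post or from Microsoft; the tunnel names are assumptions passed as parameters, the phonebook paths are the ones Windows uses for user, all-user and SYSTEM-profile connections, and the optional sync trigger assumes the enrollment client's PushLaunch scheduled task is present. Run it elevated so the SYSTEM profile's phonebook is readable.

```powershell
# Added example (not from the original post): triage an Always On VPN profile on a
# Windows 11 endpoint that Endpoint Manager/Intune appears to have dropped.
# Tunnel names below are assumptions; override them with your own.

[CmdletBinding()]
param(
    [string]$UserTunnelName   = 'Always On VPN User Tunnel',     # assumed name
    [string]$DeviceTunnelName = 'Always On VPN Device Tunnel',   # assumed name
    [int]$LookbackHours       = 24,
    [switch]$TriggerSync
)

function Get-AovpnProfileState {
    param([string]$Name, [switch]$AllUserConnection)
    try {
        $conn = if ($AllUserConnection) { Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction Stop }
                else                    { Get-VpnConnection -Name $Name -ErrorAction Stop }
        [pscustomobject]@{ Profile = $Name; State = 'Present'; Detail = $conn.ConnectionStatus }
    }
    catch {
        # "A call to EAP Host returned an error" on an entry that exists points at a
        # corrupt phonebook entry rather than a missing profile; Remove-VpnConnection
        # will not clear that, the rasphone.pbk file has to be removed instead.
        $state = if ($_.Exception.Message -match 'EAP Host') { 'Corrupt' } else { 'Missing/unreadable' }
        [pscustomobject]@{ Profile = $Name; State = $state; Detail = $_.Exception.Message }
    }
}

function Get-PhonebookEntries {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # rasphone.pbk is INI-style; every [Section] header is one VPN entry.
    (Select-String -LiteralPath $Path -Pattern '^\[(.+)\]$').Matches | ForEach-Object { $_.Groups[1].Value }
}

# 1. What the RAS API reports for each tunnel.
Get-AovpnProfileState -Name $UserTunnelName
Get-AovpnProfileState -Name $DeviceTunnelName -AllUserConnection

# 2. What the phonebook files actually contain (user, all-user, and SYSTEM profile).
$phonebooks = @{
    User     = Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    AllUsers = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    System   = Join-Path $env:SystemRoot  'System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk'
}
foreach ($scope in $phonebooks.Keys) {
    $entries = Get-PhonebookEntries -Path $phonebooks[$scope]
    '{0,-8} {1}' -f $scope, $(if ($entries) { $entries -join ', ' } else { '<no entries>' })
}

# 3. Profiles listed in this RasMan value never auto-trigger, whatever the ProfileXML says.
$rasman = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config' `
            -Name AutoTriggerDisabledProfilesList -ErrorAction SilentlyContinue
if ($rasman.AutoTriggerDisabledProfilesList) {
    'AutoTriggerDisabledProfilesList: ' + ($rasman.AutoTriggerDisabledProfilesList -join ', ')
}

# 4. Recent RasClient dial/terminate events and MDM session errors, so a profile
#    disappearing can be lined up against an Intune sync.
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20222, 20226; StartTime = $since } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; Level = 2; StartTime = $since } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

# 5. Optionally request another MDM sync, which is what brings the profile back in the
#    "changed existing profile" case. Assumption: the enrollment client's PushLaunch task
#    under \Microsoft\Windows\EnterpriseMgmt\ exists on this device.
if ($TriggerSync) {
    Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction Stop | Start-ScheduledTask
    'MDM sync requested; re-run this script in a few minutes.'
}
```

The useful signal is the combination: a tunnel reported as missing by Get-VpnConnection while its entry is still in the phonebook, a timestamp match between an MDM session event and a RasClient 20226 termination, or a profile name sitting in AutoTriggerDisabledProfilesList, each points to a different cause and a different remediation.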

Additional Issues

There have been reports of other known issues with Windows 11 and Always On VPN. For instance, my PowerShell script that removes an Always On VPN connection doesn’t work with Windows 11. I’m working to resolve that issue as we speak.

Are you experiencing any issues with Always On VPN on Windows 11? Please share them in the comments below!


50 Comments

  1. Flo

     /  October 28, 2021

    Thanks Richard!

    Reply
  2. Matt

     /  October 28, 2021

    We have found that Win11 is treating certificates for AOVPN with case sensitivity. If the CN or SAN of the cert is SERVER.DOMAIN.COM and the AOVPN script uses server.domain.com, it will not trust the cert. Only by updating the install script to use the proper case-sensitivity are we able to get Win11 AOVPN clients connecting.

    Reply
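A practical check for the case-sensitivity behaviour reported in the comment above is to compare every host name the profile carries against the names on the gateway certificate twice: once with an exact (ordinal) comparison and once ignoring case. A name that only matches case-insensitively is exactly the mismatch described. The script is an added example, not the commenter's or the blog author's code; the ProfileXML and certificate names are constructed sample data, and in a real run you would pass your own ProfileXML string and the CN plus every DNS SAN from the VPN server certificate. It checks both the `<Servers>` element and the `<ServerNames>` list inside the embedded EAP server-validation configuration, since both are matched against a certificate.

```powershell
# Added example (not from the original post or comment): find profile host names that match
# the server certificate only when case is ignored. Sample data below is constructed.

function Get-AovpnServerNames {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $xml   = [xml]$ProfileXml
    $names = [System.Collections.Generic.List[string]]::new()

    # <Servers> may hold a comma-separated list of gateways (VPNv2 CSP syntax).
    foreach ($node in $xml.SelectNodes("//*[local-name()='Servers']")) {
        foreach ($entry in $node.InnerText -split ',') {
            if ($entry.Trim()) { $names.Add($entry.Trim()) }
        }
    }
    # EAP-TLS/PEAP server validation carries its own semicolon-separated <ServerNames> list
    # inside the namespaced EapHostConfig, hence the local-name() match.
    foreach ($node in $xml.SelectNodes("//*[local-name()='ServerNames']")) {
        foreach ($entry in $node.InnerText -split ';') {
            if ($entry.Trim()) { $names.Add($entry.Trim()) }
        }
    }
    return $names
}

function Test-AovpnServerNameCase {
    param(
        [Parameter(Mandatory)][string]$ProfileXml,
        [Parameter(Mandatory)][string[]]$CertificateNames   # CN plus every DNS SAN on the cert
    )

    foreach ($name in Get-AovpnServerNames -ProfileXml $ProfileXml) {
        $exact = $CertificateNames | Where-Object { [string]::Equals($_, $name, [StringComparison]::Ordinal) }
        $loose = $CertificateNames | Where-Object { [string]::Equals($_, $name, [StringComparison]::OrdinalIgnoreCase) }

        $status = if ($exact)     { 'OK' }
                  elseif ($loose) { "CASE MISMATCH (certificate has '$($loose | Select-Object -First 1)')" }
                  else            { 'NOT ON CERTIFICATE' }
        [pscustomobject]@{ ProfileName = $name; Status = $status }
    }
}

# Constructed sample: gateway name written in lower case in the profile, issued in upper case
# on the certificate; the NPS name matches exactly.
$sampleProfileXml = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.domain.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <ServerValidation>
                    <ServerNames>nps.domain.com</ServerNames>
                  </ServerValidation>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </Configuration>
      </Eap>
    </Authentication>
  </NativeProfile>
</VPNProfile>
'@

$sampleCertNames = @('VPN.DOMAIN.COM', 'nps.domain.com')

Test-AovpnServerNameCase -ProfileXml $sampleProfileXml -CertificateNames $sampleCertNames | Format-Table -AutoSize
```

For the sample data the first row reports a case mismatch for vpn.domain.com and the second reports OK. The safe fix is the one the comment describes: rewrite the profile to use the certificate's exact spelling rather than relying on the client to match case-insensitively.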
  3. Nathan Lamonski

     /  October 28, 2021

    Thanks, having the exact same issue in my environment with Windows 11.

    Reply
  4. Hi Richard,

    I have noticed that even with single VPN profiles created in Intune, it installs the profile and then, within a minute's time, deletes the profile, and Event Viewer complains about the add and remove command. I have seen this issue all throughout the beta and release of Windows 11.

    I have found a workaround and that is to use the older Custom OMA-URI xml file method to deploy the VPN profile, this works flawlessly and I always use this method if a client has issues with the normal Intune VPN profile method.

    Reply
  5. Mike Mathis

     /  October 29, 2021

    We are seeing the connection be applied to the Win 11 client and then remove it at the next Endpoint Manager policy sync.

    Reply
  6. DD

     /  October 29, 2021

    Hi Richard, is this documented publicly by Microsoft anywhere?

    Reply
  7. Paul Warren

     /  November 2, 2021

    We’ve had this issue during the pre-release period of Windows 11 and have been working with Microsoft. A recent fix went into the dev channel insider build (22489) which resulted in the VPN stabilising.

    Reply
    • That’s good news. Hopefully, it makes it to GA soon!

      Reply
    • Lars Knakkergaard

       /  November 14, 2021

      Hi Paul – could you please update this blog when you get more news – we are struggling with the same and we wish to deploy win11 but not before this is fixed.

      Reply
  8. jeffirvine

     /  November 17, 2021

    I am seeing the same thing. Although for weeks, the device tunnel was typically solid, only very rarely disappearing. The user tunnel (SSTP) only ever provisioned once and then never returned. But some time in the last 2 weeks (?) the device tunnel no longer provisions on the client but the user tunnel is here! The only thing MEM shows is “Remediation failed”. The client log just shows the tunnel being deleted.

    HOWEVER, I just joined this particular laptop into the Insider Beta, rebooted and now both tunnels are provisioned and connected. Fingers crossed they both stick around this time.

    Reply
    • Thanks for the insight. Indeed, I’m hearing that these issues have been fixed in build 22483 and later. I’m testing as we speak, in fact, and it is working flawlessly. Hopefully, the fix makes it to GA soon. 🙂

      Reply
  9. Andrew Turner

     /  November 26, 2021

    Hi
    Taken me a while to find this bug as I'm still running Windows 10; unfortunately, with the latest feature update 19044.1387 I have had this problem with case sensitivity of the certificate domain.

    Reply
    • Interesting. It sounds like perhaps some code from Windows 11 was backported to Windows 10. I will do some testing and see what I can learn.

      Reply
  10. hstrang

     /  December 13, 2021

    I am trying to add a VPN connection during Windows Autopilot deployment with the help of your scripts as “AllUserConnection” (not device tunnel). When deploying W10 it works fine every time but not with W11 where the profile ends up corrupted.

    No error messages are logged and I get "created successfully" but the resulting profile seems to be missing the whole XML part. Checking with Get-VpnConnection -AllUserConnection it says "The VPN connection XXX cannot be retrieved from the global user connections. : A call to EAP Host returned an error." FullyQualifiedErrorId : EAP -2143158255,Get-VpnConnection

    Deploying the same package to W11 with Intune after the end user setup has been completely finalized creates a working setup, so the profile and the tools are compatible as such. The downside of doing this is that it can take hours before Intune installs the package.

    Reply
    • Indeed, a few of my scripts aren’t working on Windows 11 unfortunately. I’ve also seen the issue where the script creates the profile but it is corrupted and can’t be removed with Remove-VpnConnection. You end up having to delete the rasphone.pbk file. I’m still investigating, but one of the issues has already been tracked to a bug in Windows 11. :/

      Reply
  11. Daniel

     /  December 16, 2021

    We’re seeing issues with IPv6 routes in Windows 11. Our device VPN is routing all IPv6 traffic and ignoring the rules in the XML. The same config works fine with Windows 10. IPv4 is fine and traffic is limited to DCs, etc.

    Reply
    • Oh, that’s interesting. I’ll do some testing soon and see if I encounter the same behavior.

      Reply
    • I did some testing recently and didn’t have the same experience. How are you provisioning your Always On VPN profiles? Intune or PowerShell? If Intune, is it using the VPN template or custom XML?

      Reply
  12. Matt

     /  January 7, 2022

    Any news on a rough release date for this fix?

    Reply
  13. Thanks for your really helpful articles. We fixed the case sensitivity issue. Updated to the latest dev build and managed to get 2 VPN profiles to install and connect on W11. They don’t show compliant in Intune though. I have raised a ticket with MS and they are looking at it.

    Reply
  14. Trying to create an image to roll out to my testing users but ran into this Always On VPN not working as well. Installing the latest updates now to see if that solves this problem; currently testing it on Windows 11 Version 21H2 (OS Build 22000.376).

    Reply
  15. Jacob Normand Olesen

     /  January 26, 2022

    Hi, I can see MS has announced a fix in KB5008353, the preview for February.

    Reply
  16. Andreas

     /  January 31, 2022

    Microsoft released the preview patch which fixes the Always On issue with Intune.
    https://support.microsoft.com/en-au/topic/january-25-2022-kb5008353-os-build-22000-469-preview-920e6297-567b-4b95-afe9-35d17de02c3a
    Tested here with 2 notebooks and it works fine. Will be available on the February patch day.

    Reply
  17. Nathan Lamonski

     /  January 31, 2022

    Looks like it is fixed in KB5008353. Going to test it out on a test device to see if this is the case.

    https://support.microsoft.com/en-us/topic/january-25-2022-kb5008353-os-build-22000-469-preview-920e6297-567b-4b95-afe9-35d17de02c3a

    Addresses an issue that might cause VPN profiles to disappear. This issue occurs when you use Microsoft Intune or a third-party mobile device management (MDM) tool to deploy VPN profiles on Windows 11 (original release).

    Reply
  18. Nathan Lamonski

     /  January 31, 2022

    Looks like Microsoft addressed this in KB5008353 for Windows 11.

    https://support.microsoft.com/en-us/topic/january-25-2022-kb5008353-os-build-22000-469-preview-920e6297-567b-4b95-afe9-35d17de02c3a

    Addresses an issue that might cause VPN profiles to disappear. This issue occurs when you use Microsoft Intune or a third-party mobile device management (MDM) tool to deploy VPN profiles on Windows 11 (original release).

    Going to try it out on a test device to see if it corrects the issue.

    Reply
  19. Rene Buedinger

     /  February 7, 2022

    Hi Richard, I appreciate what you do here and share your knowledge with us. Thank you very much!
    I started to roll out W11 recently on a few devices, and I indeed have some issues I can not wrap my head around yet. We do not use Intune, but roll out the VPN profiles via SCCM and PowerShell scripts.
    We roll out 2 profiles: Machine Tunnel (IKEv2) and User Tunnel (IKEv2 with SSTP fallback).
    I recently got our first Surface Pro 8 with W11 preinstalled. Domain joined it, packed on all the software we need via SCCM + the VPN profiles. It did not work, but I found the solution in the comments in your blog and in one of your posts: it was the case sensitivity issue with the certificates. I fixed that and adjusted the profile that SCCM rolls out. I was remotely on the Surface when the profile rolled out and immediately the User Tunnel and the Device Tunnel (although that one was NOT changed) came up.
    A few days later the user called me and said that the VPN is not working anymore (it did for a few days). That was about 2 weeks ago and since then I have not been able to get it back up and working again. It always complains that no certificate can be found, although it is there and valid.
    So I went on and upgraded my W10 Surface Pro 7 to W11 via an SCCM upgrade package, faced the same case sensitivity issue, which got fixed with the new profile, and since then the User and Device Tunnel are working flawlessly for me.
    In the meantime I received a new laptop with W10, did an OSD via SCCM for W11, and that one also works flawlessly.
    Then I upgraded another laptop from W10 to W11 and that one works flawlessly too.
    So it is only the Surface Pro 8 with the preinstalled W11 from Microsoft that has issues at the moment.
    Studying the event logs of all those systems I could spot that Event ID 20222 (The user xyz tries to establish a connection to the RAS server for the connection with the name “AlwaysOn VPN”…) is different on the various systems. On my system, which works fine, the user xyz lists my domain user. On the Surface Pro 8 with the issues, it lists as User Name. So I thought that if AO VPN tries to establish the connection as “System”, of course there is no AlwaysOn capable certificate available. But on one of the other laptops I upgraded from W10 to 11, the message also states “System” and the tunnel works for the users.
    Then I thought that maybe mine is always capable of doing IKEv2, that the Surface Pro 8 can not do that (probably due to the user’s router at home), and the SSTP fallback might not work on W11. But one of the upgraded laptops does fine with SSTP.
    The funny thing is, if the user with the Surface Pro 8 with the issues goes to one of our remote offices, he can connect via Always On VPN to our datacenter fine. So the issue seems to be from home… where it worked for a few days in W11 and for years in W10.
    So whenever I thought I had found the issue, it turns out it is not, because another system shows the same message but works. It is just that single Surface Pro 8 that I can not get up and running yet.
    I am waiting for the USB-C network adapter I ordered and I am thinking of just doing an OSD via SCCM to get rid of the Microsoft preinstalled W11. But since it is the same W11 build number and edition, it would make no sense if that helps.

    Reply
    • Odd that it is only affecting one specific installation of Windows 11, for sure. Let us know what happens if you install Windows 11 via OSD. Curious to know if it behaves any differently!

      Reply
  20. End of Jan, nothing here; still dead in the water with PowerShell VPN profile creation.

    Reply
  21. Keith

     /  February 10, 2022

    new release fixed the issue

    Reply
    • Great to hear! 🙂

      Reply
    • I’ve joined the first release and still nothing. Can someone post the build this new release has, to allow things to flow automatically with SCCM?

      Reply
    • I’m on Windows 11 Build 22000.526 and still having the issue. What build includes the fix?

      Reply
      • Wander

         /  March 4, 2022

        I have the same issue on Build 22000.527 installed via a custom OMA-URI: ./user/vendor/MSFT/VPNv2//ProfileXML. The connection randomly disconnects.

        10:08:04 Event 20226 RasClient: The user dialed a connection named which has terminated. The reason code returned on termination is 631.

        10:08:03 Event 200 DeviceManagement-Enterprise-Diagnostics-Provider: MDM Session: OMA-DM server message received and parsed successfully.

        10:08:01 Event 200 DeviceManagement-Enterprise-Diagnostics-Provider: MDM Session: OMA-DM message sent.

        Most of the times when I manually sync the device the VPN is disconnected.

      • This can happen if changes are detected on the profile. However, if there are no changes, syncing shouldn’t cause a VPN disconnect. It’s possible this could be related to some of the issues Microsoft is having with Windows 11 and Intune, but again, those were supposedly addressed in build 22000.469.

  22. Chris G

     /  April 13, 2022

    I’m experiencing a slightly painful one. The VPN profile, which was the same for our Windows 10 devices, deployed to Windows 11 is showing in Endpoint as having errors (yet the VPN works just fine). I can accept false errors; however, Endpoint keeps trying to reinstall it to fix the errors, which is causing it to overwrite our rasphone, which is reconfigured using proactive remediation to get SSO to work on our non-domain-joined systems. This keeps causing a chicken-and-egg problem and intermittent SSO for the users. I’m not sure if there is something missing or something new with the Windows 11 VPN profile that is not in my XML. Using the VPN profile in Intune with the VPN template. Have you seen this yet, where the same profile reports failed on Windows 11 that is successful on Windows 10, even though it’s working?

    Reply
    • I’ve encountered scenarios where a device configuration profile reports an error for a working device, yes. Mostly with certificates, though. I don’t think I’ve come across this with Always On VPN profiles. If it is working on Windows 10 clients, it should certainly work on Windows 11. I’m not aware of any compatibility issues between the two for Always On VPN.

      Reply
      • Chris G

         /  April 21, 2022

        So, I decided to write a PowerShell script to create the VPN and import my exhaustive routing table. Interestingly, and I have not tested it against Windows 10 yet, only on my Windows 11 that was giving me problems, I’m getting an error after 200 entries are successful saying “The number of routes cannot be more than 200 when using the Add-VpnConnectionRoute command.” Next week I’ll reduce my Intune VPN profile for Windows 11 to only have 199 routes and see if that still errors out.

      • I must say I have never even come close to configuring that many routes for an Always On VPN connection. Interesting to know there’s an upper limit for routes though!

  23. Mathias Heimberg

     /  April 14, 2022

    Hello Richard, dear friends of the AOVPN, first of all many thanks for all the info which can be found in this corner of the web. This is great.
    But unfortunately we have a situation which cannot be solved so far, at least for us. We are using AOVPN in the Device Tunnel with IKEv2. For this we use the XML based WMI import to create the profiles in the AllUser Context.
    With both tunnels everything is ok so far. Our problem is that for the update we have to remove the profiles and create them again. This also works fine so far. Except for one thing: if we don’t restart Windows between removing and re-adding the Device Tunnel, then the Device Tunnel doesn’t start automatically anymore. It can be started by the user as well as via SYSTEM account, but it does not start automatically. This only works if we do a system reboot between removing and adding the device profile.
    We have now tried many lines of PowerShell in which we restart services and try various things. But nothing works and we are not able to give the user a “silent” VPN config update without a forced, intermediate reboot of the OS. Does anyone here have a tip, experience?

    (sorry, we’re using W10 19042 currently)

    Reply
    • Wow, that’s interesting. I’m not aware of any specific requirement to reboot to get the device tunnel to start automatically. I’m curious though, have you checked the following registry key to ensure the device tunnel profile is not listed here?

      HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Config\AutoTriggerDisabledProfilesList

      VPN profiles listed here won’t start automatically.

      Reply
  24. Matt

     /  July 28, 2022

    Hi,

    I am still experiencing issues on Build 22000.795. I don’t see anything in the event logs like we did back in February but whenever I manually initiate a sync from the Company Portal the VPN will disconnect & reconnect as it reapplies the VPN config.

    In the Intune portal, any Windows 11 device with a VPN profile does show an error “-2016281112 Error code: (0x87d1fde8)”

    Is this issue widespread / acknowledged by Microsoft?

    Reply
    • This is a known issue. Microsoft is aware, but that’s all the information I have right now. If you open a support case, I’d be happy to let my contacts at Microsoft know. The more organizations that have open cases for this issue the quicker it will be resolved. 🙂

      Reply
