Always On VPN PowerShell Script Issues in Windows 11

Many administrators are now beginning to test Always On VPN functionality on the latest Microsoft Windows client operating system, Windows 11. Initially, Microsoft had some issues with provisioning and managing Always On VPN profiles on Windows 11 using Microsoft Endpoint Manager/Intune, but those have been resolved. However, some lingering problems may delay enterprise deployments of Always On VPN on Windows 11 for some organizations, specifically those using PowerShell with Active Directory group policy startup scripts or System Center Configuration Manager (SCCM).

MakeProfile.ps1

Microsoft has published guidance for deploying Always On VPN profiles using PowerShell with their MakeProfile.ps1 script. This script extracts configuration details from a template VPN profile to create another PowerShell script called VPN_Profile.ps1, which is used to create the Always On VPN profile. SCCM administrators commonly use VPN_Profile.ps1 to deploy Always On VPN profiles. However, running this script on Windows 11 fails and returns the following error message.

“Unable to create [VPN profile name] profile: A general error occurred that is not covered by a more specific code.”

This issue appears to be related to a problem with the WMI-to-CSP bridge, specifically enumerating the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap namespace. The template VPN profile is visible when queried with PowerShell and Get-VpnConnection.

However, attempts to view the MDM_VPNv2_01 class of this VPN profile using PowerShell and Get-CimInstance fail.
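The comparison described above can be reproduced with the following added example, which is not from the original post or from Microsoft's scripts. It lists device-wide profiles through Get-VpnConnection and through the bridge class, and records the bridge error instead of aborting. The function name Compare-VpnProfileViews is hypothetical, and the script assumes an elevated session running as SYSTEM.

```powershell
# Added example: Compare-VpnProfileViews is a hypothetical helper name.
# Assumes an elevated session running as SYSTEM, the context the
# WMI-to-CSP bridge requires for device-wide settings.
function Compare-VpnProfileViews {
    [CmdletBinding()]
    param(
        [string]$Namespace = 'root\cimv2\mdm\dmmap',
        [string]$ClassName = 'MDM_VPNv2_01'
    )

    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $identity.IsSystem) {
        Write-Warning "Running as $($identity.Name), not SYSTEM; the bridge query may fail for that reason alone."
    }

    # View 1: device-wide profiles as the VpnClient cmdlets report them.
    $rasNames = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    # View 2: profiles as exposed through the WMI-to-CSP bridge.
    $cspNames = @()
    $bridgeError = $null
    try {
        # InstanceID holds the profile name URL-escaped (spaces appear as %20).
        $cspNames = @(Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop |
            ForEach-Object { [Uri]::UnescapeDataString($_.InstanceID) })
    }
    catch {
        # Keep the message and HRESULT for a support case.
        $bridgeError = '{0} (0x{1:X8})' -f $_.Exception.Message, $_.Exception.HResult
    }

    # One row per profile name seen in either view.
    foreach ($name in @($rasNames + $cspNames | Sort-Object -Unique)) {
        [pscustomobject]@{
            ProfileName  = $name
            InVpnCmdlets = $rasNames -contains $name
            InCspBridge  = $cspNames -contains $name
            BridgeError  = $bridgeError
        }
    }
    if ($bridgeError -and -not $rasNames) {
        Write-Warning "Bridge enumeration failed and no device-wide profiles were found: $bridgeError"
    }
}

Compare-VpnProfileViews | Format-Table -AutoSize
```

A row with InVpnCmdlets true, InCspBridge false and a populated BridgeError matches the symptom described in this section.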

New-AovpnConnection.ps1

Interestingly, administrators may find that my Always On VPN PowerShell deployment script works more reliably on Windows 11, although not always. In my experience, I’ve found that it sometimes fails once (profile is loaded, but the configuration is incomplete), then works after deleting the profile and creating it again. If the Microsoft-provided script isn’t working, give mine a try and see if it works better for you.

Note: When deploying Always On VPN profiles using my PowerShell deployment script via Active Directory startup scripts, it seems to fail consistently for some reason. Go figure. 😉

Remove-AovpnConnection.ps1

The issues described previously with Windows 11 are also negatively affecting some of my other PowerShell scripts. For example, running Remove-AovpnConnection.ps1 on Windows 11 fails and returns the following error message.

“A general error occurred that is not covered by a more specific error code.”

Current Status

Microsoft is currently aware of this issue. However, I am aware of no timeframe for resolution at the time of this writing. Hopefully, Microsoft addresses this soon so organizations can move forward with their Windows 11 migration projects.

Additional Information

Microsoft Windows Always On VPN Windows 11 Issues with Microsoft Endpoint Manager/Intune

Microsoft Windows Always On VPN Profile Deployment Script

Microsoft Windows Always On VPN Remove Always On VPN Profile Script

Always On VPN PowerShell Script Repository on GitHub

9 Comments

  1. Thanks for the gold mine as always! Going to try this ASAP. I’ve been stuck in this VPNProfile not working for me.
  2. I get this error when using your VPN creation script: xmlFilePath: C:\temp\VPN_Profile.xml
    Cannot convert value “System.Object[]” to type “System.Xml.XmlDocument”. Error: “The specified node cannot be inserted as the valid
    child of this node, because the specified node is the wrong type.”
    At C:\DOS\CreateVPNProvileWin11.ps1:120 char:1
    + [xml]$Xml = Get-Content $xmlFilePath
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : MetadataError: (:) [], ArgumentTransformationMetadataException
    + FullyQualifiedErrorId : RuntimeException
  3. JamX / February 8, 2022

    Hi!

    Concerning WMI-to-CSP bridge: I found out that the error occurs on my Win11 installation with 2 (or more) VPN profiles already installed. I can only remove all those profiles with the PS-Commandlet “Remove-VPNConnection -force” (in SYSTEM context), and when I start to install the first fresh new profile, it works – but if I start to install a second VPN profile, I get the “general error”.

    Maybe it is also specific to my configuration, but maybe this helps some people, too. Hopefully MS can solve this soon, because I need a device and a user tunnel (2 profiles), but can live now with one profile 🙂
  4. JamX / February 8, 2022

    Correction to my previous posting: I had an error in my script and can confirm that you can install 2 or more profiles – the key to all was the Remove-VPNConnection -AllUserConnection -force PowerShell Commandlet and that the XMLs are separated from the PS1 script (previously I had them embedded in the PS1).
  5. Gareth Wilson / February 10, 2022

    I have also logged a call with MS about this.
  6. Split tunneling seems to be the cause of why my VPN.ps1 automation isn’t working on Windows 11. Apparently no updates as to when or how they’re going to fix this on Windows 11.
