Always On VPN PowerShell Script Issues in Windows 11

Many administrators are now beginning to test Always On VPN functionality on the latest Microsoft Windows client operating system, Windows 11. Initially, Microsoft had some issues with provisioning and managing Always On VPN profiles on Windows 11 using Microsoft Endpoint Manager/Intune, but those have been resolved. However, some lingering problems may delay enterprise deployments of Always On VPN on Windows 11 for some organizations, specifically those using PowerShell with Active Directory group policy startup scripts or System Center Configuration Manager (SCCM).

MakeProfile.ps1

Microsoft has published guidance for deploying Always On VPN profiles using PowerShell with their MakeProfile.ps1 script. This script extracts configuration details from a template VPN profile to create another PowerShell script called VPN_Profile.ps1, which is used to create the Always On VPN profile. SCCM administrators commonly use VPN_Profile.ps1 to deploy Always On VPN profiles. However, running this script on Windows 11 fails and returns the following error message.

“Unable to create [VPN profile name] profile: A general error occurred that is not covered by a more specific code.”

This issue appears to be related to a problem with the WMI-to-CSP bridge, specifically enumerating the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap namespace. The template VPN profile is visible when queried with PowerShell and Get-VpnConnection.

However, attempts to view the MDM_VPNv2_01 class of this VPN profile using PowerShell and Get-CimInstance fail.
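
To check a given client for the enumeration failure described above, the following added example (not code from this post or from Microsoft's script) lists profiles with Get-VpnConnection, then attempts the same bridge enumeration with Get-CimInstance and records the error instead of stopping. The function name Test-VpnCspBridge and the output column names are hypothetical; run it from an elevated session.

```powershell
# Added example, not from the original post. Run from an elevated session.
$Namespace = 'root\cimv2\mdm\dmmap'   # WMI-to-CSP bridge namespace named above
$ClassName = 'MDM_VPNv2_01'           # VPNv2 CSP class named above

function Test-VpnCspBridge {          # hypothetical helper name
    # View 1: what the RAS phonebooks report (current-user and all-user scope).
    $ras = @()
    foreach ($allUsers in $false, $true) {
        $found = @(Get-VpnConnection -AllUserConnection:$allUsers -ErrorAction SilentlyContinue)
        foreach ($c in $found) {
            $ras += [pscustomobject]@{ Name = $c.Name; AllUser = $allUsers }
        }
    }

    # View 2: what the bridge reports. Capture the failure instead of stopping,
    # so the error text ends up in the result.
    $bridgeError = $null
    $csp = @()
    try {
        $csp = @(Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop)
    }
    catch {
        $bridgeError = $_.Exception.Message
    }

    # InstanceID is the profile name with spaces written as %20, which is how
    # Microsoft's VPN_Profile.ps1 builds it.
    foreach ($p in $ras) {
        $id = $p.Name -replace ' ', '%20'
        if ($bridgeError)                       { $status = 'EnumerationFailed' }
        elseif ($csp.InstanceID -contains $id)  { $status = 'Visible' }
        else                                    { $status = 'NotListed' }

        # NotListed is a prompt to look closer, not proof of a broken profile.
        [pscustomobject]@{
            Profile      = $p.Name
            AllUser      = $p.AllUser
            BridgeStatus = $status
            BridgeError  = $bridgeError
        }
    }
}

Test-VpnCspBridge | Format-Table -AutoSize -Wrap
```

A row with BridgeStatus of EnumerationFailed means the profile exists in the phonebook but the MDM_VPNv2_01 class could not be enumerated, which is the condition this section describes.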

New-AovpnConnection.ps1

Interestingly, administrators may find that my Always On VPN PowerShell deployment script works more reliably on Windows 11, although not always. In my experience, I’ve found that it sometimes fails once (profile is loaded, but the configuration is incomplete), then works after deleting the profile and creating it again. If the Microsoft-provided script isn’t working, give mine a try and see if it works better for you.

Note: When deploying Always On VPN profiles using my PowerShell deployment script via Active Directory startup scripts, it seems to fail consistently for some reason. Go figure. 😉

Remove-AovpnConnection.ps1

The issues described previously with Windows 11 are also negatively affecting some of my other PowerShell scripts. For example, running Remove-AovpnConnection.ps1 on Windows 11 fails and returns the following error message.

“A general error occurred that is not covered by a more specific error code.”

Current Status

Microsoft is currently aware of this issue. However, I am aware of no timeframe for resolution at the time of this writing. Hopefully, Microsoft addresses this soon so organizations can move forward with their Windows 11 migration projects.

Additional Information

Microsoft Windows Always On VPN Windows 11 Issues with Microsoft Endpoint Manager/Intune

Microsoft Windows Always On VPN Profile Deployment Script

Microsoft Windows Always On VPN Remove Always On VPN Profile Script

Always On VPN PowerShell Script Repository on GitHub


43 Comments

  1. Thanks for the gold mine as always! Going to try this ASAP. I’ve been stuck in this VPNProfile not working for me.

  2. I get this error when using your VPN creation script: xmlFilePath: C:\temp\VPN_Profile.xml
    Cannot convert value “System.Object[]” to type “System.Xml.XmlDocument”. Error: “The specified node cannot be inserted as the valid
    child of this node, because the specified node is the wrong type.”
    At C:\DOS\CreateVPNProvileWin11.ps1:120 char:1
    + [xml]$Xml = Get-Content $xmlFilePath
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : MetadataError: (:) [], ArgumentTransformationMetadataException
    + FullyQualifiedErrorId : RuntimeException

  3. JamX

     /  February 8, 2022

    Hi!

    Concerning WMI-to-CSP bridge: I found out that the error occurs on my Win11 Installation with 2 (or more) VPN Profiles already installed. I can only remove all those profiles with the PS-Commandlet “Remove-VPNConnection -force” (in SYSTEM Context), and when I start to install the first fresh new profile, it works – but if I start to install a second VPN profile, I get the “general error”.

    Maybe it is also specific to my configuration, but maybe this helps some people, too. Hopefully MS can solve this soon, because I need a device and a user tunnel (2 Profiles), but can live now with one profile 🙂

  4. JamX

     /  February 8, 2022

    Correction to my previous posting: I had an error in my script and can confirm that you can install 2 or more profiles – the key to all was the Remove-VPNConnection -AllUserConnection -force PowerShell Commandlet and that the XMLs are separated from the PS1 script (previously I had them embedded in the PS1).

  5. Gareth Wilson

     /  February 10, 2022

    I have also logged a call with MS about this.

  6. Split tunneling seems to be the cause of why my VPN.ps1 automation isn’t working on Windows 11. Apparently no updates as to when or how they’re going to fix this on Windows 11.

    • Microsoft is aware of the issue. No ETA on a fix, however. :/

    • Thomas

       /  July 8, 2022

      I had the same issue. After upgrading my W10 client to W11, the Always On user connection, deployed by Intune (XML file), didn’t work. I checked my RAS/Radius/Cert server hostname: it was set with capital letters (SRVXXX), but in my XML file it was set as (srvxxx). After changing the XML server name to the same name (capital letters) as the server name (SRVXXX), it did solve the problem. It seems in W11 it’s important.

  7. a1csmelrose

     /  July 13, 2022

    Still not working for us, even after trying your updated script on GitHub :(.

    As others have said, users doing an in-place upgrade from Win10 keep their existing connections, it’s just a fresh install of Win11 that it isn’t possible to configure.

    We had an idea to try and re-create the VPN config using PowerShell with `Add-VpnConnection` and associated commands, however `Add-VpnConnectionTriggerTrustedNetwork` and `Add-VpnConnectionTriggerDNSConfiguration` don’t support the `-AllUserConnection` flag.

    We also tried to see if it was possible to set the `RASEO2_IsAlwaysOn` flag via `RasSetEntryProperties` (`rasapi32.dll`) so the configured VPN had the Always On trigger, but while it accepted the update with no errors, the flag is silently dropped, as if it’s read-only.

    • Sorry to hear that. I’m hoping Microsoft releases their fix for this soon. Expecting something in the next few months. I’ll post something as soon as it is available!

      • a1csmelrose

         /  July 25, 2022

        Thank you!

        We’ve been trying Win11 22H2 build 22621 from the Insider program.

        The error message has now changed, instead of it returning:
        “A general error occurred that is not covered by a more specific code.”
        we get
        “Operation cannot be carried out because an object already exists.”

        Same config & install procedure that works on Windows 10, so don’t think there’s actually a duplicate, but it’s interesting to see that something has changed, even though it isn’t fixed.

    • Brian Baker

       /  January 27, 2023

      Have you made any progress on switching the code up to use add-vpnconnection cmdlets for deployment instead of the WMI bridge? It seems like Microsoft has a full PowerShell method possibility here, but of course the documentation hasn’t changed.

      Is there a possibility MS revises their documentation to use the new provisioning cmdlets? I’m trying to think of the implications if we manage to get working code with these newer cmdlets. We wouldn’t be using the “documented” AOVPN provisioning methods, but still using MS PowerShell.

      (I really appreciate this resource and Richard’s efforts over the years. After several DirectAccess and AOVPN projects, all have gone pretty well.)

      • Add-VpnConnection can’t be used to configure an Always On VPN connection. You can certainly create on-demand or ad-hoc VPN connections using that command, though.

  8. a1csmelrose

     /  July 25, 2022

    I’ve logged an issue with Microsoft on Feedback Hub, that the issue still persists in the latest builds.

    Can everyone try and help upvote it so they give it a higher priority please?

    https://aka.ms/AAhj7jt

  9. Nilis312

     /  August 15, 2022

    We have the same issue. Installation with SCCM/Intune as an application (ps1 script). The profile always installs the first time, but 60-70% of the time the config part is missing. So the VPN tries to connect and asks for usr/pwd instead of using cert to connect. I have a case open with MS, but they say no known issue is there for this specific part. Did you have it confirmed by MS that this missing profile part is also an issue?

    • This issue is quite common, and I believe it is related to the WMI issue outlined in this post. A fix for this is due out in the next few months. I’m hoping this fix also resolves this issue as well.

  10. James

     /  September 20, 2022

    Do we know if there is an ETA for the Win 11 fix?
    Only machines we have preventing our completion of AOVPN rollout are Windows 11, and I’m not really sure what to search for online to monitor for a release of a fix for this.

    • End of this month (September). 🙂

      • Sorry to disappoint everyone, but this fix was pulled from the September update. :/ Hoping Microsoft includes it in the October update. No promises, though.

      • James Edmonds

         /  September 29, 2022

        Thanks Richard!

        I had upgraded my machine to 22H2 this morning and thought I’d test, but found it to still not work.

        Here’s hoping it arrives in October, as my Win 11 machine is the only one preventing old VPN server decommission, and upgrade of user devices to Windows 11.

        Thanks for your ongoing updates!

      • a1csmelrose

         /  October 31, 2022

        Any news on if this made it into the October updates?

        And are there any bug references we can look out for in the updates as they are published if not?

      • Not to my knowledge. :/

      • A quick update for everyone on this thread. I’m hearing the update for this issue is not coming until February 2023. Sorry to rain on everyone’s parade. :/

      • SteveI

         /  November 4, 2022

        Hi, before I start testing AoVPN/SCCM scripts… did the fix appear in the October 2022 updates?

      • It did not. Microsoft has indicated they plan to release the update in February 2023. :/

      • Mr Stephen ion

         /  November 8, 2022

        Hi, has anyone heard if the October… or November updates have fixed the issue?

      • Neither the October nor November updates have this fix included. Microsoft has rescheduled its release for February 2023. :/

    • Same here, split tunneling is preventing the script from working. I believe they released an OS that doesn’t support split tunneling.

      • It most definitely supports split tunneling. I’m using it myself and have implemented it for other customers too. My guess is there’s a syntax error in your XML. Have a close look at that.

  11. Andy

     /  November 9, 2022

    Any update on the fix? I am still having this issue — haven’t tried Nov. update yet.

    • The update has again been delayed. It is now expected in February 2023.

      • Mr Stephen ion

         /  November 15, 2022

        Hi, just wondering if you have any Microsoft KB article, or similar I can reference when I speak to our Microsoft account manager about this scripts/aovpn issue, other than this very helpful blog.

      • I don’t have any specific published reference for this. However, Microsoft has already fixed this issue. They just aren’t releasing the update until February 2023, unfortunately. :/

      • Sorry if this is duplicated. I don’t think it submitted my first reply.

        I would also appreciate knowing if there is anything I can reference. I would like to go back to our gold partner and have a strongly worded conversation about this. 🙂

        Is there another way to remove tunnels? Device tunnels specifically. On all of my systems I can create, just not remove, tunnels.

        Thanks!

      • No worries! Microsoft hasn’t publicly commented on this issue, unfortunately. It is not acknowledged anywhere on their site that I’m aware of. If you reach out to me directly I’m happy to provide you with a support case number that could be referenced for this bug/fix.

        As for alternatives to removing the device tunnel, you can always try using Remove-VpnConnection. You’ll need to ensure the VPN isn’t connected at the time, of course.

      • I have to test; however, I am pretty sure I tried this. Is there a non-PowerShell way?

        I will message you directly.

        Thank you for all of the help! Hopefully if a Gold partner brings this up, we can all get some traction on this.

      • Perhaps using an API, but I’m not familiar with that. I can reach out to some of my developer friends and find out, though. I’ll post here if I learn anything interesting.

      • Hi Richard, for some reason this is the only comment I can reply to. 🙂

        Is this still planned for Feb? I messaged you directly and haven’t heard about that ticket number.

      • The last I heard, this was still on track for the end of February. I’ll post an update here if it is delayed further.

  12. RufusF

     /  January 8, 2023

    I have found that if I delete traffic filters from my XML files when using Richard’s New-AovpnConnection.ps1 script for Windows 11 deployments then I get consistent successful deployments.

    Also, with respect to the Remove-AovpnConnection.ps1 script on both Windows 10 and 11 I consistently get an error relating to the line in the script:
    $User = New-Object System.Security.Principal.NTAccount($UserName.UserName)

    As a result, I have to manually find and delete all the stale registry entries.
