Always On VPN PowerShell Script Issues in Windows 11

Many administrators are now beginning to test Always On VPN functionality on the latest Microsoft Windows client operating system, Windows 11. Initially, Microsoft had some issues with provisioning and managing Always On VPN profiles on Windows 11 using Microsoft Endpoint Manager/Intune, but those have been resolved. However, some lingering problems may delay enterprise deployments of Always On VPN on Windows 11 for some organizations, specifically those using PowerShell with Active Directory group policy startup scripts or System Center Configuration Manager (SCCM).

MakeProfile.ps1

Microsoft has published guidance for deploying Always On VPN profiles using PowerShell with their MakeProfile.ps1 script. This script extracts configuration details from a template VPN profile to create another PowerShell script called VPN_Profile.ps1, which is used to create the Always On VPN profile. SCCM administrators commonly use VPN_Profile.ps1 to deploy Always On VPN profiles. However, running this script on Windows 11 fails and returns the following error message.

“Unable to create [VPN profile name] profile: A general error occurred that is not covered by a more specific code.”

This issue appears to be related to a problem with the WMI-to-CSP bridge, specifically enumerating the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap namespace. Here you can see the template VPN profile with PowerShell and Get-VpnConnection.

However, attempts to view the MDM_VPNv2_01 class of this VPN profile using PowerShell and Get-CimInstance fail.
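The following diagnostic script is an added example, not code from the original post or from the author's script repository. It compares the profiles that Get-VpnConnection returns against what the WMI-to-CSP bridge exposes through the MDM_VPNv2_01 class, so an administrator can tell whether a failed deployment is the bridge enumeration problem described above or something else. It assumes the bridge's InstanceID is the URL-encoded profile name (as Microsoft's VPN_Profile.ps1 uses it) and that the bridge provider must be queried from SYSTEM context, which is why it reports the identity it runs under; the function and parameter names are my own.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic for the WMI-to-CSP bridge issue; not part of the original post.
# Assumption: the MDM bridge provider expects SYSTEM context, so run this via a
# startup task or psexec -s when validating a startup-script or SCCM deployment.

param(
    [string]$ProfileName   # hypothetical parameter: limit the check to one profile
)

function Get-AovpnBridgeStatus {
    [CmdletBinding()]
    param([string]$ProfileName)

    # Record the security context; user-context runs commonly cannot see the bridge.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isSystem = $identity.IsSystem

    # Collect profiles from both the per-user store and the all-user (device tunnel) store.
    $profiles = @()
    $profiles += Get-VpnConnection -ErrorAction SilentlyContinue
    $profiles += Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue
    if ($ProfileName) { $profiles = $profiles | Where-Object Name -eq $ProfileName }

    # Enumerate the CSP view of the same profiles through the bridge. On affected
    # Windows 11 builds this is the call that fails with the "general error".
    $bridgeError = $null
    try {
        $cspProfiles = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
                                       -ClassName 'MDM_VPNv2_01' -ErrorAction Stop
    }
    catch {
        $bridgeError = $_.Exception.Message
        $cspProfiles = @()
    }

    foreach ($p in $profiles) {
        # Assumption: the bridge keys each profile by its URL-encoded name (spaces become %20).
        $encoded = [uri]::EscapeDataString($p.Name)
        $match   = $cspProfiles | Where-Object InstanceID -eq $encoded
        [pscustomobject]@{
            Name            = $p.Name
            RunningAsSystem = $isSystem
            InBridge        = [bool]$match
            BridgeError     = $bridgeError
        }
    }
}

Get-AovpnBridgeStatus -ProfileName $ProfileName | Format-Table -AutoSize
```

A profile listed by Get-VpnConnection with InBridge set to False and a non-empty BridgeError reproduces the symptom in this post; a False with no error while RunningAsSystem is also False usually means the check simply was not run in SYSTEM context, which is worth ruling out before opening a case.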

New-AovpnConnection.ps1

Interestingly, administrators may find that my Always On VPN PowerShell deployment script works more reliably on Windows 11, although not always. In my experience, I’ve found that it sometimes fails once (profile is loaded, but the configuration is incomplete), then works after deleting the profile and creating it again. If the Microsoft-provided script isn’t working, give mine a try and see if it works better for you.

Note: When deploying Always On VPN profiles using my PowerShell deployment script via Active Directory startup scripts, it seems to fail consistently for some reason. Go figure. 😉

Remove-AovpnConnection.ps1

The issues described previously with Windows 11 are also negatively affecting some of my other PowerShell scripts. For example, running Remove-Aovpnconnection.ps1 on Windows 11 fails and returns the following error message.

“A general error occurred that is not covered by a more specific error code.”

Current Status

Microsoft is currently aware of this issue. However, I am aware of no timeframe for resolution at the time of this writing. Hopefully, Microsoft addresses this soon so organizations can move forward with their Windows 11 migration projects.

Additional Information

Microsoft Windows Always On VPN Windows 11 Issues with Microsoft Endpoint Manager/Intune

Microsoft Windows Always On VPN Profile Deployment Script

Microsoft Windows Always On VPN Remove Always On VPN Profile Script

Always On VPN PowerShell Script Repository on GitHub


17 Comments

  1. Thanks for the gold mine as always! Going to try this ASAP. I’ve been stuck with this VPNProfile not working for me.

  2. I get this error when using your VPN creation script: xmlFilePath: C:\temp\VPN_Profile.xml
    Cannot convert value “System.Object[]” to type “System.Xml.XmlDocument”. Error: “The specified node cannot be inserted as the valid
    child of this node, because the specified node is the wrong type.”
    At C:\DOS\CreateVPNProvileWin11.ps1:120 char:1
    + [xml]$Xml = Get-Content $xmlFilePath
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : MetadataError: (:) [], ArgumentTransformationMetadataException
    + FullyQualifiedErrorId : RuntimeException

  3. JamX / February 8, 2022

    Hi!

    Concerning the WMI-to-CSP bridge: I found out that the error occurs on my Win11 installation with 2 (or more) VPN profiles already installed. I can only remove all those profiles with the PS cmdlet “Remove-VPNConnection -force” (in SYSTEM context), and when I start to install the first fresh new profile, it works – but if I start to install a second VPN profile, I get the “general error”.

    Maybe it is also specific to my configuration, but maybe this helps some people, too. Hopefully MS can solve this soon, because I need a device and a user tunnel (2 profiles), but I can live with one profile for now 🙂

  4. JamX / February 8, 2022

    Correction to my previous posting: I had an error in my script and can confirm that you can install 2 or more profiles – the key to all of it was the Remove-VPNConnection -AllUserConnection -force PowerShell cmdlet and that the XMLs are separated from the PS1 script (previously I had them embedded in the PS1).

  5. Gareth Wilson / February 10, 2022

    I have also logged a call with MS about this.

  6. Split tunneling seems to be the cause of why my VPN.ps1 automation isn’t working on Windows 11. Apparently there are no updates as to when or how they’re going to fix this on Windows 11.

    • Microsoft is aware of the issue. No ETA on a fix, however. :/

    • Thomas / July 8, 2022

      I had the same issue after upgrading my W10 client to W11: the Always On user connection didn’t work, deployed by Intune (XML file). I checked my RAS/RADIUS/cert server hostname; it was set with capital letters (SRVXXX), but in my XML file it was set as (srvxxx). After changing the XML server name to the same name (capital letters) as the server name (SRVXXX), it solved the problem. It seems that in W11 it’s important.

  7. a1csmelrose / July 13, 2022

    Still not working for us, even after trying your updated script on GitHub :(.

    As others have said, users doing an in-place upgrade from Win10 keep their existing connections; it’s just a fresh install of Win11 that isn’t possible to configure.

    We had an idea to try and re-create the VPN config using PowerShell with `Add-VpnConnection` and associated commands, however `Add-VpnConnectionTriggerTrustedNetwork` and `Add-VpnConnectionTriggerDNSConfiguration` don’t support the `-AllUserConnection` flag.

    We also tried to see if it was possible to set the `RASEO2_IsAlwaysOn` flag via `RasSetEntryProperties` (`rasapi32.dll`) so the configured VPN had the Always On trigger, but while it accepted the update with no errors, the flag is silently dropped, as if it’s read-only.

    • Sorry to hear that. I’m hoping Microsoft releases their fix for this soon. Expecting something in the next few months. I’ll post something as soon as it is available!

      • a1csmelrose / July 25, 2022

        Thank you!

        We’ve been trying Win11 22H2 build 22621 from the Insider program.

        The error message has now changed, instead of it returning:
        “A general error occurred that is not covered by a more specific code.”
        we get
        “Operation cannot be carried out because an object already exists.”

        Same config & install procedure that works on Windows 10, so don’t think there’s actually a duplicate, but it’s interesting to see that something has changed, even though it isn’t fixed.

  8. a1csmelrose / July 25, 2022

    I’ve logged an issue with Microsoft on Feedback Hub, that the issue still persists in the latest builds.

    Can everyone try and help upvote it so they give it a higher priority please?

    https://aka.ms/AAhj7jt

  9. Nilis312 / August 15, 2022

    We have the same issue. Installation with SCCM/Intune as an application (ps1 script). The profile always installs the first time, but 60-70% of the time the config part is missing, so the VPN tries to connect and asks for user/password instead of using the cert to connect. I have a case open with MS, but they say there is no known issue for this specific part. Did you have it confirmed by MS that this missing profile part is also an issue?

    • This issue is quite common, and I believe it is related to the WMI issue outlined in this post. A fix for this is due out in the next few months. I’m hoping this fix also resolves this issue as well.
