Always On VPN PowerShell Script Issues in Windows 11

Many administrators are now beginning to test Always On VPN functionality on the latest Microsoft Windows client operating system, Windows 11. Initially, Microsoft had some issues with provisioning and managing Always On VPN profiles on Windows 11 using Microsoft Endpoint Manager/Intune, but those have been resolved. However, some lingering problems may delay enterprise deployments of Always On VPN on Windows 11 for some organizations, specifically those using PowerShell with Active Directory group policy startup scripts or System Center Configuration Manager (SCCM).

Important Note: The issues outlined in this article have been resolved! The WMI enumeration bug is addressed in the following updates:

Windows 11 21H2 – KB5022905 (build 22000.1641)

Windows 11 22H2 – KB5026446 (build 22621.1778)

MakeProfile.ps1

Microsoft has published guidance for deploying Always On VPN profiles using PowerShell with their MakeProfile.ps1 script. This script extracts configuration details from a template VPN profile to create another PowerShell script called VPN_Profile.ps1, which is used to create the Always On VPN profile. SCCM administrators commonly use VPN_Profile.ps1 to deploy Always On VPN profiles. However, running this script on Windows 11 fails and returns the following error message.

“Unable to create [VPN profile name] profile: A general error occurred that is not covered by a more specific code.”

This issue appears to be related to a problem with the WMI-to-CSP bridge, specifically enumerating the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap namespace. Here you can see the template VPN profile with PowerShell and Get-VpnConnection.

However, attempts to view the MDM_VPNv2_01 class of this VPN profile using PowerShell and Get-CimInstance fail.
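Before pushing a deployment script to a fleet, it is useful to confirm on a single client whether that enumeration still fails. The following PowerShell function is an added example, not part of the original post or of Microsoft's MakeProfile.ps1; it performs the same Get-CimInstance call against the MDM_VPNv2_01 class in root\cimv2\mdm\dmmap, records the error if the WMI-to-CSP bridge throws, and compares the OS build with the fixed builds listed in the note above (22000.1641 for 21H2, 22621.1778 for 22H2). The function name Test-AovpnWmiBridge is my own; the build is read from the standard CurrentBuildNumber and UBR registry values. Run it elevated, and in the SYSTEM context that the WMI bridge provider requires for device and all-user profiles.

```powershell
# Added example (not from the original post): check whether this Windows 11
# client still exhibits the MDM_VPNv2_01 enumeration failure described above.
# Assumptions: run elevated in the SYSTEM context; the fixed builds come from
# the post (21H2 -> 22000.1641 via KB5022905, 22H2 -> 22621.1778 via KB5026446).

function Test-AovpnWmiBridge {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        OsBuild            = $null   # e.g. 22621.1778
        BuildHasFix        = $null   # $true/$false, or $null for a release not in the table
        VpnProfilesVisible = @()     # what the normal RAS cmdlets can see
        BridgeEnumerates   = $false  # did Get-CimInstance succeed on the bridge class?
        BridgeError        = $null   # the exception text when it did not
    }

    # Build number and update build revision from the standard registry values
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [version]("$($cv.CurrentBuildNumber).$($cv.UBR)")
    $result.OsBuild = $build.ToString()

    # Minimum fixed build per Windows 11 release, taken from the post
    $fixed = @{ 22000 = [version]'22000.1641'; 22621 = [version]'22621.1778' }
    if ($fixed.ContainsKey($build.Major)) {
        $result.BuildHasFix = ($build -ge $fixed[$build.Major])
    }

    # The RAS side of the picture: all-user (device/user tunnel) profiles
    $result.VpnProfilesVisible = @(
        Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name
    )

    # The call that fails on affected builds: enumerate the CSP class via the bridge
    try {
        $null = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
                                -ClassName 'MDM_VPNv2_01' -ErrorAction Stop
        $result.BridgeEnumerates = $true
    }
    catch {
        # On an affected build this is the "general error" / "Generic Error" text
        $result.BridgeError = $_.Exception.Message
    }

    [pscustomobject]$result
}

Test-AovpnWmiBridge
```

A client that lists its profiles under VpnProfilesVisible but reports BridgeEnumerates = False with BuildHasFix = False is the case this post describes; BridgeEnumerates = False on a build at or above the fixed build points at something other than this bug (the comments below mention XML syntax and traffic filters as common causes).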

New-AovpnConnection.ps1

Interestingly, administrators may find that my Always On VPN PowerShell deployment script works more reliably on Windows 11, although not always. In my experience, I’ve found that it sometimes fails once (profile is loaded, but the configuration is incomplete), then works after deleting the profile and creating it again. If the Microsoft-provided script isn’t working, give mine a try and see if it works better for you.

Note: When deploying Always On VPN profiles using my PowerShell deployment script via Active Directory startup scripts, it seems to fail consistently for some reason. Go figure. 😉

Remove-AovpnConnection.ps1

The issues described previously with Windows 11 are also negatively affecting some of my other PowerShell scripts. For example, running Remove-AovpnConnection.ps1 on Windows 11 fails and returns the following error message.

“A general error occurred that is not covered by a more specific error code.”
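Remove-AovpnConnection.ps1 goes through the same WMI-to-CSP bridge, which is why it fails in the same way. Several commenters on this post report that the built-in Remove-VpnConnection cmdlet with -AllUserConnection -Force still removes device and user tunnel profiles from the SYSTEM context, provided the tunnel is disconnected first. The function below is an added example, not the post's script; it wraps that workaround so it can be previewed with -WhatIf before anything is deleted. Remove-StaleAovpnProfile and its -Keep parameter are my own names; the function only sees profiles in the all-user phonebook, so per-user profiles are out of scope.

```powershell
# Added example (not the post's Remove-AovpnConnection.ps1): clear existing
# all-user Always On VPN profiles with the built-in RAS cmdlets instead of the
# WMI bridge. Assumptions: run elevated in the SYSTEM context; profiles named
# in -Keep survive, every other all-user profile is removed.

function Remove-StaleAovpnProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Profile names that must not be touched (default: none)
        [string[]]$Keep = @()
    )

    $removed  = [System.Collections.Generic.List[string]]::new()
    $profiles = Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue

    foreach ($p in $profiles) {
        if ($Keep -contains $p.Name) { continue }

        # Honour -WhatIf / -Confirm before disconnecting or deleting anything
        if (-not $PSCmdlet.ShouldProcess($p.Name, 'Remove all-user VPN profile')) { continue }

        # Remove-VpnConnection refuses a live tunnel, so drop the connection first
        if ($p.ConnectionStatus -eq 'Connected') {
            rasdial.exe $p.Name /DISCONNECT | Out-Null
        }

        Remove-VpnConnection -Name $p.Name -AllUserConnection -Force -ErrorAction Stop
        $removed.Add($p.Name)
        Write-Verbose "Removed profile '$($p.Name)'"
    }

    # Anything still listed afterwards needs manual attention
    $left = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
              Where-Object { $removed -contains $_.Name })
    if ($left.Count -gt 0) {
        Write-Warning ("Still present after removal: " + ($left.Name -join ', '))
    }

    # Return the names that were removed so a deployment script can log them
    $removed
}

# Preview first, then remove everything except the user tunnel
Remove-StaleAovpnProfile -WhatIf
Remove-StaleAovpnProfile -Keep 'Always On VPN User Tunnel' -Verbose
```

Running the cleanup before a fresh New-AovpnConnection.ps1 or VPN_Profile.ps1 deployment matches the sequence one commenter found reliable on Windows 11: remove with -AllUserConnection -Force, then provision.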

Current Status

Microsoft is currently aware of this issue. However, I am aware of no timeframe for resolution at the time of this writing. Hopefully, Microsoft addresses this soon so organizations can move forward with their Windows 11 migration projects.

Additional Information

Microsoft Windows Always On VPN Windows 11 Issues with Microsoft Endpoint Manager/Intune

Microsoft Windows Always On VPN Profile Deployment Script

Microsoft Windows Always On VPN Remove Always On VPN Profile Script

Always On VPN PowerShell Script Repository on GitHub

70 Comments

  1. Thanks for the gold mine as always! going to try this ASAP.. i’ve been stuck in this VPNProfile not working for me.

  2. I get this error when using your VPN creation script: xmlFilePath: C:\temp\VPN_Profile.xml
    Cannot convert value “System.Object[]” to type “System.Xml.XmlDocument”. Error: “The specified node cannot be inserted as the valid
    child of this node, because the specified node is the wrong type.”
    At C:\DOS\CreateVPNProvileWin11.ps1:120 char:1
    + [xml]$Xml = Get-Content $xmlFilePath
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : MetadataError: (:) [], ArgumentTransformationMetadataException
    + FullyQualifiedErrorId : RuntimeException

  3. JamX / February 8, 2022

    Hi!

    Concerning WMI-to-CSP bridge: I found out that the error occurs on my Win11 installation with 2 (or more) VPN profiles already installed. I can only remove all those profiles with the PS-Commandlet “Remove-VPNConnection -force” (in SYSTEM context), and when I start to install the first fresh new profile, it works – but if I start to install a second VPN profile, I get the “general error”.

    Maybe it is also specific to my configuration, but maybe this helps some people, too. Hopefully MS can solve this soon, because I need a device and a user tunnel (2 profiles), but can live now with one profile 🙂

  4. JamX / February 8, 2022

    Correction to my previous posting: I had an error in my script and can confirm that you can install 2 or more profiles – the key to all was the Remove-VPNConnection -AllUserConnection -force PowerShell Commandlet and that the XMLs are separated from the PS1 script (previously I had them embedded in the PS1).

  5. Gareth Wilson / February 10, 2022

    I have also logged a call with MS about this.

  6. Split tunneling seems to be the cause of why my VPN.ps1 automation isn’t working on Windows 11. Apparently there are no updates as to when or how they’re going to fix this on Windows 11.

    • Microsoft is aware of the issue. No ETA on a fix, however. :/

    • Thomas / July 8, 2022

      I had the same issue after upgrading my W10 client to W11: the Always On user connection didn’t work, deployed by Intune (XML file). I checked my RAS/RADIUS/cert server hostname; it was set with capital letters (SRVXXX), but in my XML file it was set as (srvxxx). After changing the XML server name to the same name (capital letters) as the server name (SRVXXX), it did solve the problem. It seems in W11 it’s important.

  7. a1csmelrose / July 13, 2022

    Still not working for us, even after trying your updated script on GitHub :(.

    As others have said, users doing an in-place upgrade from Win10 keep their existing connections, it’s just a fresh install of Win11 that it isn’t possible to configure.

    We had an idea to try and re-create the VPN config using PowerShell with `Add-VpnConnection` and associated commands, however `Add-VpnConnectionTriggerTrustedNetwork` and `Add-VpnConnectionTriggerDNSConfiguration` don’t support the `-AllUserConnection` flag.

    We also tried to see if it was possible to set the `RASEO2_IsAlwaysOn` flag via `RasSetEntryProperties` (`rasapi32.dll`) so the configured VPN had the Always On trigger, but while it accepted the update with no errors, the flag is silently dropped, as if it’s read-only.

    • Sorry to hear that. I’m hoping Microsoft releases their fix for this soon. Expecting something in the next few months. I’ll post something as soon as it is available!

      • a1csmelrose / July 25, 2022

        Thank you!

        We’ve been trying Win11 22H2 build 22621 from the Insider program.

        The error message has now changed, instead of it returning:
        “A general error occurred that is not covered by a more specific code.”
        we get
        “Operation cannot be carried out because an object already exists.”

        Same config & install procedure that works on Windows 10, so don’t think there’s actually a duplicate, but it’s interesting to see that something has changed, even though it isn’t fixed.

    • Brian Baker / January 27, 2023

      Have you made any progress on switching the code up to use add-vpnconnection cmdlets for deployment instead of the WMI bridge? It seems like Microsoft has a full powershell method possibility here, but of course the documentation hasn’t changed.

      Is there a possibility MS revises their documentation to use the new provisioning cmdlets? I’m trying to think of the implications if we manage to get working code with these newer cmdlets. We wouldn’t be using the “documented” AOVPN provisioning methods, but still using MS powershell.

      (I really appreciate this resource and Richard’s efforts over the years. After several DirectAccess and AOVPN projects, all have gone pretty well.)

      • Add-VpnConnection can’t be used to configure an Always On VPN connection. You can certainly create on-demand or ad-hoc VPN connections using that command, though.

  8. a1csmelrose / July 25, 2022

    I’ve logged an issue with Microsoft on Feedback Hub, that the issue still persists in the latest builds.

    Can everyone try and help upvote it so they give it a higher priority please?

    https://aka.ms/AAhj7jt

  9. Nilis312 / August 15, 2022

    We have the same issue. Installation with SCCM/Intune as an application (ps1 script). The profile always installs the first time, but 60-70% of the time the config part is missing. So vpn tries to connect and asks for usr/pwd instead of using cert to connect. I have a case open with MS, but they say no known issue is there for this specific part. Did you have it confirmed by MS that this missing profile part is also an issue?

    • This issue is quite common, and I believe it is related to the WMI issue outlined in this post. A fix for this is due out in the next few months. I’m hoping this fix also resolves this issue as well.

  10. James / September 20, 2022

    Do we know if there is an ETA for the Win 11 fix?
    Only machines we have preventing our completion of AOPVN rollout are Windows 11, and I’m not really sure what to search for online to monitor for a release of a fix for this.

    • End of this month (September). 🙂

      • Sorry to disappoint everyone, but this fix was pulled from the September update. :/ Hoping Microsoft includes it in the October update. No promises, though.

      • James Edmonds / September 29, 2022

        Thanks Richard!

        I had upgraded my machine to 22H2 this morning and thought I’d test, but found it to still not work.

        Here’s hoping it arrives in October, as my Win 11 machine is the only one preventing old VPN server decommission, and upgrade of user devices to Windows 11.

        Thanks for your ongoing updates!

      • a1csmelrose / October 31, 2022

        Any news on if this made it into the October updates?

        And are there any bug references we can look out for in the updates as they are published if not?

      • Not to my knowledge. :/

      • A quick update for everyone on this thread. I’m hearing the update for this issue is not coming until February 2023. Sorry to rain on everyone’s parade. :/

      • SteveI / November 4, 2022

        Hi, before I start testing AoVPN/SCCM scripts... did the fix appear in the October 2022 updates?

      • It did not. Microsoft has indicated they plan to release the update in February 2023. :/

      • Mr Stephen ion / November 8, 2022

        Hi, has anyone heard of October… or November updates have fixed the issue ?

      • Neither the October or November updates have this fix included. Microsoft has rescheduled its release for February 2023. :/

    • Same here, split tunneling is preventing the script from working. I believe they released an OS that doesn’t support split tunneling.

      • It most definitely supports split tunneling. I’m using it myself and have implemented for other customers too. My guess is there’s a syntax error in your XML. Have a close look at that.

  11. Andy / November 9, 2022

    Any update on the fix? I am still having this issue — haven’t tried Nov. update yet.

    • The update has again been delayed. It is now expected in February 2023.

      • Mr Stephen ion / November 15, 2022

        Hi, just wondering if you have any Microsoft KB article, or similar I can reference when I speak to our Microsoft account manager about this scripts/aovpn issue, other than this very helpful blog.

      • I don’t have any specific published reference for this. However, Microsoft has already fixed this issue. They just aren’t releasing the update until February 2023, unfortunately. :/

      • Sorry if this duplicated. I don’t think it submitted my first reply.

        I would also appreciate to know if there is anything I can reference. I would like to go back to our gold partner and have a strongly worded conversation about this. 🙂

        Is there another way to remove tunnels? Device tunnels specifically. On all of my systems I can create just not remove tunnels.

        Thanks!

      • No worries! Microsoft hasn’t publicly commented on this issue, unfortunately. It is not acknowledged anywhere on their site that I’m aware of. If you reach out to me directly I’m happy to provide you with a support case number that could be referenced for this bug/fix.

        As for alternatives to removing the device tunnel, you can always try using Remove-VpnConnection. You’ll need to ensure the VPN isn’t connected at the time, of course.

      • I have to test however I am pretty sure I tried this. Is there a non-powershell way?

        I will message you directly.

        Thank you for all of the help! Hopefully if a Gold partner brings this up, we can all get some traction on this.

      • Perhaps using an API, but I’m not familiar with that. I can reach out to some of my developer friends and find out, though. I’ll post here if I learn anything interesting.

      • Hi Richard, for some reason this is the only comment i can reply to. 🙂

        Is this still planned for Feb? I messaged you directly and haven’t heard about that ticket number.

      • The last I heard, this was still on track for the end of February. I’ll post an update here if it is delayed further.

  12. RufusF / January 8, 2023

    I have found that if I delete traffic filters from my XML files when using Richard’s New-AovpnConnection.ps1 script for Windows 11 deployments then I get consistent successful deployments.

    Also, with respect to the Remove-AovpnConnection.ps1 script on both Windows 10 and 11 I consistently get an error relating to the line in the script:
    $User = New-Object System.Security.Principal.NTAccount($UserName.UserName)

    As a result, I have to manually find and delete all the stale registry entries.

  13. Daniel / February 22, 2023

    Hi Richard, do you know if it was included in the Feb 14th cumulative update? Or will it be released as a separate update to download and install?

    • We were expecting it in the February 21 release. However, it doesn’t appear to have been included. I’m chasing this down now. I’ll post more information when I have it.

      • UPDATE: I spoke with Microsoft today, and they indicated this fix was released last week, but only for Windows 11 22H1. The fix was not posted for Windows 11 22H2.

      • Any info on Win10? Both OSes are exhibiting the same issue on my systems.

      • This fix was for Windows 11 specifically. I’m not aware of this issue affecting Windows 10.

      • I get the exact same issue on Win10. It starts to exhibit the issue at the exact same time my Win11 machines did. I’m not in front of my notes but as soon as I install the Jan or Feb 2022 update on either OSes, you cannot manage the connection via Powershell.

      • Wow, that’s interesting. Let me know what build specifically you have, and I’ll test. I’ve not heard anyone else reporting this issue on Windows 10, though.

      • The system I have in front of me currently is Win 10 22h2 build 19045.2604.

        SCCM reports that I have another test laptop that hasn’t been updated in a bit: 19045.2006

        I have five machines on 19045.2486,

      • Lol, sorry!

        I have another six machines on 19045.2604.

        The rest are Win11 22h2.

      • Ok, thanks. I’ll do some testing and see how it goes. 🙂

      • Russel Riley / March 14, 2023

        KB5022905, which is for Windows 11 21H2, includes this comment:
        This update addresses an issue that affects the MDM_VPNv2_01 class. Enumerating this class fails. The error message is, “Generic Error”.

        I was able to test AOVPN with this update installed and everything is working properly for me. Now we just have to wait until MS applies the same fix to 22H2!

        Thanks!

      • Hope to see this update available in the next month or so. I’ll be sure to post something here when I learn more.

    • Stefan Schipper / April 16, 2023

      Hi Richard, it looks like they did not include this fix in the April 2023 patch for Win 11 22H2 🙁
      Do you have any news on that? This prevents our customers from migrating to Win 11, not sure why Microsoft is not able to handle that…

      • The latest information I have is that the update for Windows 11 22H2 is scheduled for late May. Keep an eye out for it then. 🙂

      • Stefan Schipper / May 25, 2023

        Seems like KB5026446, released yesterday, did not include the fix 🙁

      • That’s interesting. I did some testing and it worked for me!

      • Stefan Schipper / June 12, 2023

        Did you also test it on a client where the deployment of the VPN failed before, or only on a freshly installed one? I tested on my “old” production client where I tested the VPN installation several times in the past. Maybe this is the reason why I still get “… A general error occurred that is not covered by a more specific code.”

      • Ingo Aus Wörrstadt / October 5, 2023

        Hello,
        The issue still persists for us with a new, fully patched installation of Windows 11. Is there any chance to get this working? Do you have any further information on this @Richard? Thanks

      • The issue described in this post has been resolved. However, there could be something else causing problems. How specifically are you deploying Always On VPN? Using my PowerShell script and an XML configuration file? If so, what error are you receiving?

      • Ingo Aus Wörrstadt / October 6, 2023

        I tried the Microsoft script and yours as well with an XML configuration file. The error is: “Unable to create “Always On VPN Device Tunnel” profile: Exception calling “CreateInstance” with “2” argument(s): “A general error occurred that is not covered by a more specific error code.””

      • Ok, good to know. I can only assume there is a syntax error in your XML configuration file. I’d be happy to review it if you want to send it to me. 🙂

      • Is there a limit to 60 comments? I can only see my comments when clicking on the reply button within the e-mail I got once you respond. At the moment I cannot see my last comment on this.

      • Not to my knowledge! 🙂

      • I used our Windows 10 XML. Here is the link for it:
        https://pastebin.com/iNuLLNAS

      • The formatting looks correct, so that’s good. However, you do have a traffic filter configured. Can you test without the traffic filter and tell me if it works without it?

  14. Andy / October 16, 2023

    Richard, I removed my traffic filters and now it appears that my Win11 clients are installing the device tunnel again. At least two so far, one that has been failing since it broke and one fresh Win11 install.

    • Great to hear. Using traffic filters is hit and miss, to be honest. There are many known issues/limitations with them. I try to avoid them as much as possible. 🙂

Discover more from Richard M. Hicks Consulting, Inc.