Always On VPN Disconnects in Windows 11

Always On VPN administrators migrating their endpoints to Windows 11 may encounter a scenario where Always On VPN randomly disconnects when the VPN profile is deployed using Microsoft Intune. The same configuration deployed to Windows 10 devices works reliably, however. In addition, Always On VPN profiles deployed using PowerShell (natively or with SCCM) or PowerON DPC do not experience this problem.

Troubleshooting

Administrators troubleshooting this issue will find the root cause: Intune removes and replaces the Always On VPN profile each time the device syncs, even when nothing in the configuration has changed. Removing and replacing the profile on every sync is unnecessary, of course, but it is also highly disruptive, because any user connected at the time is disconnected.

Intune and XML

The Intune team identified the issue, and a fix was made available in the August update. However, many of you have reported that the issue persists on some Windows 11 clients after installing the latest updates. Further investigation indicates that although the issue has been resolved when using the native VPN device configuration profile template in Intune, the problem still occurs when the profile is deployed with the Custom device configuration template (that is, a custom OMA-URI carrying ProfileXML).

Workaround

Microsoft is aware of the issues with deploying Always On VPN client configuration settings using XML in Intune, but there’s no indication when or if they will fix it. Until then, administrators have two options to address this problem.

Native VPN Template

When deploying Always On VPN client configuration settings to Windows 11 endpoints, use the native VPN device configuration template, as shown here.

Using the native VPN template does have some limitations, however. The following settings are not exposed using the native VPN template and can only be configured using XML.

XML

If you must use XML, I’ve had some success by ensuring the order of the XML elements is exactly what Intune expects. Follow the steps below to confirm the element order in your XML configuration file.

  1. Deploy your XML file with Intune.
  2. Run Get-VpnClientProfileXML.ps1 on a device that received the profile to extract the XML settings as they were actually deployed.
  3. Compare the order of settings to your existing XML.
  4. Make changes to ensure all settings in your XML are in the same order as the extracted XML.
  5. Publish a new XML configuration file using Intune and test.
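The following script is an added example of steps 2 through 4 and is not the author’s Get-VpnClientProfileXML.ps1 script. It reads the deployed profile through the MDM Bridge WMI provider (namespace root\cimv2\mdm\dmmap, class MDM_VPNv2_01), decodes the stored ProfileXML, saves a copy, and then lists every element path in document order for both the deployed XML and your local file so Compare-Object can show exactly which elements are out of position. The parameter names, the function name Get-ElementOrder, and the output file location are my own choices.

```powershell
# Added example (not the author's script): diff the element order of the
# ProfileXML Windows has stored for a deployed Always On VPN profile against
# the XML file you push from the Intune custom template.
#
# Assumptions: run in an elevated PowerShell session on a Windows 11 client
# that has already received the profile from Intune. A user tunnel profile is
# visible in the user's own session; a device tunnel profile is only returned
# when the script runs as SYSTEM (for example via PsExec -s).

param(
    # Path to the XML file deployed with the Intune custom template.
    [Parameter(Mandatory)]
    [string]$LocalXmlPath,

    # Profile name as it appears in Get-VpnConnection (assumed example name).
    [Parameter(Mandatory)]
    [string]$ProfileName
)

function Get-ElementOrder {
    # Depth-first walk that emits one "/"-separated path per element, in
    # document order, so an ordering difference at any nesting level shows up.
    param(
        [Parameter(Mandatory)][System.Xml.XmlElement]$Element,
        [string]$Prefix = ''
    )
    $path = if ($Prefix) { "$Prefix/$($Element.LocalName)" } else { $Element.LocalName }
    $path
    foreach ($child in $Element.ChildNodes) {
        if ($child -is [System.Xml.XmlElement]) {
            Get-ElementOrder -Element $child -Prefix $path
        }
    }
}

# The VPNv2 CSP stores the profile name URL-encoded in InstanceID (a space is %20).
$instanceId = [uri]::EscapeDataString($ProfileName)
$deployed = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' |
    Where-Object { $_.InstanceID -eq $instanceId }

if (-not $deployed) {
    throw "No MDM-deployed VPN profile named '$ProfileName' was found. Check the name, and run as SYSTEM for a device tunnel."
}

# ProfileXML comes back XML-escaped (&lt;VPNProfile&gt; ...) from the bridge
# provider; decode it before parsing. Decoding literal XML is a no-op.
$deployedDoc = [xml]([System.Net.WebUtility]::HtmlDecode($deployed.ProfileXML))
$localDoc    = [xml](Get-Content -Path $LocalXmlPath -Raw)

# Keep a copy of the deployed XML to use as the reference when re-ordering.
$outFile = Join-Path $env:TEMP "$ProfileName-deployed.xml"
$deployedDoc.Save($outFile)
Write-Host "Deployed ProfileXML saved to $outFile"

$deployedOrder = @(Get-ElementOrder -Element $deployedDoc.DocumentElement)
$localOrder    = @(Get-ElementOrder -Element $localDoc.DocumentElement)

# -SyncWindow 0 compares position by position, so an element that exists in
# both files but at a different index is reported on both sides.
$diff = Compare-Object -ReferenceObject $deployedOrder -DifferenceObject $localOrder -SyncWindow 0
if (-not $diff) {
    Write-Host 'Element order matches the deployed profile.'
} else {
    Write-Host 'Order differences (<= deployed profile, => your XML file):'
    $diff | Format-Table SideIndicator, InputObject -AutoSize
}
```

Run it as `.\Compare-VpnProfileOrder.ps1 -LocalXmlPath .\AOVPN-User.xml -ProfileName 'Always On VPN'` (file and profile names are placeholders). Paths reported on both sides of the diff are elements that exist in both files but sit at different positions; move those in your file until the comparison is empty, then republish the XML through Intune and test, as in step 5 above.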

I’ll caution you that this workaround doesn’t always work reliably. Some customers report that this solved their problems entirely, while others have indicated it does not. My testing shows the same results. Let us know in the comments below if this works for you!

Additional Information

Always On VPN Windows 11 Issues with Intune

Always On VPN PowerShell Script Issues in Windows 11


4 Comments

  1. Joe Bartlett (March 15, 2024)

    Hi Richard,

    Thanks for writing this article, it’s really helpful (as usual). I thought I was doing something silly with my configuration, so it’s good to know it’s just a bug.

    I’ve tried using the Get-VpnClientProfileXML.ps1 script to mirror the configuration on a device in Intune, but unfortunately this doesn’t seem to have helped.

    We really need some of the features not available in the Intune template so would prefer to use custom XML if at all possible.

    I was wondering if you, or anyone else reading this comment, had any other tips or experiences from the last few months that you might be able to share? Or perhaps some news from MS as to when the bug might be properly fixed?

    Thanks again,
    Joe

    • Hi Joe. Unfortunately, the order and syntax for XML in Windows 11 are stricter than in previous versions of Windows. If you’ll reach out to me directly, I’d be happy to review your configuration file and offer any suggestions that might help.

      • Hi Richard, I can’t leave a comment (“nonce verification failed”), maybe via the reply function.

        Did you encounter a problem where the user tunnel doesn’t connect automatically under Windows 11? Currently we are upgrading to Win 11 (22H2), and after that upgrade or reinstall, many users have the problem of not getting connected automatically. I enclose the problem: the device tunnel doesn’t come up, and then the user tunnel can’t connect (after rasdial of the device tunnel, the user tunnel comes up automatically). There is no Event Log (RasClient) error; the client just doesn’t notice that there is an internet connection, maybe something with the nlasvc, but my client, Win 11, always connects automatically. The NCSI log shows no internet connection, but we can’t find out why. LAN or WLAN doesn’t matter.

        Hope you have some hints for us.

        Thanks

        Alex

      • Sorry about that error message. It’s related to caching somehow. If you perform a hard refresh (Ctrl-F5) it should work after that.

        I’ve heard many reports about Always On VPN connections not connecting automatically after upgrading to Windows 11. I’ve had customers report success after removing and replacing the VPN profiles post upgrade. Also, as you indicated, the client must detect an Internet connection before Always On VPN connections are attempted. If network location awareness isn’t working correctly Windows doesn’t try to establish the VPN.
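As an added example (not from the original post or its comments), the following PowerShell function checks the two things the reply above calls out: whether network location awareness reports Internet connectivity on any non-VPN interface, and whether the NCSI active probe URL is actually reachable from the client. The function name Test-AlwaysOnVpnPrerequisites and the profile name passed to it are my own assumptions; the probe URL and its expected body are the ones NCSI uses.

```powershell
# Added example: verify the preconditions Windows needs before it will attempt
# an Always On VPN connection. Assumes a user tunnel in the current user's
# session; the -AllUserConnection fallback covers a device tunnel when run as
# SYSTEM. Function and profile names are assumed, not taken from the post.

function Test-AlwaysOnVpnPrerequisites {
    param([Parameter(Mandatory)][string]$ProfileName)

    $ok = $true

    # 1. NLA verdict per interface. If no interface reports Internet
    #    connectivity, the VPN client never tries to connect.
    $profiles = Get-NetConnectionProfile
    foreach ($p in $profiles) {
        '{0,-30} {1,-10} IPv4={2,-12} IPv6={3}' -f $p.InterfaceAlias, $p.NetworkCategory, $p.IPv4Connectivity, $p.IPv6Connectivity
    }
    $internet = $profiles | Where-Object {
        $_.IPv4Connectivity -eq 'Internet' -or $_.IPv6Connectivity -eq 'Internet'
    }
    if (-not $internet) {
        Write-Warning 'No interface reports Internet connectivity; Always On VPN will not auto-connect.'
        $ok = $false
    }

    # 2. NCSI active probe. A reachable probe with NLA still reporting no
    #    Internet points at the NCSI/NLA services rather than the network.
    try {
        $probe = Invoke-WebRequest -Uri 'http://www.msftconnecttest.com/connecttest.txt' -UseBasicParsing -TimeoutSec 5
        if ($probe.Content.Trim() -ne 'Microsoft Connect Test') {
            Write-Warning 'NCSI probe returned unexpected content (captive portal or proxy interception?).'
            $ok = $false
        }
    } catch {
        Write-Warning "NCSI probe failed: $($_.Exception.Message)"
        $ok = $false
    }

    # 3. The profile itself, and whether it is currently connected.
    $vpn = Get-VpnConnection -Name $ProfileName -ErrorAction SilentlyContinue
    if (-not $vpn) {
        $vpn = Get-VpnConnection -Name $ProfileName -AllUserConnection -ErrorAction SilentlyContinue
    }
    if (-not $vpn) {
        Write-Warning "VPN profile '$ProfileName' was not found in the current context."
        $ok = $false
    } else {
        $vpn | Select-Object Name, TunnelType, AllUserConnection, ConnectionStatus
    }

    return $ok
}

Test-AlwaysOnVpnPrerequisites -ProfileName 'Always On VPN'
```

If the probe succeeds but NLA still reports no Internet on every interface, restart the NLA and NCSI services (nlasvc and NlaSvc’s dependency, the Network Connectivity Assistant) or reboot, then re-run the check before replacing the VPN profiles.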

Discover more from Richard M. Hicks Consulting, Inc.
