Always On VPN administrators may find that their device tunnel connections no longer connect automatically after applying the April 2024 security updates. The device tunnel connection is optional and only required under specific conditions, so end users may not be immediately impacted. However, administrators should be aware of this issue.
Note: The issues outlined in this post have been resolved with the May 14, 2024, security updates.
Error Messages
When manually establishing an Always On VPN device tunnel connection using rasphone.exe or rasdial.exe, you may receive one of the following error messages.
Rasphone.exe
Error 0x80070057: The parameter is incorrect.
Rasdial.exe
Connecting to <Name of Device Tunnel>…The parameter is incorrect.
Affected Devices
The issue affects all supported versions of Windows with an Always On VPN device tunnel connection configured to require a specific Enhanced Key Usage (EKU) OID. Administrators can run the following PowerShell command to identify this configuration.
Get-VpnConnection -AllUserConnection -Name <Name of Device Tunnel> | Select-Object MachineCertificateEkuFilter
If the output of this PowerShell command returns data (that is, the MachineCertificateEkuFilter property is populated), the device is affected by this issue.
Workaround
To restore Always On VPN device tunnel functionality on devices with the April 2024 security updates installed, open an elevated PowerShell command window and run the following command.
Set-VpnConnection -AllUserConnection -Name 'Always On VPN Device Tunnel' -MachineCertificateEKUFilter $Null
After running this command, re-run the Get-VpnConnection command shown above; the MachineCertificateEkuFilter output should now be blank.
Caveat
The problem with implementing the workaround described here is that you likely enabled this configuration to address an issue where the wrong certificate was selected for use with the device tunnel. In this case, the workaround may result in unexpected behavior and may not restore full functionality.
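The identification and workaround steps above can be combined into a single script that records the existing EKU filter before clearing it, so the original certificate selection constraint can be put back once a fixed update is installed. This is an added example, not code from the original post; the backup file path and the -Clear and -Restore switch names are assumptions chosen for illustration, and the cmdlets and parameters used are the same Get-VpnConnection and Set-VpnConnection calls shown in the post.

```powershell
# Added example (not from the original post). Inventory all-user (device tunnel) VPN
# connections, save any configured MachineCertificateEkuFilter, and optionally clear
# or restore it. Run from an elevated PowerShell session on the affected client.
param(
    # Assumed backup location; change to suit your environment.
    [string]$BackupPath = "$env:ProgramData\AOVPN-EkuFilter-Backup.json",
    [switch]$Clear,    # apply the workaround (clear the EKU filter) after backing it up
    [switch]$Restore   # put the saved EKU filter back (after installing the fixed update)
)

if ($Restore) {
    if (-not (Test-Path -Path $BackupPath)) {
        throw "No backup found at $BackupPath; nothing to restore."
    }
    $saved = @(Get-Content -Path $BackupPath -Raw | ConvertFrom-Json)
    foreach ($entry in $saved) {
        # Re-apply the original OID list so the intended certificate is selected again.
        Set-VpnConnection -AllUserConnection -Name $entry.Name -MachineCertificateEKUFilter ([string[]]$entry.EkuFilter)
        Write-Output ("Restored EKU filter on '{0}': {1}" -f $entry.Name, ($entry.EkuFilter -join ', '))
    }
    return
}

# Device tunnel connections live in the all-user phonebook.
$connections = Get-VpnConnection -AllUserConnection -ErrorAction Stop

# A connection is affected only when an EKU filter is configured.
$affected = foreach ($c in $connections) {
    if ($c.MachineCertificateEkuFilter) {
        [pscustomobject]@{
            Name      = $c.Name
            EkuFilter = @($c.MachineCertificateEkuFilter)
        }
    }
}

if (-not $affected) {
    Write-Output 'No all-user VPN connection has a MachineCertificateEkuFilter configured; this device is not affected.'
    return
}

Write-Output 'Affected connections:'
foreach ($a in $affected) {
    Write-Output ("  {0}: {1}" -f $a.Name, ($a.EkuFilter -join ', '))
}

# Keep a record of the current filter values before touching anything.
$affected | ConvertTo-Json -Depth 3 | Set-Content -Path $BackupPath -Encoding UTF8
Write-Output "EKU filter values saved to $BackupPath"

if (-not $Clear) {
    Write-Output 'Re-run with -Clear to apply the workaround, or -Restore to put the saved filter back.'
    return
}

foreach ($a in $affected) {
    # Clearing the filter restores connectivity but removes the certificate selection
    # constraint, so the wrong certificate may be chosen (see the Caveat section).
    Set-VpnConnection -AllUserConnection -Name $a.Name -MachineCertificateEKUFilter $null

    # Verify: the property should now be empty.
    $check = Get-VpnConnection -AllUserConnection -Name $a.Name | Select-Object -ExpandProperty MachineCertificateEkuFilter
    if ($check) {
        Write-Warning ("EKU filter on '{0}' is still set: {1}" -f $a.Name, ($check -join ', '))
    } else {
        Write-Output ("Cleared EKU filter on '{0}'" -f $a.Name)
    }
}
```

Run the script once with no switches to see whether the device is affected and to write the backup, with -Clear to apply the workaround, and with -Restore after the fixed update is installed so the device tunnel again selects the intended certificate.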
Known Issue Rollback
Currently, Microsoft is aware of the issue and is actively working to resolve it. If you are experiencing this issue, open a support case with Microsoft, and they will provide you with more information and possibly a private Known Issue Rollback (KIR). I will update this post as soon as Microsoft publishes a permanent fix.
Additional Information
Always On VPN Device Tunnel Operation and Best Practices
Always On VPN Device Tunnel Only Deployment Considerations
Considerations for Always On VPN with Azure VPN Gateway and Virtual WAN