Always On VPN Device Tunnel Fails to Connect Automatically

After the April 2024 Microsoft security updates were released, many Always On VPN administrators noticed that the device tunnel suddenly stopped connecting automatically for many, if not all, their endpoints.

Note: There were additional problems with the April 2024 security update that affected the Always On VPN device tunnel. Details here.

Troubleshooting

When this problem occurs, administrators can establish the device tunnel connection successfully if it is initiated manually. This indicates that there are no issues with the IKEv2 VPN connection or security configuration.

Subscription Activation

The root cause of this issue is related to a subscription activation issue broken in the April 2024 security updates. In this case, Windows 10/11 Enterprise Edition devices that were initially provisioned using Professional Edition and used a step-up upgrade (subscription activation) to Enterprise Edition are reverting to Professional Edition. The Always On VPN device tunnel requires Enterprise Edition to work correctly. Although you can deploy a device tunnel to Windows Professional, it will not connect automatically. It will, however, connect manually.

KB5040527

On July 25, 2024, Microsoft released a preview of updates (KB5040527), including a fix for this subscription activation issue. Administrators experiencing problems with Always On VPN device tunnels where their devices revert to Professional Edition can install this update to resolve this issue.

Additional Information

Always On VPN Device Tunnel Issue with the Microsoft April 2024 Security Update

Always On VPN Device Tunnel Status Indicator

Always On VPN Devcie Tunnel Only Deployment Considerations

Workplace Ninja Summit Switzerland 2024

I’m excited to announce that I’ll be presenting at the upcoming Workplace Ninja Summit in beautiful Lucerne, Switzerland. The event takes place from September 16-19, 2024, and covers topics such as Microsoft Intune, System Center Configuration Manager (SCCM), Entra, PowerShell, Azure Virtual Desktop (AVD), Windows 365, and more.

My Sessions

I will be delivering two talks at this year’s conference.

  • Simplified Certificate Management with Cloud PKI for Microsoft Intune
  • Strong Authentication with Entra Certificate-Based Authentication

I will provide links to the sessions with dates and times when they are available.

Let’s Connect!

Will you be attending the conference? Let’s get together! Drop me a note on X or LinkedIn, or fill out the form below, and we’ll discuss anything you’d like. Hope to see you there!

Contact Me

Cloud PKI for Microsoft Intune on RunAs Radio

Recently, I joined my good friend Richard Campbell on his popular RunAs Radio podcast. In this episode, we discussed Microsoft’s new Cloud PKI for Intune service. Cloud PKI for Intune is a PKI-as-a-service solution that allows organizations to issue and manage digital certificates without deploying on-premises infrastructure. Optionally, Cloud PKI for Intune supports integration with an existing on-premises PKI. Cloud PKI for Intune isn’t without a few drawbacks, though. We discuss all the benefits and limitations during this podcast, so be sure to listen!

Additional Information

Cloud PKI for Microsoft Intune on RunAs Radio Episode 943

Overview of Cloud PKI for Microsoft Intune

Cloud PKI for Microsoft Intune and Active Directory

Cloud PKI for Microsoft Intune SCEP URL

Cloud PKI for Microsoft Intune and Certificate Templates