Always On VPN Security Updates June 2024

The Microsoft security updates for June 2024 have now been published. Reviewing the list of bulletins shows three security updates of importance to Always On VPN administrators. Two affect the Windows Server Routing and Remote Access (RRAS) service, and one affects the Remote Access Connection Manager (RasMan) service. None of the updates are critical this month, which is good news.


The following are the two security updates from this month’s cycle affecting Windows Server RRAS.

CVE-2024-30094 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-30095 – Windows RRAS Remote Code Execution Vulnerability (Important)


The following security update affects the Remote Access Connection Manager (RasMan) service on Windows Server systems.

CVE-2024-30069 – Windows Remote Access Connection Manager Information Disclosure Vulnerability (Important)


None of the security vulnerabilities disclosed this month are critical and require local access to the system to take advantage of the exploit. However, administrators should update their systems as soon as possible.

Additional Information

Microsoft June 2024 Security Updates

Always On VPN May 2024 Security Updates

Always On VPN RasMan Errors in Windows 10 1903

Once again, Microsoft has released its monthly security updates. For May 2024, there are several vulnerabilities in services related to Always On VPN that administrators will want to pay close attention to. Microsoft has identified known issues in the Routing and Remote Access Service (RRAS) and the Remote Access Connection Manager (RasMan) service for this release cycle.


This month, Microsoft published seven security fixes for vulnerabilities discovered in RRAS. All seven are Remote Code Execution (RCE) vulnerabilities rated Important. In addition, all vulnerabilities in RRAS require specific information about the environment for compromise, mitigating some of the exposure.









In addition to the updates for vulnerabilities in RRAS, Microsoft also released a security fix for issues identified in the Remote Access Connection Manager (RasMan) service. This update is marked Important but is not an RCE.



Although the vulnerabilities in RRAS are remotely exploitable, they will require specific information for an attacker to compromise. The risk of targeted attacks is lower than opportunistic ones, but administrators are still urged to update as soon as possible.

Additional Information

May 2024 Security Updates

Always On VPN Device Tunnel Issues with April 2024 Security Update

Always On VPN administrators may find that their device tunnel connections no longer connect automatically after applying the April 2024 security updates. The device tunnel connection is optional and only required under specific conditions, so end users may not be immediately impacted. However, administrators should be aware of this issue.

Note: The issues outlined in this post have been resolved with the May 14, 2024, security updates.

Error Messages

When manually establishing an Always On VPN device tunnel connection using rapshone.exe or rasdial.exe, you may receive one of the following error messages.


Error 0x80070057: The parameter is incorrect.


Connecting to <Name of Device Tunnel>…The parameter is incorrect.

Affected Devices

The issue affects all supported versions of Windows with an Always On VPN device tunnel connection configured to require a specific Enhanced Key Usage (EKU) OID. Administrators can run the following PowerShell command to identify this configuration.

Get-VpnConnection -AllUserConnection -Name <Name of Device Tunnel> | Select-Object MachineCertificateEkuFilter

If the output of this PowerShell command returns data, it is affected by this issue.


To restore Always On VPN device tunnel functionality on devices with the April 2024 security updates installed, open an elevated PowerShell command window and run the following command.

Set-VpnConnection -AllUserConnection -Name ‘Always On VPN Device Tunnel’ -MachineCertificateEKUFilter $Null

After running this command, the output should now be blank.


The problem with implementing the workaround described here is that you likely enabled this configuration to address an issue where the wrong certificate was selected for use with the device tunnel. In this case, the workaround may result in unexpected behavior and may not restore full functionality.

Known Issue Rollback

Currently, Microsoft is aware of the issue and is actively working to resolve it. If you are experiencing this issue, open a support case with Microsoft, and they will provide you with more information and possibly a private Known Issue Rollback (KIR). I will update this post as soon as Microsoft publishes a permanent fix.

Additional Information

Always On VPN Device Tunnel Operation and Best Practices

Always On VPN Device Tunnel Only Deployment Considerations

Considerations for Always On VPN with Azure VPN Gateway and Virtual WAN