Many administrators are now beginning to test Always On VPN functionality on the latest Microsoft Windows client operating system, Windows 11. Initially, Microsoft had some issues with provisioning and managing Always On VPN profiles on Windows 11 using Microsoft Endpoint Manager/Intune, but those have been resolved. However, some lingering problems may delay enterprise deployments of Always On VPN on Windows 11 for some organizations, specifically those using PowerShell with Active Directory group policy startup scripts or System Center Configuration Manager (SCCM).
Important Note: The issues outlined in this article have been resolved! The fix for the WMI enumeration bug is addressed in the following updates:
Windows 11 21H2 – KB5022905 (build 22000.1641)
Windows 11 22H2 – KB5026446 (build 22621.1778)
MakeProfile.ps1
Microsoft has published guidance for deploying Always On VPN profiles using PowerShell with their MakeProfile.ps1 script. This script extracts configuration details from a template VPN profile to create another PowerShell script called VPN_Profile.ps1, which is used to create the Always On VPN profile. SCCM administrators commonly use VPN_Proifle.ps1 to deploy Always On VPN profiles. However, running this script on Windows 11 fails and returns the following error message.
“Unable to create [VPN profile name] profile: A general error occurred that is not covered by a more specific code.”
This issue appears to be related to a problem with the WMI-to-CSP bridge, specifically enumerating the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap namespace. Here you can see the template VPN profile with PowerShell and Get-VpnConnection.
However, attempts to view the MDM_VPNv2_01 class of this VPN profile using PowerShell and Get-CimInstance fail.
New-AovpnConnection.ps1
Interestingly, administrators may find that my Always On VPN PowerShell deployment script works more reliably on Windows 11, although not always. In my experience, I’ve found that it sometimes fails once (profile is loaded, but the configuration is incomplete), then works after deleting the profile and creating it again. If the Microsoft-provided script isn’t working, give mine a try and see if it works better for you.
Note: When deploying Always On VPN profiles using my PowerShell deployment script via Active Directory startup scripts, it seems to fail consistently for some reason. Go figure. 😉
Remove-AovpnConnection.ps1
The issues described previously with Windows 11 are also negatively affecting some of my other PowerShell scripts. For example, running Remove-Aovpnconnection.ps1 on Windows 11 fails and returns the following error message.
“A general error occurred that is not covered by a more specific error code.”
Current Status
Microsoft is currently aware of this issue. However, I am aware of no timeframe for resolution at the time of this writing. Hopefully, Microsoft addresses this soon so organizations can move forward with their Windows 11 migration projects.
Additional Information
Microsoft Windows Always On VPN Windows 11 Issues with Microsoft Endpoint Manager/Intune
Microsoft Windows Always On VPN Profile Deployment Script
Microsoft Windows Always On VPN Remove Always On VPN Profile Script
NetMotion Software and Microsoft have now partnered to integrate NetMotion Mobility with Microsoft Endpoint Manager and Intune. NetMotion Mobility is a purpose-built enterprise VPN solution that has many advantages over competing remote access technologies. Using Microsoft Endpoint Manager or Intune, organizations can now quickly and easily provision NetMotion client software to their managed devices.
In its default configuration, NetMotion Mobility connections are established at the user level. In most cases this level of access is sufficient, but there are some common uses cases that require VPN connectivity before the user logs on. Examples include provisioning a new device to a user who has never logged on before, or to allow support engineers to connect to a remote device without requiring a user to log in first.
