Deploying user or device authentication certificates to support Always On VPN requires installing the Certificate Connector for Microsoft Intune. The same connector can link Intune to on-premises public key infrastructure (PKI) using PKCS or SCEP certificates. The connector can be configured to run in the SYSTEM context or a domain service account.
Configuration Failure
Administrators may encounter the following error message when installing the certificate connector and selecting the option to use a domain service account.
“Configuration failed. Configuring Microsoft Intune Certificate Connector failed. No changes were made to Feature or Proxy settings. Please try again.”
Root Cause
This error occurs because the service account does not have the correct permissions assigned on the server where the connector is being installed. Specifically, the service account must have the Logon as a service right assigned. To do this, open the local group policy editor (gpedit.msc) and perform the following steps.
Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Double-click Log on as a service.
Click Add User or Group.
Add the service account.
Click OK.
Once complete, remove the Certificate Connector for Intune and re-run the installation again.
When configuring Always On VPN for Windows 10 and Windows 11 clients, administrators may encounter a scenario where an IPv4 route defined in Microsoft Endpoint Manager/Intune or custom XML is not reachable over an established Always On VPN connection. Further investigation indicates the route is added to the configuration on the endpoint but does not appear in the routing table when the connection is active.
Routing Configuration
When split tunneling is enabled, administrators must define routes to IP networks that are reachable over the Always On VPN connection. The method of defining these routes depends on the client configuration deployment method.
Endpoint Manager
Using Microsoft Endpoint Manager, administrators define IP routes in the Split Tunneling section of the configuration settings for the Always On VPN device configuration profile. Routes are defined by entering the destination prefix and prefix size. In this example, the 10.0.0.0/8 and 172.21.12.0/21 IPv4 networks are defined for routing over the Always On VPN tunnel.
Custom XML
Using custom XML deployed using Microsoft Endpoint Manager, System Center Configuration Manager (SCCM), or PowerShell, routes are defined in the XML file using the following syntax.
Client Configuration
Validate the routing configuration has been implemented on the endpoint successfully by running the following PowerShell command.
As you can see here, the IPv4 routes 10.0.0.0/8 and 172.21.12.0/21 are included in the client’s Always On VPN configuration, as shown below.
Missing Route
However, after establishing an Always On VPN connection, the 172.21.12.0/21 network is not reachable. To continue troubleshooting, run the following PowerShell command to view the active routing table.
Get-NetRoute -AddressFamily IPv4
As you can see above, the only IPv4 route in the VPN configuration added to the routing table is the 10.0.0.0/8 network. The 172.21.12.0/21 IPv4 route is missing.
Network Prefix Definition
IPv4 routes missing from the Always On VPN client’s routing table result from incorrect network prefix definition. Specifically, the IPv4 route 172.21.12.0/21 used in the example here is not a valid network address. Rather, it is a host address in the 172.21.8.0/21 network, as shown below.
The Get-Subnet PowerShell cmdlet is part of the Subnet PowerShell module. To install this module, run the following PowerShell command.
Install-Module Subnet
Resolution
Using the example above, enabling access to the 172.21.12.0/21 subnet would require defining the IPv4 prefix in the routing configuration as 172.21.8.0/21. The moral of this story is always validate routing prefixes to ensure they are, in fact, network addresses and not host addresses.
Since the introduction of Windows 11, there have been numerous reports of issues with Always On VPN when deployed using Microsoft Endpoint Manager/Intune. Specifically, administrators have been reporting that Always On VPN profiles are being deleted, then later reappearing. Obviously, this is highly disruptive to users in the field.
Update January 25, 2022: Microsoft has released a fix for the issues described in this article. It is included with KB5008353 (build 22000.469).
Causes
According to Microsoft, there are several causes for deleted VPN profiles.
Changes to an Existing Profile
Missing Always On VPN profiles commonly occurs when updating settings for an existing VPN profile applied to Windows 11 endpoints. In this scenario, the VPN profile is deleted but not immediately replaced. Synchronize the device with Microsoft Endpoint Manager/Intune once more to return the VPN profile.
Multiple Profiles
Issues with Always On VPN profiles may also occur if two new VPN profiles are applied to the endpoint simultaneously.
Remove and Replace
Removing and replacing an Always On VPN profile at the same time will also result in connectivity issues.
There is no known workaround for these issues at this time. Microsoft is aware of the problem and is working on a fix, and until then, rolling out Windows 11 with Always On VPN should be avoided.
Additional Issues
There have been reports of other known issues with Windows 11 and Always On VPN. For instance, my PowerShell script that removes an Always On VPN connection doesn’t work with Windows 11. I’m working to resolve that issue as we speak.
Are you experiencing any issues with Always On VPN on Windows 11? Please share them in the comments below!
