After the April 2024 Microsoft security updates were released, many Always On VPN administrators noticed that the device tunnel suddenly stopped connecting automatically for many, if not all, their endpoints.
Note: There were additional problems with the April 2024 security update that affected the Always On VPN device tunnel. Details here.
Troubleshooting
When this problem occurs, administrators can establish the device tunnel connection successfully if it is initiated manually. This indicates that there are no issues with the IKEv2 VPN connection or security configuration.
Subscription Activation
The root cause of this issue is related to a subscription activation issue broken in the April 2024 security updates. In this case, Windows 10/11 Enterprise Edition devices that were initially provisioned using Professional Edition and used a step-up upgrade (subscription activation) to Enterprise Edition are reverting to Professional Edition. The Always On VPN device tunnel requires Enterprise Edition to work correctly. Although you can deploy a device tunnel to Windows Professional, it will not connect automatically. It will, however, connect manually.
KB5040527
On July 25, 2024, Microsoft released a preview of updates (KB5040527), including a fix for this subscription activation issue. Administrators experiencing problems with Always On VPN device tunnels where their devices revert to Professional Edition can install this update to resolve this issue.
Additional Information
Always On VPN Device Tunnel Issue with the Microsoft April 2024 Security Update