Always On VPN Windows 11 Issues with Intune

Always On VPN RasMan Errors in Windows 10 1903

Since the introduction of Windows 11, there have been numerous reports of issues with Always On VPN when deployed using Microsoft Endpoint Manager/Intune. Specifically, administrators have been reporting that Always On VPN profiles are being deleted, then later reappearing. Obviously, this is highly disruptive to users in the field.

Update January 25, 2022: Microsoft has released a fix for the issues described in this article. It is included with KB5008353 (build 22000.469).

Causes

According to Microsoft, there are several causes for deleted VPN profiles.

Changes to an Existing Profile

Missing Always On VPN profiles commonly occurs when updating settings for an existing VPN profile applied to Windows 11 endpoints. In this scenario, the VPN profile is deleted but not immediately replaced. Synchronize the device with Microsoft Endpoint Manager/Intune once more to return the VPN profile.

Multiple Profiles

Issues with Always On VPN profiles may also occur if two new VPN profiles are applied to the endpoint simultaneously.

Remove and Replace

Removing and replacing an Always On VPN profile at the same time will also result in connectivity issues.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure

Workaround

There is no known workaround for these issues at this time. Microsoft is aware of the problem and is working on a fix, and until then, rolling out Windows 11 with Always On VPN should be avoided.

Additional Issues

There have been reports of other known issues with Windows 11 and Always On VPN. For instance, my PowerShell script that removes an Always On VPN connection doesn’t work with Windows 11. I’m working to resolve that issue as we speak.

Are you experiencing any issues with Always On VPN on Windows 11? Please share them in the comments below!

Always On VPN Device Tunnel and Custom Cryptography Native Support Now in Intune

Always On VPN Device Tunnel and Custom Cryptography Native Support Now in IntuneMicrosoft recently announced support for native Windows 10 Always On VPN device tunnel configuration in Intune. Previously administrators had to use the complicated and error-prone custom XML configuration to deploy the Windows 10 Always On VPN device tunnel to their clients. That is no longer required with this recent Intune update. In addition, administrators may now specify custom cryptography settings for IPsec Security Association (SA) parameters for IKEv2 for both device tunnel and user tunnel connections. This effectively eliminates the requirement to use custom ProfileXML for most deployment scenarios.

Device Tunnel Configuration in Intune

Follow the steps below to configure and deploy a Windows 10 Always On VPN device tunnel using the native Intune user interface.

Create Profile

1. Open the Microsoft Endpoint Manager admin center (devicemanagement.microsoft.com).
2. Navigate to Devices > Configuration Policies.
3. Click Create profile.
4. Choose Windows 10 and later from the Platform drop-down list.
5. Choose VPN from the Profile drop-down list.
6. Click Create.

Profile Settings

Proceed with the profile configuration as you would normally, providing the VPN connection name, VPN server name(s), and choosing the option to register IP addresses with internal DNS. Next use the following steps to define a device tunnel connection and specify custom cryptography for IPsec SA parameters for IKEv2.

Configure a Device Tunnel

1. Select IKEv2 from the Connection type drop-down list.
2. Click Enable in the Always On section.
3. Select Machine Certificates from the Authentication method section.
4. If the computer certificate is provisioned using Intune, select the client authentication certificate (not required if the computer certificate is provisioned using on-premises Active Directory).
5. Click Enable in the Device Tunnel section.

Define Custom Cryptography

Follow the steps below to implement minimum security baseline cryptography settings for IKEv2.

IKE Security Association Parameters

1. Select AES-128 from the Encryption algorithm drop-down list.
2. Select SHA2-256 from the Integrity check algorithm drop-down list.
3. Select 14 from the Diffie-Hellman group drop-down list.

Child Security Association Parameters

1. Select CBC-AES-128 from the Cipher transform algorithm drop-down list.
2. Select HMAC-SHA256-128 from the Authentication transform algorithm drop-down list.
3. Select 14 from the Perfect forward secrecy (pfs) group drop-down list.

Always On VPN Device Tunnel and Custom Cryptography Native Support Now in Intune

Important Note: The IPsec security association parameters outlined above are the minimum recommend security baseline for IKEv2 and are compatible with all supported versions of Windows Server RRAS. It is recommended that authenticated cipher suites (GCM) be used whenever possible. However, GCM ciphers are not supported for encryption prior to Window Server 1803. Administrators should review these security settings and adjust the parameters to meet their specific security requirements.

Server Configuration

When defining custom cryptography settings for IKEv2 for device tunnel deployment, it is critical that the server be configured using identical parameters. Failure to use matching cryptography settings on the client and server will result in error code 13868, which indicates an IPsec policy mismatch.

A PowerShell script to configure IKEv2 security association parameter minimum security baselines on the RRAS server as outlined above can be found here. The commands to make these changes on the Azure VPN gateway can be found in this post.

Caveats

While Microsoft has made great strides to ensure better support for Always On VPN configuration using the native Intune UI, there are a few critical settings are still not supported. In these scenarios the administrator must deploy Always On VPN using custom XML, as described here and here.

Custom Cryptography

IKEv2 custom cryptography settings are only exposed when IKEv2 is selected as the connection type. It appears that defining custom cryptography settings for IKEv2 when the connection type is set to Automatic is not supported at this time. If you wish to specify the Automatic connection type and use custom cryptography settings for IKEv2 you will need to deploy the device tunnel using custom ProfileXML.

IPv6

IPv6 routing when configuring split tunneling for Always On VPN in Intune is not supported.

Always On VPN Device Tunnel and Custom Cryptography Native Support Now in Intune

Additional Information

Windows 10 Always On VPN Policy Mismatch Error

Windows 10 Always On VPN Device Tunnel with Azure VPN Gateway

Windows 10 Always On VPN IKEv2 Load Balancing and NAT

Windows 10 Always On VPN IKEv2 Fragmentation

Windows 10 Always On VPN IKEv2 Security Configuration

Deploying Always On VPN with Intune using Custom ProfileXML

Deploying Always On VPN with Intune using Custom ProfileXMLWhen deploying Windows 10 Always On VPN using Microsoft Intune, administrators have two choices for configuring VPN profiles. They can use the native Intune user interface (UI) or create and upload a custom ProfileXML. The method chosen will depend on which features and settings are required.

Microsoft Intune

Intune has an intuitive user interface (UI) that can be used to configure and deploy Always On VPN profiles to Windows 10 clients. Guidance for using the UI to deploy Windows 10 Always On VPN with Microsoft Intune can be found here. However, Intune does not expose all Always On VPN settings to the administrator, which can be problematic.

Missing from Intune

At the time of this writing (updated March 2021), the following Always On VPN settings cannot be configured natively using the Intune UI.

  • Disable class-based default route
  • Exclusion routes
  • LockDown Mode
  • IPv6 routing (broken in Intune)

To implement any of the above features or settings the administrator must create and upload a custom ProfileXML.

ProfileXML

ProfileXML is a node within the VPNv2 Configuration Service Provider (CSP). When configuring Always On VPN using the Intune UI, each setting is configured individually. By contrast, the ProfileXML node includes all Always On VPN settings in a single configuration file. It can be deployed using Intune or PowerShell. Sample ProfileXML files for both user and device tunnels can be downloaded from my GitHub repository.

ProfileXML and Intune

I’ve already documented how to deploy an Always On VPN device tunnel configuration using Intune, so this post will focus on deploying the user tunnel using ProfileXML.

Once ProfileXML has been configured, open the Intune management console and follow the steps below to deploy it using Intune.

Create Profile

1. In the navigation pane click Device Configuration.
2. Click Profiles.
3. Click Create Profile.
4. Enter a descriptive name for the new VPN profile.
5. Select Windows 10 and later from the Platform drop-down list.
6. Select Custom from the Profile type drop-down list.

Custom OMA-URI Settings

1. In the Custom OMA-URI Settings blade click Add.
2. Enter a descriptive name in the Name field (this name will appear in the Windows UI on the client).
3. Enter ./User/Vendor/MSFT/VPNv2/Always%20On%20VPN/ProfileXML in the OMA-URI field. I’ve used Always On VPN as an example here, but you can use any text you like. If it includes spaces they must be escaped using %20, as shown here. Also, don’t forget to include the leading “.“.
4. Select String (XML file) from the Data type drop-down list.
5. Click the folder next to the Select a file field and select your ProfileXML file.
6. Click Ok.

Deploying Always On VPN with Intune using Custom ProfileXML

Important Note: The File contents window must show the contents of your ProfileXML. If the contents are unreadable the XML file contains encoding that will not work. If this happens, copy the contents of your ProfileXML to another new text file and upload again.

Assign Profile

Follow the steps below to assign the Always On VPN profile to the appropriate user group.

1. Click Assignments.
2. Click Select groups to include.
3. Select the group that includes the target users.
4. Click Select.
5. Click Save.

Deploying Always On VPN with Intune using Custom ProfileXML

Demonstration Video

A demonstration video with guidance for deploying a Windows 10 Always On VPN user tunnel using the native Microsoft Intune UI as well as custom ProfileXML can be found here. The custom ProfileXML guidance starts at 7:52.

Additional Information

Deploying Windows 10 Always On VPN with Microsoft Intune

Deploying Windows 10 Always On VPN Device Tunnel using PowerShell

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN LockDown Mode

Windows 10 Always On VPN Scripts and Sample ProfileXML Files on GitHub