Microsoft recently released Windows 11 24H2. Not long after the release there have been numerous reports of DirectAccess failing after performing an in-place upgrade from previous versions of Windows 11. New installations of Windows 11 24H2 experience the same problem.
Update 10/28/2024: This issue is resolved with KB5044384.
Testing
After downloading and configuring a Windows 11 24H2 test client I was able to quickly reproduce the issue. While previous versions of Windows 11 can connect to my test DirectAccess server without issue, the Windows 11 24H2 client fails.
Troubleshooting
Looking at the DirectAccess status indicator in the UI the DirectAccess connection remains ‘Connecting’ perpetually. Further investigation indicates an IP-HTTPS interface error. Running the command netsh.exe interface httpstunnel show interface reveals an error code 0x57 (invalid parameter) with the following error message.
Failed to connect to the IPHTTPS server. Waiting to reconnect.
Workaround
Currently there is no known root cause for this issue and there is no available workaround. Administrators should delay upgrading to Windows 11 24H2 if DirectAccess is deployed in the organization. I will continue to investigate and post additional information as I learn more. Stay tuned!
Always On VPN administrators may find that their device tunnel connections no longer connect automatically after applying the April 2024 security updates. The device tunnel connection is optional and only required under specific conditions, so end users may not be immediately impacted. However, administrators should be aware of this issue.
Note: The issues outlined in this post have been resolved with the May 14, 2024, security updates.
Error Messages
When manually establishing an Always On VPN device tunnel connection using rapshone.exe or rasdial.exe, you may receive one of the following error messages.
Rasphone.exe
Error 0x80070057: The parameter is incorrect.
Rasdial.exe
Connecting to <Name of Device Tunnel>…The parameter is incorrect.
Affected Devices
The issue affects all supported versions of Windows with an Always On VPN device tunnel connection configured to require a specific Enhanced Key Usage (EKU) OID. Administrators can run the following PowerShell command to identify this configuration.
Get-VpnConnection -AllUserConnection -Name <Name of Device Tunnel> | Select-Object MachineCertificateEkuFilter
If the output of this PowerShell command returns data, it is affected by this issue.
Workaround
To restore Always On VPN device tunnel functionality on devices with the April 2024 security updates installed, open an elevated PowerShell command window and run the following command.
Set-VpnConnection -AllUserConnection -Name ‘Always On VPN Device Tunnel’ -MachineCertificateEKUFilter $Null
After running this command, the output should now be blank.
Caveat
The problem with implementing the workaround described here is that you likely enabled this configuration to address an issue where the wrong certificate was selected for use with the device tunnel. In this case, the workaround may result in unexpected behavior and may not restore full functionality.
Known Issue Rollback
Currently, Microsoft is aware of the issue and is actively working to resolve it. If you are experiencing this issue, open a support case with Microsoft, and they will provide you with more information and possibly a private Known Issue Rollback (KIR). I will update this post as soon as Microsoft publishes a permanent fix.
The Microsoft Intune Certificate Connector enables the provisioning and de-provisioning of on-premises PKI certificates for Intune-managed devices. Always On VPN administrators using Intune to deploy certificates with the Intune Certificate Connector using either PKCS or SCEP may encounter a scenario where certificates are no longer being provisioned to users or devices after working reliably previously.
Certificate Not Found
When this issue occurs, users will no longer be able to access the VPN and receive a “certificate could not be found that can be used with this Extensible Authentication Protocol” error message.
Connector Status
To determine the status of the Intune Certificate Connector, open the Microsoft Intune Admin Center (https://intune.microsoft.com) and navigate to Tenant Administration > Connectors and Tokens > Certificate Connectors. The status of the certificate connector server will be in Error.
Event Log
Open the event log on the server where the Intune Certificate Connector is installed. Navigate to Applications and Services Logs > Microsoft > Intune > CertificateConnectors > Operational. Here, you will find a variety of warning and error messages.
Event ID 5001
This is a warning from the CertificateConnectors source with event ID 5001 in the Task Category HealthMessageUploadFailedAttempt with the following details.
PKI Create Service:
Failed to upload health messages. Requeuing messages.
Event ID 1003
This is an error from the CertificateConnectors source with event ID 1003 in the Task Category PkcsDownloadFailure with the following details.
PKI Create Service:
Failed to download PKCS requests.
Event ID 2
This is an error from the CertificateConnectors source with event ID 2 in the Task Category Exception with the following details.
PKI Create Service:
Microsoft.Intune.Connectors.PkiCreateProcessor.Process threw an exception.
Expired Certificate
The warning and error messages recorded in the event log indicate an expired certificate on the Intune Certificate Connector server. Open the local computer certificate store (certlm.msc) on the server where the Intune Certificate Connector is installed. Review the expiration date of the certificate issued by Microsoft Intune ImportPFX Connector CA. It is most likely expired.
Click on the Certification Path tab to view the certificate status.
Renew Certificate
To renew this certificate, you must reinstall the Intune Certificate Connector. However, you do not have to uninstall it first. To renew the certificate, navigate to C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI and double-click on PFXCertificateConnectorUI.exe. Follow the prompts without making changes to the existing configuration. You’ll be prompted for the service account password (if using a domain account) and proxy credentials (if using a proxy server). In addition, you’ll be asked to sign in to Entra ID (formerly Azure AD). Be sure to provide credentials that are a global administrator and have an Intune license assigned. Once the process is complete, a new certificate will be installed in the local computer certificate store.
Intune Configuration
After updating the Intune Certificate Connector, a new certificate connector appears in the Intune Admin Center. You can now safely delete the old connector and rename the new one accordingly.
Redundancy
Deploying multiple instances of the Intune Certificate Connector is an excellent way to avoid future outages! It’s also a good idea to stagger their installation by a few months to ensure that a future certificate expiration doesn’t result in lost functionality. If you’ve deployed Intune Certificate Connectors recently, consider updating them at rotating intervals so certificates expire at different times.