Windows 11 Always on VPN device tunnel removed on reboot


We are having an issue with the Always On VPN device tunnels being removed on device start. Once logged in to Windows, we have to do a manual sync with Intune for it to restore the connection. When the connection is available it runs as it normally would and does appear to stay there, but as soon as you reboot it deletes itself.

The VPN is deployed via Intune, and is set up with machine certs connecting to a RRAS server running on 2019. Works fine on all of our Windows 10 devices, and worked fine on our test device before upgrading to 11.

14 Replies
Just to confirm, this problem started after upgrading to Windows 11, is that correct?
If yes, check the Event Viewer and see if there are any relevant log entries there.
I believe this is a bug, and try opening the Feedback Hub app in Windows 11 and report this issue.

@Reza_Ameri 

Yes, that's correct. Admittedly we haven't tried on a fresh install of Windows 11, only on an upgrade (for our environment 90% will be upgraded in the future).

I have been playing with it over the weekend as well and can also confirm I can replicate the issue if the device goes to sleep too.

As for Event Viewer logs, I am seeing event ID 233, the first being: The operation 'Delete' succeeded on nic 539A6C2E-3B4E-4AE3-9FA4-45218E7CB927 (Friendly Name: Always On VPN -), Instance Id {6da09a8c-62a3-4fdd-87b9-15904318d2b9}.

with subsequent redeploy events of: 
The operation 'Create' succeeded on nic 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -), Instance Id {00000000-0000-0000-0000-000000000000}.

Miniport NIC 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -) successfully initialized.

NIC 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -) successfully connected to port 13370ECB-0D6A-4E9C-8DB0-F64170BDC969 (Friendly Name: Container NIC 23ca8c04) on switch C08CB7B8-9B3C-408E-8E30-5E16A3AEB444(Friendly Name: Default Switch).

In the Intune logs I can see a couple of errors which could relate (although I am not entirely sure what they mean...)

MDM ConfigurationManager: Command failure status. Configuration Source ID: (C664FCF1-D9FD-4FC4-8258-AF86250964CB), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Clear: first phase of Delete), CSP URI: (./Device/Vendor/MSFT/VPNv2/Always On VPN - Device Tunnel), Result: (An attempt was made to reference a token that does not exist.).

MDM ConfigurationManager: Command failure status. Configuration Source ID: (C664FCF1-D9FD-4FC4-8258-AF86250964CB), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/VPNv2/Always On VPN - Device Tunnel), Result: (The specified quota list is internally inconsistent with its descriptor.).

From what you discussed, this is a bug in Windows 11 and I advise you to report this issue using Feedback Hub app so the Windows team would be able to investigate it.
Already raised :) thanks Reza
Welcome, glad you did.
I'm facing the same issue. Is there a public link to the issue you filed?
Hi Martijn,

Kind of good to know we are not the only ones having the issue. I raised it through the Feedback Hub; the link to that is https://aka.ms/AAdko4f
Also happening in our environment!
From the discussion here, I believe this is a bug, so make sure to file a bug report.
Can confirm this issue on Windows 11. At Intune sync the VPN gets removed, at the next sync it is created, at the next sync deleted, and so on in a loop.
Event ID 601: MDM ResourceManager: DeleteResource EnrollmentID: (47D9D99A-C0C6-4AD1-978B-D1BE2126AXXX) UserSID: (S-1-12-1-1214335156-1177976991-1889557148-3126361797) URI: (./Vendor/MSFT/VPNv2/AOVPN).

and then:
Event ID 404: MDM ConfigurationManager: Command failure status. Configuration Source ID: (47D9D99A-C0C6-4AD1-978B-D1BE2126XXXX), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Add: from Replace or Add), CSP URI: (./User/Vendor/MSFT/VPNv2/AOVPN), Result: (The specified quota list is internally inconsistent with its descriptor.).

@jjeffries Seeing this also on our corporate devices, have had to suspend rollout as our engineers require VPN to provide on call emergency cover.

I have created a workaround by using a custom Profile XML from scratch. This one does work! During a sync the profile gets replaced every time, causing it to miss one ping. As far as I can remember this was also the case in Win10. This way the sync does not log any errors and the VPN is operational.
Meanwhile I am waiting for MS support to pick up the case and fix the VPN profile issue in Win11.

Just received from Microsoft: "I would like to inform you that the issue which you are facing is an ongoing issue in Windows 11 and our team is working to fix it soon. For more details you can refer to the article https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure"

Below is the custom config profile XML I have used to create a working (without errors during sync) IKEv2 split tunnel VPN with RADIUS authentication of user certificates. Beware: almost everything is case sensitive, like the RADIUS server names, the XML labels, etc.

<VPNProfile>
	<ProfileName>AOVPN</ProfileName>
	<AlwaysOn>true</AlwaysOn>
	<DnsSuffix>domain.com</DnsSuffix>
	<TrustedNetworkDetection>domain.com</TrustedNetworkDetection>
	<NativeProfile>
		<Servers>vpn.domain.com</Servers>
		<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
		<NativeProtocolType>IKEv2</NativeProtocolType>
		<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
		<CryptographySuite>
			<EncryptionMethod>AES128</EncryptionMethod>
			<IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
			<CipherTransformConstants>AES128</CipherTransformConstants>
			<AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
			<PfsGroup>PFS2048</PfsGroup>
			<DHGroup>Group14</DHGroup>
		</CryptographySuite>
		<Authentication>
			<UserMethod>Eap</UserMethod>
			<Eap>
			<Configuration>
				<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
					<EapMethod>
						<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
						<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
						<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
						<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
					</EapMethod>
					<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
						<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
							<Type>13</Type>
							<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
								<CredentialsSource>
									<CertificateStore>
										<SimpleCertSelection>true</SimpleCertSelection>
									</CertificateStore>
								</CredentialsSource>
								<ServerValidation>
									<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
									<ServerNames>RADIUS1.domain.com;RADIUS2.domain.com</ServerNames>
									<TrustedRootCA>xxxxxxxxxxxxxxxx Root CA hash xxxxxxxxxxxxxxxxxxxxxxxxxx </TrustedRootCA>
								</ServerValidation>
								<DifferentUsername>false</DifferentUsername>
								<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
								<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
								<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
									<FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
										<CAHashList Enabled="true">
											<IssuerHash>xxxxxxxxxxx Issuing CA hash xxxxxxxxx </IssuerHash>
										</CAHashList>
									</FilteringInfo>
								</TLSExtensions>
							</EapType>
						</Eap>
					</Config>
				</EapHostConfig>
			</Configuration>
			</Eap>
		</Authentication>
	</NativeProfile>
	<DomainNameInformation>
		<DomainName>.domain.com</DomainName>
		<DnsServers>192.168.1.1,192.168.1.2</DnsServers>
	</DomainNameInformation>
	<Route>
		<Address>192.168.1.0</Address>
		<PrefixSize>24</PrefixSize>
	</Route>
</VPNProfile>
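The workaround above relies on a hand-written VPNv2 ProfileXML whose element names and values are compared case-sensitively, and the earlier replies diagnose the problem from the MDM diagnostics events (601 DeleteResource followed by a 404 failed Add). The following Python script is an added example, not code from the thread or from Microsoft: it checks a profile for well-formedness and for the case-sensitive enumerations before you paste it into an Intune custom profile, builds the OMA-URI for the ProfileXML node, produces the entity-escaped string form that the VPNv2 CSP examples embed in SyncML, and runs a small loop detector over constructed event messages modelled on the ones quoted in the thread. The allowed value sets in `ENUMS` are my assumption from the VPNv2 CSP documentation and can be extended; `SAMPLE_PROFILE` and `SAMPLE_EVENTS` are constructed sample data.

```python
"""Added example: sanity-check a VPNv2 ProfileXML and detect the
delete/re-add loop in MDM diagnostics events (constructed sample data)."""
import html
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed-down profile in the same shape as the thread's workaround.
SAMPLE_PROFILE = """<VPNProfile>
  <ProfileName>AOVPN</ProfileName>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.domain.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
  </NativeProfile>
  <Route><Address>192.168.1.0</Address><PrefixSize>24</PrefixSize></Route>
</VPNProfile>"""

# Assumed value sets (from the VPNv2 CSP docs); the CSP compares them case-sensitively.
ENUMS = {
    "RoutingPolicyType": {"SplitTunnel", "ForceTunnel"},
    "NativeProtocolType": {"PPTP", "L2TP", "IKEv2", "Automatic"},
    "AlwaysOn": {"true", "false"},
}


def validate_profile(xml_text):
    """Return a list of problems; an empty list means the profile passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "VPNProfile":
        problems.append(f"root element is {root.tag!r}, expected 'VPNProfile'")
    native = root.find("NativeProfile")
    if native is None:
        problems.append("missing NativeProfile")
    else:
        for required in ("Servers", "NativeProtocolType"):
            if native.find(required) is None:
                problems.append(f"NativeProfile is missing {required}")
    # Nested EAP elements carry XML namespaces, so only the plain VPNv2 tags match here.
    for elem in root.iter():
        allowed = ENUMS.get(elem.tag)
        if allowed and (elem.text or "").strip() not in allowed:
            problems.append(
                f"{elem.tag}={elem.text!r} is not one of {sorted(allowed)} (case matters)")
    return problems


def oma_uri_for(profile_name, scope="Device"):
    """./Device/... for a device tunnel, ./User/... for a user tunnel (both appear in the thread)."""
    return f"./{scope}/Vendor/MSFT/VPNv2/{profile_name}/ProfileXML"


def to_oma_uri_value(xml_text):
    """Entity-escape the profile as it is embedded as a string value in SyncML."""
    return html.escape(xml_text, quote=False)


# Constructed event sample modelled on the 601/404 messages quoted in the thread.
SAMPLE_EVENTS = [
    (601, "MDM ResourceManager: DeleteResource EnrollmentID: (ENROLL-ID-PLACEHOLDER) "
          "UserSID: (S-1-12-1-0-0-0-0) URI: (./Vendor/MSFT/VPNv2/AOVPN)."),
    (404, "MDM ConfigurationManager: Command failure status. Provider Name: (VPNv2), "
          "Command Type: (Add: from Replace or Add), CSP URI: (./User/Vendor/MSFT/VPNv2/AOVPN), "
          "Result: (The specified quota list is internally inconsistent with its descriptor.)."),
] * 2

URI_RE = re.compile(r"URI: \((?P<uri>[^)]*)\)")


def find_vpn_churn(events, min_cycles=2):
    """Count 601 (delete) followed by 404 (failed add) per VPNv2 profile and
    report profiles that looped at least min_cycles times."""
    cycles, pending_delete = {}, set()
    for event_id, message in events:
        match = URI_RE.search(message)
        if not match or "/VPNv2/" not in match.group("uri"):
            continue
        profile = match.group("uri").rstrip("/").rsplit("/", 1)[-1]
        if event_id == 601:
            pending_delete.add(profile)
        elif event_id == 404 and profile in pending_delete:
            pending_delete.discard(profile)
            cycles[profile] = cycles.get(profile, 0) + 1
    return {name: n for name, n in cycles.items() if n >= min_cycles}


if __name__ == "__main__":
    issues = validate_profile(SAMPLE_PROFILE)
    print("profile OK" if not issues else "\n".join(issues))
    print(oma_uri_for("AOVPN", "User"))
    print(to_oma_uri_value(SAMPLE_PROFILE)[:60], "...")
    print("looping profiles:", find_vpn_churn(SAMPLE_EVENTS))
```

In practice you would feed `find_vpn_churn` the messages pulled from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log on an affected machine; a profile that keeps cycling between 601 and 404 across syncs is the symptom described in this thread rather than a one-off deployment error.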