Windows 11 Always on VPN device tunnel removed on reboot


We are having an issue with the always on device tunnels being removed on device start. Once logged in to Windows, we have to do a manual sync with Intune for it to restore the connection. When the connection is available it runs as it normally would and does appear to stay there, but as soon as you reboot it deletes itself.

The VPN is deployed via Intune, and is set up with machine certs connecting to a RRAS server running on 2019. Works fine on all of our Windows 10 devices, and worked fine on our test device before upgrading to 11.

7 Replies
Just to confirm, this problem started after upgrading to Windows 11, is that correct?
If yes, check the Event Viewer and see if there are any relevant log files there.
I believe this is a bug; try opening the Feedback Hub app in Windows 11 and report this issue.

@Reza_Ameri 

Yes, that's correct. Admittedly we haven't tried on a fresh install of Windows 11, only on an upgrade (for our environment 90% will be upgraded in the future).

I have been playing with it over the weekend as well and can also confirm I can replicate the issue if the device goes to sleep too.

As for Event Viewer logs, I am seeing event ID 233, the first being - The operation 'Delete' succeeded on nic 539A6C2E-3B4E-4AE3-9FA4-45218E7CB927 (Friendly Name: Always On VPN -), Instance Id {6da09a8c-62a3-4fdd-87b9-15904318d2b9}.

With subsequent redeploy events of:
The operation 'Create' succeeded on nic 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -), Instance Id {00000000-0000-0000-0000-000000000000}.

Miniport NIC 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -) successfully initialized.

NIC 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -) successfully connected to port 13370ECB-0D6A-4E9C-8DB0-F64170BDC969 (Friendly Name: Container NIC 23ca8c04) on switch C08CB7B8-9B3C-408E-8E30-5E16A3AEB444(Friendly Name: Default Switch).

In the Intune logs I can see a couple of errors which could relate (although I am not entirely sure what they mean...)

MDM ConfigurationManager: Command failure status. Configuration Source ID: (C664FCF1-D9FD-4FC4-8258-AF86250964CB), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Clear: first phase of Delete), CSP URI: (./Device/Vendor/MSFT/VPNv2/Always On VPN - Device Tunnel), Result: (An attempt was made to reference a token that does not exist.).

MDM ConfigurationManager: Command failure status. Configuration Source ID: (C664FCF1-D9FD-4FC4-8258-AF86250964CB), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/VPNv2/Always On VPN - Device Tunnel), Result: (The specified quota list is internally inconsistent with its descriptor.).
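
An added example, not part of the original post: a small Python triage script that reads the messages quoted above, pairs the NIC 'Delete' with the later 'Create' for the same friendly name, and pulls out the VPNv2 CSP failures. The names `analyze` and `profile_name` are illustrative, and the input is assumed to be one event message per line, as copied from the post.

```python
import re
from collections import defaultdict

# Messages copied from the post above, one event message per line.
SAMPLE = [
    "The operation 'Delete' succeeded on nic 539A6C2E-3B4E-4AE3-9FA4-45218E7CB927 (Friendly Name: Always On VPN -), Instance Id {6da09a8c-62a3-4fdd-87b9-15904318d2b9}.",
    "The operation 'Create' succeeded on nic 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -), Instance Id {00000000-0000-0000-0000-000000000000}.",
    "Miniport NIC 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -) successfully initialized.",
    "MDM ConfigurationManager: Command failure status. Configuration Source ID: (C664FCF1-D9FD-4FC4-8258-AF86250964CB), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Clear: first phase of Delete), CSP URI: (./Device/Vendor/MSFT/VPNv2/Always On VPN - Device Tunnel), Result: (An attempt was made to reference a token that does not exist.).",
    "MDM ConfigurationManager: Command failure status. Configuration Source ID: (C664FCF1-D9FD-4FC4-8258-AF86250964CB), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/VPNv2/Always On VPN - Device Tunnel), Result: (The specified quota list is internally inconsistent with its descriptor.).",
]

NIC_OP = re.compile(
    r"The operation '(?P<op>\w+)' succeeded on nic (?P<nic>[0-9A-Fa-f-]{36}) "
    r"\(Friendly Name: (?P<name>[^)]*)\)")
MDM_FAIL = re.compile(
    r"Command failure status\..*?Provider Name: \((?P<provider>[^)]*)\), "
    r"Command Type: \((?P<cmd>[^)]*)\), CSP URI: \((?P<uri>[^)]*)\), "
    r"Result: \((?P<result>.*)\)\.")

def profile_name(csp_uri):
    """The last path segment of a VPNv2 CSP URI is the VPN profile name."""
    return csp_uri.rsplit("/", 1)[-1]

def analyze(lines):
    """Return (recreated NICs per friendly name, VPNv2 CSP failures)."""
    ops, failures = defaultdict(list), []
    for line in lines:
        m = NIC_OP.search(line)
        if m:
            ops[m["name"].strip()].append((m["op"], m["nic"].upper()))
            continue
        m = MDM_FAIL.search(line)
        if m and m["provider"] == "VPNv2":
            failures.append(m.groupdict())
    recreated = {}
    for name, seq in ops.items():
        # A Delete followed by a Create under a new GUID means the adapter was rebuilt.
        for (op1, nic1), (op2, nic2) in zip(seq, seq[1:]):
            if op1 == "Delete" and op2 == "Create" and nic1 != nic2:
                recreated[name] = (nic1, nic2)
    return recreated, failures

if __name__ == "__main__":
    recreated, failures = analyze(SAMPLE)
    for name, (old, new) in recreated.items():
        print(f"adapter '{name}' rebuilt: {old} -> {new}")
    for f in failures:
        print(f"{profile_name(f['uri'])}: {f['cmd']} failed: {f['result']}")
```
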



From what you discussed, this is a bug in Windows 11 and I advise you to report this issue using the Feedback Hub app so the Windows team would be able to investigate it.
Already raised :) thanks Reza
Welcome, glad you did.
I'm facing the same issue. Is there a public link to the issue you filed?
Hi Martijn,

Kind of good to know we are not the only ones having the issue. I raised it through the Feedback Hub; the link to that is https://aka.ms/AAdko4f