EDIT: This issue seems to have been fixed with the Windows 11 22H2 update - on the same device updated via Intune to 22H2 (no reinstall) the VPN profile is no longer removed and reapplied with every sync - hurray!
So, about half a year ago we started to make the transition to Windows 11, or at least - we wanted to. However, we ran into an issue with Windows 11 VPN Profiles pushed from Intune, where the profile will disappear and reapply between each Device sync/Check-in with Intune.
Multiple articles and reddit threads later, it appears to be a bug in Windows 11 caused by the new VPNv2 CSP.
Now, over half a year later, this still does not appear to be fixed.
The VPN profile is working on all our Windows 10 clients and Intune registers the configuration as “Success”. Windows 11 Clients get the profile and the VPN Connection appears and will connect just as expected - UNTIL the user either manually starts a Sync from the Company Portal, or the device automatically checks in with Intune - then the VPN Profile gets removed and re-added, and now an error in Intune appears:
“Setting name: Windows10VpnConfiguration - Status: Error - Error code: -2016281112 - 0x87d1fde8”
This appears to “Just” be a generic remediation error, and from what I can gather it’s referring to an XML mismatch. Intune expects the EAP-XML to return in a specific way, but after being applied the return XML does not match the configuration Intune expects. Which means on the next sync/check-in with Intune - the Profile will be re-applied, which causes outage for the users.
A workaround seems to be either scripting the VPN configuration, or packaging it - but surely this cannot be true, even after Microsoft claimed to have fixed it with a KB back in February.
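For anyone validating this on a pilot ring, the following PowerShell script is an added example (not from this post or from Microsoft) that records the VPN profile's state, waits for you to trigger an Intune sync, and then reports whether the connection was torn down and re-created. It assumes a user-tunnel profile named `Contoso AOVPN` (replace with your own name), that the user tunnel's phonebook lives at `%APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk`, and that VPNv2 CSP activity shows up in the `DeviceManagement-Enterprise-Diagnostics-Provider/Admin` event log with `VPNv2` in the message text; device tunnels live under `ProgramData` instead and need `Get-VpnConnection -AllUserConnection`.

```powershell
# Added example, not from the original thread. Assumptions: profile name below,
# user-tunnel phonebook path under %APPDATA%, and VPNv2 CSP messages in the MDM
# diagnostics event log. Run 1: saves a baseline. Trigger a sync from Company
# Portal. Run 2: compares the current state with the baseline.
param(
    [string]$ProfileName  = 'Contoso AOVPN',            # assumption: your profile name
    [string]$SnapshotPath = "$env:TEMP\vpn-snapshot.json"
)

function Get-VpnProfileState {
    param([string]$Name)
    # rasphone.pbk is rewritten whenever the profile is removed and re-added,
    # so its timestamp is a cheap signal that the CSP recreated the connection.
    $pbk  = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    $conn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Timestamp        = (Get-Date).ToString('o')
        ProfilePresent   = [bool]$conn
        ConnectionStatus = if ($conn) { $conn.ConnectionStatus } else { 'Missing' }
        PbkLastWrite     = if (Test-Path $pbk) { (Get-Item $pbk).LastWriteTimeUtc.ToString('o') } else { $null }
    }
}

if (-not (Test-Path $SnapshotPath)) {
    # First run: record the baseline and stop so the operator can trigger a sync.
    Get-VpnProfileState -Name $ProfileName | ConvertTo-Json | Set-Content $SnapshotPath
    Write-Host "Baseline saved to $SnapshotPath. Trigger an Intune sync, then run this script again."
    return
}

# Second run: load the baseline, capture the current state and discard the baseline file.
$before = Get-Content $SnapshotPath -Raw | ConvertFrom-Json
$after  = Get-VpnProfileState -Name $ProfileName
Remove-Item $SnapshotPath

# MDM diagnostics events since the baseline show whether the VPNv2 CSP remediated the profile.
$mdmEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    StartTime = [datetime]::Parse($before.Timestamp)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'VPNv2' }

# A changed phonebook timestamp after a sync means the profile was removed and re-added,
# which is exactly the outage the thread describes.
[pscustomobject]@{
    ProfileRecreated = ($before.PbkLastWrite -ne $after.PbkLastWrite)
    PresentBefore    = $before.ProfilePresent
    PresentAfter     = $after.ProfilePresent
    StatusBefore     = $before.ConnectionStatus
    StatusAfter      = $after.ConnectionStatus
    Vpnv2MdmEvents   = @($mdmEvents).Count
} | Format-List
```

Run it twice in the affected user's session, with a Company Portal sync in between; `ProfileRecreated = True` together with a non-zero `Vpnv2MdmEvents` count on a 22H2 device indicates the behaviour is still present there, while a stable phonebook timestamp across several syncs is the evidence you want before widening the feature-update ring.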
This is one of the reasons we have not migrated to Windows 11. Running it on a few test devices and this behavior of VPN disconnecting (pbk gets recreated) during policy sync is happening constantly.
I am still experiencing this, not the same errors as earlier in the year but it’s still broke.
If you see the comments here: Always On VPN Windows 11 Issues with Intune | Richard M. Hicks Consulting, Inc.
You can see it’s very much still a thing. I guess all we can do is log it with Microsoft.
I keep meaning to create a W11 machine on an insider release 22H2 to see if that behaves the same.
I installed W11 22H2 today - it seems like this has now been fixed.
Thanks for getting back on this! Did you test 22H2 on the same machine, or is it another device?
We are still seeing this issue on 22H2 where syncing will delete and re-create our tunnel interfaces. Are you using the GUI or custom OMA-URI method on your profile?
Same machine, I now get a nice healthy green tick. I’ll be deploying the feature update to a small pilot next week. Looking positive to me.
Just to update, same for me with GUI. I’m guessing will have to do OMA-URI method.
Awesome, I will be testing this out myself - happy to have feedback on this thread - my sincere thanks. It could’ve been MONTHS before online articles would reflect this.
Alright lads u/Dumbysysadmin u/itshighernoon, how have you been getting on with 22H2 on your Windows 11 clients with AOVPN? Just deployed to a test ring today and we’re seeing better reliability but not perfect, the connection appears to be more persistent and I don’t see myself reaching for rasdial as often to reconnect.
Just thought I’d ask as Microsoft still have the note on the KB advising the issue is still present.
Mine all seem to be pretty solid. I can’t recreate the issue by syncing comp portal anymore.