
Microsoft Endpoint Manager: Windows 11 VPN Profile Issue WORKAROUND

Introduction - Configuration Profile for VPN

If you are now adopting Windows 11 devices and rolling them out through Intune via Windows Autopilot, alongside the usual baseline company settings (base applications, Windows Update rings and other user profile settings), you may also be deploying an Always On VPN connection to those devices.

The process for creating a configuration profile for VPN settings applies to both Windows 10 and Windows 11. However, there appears to be a known issue where, when you roll the profile out to Windows 11 devices, the profile disappears.

Further explanation on the issue

Troubleshooting the issue slightly further, it appears to be related to the regular device sync: when minor properties are changed within the configuration profile, that seems to be the moment the profile is removed, or it disappears after a period of time.

There have been cases where the profile does not show up at all, but as an example I’ve included a screenshot in Figure 1.1 which shows the VPN profile present.

It’s worth noting that manually creating multiple VPN profiles can also remove the profile.

Figure 1.1 - Template Always On VPN Profile pushed via Intune

Workaround for the Windows 11 VPN Profile Issue

The best way I have found to resolve this is to replicate the same structure as your VPN configuration profile in a PowerShell script package which creates the connection directly on the devices.

There are a few moving parts to this which we will illustrate.

VPN Profile Script

For the VPN connection itself to be created, you can simply run the following line:

# Creates the VPN connection for the current user (no -AllUserConnection), using the template values
Add-VpnConnection -Name "Template" -ServerAddress template.com -TunnelType Ikev2 -EncryptionLevel Required -AuthenticationMethod MSChapv2 -DnsSuffix template.com -SplitTunneling -RememberCredential

This line is of course an example, but it is the kind of line you would run to create the VPN profile on your machine. You would need to use the correct settings and switches for the VPN you have, or duplicate the configuration from your existing configuration profile. To see more on the cmdlets for this you can view this article here.

This will give you a result similar to what you see in Figure 1.1.

VPN Detection Script

You’ve guessed it! We are going to package this solution as a Proactive Remediation script. So with that being said, we now need the logic which will detect whether the VPN profile already exists on the endpoint.

Figure 1.2 - VPN Detection Logic Script

This is quite simple logic to find out whether the profile exists, which prevents duplicating it or causing further issues. Now we need to build the Proactive Remediation script package.
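The detection and remediation logic described above, written out as an added example rather than the post's own scripts (the screenshot in Figure 1.2 is not reproduced here). It assumes the connection name "Template" and the template server values from the earlier Add-VpnConnection line; Proactive Remediation treats exit code 1 from detection as "non-compliant" and then runs the remediation script.

```powershell
# ----- Detection script (save as a separate file, e.g. Detect-Vpn.ps1) -----
# Assumed connection name; must match what the remediation script creates.
$VpnName = 'Template'

# Get-VpnConnection raises a non-terminating error when the name is absent,
# so suppress it and test for $null instead. Because the package runs with
# the logged-on user's credentials, this sees the user's own connections
# (the same scope Add-VpnConnection writes to without -AllUserConnection).
$existing = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue

if ($null -eq $existing) {
    Write-Output "VPN profile '$VpnName' not found"
    exit 1   # non-compliant: Intune runs the remediation script
}

Write-Output "VPN profile '$VpnName' present (server: $($existing.ServerAddress))"
exit 0       # compliant: nothing to do

# ----- Remediation script (save as a separate file, e.g. Remediate-Vpn.ps1) -----
$VpnName = 'Template'

try {
    # Same switches as the example line in the post; replace the template
    # values with the settings from your own VPN configuration profile.
    Add-VpnConnection -Name $VpnName -ServerAddress 'template.com' `
        -TunnelType Ikev2 -EncryptionLevel Required `
        -AuthenticationMethod MSChapv2 -DnsSuffix 'template.com' `
        -SplitTunneling -RememberCredential -ErrorAction Stop
    Write-Output "VPN profile '$VpnName' created"
    exit 0
}
catch {
    # A failure here is reported back to Intune as a failed remediation
    Write-Output "Failed to create VPN profile '$VpnName': $($_.Exception.Message)"
    exit 1
}
```

Keep the two halves in separate files when uploading them to the script package; only the first half goes in the detection slot and only the second in the remediation slot.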

Proactive Remediation Script Configuration

  1. Go to Reports
  2. Go to Endpoint Analytics
  3. Go to Proactive Remediation Scripts
  4. Click Create Script Package
  5. Create Custom Script: Basics – Provide a meaningful name and description. In this example I would put something like the company name and a description of the VPN, e.g. Template VPN. Click Next.
  6. Create Custom Script: Settings – For the detection script, click the folder button and select the script for the VPN detection. Then do the same for the remediation script, but select the script which contains the PowerShell line to create the profile.
    The important part of these settings is to make sure you select Yes for “Run this script using the logged-on credentials”. The reason is that you want the user of the laptop to see this profile. By default a Proactive Remediation script is run as the SYSTEM account, so the profile would be created in that account's context and your remediation status may show it as successful when, from the user's point of view, it isn’t.

Figure 1.3 - Settings of Proactive Remediation Script

You can then go through to the Assignments section. When it comes to scheduling, you can use something like daily going forward; if you want to test, you can of course set it to hourly.

Summary

Overall this holds up as a good alternative for pushing a VPN profile to your Windows 11 devices until a more permanent solution arrives. It can of course work on Windows 10 devices too, but as this issue specifically affects Windows 11 devices, it is best suited to those.
