1. Always On VPN Randomly Disconnects (Windows 11 + Intune)

This is a known bug when deploying AOVPN profiles using Intune + custom XML. The issue is that Intune replaces the entire VPN profile every time it syncs, even if no settings changed.

Root Cause:

• Windows 11 is picky about XML. If the tags or order aren’t exactly right, Intune wipes the profile and makes a new one, which kicks users off while it’s rebuilt.

Workarounds:

1. Use the native VPN profile template in Intune where possible.

If XML is necessary (for advanced settings), extract your working profile using:

Get-VpnClientProfileXML.ps1

2. Match the order and structure exactly in your deployment XML.

3. Add an extra carriage return at the end of the XML file—yes, seriously. That fixed the issue for several admins.

4. Use remediation scripts in Intune to patch settings post-deployment.

These disconnect problems can also happen on mobile devices. For step-by-step fixes on Android, check out this Always On VPN Android troubleshooting guide.

2. Always On VPN Device Tunnel Doesn’t Connect Automatically

Root Cause:

• Device tunnel issues are often tied to Microsoft domain/Azure policies:

These device tunnel problems are especially common in hybrid Azure AD setups. For a detailed walkthrough of configuring Always On VPN with Microsoft services, see this Microsoft AOVPN guide.”

• For cloud-only devices (AADJ), device tunnel must be launched manually unless special configuration is used (e.g., Entra Private Access).

Fix:

• Ensure rasphone.pbk has UseRasCredentials=0

• Set DNS suffix in certificate SAN:

  • Example: DNS = device123.corp.domain.com

• Use PowerShell script or registry key to set InterfaceMetric = 3 for VPN connections, ensuring traffic flows correctly.

3. VPN Connects but Can’t Reach Internal Resources

If the VPN is on but you still can’t open internal files or servers, it usually comes down to routing. It can happen when split tunneling is set wrong, when user and device tunnels overlap, or when the network is picking the local connection instead of the VPN.

Fix:

• Use /32 host routes for critical infrastructure in both tunnels

• Set user tunnel metrics to 1, and device tunnel to 2

• Avoid broad routes like 10.0.0.0/8 unless absolutely needed

• Configure DomainName in XML with a leading dot (.corp.local) to include the entire namespace

4. Error 853: Certificate Not Valid

Error 853 almost always relates to certificate trust, especially with PEAP authentication.

Causes:

• Missing CA cert in NTAuth store on the NPS server

• Capitalization mismatch between certificate Subject and the FQDN in your VPN profile

• Client cert not marked for Client Authentication

Fix:

Check NTAuth store:
certutil -enterprise -viewstore NTAuth

 If your issuing CA is missing:
certutil -enterprise -addstore NTAuth <path-to-cert>

1. Verify the NPS server cert Subject matches case-sensitive FQDN in PEAP config:

   • "nps.domain.com" ≠ "NPS.domain.com" in Windows 11

2. Restart NPS service after re-adding CA certs.

5. VPN Doesn’t Start on Ethernet but Works on Wi-Fi

This is often a metric issue. When Ethernet is connected, Windows may route traffic outside the VPN tunnel if it thinks it’s more “efficient.”

Fix:

• Set InterfaceMetric=3 for the VPN in rasphone.pbk

• Adjust metrics using a remediation script post-Intune deployment

• Verify Get-NetIPInterface shows VPN with the lowest metric

6. Intune Keeps Replacing the VPN Profile

This one drives people nuts.

Root Cause:

• Your XML structure does not match what Intune expects.

• Every sync → Intune thinks the profile changed → deletes and replaces

Fix:

• Extract the “golden” XML from a working machine

• Match the structure 1:1 in your deployment XML

• Include even "empty" settings if they appear in the original

• Avoid reordering sections arbitrarily

• Always deploy separate XMLs for device and user tunnels. Mixing routes can cause overlap.

• Avoid using PIN sign-ins for users needing on-prem Kerberos — use password login instead.

• If your user tunnel requires onpremtgt, double-check Azure AD Kerberos and Hybrid Join status.

Use logging: eventvwr.msc → RasClient → Look for Event IDs 20227, 829, 619, 631.

Always On VPN is incredibly powerful when deployed correctly—but troubleshooting it requires patience, attention to detail, and often a few registry hacks.

If you’ve battled through the bugs, the profile issues, the GUIDs changing after Intune sync, or the maddening case-sensitive cert problems—just know you’re not alone. Thousands of admins are in the same boat, and solutions are out there.

And sometimes... it really is just a missing newline at the end of your XML file.

1. Why does my Always On VPN disconnect randomly on Windows 11?

Random disconnections in Windows 11 are often caused by the Intune configuration profile being reapplied during sync, especially if you’re using custom XML. This removal and redeployment of the profile interrupts the tunnel. To fix this, use the native VPN profile in Intune or ensure your XML structure exactly matches what Intune expects — including setting orders and syntax correctly.

2. How can I fix Always On VPN Error 853?

Error 853 typically means the client certificate used for authentication is not trusted by the server. Most often, this is due to the issuing CA certificate being missing from the NTAuth certificate store on the NPS server. To resolve this, import the issuing CA into the NTAuth store using:

certutil.exe -enterprise -addstore NTAuth <certificatefile>

Afterward, restart the NPS service and try reconnecting.

3. What’s the difference between the device tunnel and user tunnel in Always On VPN?

The device tunnel connects before user logon and enables domain authentication and basic access to domain resources, while the user tunnel starts after login and enables full access based on user credentials and policies. In hybrid environments, both are used together, with careful routing priority management to avoid conflicts.

4. Why doesn’t my VPN DNS registration work?

DNS registration can fail due to misconfigured DNS suffixes, lack of proper name resolution policies, or because the client doesn’t have permission to update DNS records. Make sure:

• The VPN connection is set to register DNS.

• The DNS suffix is properly set (e.g., .yourdomain.com).

• The DHCP or static IP settings allow dynamic updates.

Also, check if the interface metric is properly configured — a high metric may cause Windows to ignore the DNS of the VPN interface.

5. My Always On VPN was working, but now it suddenly fails — what should I check first?

Start by checking the following:

1. Certificate Expiration: Make sure the device or user certificates haven’t expired.

2. Recent Updates: A Windows update or Intune policy change may have caused the issue.

3. RasClient Logs: Look for Event IDs 20227, 631, or 829 for detailed error info.

4. GUID Mismatch: Run (Get-VpnConnection).Guid before and after sync — if it changes, the profile is being replaced incorrectly.

5. Interface Metrics: Check and adjust to ensure the VPN interface is preferred.