Fix VPN Disconnect Issues on Windows 11 After Intune Configuration
If your VPN keeps disconnecting after being deployed through Microsoft Intune, you’re not alone.
Many IT admins face this issue after setting up built-in Windows VPN profiles, Always On VPN, or third-party clients like Cisco AnyConnect or FortiClient.
This guide explains why it happens and how to fix it step by step.
🧭 Step 1: Identify the VPN Setup Type
First, figure out how the VPN was deployed through Intune.
Each method behaves differently, and the fix depends on it.
| Deployment Method | Where to Check |
|---|---|
| Built-in VPN profile | Intune Admin Center → Devices → Configuration Profiles → VPN |
| Custom XML (OMA-URI / CSP) | Configuration Profiles → Custom |
| Third-party VPN app | Deployed as Win32 or store app |
| Always On VPN | Managed via VPNv2 CSP profile or PowerShell script |
👉 Why this matters: built-in VPNs handle reconnects differently than Always On VPN, and XML-based profiles often lose credentials after a reboot.
⚙️ Step 2: Review Key VPN Policy Settings in Intune
Go to Intune Admin Center → Devices → Configuration Profiles → [Your VPN Profile] → Settings and check the following:
| Setting | Recommended |
|---|---|
| Connection Type | Matches your VPN (IKEv2, SSTP, L2TP, etc.) |
| Authentication Method | Matches VPN server (EAP, certificate, user credentials) |
| Split Tunneling | Disable temporarily (test with full tunnel) |
| Remember Credentials | Enabled |
| Always On VPN | Use only if certificates and device tunnel support it |
| Device Tunnel | Use for hybrid-joined devices only |
A mismatch here can cause session drops or immediate disconnects.
🔐 Step 3: Validate Certificates and Authentication
If your VPN uses certificate-based authentication (SCEP, PKCS, or Cloud PKI), confirm the right certificate exists on the device.
- Open Settings → Privacy & Security → Certificates
- Check the Personal (User) or Computer (Device) store
- Verify expiry date and issuer
If missing, check Intune → Devices → [Device] → Managed Certificates to confirm successful delivery.
Tip:
Ensure the Trusted Root and SCEP profiles are deployed before the VPN profile. Without them, authentication fails and the tunnel drops after a few seconds.
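The certificate checks above can also be scripted on the device. This PowerShell sketch is an added example, not part of the original guide: it lists certificates carrying the Client Authentication EKU in both stores and flags expiry, missing private keys and chains that do not build to a trusted root. The function name and the 30-day warning window are assumptions, and certificates without an EKU extension are not listed.

```powershell
# Added example: list client-authentication certificates a VPN profile could use.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$WarnDays      = 30                    # assumed renewal warning window

function Get-VpnCertCandidate {
    param(
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePath) {
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid }
        foreach ($cert in $certs) {
            # Build the chain locally; revocation is skipped so the check works offline.
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $trusted  = $chain.Build($cert)
            $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

            # First failing condition wins, most severe first.
            $status = if (-not $cert.HasPrivateKey)    { 'NoPrivateKey' }
                      elseif ($daysLeft -lt 0)         { 'Expired' }
                      elseif (-not $trusted)           { 'UntrustedChain' }
                      elseif ($daysLeft -lt $WarnDays) { 'ExpiringSoon' }
                      else                             { 'OK' }

            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
                ChainError = ($chain.ChainStatus.Status -join ', ')
            }
        }
    }
}

Get-VpnCertCandidate | Sort-Object DaysLeft | Format-Table -AutoSize -Wrap
```

An `UntrustedChain` result on an otherwise valid certificate usually means the Trusted Root profile has not landed on the device yet.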
🧩 Step 4: Check Event Viewer for VPN Logs
Press Win + X → Event Viewer → Applications and Services Logs → Microsoft → Windows → RasClient → Operational.
Look for these error codes:
| Event ID | Meaning |
|---|---|
| 20226 | Disconnected – authentication failure |
| 20227 | Connection attempt failed |
| 20228 | VPN tunnel terminated unexpectedly |
Most of these point to bad credentials, expired certificates, or wrong protocols.
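To review these events without clicking through Event Viewer, the following PowerShell sketch (an added example, not from the original guide) collects the three event IDs from the table and extracts the numeric code from each message so repeated causes stand out. The function name, the 7-day window and the message wording matched by the regex are assumptions; the script discovers any log whose name contains "RasClient" and also searches the Application log.

```powershell
# Added example: pull the RasClient events from Step 4 and surface their codes.
$Ids   = 20226, 20227, 20228        # event IDs from the table above
$Since = (Get-Date).AddDays(-7)     # assumed look-back window

function Get-VpnDropEvent {
    # Discover RasClient channels instead of hard-coding a name; the classic
    # Application log is searched as well.
    $extra = @(Get-WinEvent -ListLog '*RasClient*' -ErrorAction SilentlyContinue).LogName
    $logs  = @('Application') + $extra | Where-Object { $_ } | Select-Object -Unique

    foreach ($log in $logs) {
        $filter = @{ LogName = $log; Id = $Ids; StartTime = $Since }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -like '*RasClient*' } |
            ForEach-Object {
                # Assumed wording: "... code returned on <failure|termination> is <n>".
                $code = if ($_.Message -match 'code returned on \w+ is (\d+)') { $Matches[1] }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $log
                    Id      = $_.Id
                    RasCode = $code
                    Summary = ($_.Message -split "`r?`n")[0]
                }
            }
    }
}

$events = @(Get-VpnDropEvent)

# Most recent drops first.
$events | Sort-Object Time -Descending | Select-Object -First 20 |
    Format-Table -AutoSize -Wrap

# Repeated Id/code pairs show whether the drops share one cause.
$events | Group-Object Id, RasCode | Sort-Object Count -Descending |
    Select-Object Count, Name
```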
🌐 Step 5: Verify Network and DNS
Sometimes the VPN connects but fails due to DNS or routing issues.
Run these commands in PowerShell or CMD:
ipconfig /all
route print
Confirm that:
- The VPN interface shows a valid IP address.
- DNS servers are reachable.
- Internal routes are listed correctly.
If not, update the VPN profile in Intune → DNS Settings and Traffic Filters.
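The same three checks can be run as one PowerShell function while the tunnel is up. This is an added example, not part of the original guide; it applies to built-in Windows VPN profiles only, since third-party clients do not appear in `Get-VpnConnection`. The function name and the test hostname are placeholders, and the script assumes the VPN interface alias equals the profile name.

```powershell
# Added example: check the VPN interface address, DNS reachability and routes.
$TestName = 'intranet.corp.example'   # placeholder internal hostname; replace with yours

function Test-VpnNetwork {
    # Collect both per-user and all-user (device) profiles.
    $profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    $connected = $profiles | Where-Object { $_.ConnectionStatus -eq 'Connected' }

    foreach ($p in $connected) {
        # Assumption: the built-in client names the interface after the profile.
        $alias = $p.Name
        $ip  = (Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 `
                    -ErrorAction SilentlyContinue).IPAddress
        $dns = (Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4 `
                    -ErrorAction SilentlyContinue).ServerAddresses

        # Ask each VPN-assigned DNS server directly for the internal name.
        $dnsResult = foreach ($server in $dns) {
            $answer = Resolve-DnsName -Name $TestName -Server $server -DnsOnly `
                          -QuickTimeout -ErrorAction SilentlyContinue
            '{0}={1}' -f $server, [bool]$answer
        }

        $routes = Get-NetRoute -InterfaceAlias $alias -AddressFamily IPv4 `
                      -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Profile        = $p.Name
            TunnelType     = $p.TunnelType
            SplitTunneling = $p.SplitTunneling
            IdleDisconnect = $p.IdleDisconnectSeconds
            VpnIPv4        = $ip -join ', '
            DnsAnswering   = $dnsResult -join ', '
            Routes         = $routes.DestinationPrefix -join ', '
        }
    }
}

Test-VpnNetwork | Format-List
```

An empty `VpnIPv4`, a `=False` entry under `DnsAnswering`, or a missing internal prefix under `Routes` maps to the three items in the checklist above.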
🧰 Step 6: Test a Manual VPN Connection
Create a temporary manual VPN:
- Settings → Network & Internet → VPN → Add VPN
- Enter the same server name, protocol, and auth method
- Connect manually
If it stays connected, the problem lies in your Intune profile (CSP mismatch, missing cert, or policy conflict).
🧠 Step 7: Check for Policy Conflicts
Hybrid devices often receive both Group Policy and MDM policy.
Use Device Diagnostics → Policy Conflicts in Intune to confirm only one policy controls your VPN settings.
If conflicts exist:
- Disable overlapping GPOs.
- Redeploy your Intune VPN profile.
🧩 Step 8: Fix Patterns Based on Symptoms
| Symptom | Fix |
|---|---|
| Disconnects after 30–60 sec | Check cert auth and EAP protocol |
| Drops when idle | Set “Idle Timeout” = 0 |
| Works on Wi-Fi only | Verify split tunnel and firewall rules |
| Keeps reconnecting (Always On VPN) | Reinstall root cert or disable Trusted Network Detection |
| Broke after Windows update | Remove and re-deploy the VPN profile |
🔄 Step 9: Re-Sync and Export Logs
If all looks right but the VPN still disconnects:
- Open Intune Admin Center → Devices → [Device] → Sync
- Wait 10 minutes
- On the device, go to Settings → Accounts → Access Work or School → [Org Account] → Info → Export Logs
These logs help pinpoint which policy or certificate is failing.
✅ Summary
| Area | Common Cause | Fix |
|---|---|---|
| Policy conflict | GPO vs MDM | Disable GPO and re-deploy Intune VPN |
| Auth failure | Certificate missing or expired | Reissue certs via Intune SCEP/PKCS |
| DNS or routes | Incorrect network rules | Update DNS settings in VPN profile |
| Idle timeouts | Default session limit | Set timeout to 0 (no limit) |
| Autopatch devices | Trusted Network Detection loop | Temporarily disable Always On |
💬 Final Thoughts
VPN disconnections after Intune deployment usually trace back to one of three issues: bad authentication, missing certificates, or conflicting policies.
Once those are fixed, Windows 11’s built-in VPN and Always On VPN become very stable.
Start with verifying your telemetry, certificates, and profile alignment, and you’ll likely have your VPN connections running smoothly again.