Always On VPN is Microsoft's replacement for DirectAccess. Always On VPN device tunnels securely extend your domain to internet-connected clients.

Have you had someone try to log into a laptop at a conference and then receive the "no logon servers are available" error? Ever wish your remote devices could easily update policies, install deployed applications, or configure changes? If so, you will love Always On VPN device tunnels!

When Microsoft first released Always On VPN, it only allowed user connections and did not support device connections. Windows 10 1709 introduced device tunnels, Windows 10 1803 improved the implementation, and development toward Windows 10 1809 ironed out some remaining bugs. Before you dive into the steps below, make sure you have followed this core Always On VPN setup guide.

Requirements for Always On VPN device tunnels

Windows 10 currently supports device tunnels on two editions: Education and Enterprise. Unlike user tunnels, device tunnels require a domain-joined client. Although you can use Windows 10 1709, it is better to use clients that are either Windows 10 1803 (fully patched) or Windows 10 1809.

The next requirement is that all remote clients have a machine certificate issued by your public key infrastructure (PKI) for the purpose of client authentication. You can check this by running certlm.msc and opening the local computer's personal certificate store. View the details of the certificate and check that Enhanced Key Usage contains the Client Authentication value.

This client has the correct certification for Always On VPN device tunnels

If you do not see a certificate or do not have one for Client Authentication, you can issue the default machine certificate template and configure client auto-enrollment with these steps.

Finally, no other device VPN profile can exist on the computer. If you are not sure if another profile exists, open PowerShell as an administrator and run this command:

Get-VpnConnection ‑AllUserConnection

Configuring RRAS for Always On VPN device tunnels

Open the Routing and Remote Access service (RRAS) Microsoft Management Console (MMC) and connect to your VPN server. On the left side of the RRAS console, right-click on your server name and select Properties.

Under Properties, select Security and then select Authentication Methods. Check the Allow machine certificate authentication for IKEv2 box and click OK. Restart RRAS.

Enabling device tunnels over IKEv2

Enabling device tunnels over IKEv2

By default, any valid certificate from any trusted certificate authority (CA) can complete machine certificate authentication to your environment. Just guessing here, but you probably only want machines with a certificate from your CA to be able to authenticate. To restrict access to just your CA, run these PowerShell commands on your VPN server:

$VPNRootCertAuthority = "Common Name of trusted root certification authority"
$RootCACert = (Get-ChildItem -Path cert:LocalMachine\root | Where-Object {$_.Subject -Like "*$VPNRootCertAuthority*" })
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $RootCACert -PassThru
#Source -

For reference, you can find the CA common name in the Issuer attribute of the machine certificate you checked earlier. Right-click on the certificate, select Details, and click on the Issuer attribute. The common name is on the first line and is to the right of CN =.

Creating the Always On device tunnel profile

Copy this text and save it as an XML file in a location accessible to domain computers:

<!-- disable the addition of a class-based route for the assigned IP address on the VPN interface -->
<!-- use host routes(/32) to prevent routing conflicts -->
<!-- traffic filters for the routes specified above so that only this traffic can go over the device tunnel -->
<!-- need to specify always on = true -->
<!-- new node to specify that this is a device tunnel -->
<!--new node to register client IP address in DNS to enable manage out -->
<!-- inside/outside detection -->

Edit the XML file and change the <Servers> line and the <TrustedNetworkDetection> line to the correct values in your environment.

Next, list any IP your remote clients will need to access in the <Route> and <RemoteAddressRanges> sections. The sample profile you copied lists four IPs as examples. Ideally, your profile will only contain the critical services a client needs. These might include domain controllers, WSUS/SCCM, or network policy servers. Even though you can include subnets by changing the PrefixSize line below an IP, I recommend scoping route lines down to a single IP.

In the same folder where you saved the XML file, create a new PowerShell script and paste in the following code:

$ProfileName = 'Always On VPN - Device'


$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'

$nodeCSPURI = './Vendor/MSFT/VPNv2'
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_VPNv2_01"

$session = New-CimSession

try {
    $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')

    $session.CreateInstance($namespaceName, $newInstance)
    $Message = "Created $ProfileName profile."
    Write-Host "$Message"
catch [Exception] {
    $Message = "Unable to create $ProfileName profile: $_"
    Write-Host "$Message"
$Message = "Complete."
Write-Host "$Message"

Be sure to copy and paste your device profile XML in the $ProfileXML portion of the PowerShell script. You should now have two files in your folder. The first one is an XML file. The second one is a PowerShell script with the contents of your XML file pasted into it.

Deploying the Always On device tunnel profile

To deploy your profile, you just need to run the PowerShell script you created under the System account of a client. There are a few options for doing this.

For a single machine (or for testing), you can use the PSExec tool. Run it with the -S parameter and start PowerShell. Finally, run the PowerShell script you created previously.

The second option is to deploy the PowerShell script as a startup script in Group Policy. Startup and shutdown scripts process under the computer's account and run with the required permissions needed to create the VPN profile.

Always On VPN device profile deployment with Group Policy

Always On VPN device profile deployment with Group Policy

Finally, you can deploy it with SCCM. Create a package for your script and allow it to run with administrative rights whether or not a user is logged on.

Always On VPN device profile deployment with SCCM

Always On VPN device profile deployment with SCCM

After using any of these options, verify that the VPN profile is installed. You can verify that the connection is installed with the Get-VPNConnection -AllUserConnection command.

Subscribe to 4sysops newsletter!

You should then be able to connect to an external network and communicate with one the IPs listed in the Route section of your profile. If you included a domain controller in that list, restart the client, connect to a remote network, and log on with a new user. It is a beautiful sight to see that a logon server is indeed available!

  1. Avatar
    pieter72 (Rank 1) 5 years ago

    Hello Joseph

    Interesting article, thanks for that!

    Have you tried the device tunnel over the Internet? I have a fully functional AlwaysOn VPN in lab. The User Tunnel dials in perfectly over the Internet, but the Device Tunnel keeps on failing. Error 809, indicating connectivity problems, but since the User Tunnel works over the same IKEv2 we can rule that out. Device Tunnel does connect on premise.

  2. Avatar
    Nick W 5 years ago


    Thank you for this article, its great.  But one problem.

    I can make this work with system elevated PSExec, but NOT with the GPO.  You say “run with the required permissions needed to create the VPN profile.” but what exactly can I do in the GPO that allows me to change settings?

    I would have thought that simply adding the ps1 script and XML to the server share and calling that in the Computer startup should work?

    • Avatar Author

      For a device profile, your  method should work! Try calling PSExec through a batch file – using a startup script (talk about a convoluted solution though).

  3. Avatar
    Luca Fidanza 5 years ago

    Hi, when using Always On VPN configuration how a laptop can undestand that it is connected to the corporate network and so it must not activate the VPN? Viceversa how it can understand that it is outside corporate network so it must activate the VPN?

  4. Avatar
    Bryan Hall 5 years ago

    @Luca – this is what the <TrustedNetworkDetection> element is used for.   See


  5. Avatar
    Ryan Bunce 5 years ago

    Great article, thanks very much.

    I have both device and user tunnels up and running.  After login both a tunnel for the device and one for the user is established and two IPs are given.

    Presuming that's normal behavior – I'm able to ping and interact (RDP, SMB) with the machine using the IP associated with the user tunnel but not the device tunnel.

    Is this also normal?  If so – how does an admin access a machine that is turned on but no one is yet logged in?  If not normal – looking for some troubleshooting steps.

    Thanks much!

  6. Avatar
    Shawn Morris 5 years ago

    @Ryan Bunce –  we have Always On configured for user connection now using a machine cert. You said you have both a machine connection and a user connection. We would like to have this as well, can you provide any links or information to set up Always On this way?

  7. Avatar
    T.J. Smith 5 years ago

    We have this up and running – sort of. 

    If we run the Powershell script using PSExec, the profile gets installed and works like we want. If we run the Powershell script using the newer scripts feature in SCCM, it again works like we want. However, when I deploy the script as a package and have it run as administrator whether a user is logged in or not, it creates the profile but it doesn’t actually work. It doesn’t connect on its own and if you try to manually connect it, it just pops open the list of WiFi signals around you. 

    I have no idea what I’m doing wrong. 

  8. Avatar
    Greg 5 years ago

    So i have user tunnels with both SSTp and IKEV2 working fine

    however i am getting error 809 with the device tunnel, 
    i can also get error 809 if i switch to machine certificates on the user tunnel settings, 

    For our site we already have another computer certificate CA on the laptops that is used for Wi-FI authentication, this is in the computer certificate section, unfortunately when we enroll a computer authentication cert via our CA the wireless profile stops working, so we can't add our certificate and we can't remove the certificate we use for our wifi (its a state wide wifi network) 

    So on our VPN server i just installed the CA the wireless network uses and ran the commands above to only allow that CA to join, 

    Is this what causes a error 809? do i need to install this seperate CA on our NPS for client machine certificate authentication? i dont see any errors in event vewier on the NPS or RAS server, just the client, 

  9. Avatar
    louis 4 years ago

    Is certain traffic restricted to certain tunnels? ie are updates restricted to the computer authenticated tunnel?

    Or is it just a way of authenticating? eg you can just use computer authentication rather than user authentication?

    We also use radius authentication for our wired/wireless clients so I'm wondering if we can use the same certs?

  10. Avatar
    Patrick Pinto 4 years ago

    Hi, great artile. It is working however it does not display under network connections for anyone. If we run get-uservpnconnection it does show up in the list but not displayed in the network connections applet in the bottom right? Any idea why?

    • Avatar Author

      Hi Patrick, what did you find out about your problem? Was it due to an older client version of Windows 10?

  11. Avatar
    S 4 years ago

    Great article thank you!

    The powershell script for the device tunnel is missing Get-Content

    $ProfileXML = Get-Content 'file.xml'

  12. Avatar 4 years ago

    Configuring and provisioning a Windows 10 Always On VPN device tunnel is similar to the process for the Always On VPN connection itself. A VPN profileXML file is created and then deployed via a Mobile Device Management (MDM) solution such as Microsoft Intune. Optionally, the VPN profileXML can be deployed using SCCM or PowerShell. Additional information about Windows 10 Always On VPN device tunnel configuration, including a sample profileXML and PowerShell script, can be found here .

  13. Avatar
    Maga 4 years ago

    Is an NPS Server needed for Always On VPN device tunnels?

    As the RRAS Server locally authenticates the clients using a certificate, where is the use of NPS?

    • Avatar
      Maga 4 years ago

      Just found the confirmation in this conversation at another forum:

      That’s correct. NPS is not involved at all on the device tunnel. The machine certificate used for device tunnel authentication is evaluated on the VPN server only.




  14. Avatar
    Tristan 4 years ago

    Something isnt right here, when configuring a device tunnel it doesnt connect automatically and prompts for credentials when trying to dial up the connection manually (have followed these instructions to the letter). Anyone else experienced this?

    • Avatar
      Ryan Young 4 years ago

      I also am getting this same thing.  Did you ever resolve this?

  15. Avatar
    TheWizard1002 4 years ago

    Tristan, T.J Smith

    The solution was a couple of posts up. See below.

    The powershell script for the device tunnel is missing Get-Content.  Add the Get-Content text to the $ProfileXML line in your powershell script as seen below.  As posted it is not putting the information into the VPN that is being created from your xml file.

    $ProfileXML = Get-Content 'file.xml'

    If you want to use DEVICE TUNNELS / Device Authentication then make the following changes.

    – auto enroll Computer certificates

    – RAS > Properties > Security > Auth Methods > Allow Machine Certificate…for IKEv2
    – On Windows 10 client – under Security > Auth > Instead of EAP – simply choose “use machine certificates”

    • Avatar
      Tristan 4 years ago

      Thanks for the update, i worked through the issues myself and have a working solution as of a week ago 🙂

  16. Avatar
    Lee Martin 4 years ago

    Hi, Having reviewed this, I cannot seem to get this to work with a VM that I have turned into an Internet client having followed all the steps here. Is there nothing on the DNS front required to make this work?


  17. Avatar
    FarazBeh 4 years ago



    Is there any way to setup Device or User Tunnel as Full Tunnel not Split Tunnel?

  18. Avatar
    Ryan 3 years ago

    Once I create the tunnel via the script using psexec -s  this is my output.  Should I see the rest of the fields populated?


    AlwaysOn                :
    ByPassForLocal          :
    DeviceTunnel            :
    DnsSuffix               :
    EdpModeId               :
    InstanceID              : Always%20On%20VPN%20-%20Device
    LockDown                :
    ParentID                : ./Vendor/MSFT/VPNv2
    ProfileXML              :
    RegisterDNS             :
    RememberCredentials     :
    TrustedNetworkDetection :
    PSComputerName          :

    • Avatar Author

      That output looks right. The device profile should appear if you run Get-VPNConnection -AllUserConnection . You should also see it as a network adapter in Control Panel.

      • Avatar
        Ryan Berenji 3 years ago


        I have always on device tunnels working.  However one important aspect is not functioning, I cannot communicate with VPN connected devices from internal resources.  However I can communicate with all internal resources from the device tunnel.  Is there a route I need to publish to my core switch?  Right now both of my NICs on the vpn server are on the same subnet, should the external one be on a separate subnet in the dmz?  I've tried adding routes to the VPN server, but to no avail.  I see aside from the two NICs I have on the VM, RRAS creates a virtual NIC I assume as the gateway for VPN connected devices.



  19. Avatar
    Clin 3 years ago

    How is it possible to autoconnect Always on vpn client when windows startup? So the user does not have todo anything.

    • Avatar Author

      This should be the default behavior. In the XML, do you have <AlwaysOn>true</AlwaysOn> ?

      • Avatar
        Lufaa 3 years ago

        Hi Joseph, can you tell me where I can see what the XML contains. An external party has set up our Intune config, but the device tunnel is not connecting automatically when booting the devices.

        Hope you can assist.

        Thanks en greetz,

  20. Avatar
    Mitch 3 years ago

    Thank you for all this info! One weird "issue" I have is when I run the script for the device profile, it does exactly as it should but the script "hangs" for a few minutes then the catch exception kicks in with "Unable to create DeviceTunnel profile: The remote procedure call failed.". Even though it did all the work and it functions. This is causing very long delays in log on times (deployed through startup GPO)

  21. Avatar
    Mitch 3 years ago

    Specifically, this part hangs: $session.CreateInstance($namespaceName, $newInstance)

  22. Avatar
    Robert Meany 2 years ago

    Does this article still apply with the latest version of windows? For a while, SCCM supported deploying VPN profiles via Company Resource Access, but they have since deprecated that and are now saying that InTune *must* be used to deploy VPN profiles. I’m trying to avoid intune at all costs.

Leave a reply to pieter72 (Rank 1) Click here to cancel the reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account