Setting up Always On VPN on Windows so the tunnel is always live.
Windows AOVPN has a Device Tunnel (before user login, for logon and GPO) and a User Tunnel (for personal resources). You need Intune or GPO plus a RasMan template plus RADIUS or certificate auth. Not fun to do by hand on more than 5 laptops.
Try this first
1. Decide whether you need only the User Tunnel or also the Device Tunnel. The User Tunnel is usually enough for SMB.
2. Generate the profile XML. The easiest route is the Microsoft VPN Profile Designer or an Intune policy template.
3. Set up cert auth via your AD CS or an Intune SCEP profile. Password-only auth is not recommended.
4. Test on one pilot laptop with logs. AOVPN errors live in Event Viewer under Application and Services Logs > Microsoft > Windows > VPN.
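A pre-deployment check for steps 1 to 3, as an added example that is not part of the original page: it lints a ProfileXML string for the tunnel type and authentication choices before the profile goes to the pilot laptop. The element names follow the VPNv2 CSP ProfileXML layout; the sample profiles and the server name `vpn.example.com` are constructed, and the inner EAP configuration of an `Eap` profile is not inspected.

```python
import xml.etree.ElementTree as ET

# Constructed sample ProfileXML (VPNv2 CSP layout); server name is a placeholder.
SAMPLE_WEAK = """<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><UserMethod>MSChapv2</UserMethod></Authentication>
  </NativeProfile>
</VPNProfile>"""

SAMPLE_DEVICE = """<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
  </NativeProfile>
</VPNProfile>"""

def _text(root, tag):
    """Return the lower-cased text of the first element named tag, or ''."""
    for el in root.iter():
        if el.tag.split('}')[-1] == tag:   # ignore XML namespaces
            return (el.text or '').strip().lower()
    return ''

def lint_profile(xml_text):
    """Return a list of findings for one AOVPN ProfileXML string."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, 'AlwaysOn') != 'true':
        findings.append('AlwaysOn is not true: tunnel will not auto-connect')
    if _text(root, 'DeviceTunnel') == 'true':
        # Device Tunnel runs before logon: machine certificate over IKEv2 only.
        if _text(root, 'MachineMethod') != 'certificate':
            findings.append('Device Tunnel needs MachineMethod Certificate')
        if _text(root, 'NativeProtocolType') != 'ikev2':
            findings.append('Device Tunnel needs NativeProtocolType IKEv2')
    else:
        method = _text(root, 'UserMethod')
        if method == 'mschapv2':
            findings.append('UserMethod MSChapv2 is password-only auth')
        elif method != 'eap':   # Eap is required for cert auth; inner config unchecked
            findings.append('User Tunnel has no Eap UserMethod for cert auth')
    return findings
```

An empty list means the profile passed these checks; run it on the exported XML before assigning the policy beyond the pilot device.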
When to bring us in
You no longer have domain-joined laptops and everything is Entra-only: classic AOVPN is a fight, so choose Microsoft Tunnel, Tailscale or a ZTNA solution instead.
See also
- VPN will not connect or keeps dropping: Two main causes: your home internet or the VPN server. One quick test separates them.
- VPN connects but corporate folders are unreachable: Connection says "green" but your network drives will not open. Almost always a DNS or routing issue.
- Home PC slow on VPN, fast at the office: Three suspects: home internet, VPN server limits, or routing that takes a long detour.