Fix Always-On VPN Device Tunnel Not Reconnecting on Windows 11

Windows 11 includes a feature called Always-On VPN that keeps a persistent connection to your corporate network. When the Device Tunnel stops reconnecting after a network drop, remote users lose access to domain resources and management tools. This failure often happens because of misconfigured VPN profile settings, incorrect DNS resolution, or missing certificate trust. This article explains why the Device Tunnel fails to reconnect and provides the exact steps to fix the connection.

Key Takeaways: Fixing Always-On VPN Device Tunnel Reconnection

  • VPN profile XML with <AlwaysOn>true</AlwaysOn> and <DeviceTunnel>true</DeviceTunnel>: ensures the profile is always-on and is treated as a device tunnel rather than a user tunnel.
  • PowerShell cmdlet Add-VpnConnectionTriggerDnsConfiguration: Configures DNS suffixes that trigger automatic VPN reconnection when name resolution fails.
  • Settings > Network & internet > VPN > [profile name] > Advanced > Remember credentials: Saves the machine certificate or user credentials so the tunnel does not prompt for authentication after a disconnect.

Why the Windows 11 Device Tunnel Does Not Reconnect Automatically

The Always-On VPN Device Tunnel in Windows 11 relies on a combination of profile configuration, network trigger settings, and authentication trust. When any of these components fails, the tunnel does not re-establish after a temporary network outage.

The most common root causes are:

Missing Always-On and Device Tunnel Flags in the Profile XML

The VPN profile XML must contain two specific elements: <AlwaysOn>true</AlwaysOn> and <DeviceTunnel>true</DeviceTunnel>. If either is missing or set to false, Windows treats the profile as a user tunnel or as a manual connection that does not auto-reconnect. Many administrators deploy profiles without these flags because they rely on older templates or forget to include them.

Incorrect DNS Trigger Configuration

Windows 11 uses DNS name resolution as a trigger to re-establish the VPN tunnel. When a network interface loses connectivity, the system attempts to resolve a configured DNS suffix. If the resolution fails, it starts the VPN connection. Without the correct DNS suffix in the trigger list, the system never attempts to reconnect.

Certificate or Credential Expiration

Device Tunnel authentication uses machine certificates or pre-shared keys. If the certificate has expired, is revoked, or is not trusted by the VPN server, the tunnel cannot authenticate after a disconnect. User credentials stored in the Windows Credential Manager may also expire or become corrupted.

Windows Filtering Platform Blocking the Tunnel

Third-party firewall or security software that hooks into the Windows Filtering Platform can block the VPN adapter or the IKEv2 protocol. This prevents the tunnel from reconnecting even when the profile and triggers are correct.

Steps to Restore Automatic Reconnection of the Device Tunnel

Follow these steps in order. After each step, test the reconnection by disconnecting the network interface and waiting 30 seconds.

Step 1: Verify the VPN Profile XML Contains the Required Flags

  1. Open PowerShell as Administrator
    Press Windows + X and select Terminal (Admin).
  2. Export the VPN profile to an XML file
    Get-VpnConnection does not output the profile XML. The command often suggested, Get-VpnConnection -Name "YourVPNProfileName" | Select-Object -ExpandProperty ServerList | ForEach-Object { $_.ServerAddress } | Out-File -FilePath C:\VPNProfile.xml, only writes the server addresses, not the ProfileXML. Locate the ProfileXML you deployed (from Intune, Configuration Manager or your PowerShell deployment script) and save a copy as C:\VPNProfile.xml. On a device where the profile was deployed through the MDM bridge or Intune, the deployed XML can also be read from the ProfileXML property of the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap WMI namespace when PowerShell runs as SYSTEM. Replace YourVPNProfileName with the exact name of your VPN connection.
  3. Open the XML file in Notepad
    Run notepad C:\VPNProfile.xml. Look for the <AlwaysOn> and <DeviceTunnel> elements, which are direct children of <VPNProfile>. If they are missing or set to false, edit the file so both read true, keeping your existing server, routing and authentication settings inside <NativeProfile>:
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <NativeProfile>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
</VPNProfile>
  4. Reapply the corrected profile
    There is no Import-VpnConnection cmdlet, and Set-VpnConnection cannot apply ProfileXML. Redeploy the corrected XML through the channel you used originally: an Intune or Configuration Manager VPN profile, or a PowerShell deployment script that writes the ProfileXML to the MDM_VPNv2_01 class through the MDM bridge WMI provider (run in the SYSTEM context for a device tunnel). Then confirm with Get-VpnConnection -Name "YourVPNProfileName" -AllUserConnection that the connection exists as an all-user connection.
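The check-and-repair in Step 1, as an added example that is not part of the original article: it reads the deployed profile through the MDM bridge WMI provider, sets the two flags if needed and recreates the instance. It assumes it runs as SYSTEM (for example via psexec -s powershell.exe), because device tunnel profiles are device-scoped, and YourVPNProfileName is a placeholder.

```powershell
# Added example, not from the article: verify and repair the AlwaysOn and
# DeviceTunnel flags in a deployed profile through the MDM bridge WMI provider.
# Assumes it runs as SYSTEM (for example: psexec -s powershell.exe), because
# device tunnel profiles are device-scoped; $ProfileName is a placeholder.
$ProfileName = 'YourVPNProfileName'
$Namespace   = 'root\cimv2\mdm\dmmap'
$ClassName   = 'MDM_VPNv2_01'

# The CSP stores the profile under a URL-escaped InstanceID (spaces become %20).
$InstanceId = [uri]::EscapeDataString($ProfileName)
$instance = Get-CimInstance -Namespace $Namespace -ClassName $ClassName |
    Where-Object { $_.InstanceID -eq $InstanceId }
if (-not $instance) { throw "Profile '$ProfileName' not found in $ClassName" }

# The provider may return the XML HTML-encoded (&lt;VPNProfile&gt;); decode it first.
$raw = $instance.ProfileXML
if ($raw -match '&lt;') { $raw = [System.Net.WebUtility]::HtmlDecode($raw) }
[xml]$xml = $raw
$root = $xml.DocumentElement
$changed = $false

foreach ($flag in 'AlwaysOn', 'DeviceTunnel') {
    $node = $root.SelectSingleNode($flag)
    if ($null -eq $node) {
        # Element missing: both flags are direct children of <VPNProfile>.
        $node = $xml.CreateElement($flag)
        $node.InnerText = 'true'
        [void]$root.AppendChild($node)
        $changed = $true
    } elseif ($node.InnerText.Trim().ToLower() -ne 'true') {
        $node.InnerText = 'true'
        $changed = $true
    }
}

if (-not $changed) {
    "Profile '$ProfileName' already has AlwaysOn and DeviceTunnel set to true"
    return
}

# Reapply: the CSP has no in-place update, so delete and recreate the instance.
# Escaping '<', '>' and '"' follows Microsoft's published deployment script.
$escaped = $xml.OuterXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$instance | Remove-CimInstance
[void](New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
    ParentID   = './Vendor/MSFT/VPNv2'
    InstanceID = $InstanceId
    ProfileXML = $escaped
})
"Profile '$ProfileName' reapplied with AlwaysOn and DeviceTunnel set to true"
```

Keep a copy of the original ProfileXML before running this, since the instance is deleted and recreated rather than edited in place.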

Step 2: Configure DNS Trigger Suffixes

  1. Open PowerShell as Administrator
    Press Windows + X and select Terminal (Admin).
  2. Add a DNS suffix that triggers VPN reconnection
    Run: Add-VpnConnectionTriggerDnsConfiguration -ConnectionName "YourVPNProfileName" -DnsSuffix "corp.example.com" -DnsIPAddress "10.0.0.10". The -DnsIPAddress parameter is required and must be the internal DNS server that is reachable through the tunnel (10.0.0.10 is a placeholder). Replace corp.example.com with a DNS suffix that is only resolvable through the VPN. Use multiple suffixes if needed by repeating the command.
  3. Verify the trigger list
    Run: Get-VpnConnectionTrigger -ConnectionName "YourVPNProfileName". Confirm the DnsSuffix property lists the suffixes you added.

Step 3: Check and Refresh Machine Certificate Trust

  1. Open the Certificates snap-in for the local machine
    Press Windows + R, type certlm.msc, and press Enter.
  2. Locate the VPN client certificate
    Navigate to Personal > Certificates. Find the certificate issued by your VPN server or CA. Double-click it and check the Valid from and Valid to dates. If expired, request a new certificate from your CA.
  3. Verify the trusted root CA
    Navigate to Trusted Root Certification Authorities > Certificates. Ensure the CA that issued the VPN server certificate is present. If missing, import the CA certificate from your network administrator.
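The certificate checks in Step 3, as an added example that is not part of the original article: it lists machine certificates in the local computer Personal store that carry the Client Authentication EKU, reports days to expiry, and builds the chain so a missing or untrusted root, or a revoked certificate, is reported before the tunnel fails. Run it in an elevated PowerShell.

```powershell
# Added example, not from the article: report expiry and chain status of
# machine certificates usable for IKEv2 client authentication.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (
        # A certificate with no EKU extension is valid for all purposes.
        $_.EnhancedKeyUsageList.Count -eq 0 -or
        $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku)
}

if (-not $certs) {
    Write-Warning 'No machine certificate with a private key and Client Authentication EKU found'
    return
}

foreach ($cert in $certs) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    # Build the chain with online revocation checking; the ChainStatus array
    # names the problem (UntrustedRoot, Revoked, NotTimeValid, ...) on failure.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)
    $status = if ($chainOk) { 'OK' } else { ($chain.ChainStatus.Status | Sort-Object -Unique) -join ', ' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Chain      = $status
    }
}
```

A certificate that shows UntrustedRoot here matches the Event ID 20227 "certificate not trusted" case later in the article and points at the Trusted Root Certification Authorities store rather than at the client certificate itself.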

Step 4: Clear and Re-Store Credentials in Credential Manager

  1. Open Credential Manager
    Press Windows + R, type control /name Microsoft.CredentialManager, and press Enter.
  2. Delete old VPN credentials
    Click Windows Credentials. Look for entries that contain your VPN server name or VPN profile name. Click the arrow and select Remove.
  3. Reconnect the VPN manually
    Open Settings > Network & internet > VPN. Click your VPN profile and select Connect. Enter credentials if prompted and check Remember my credentials.

Step 5: Disable Third-Party Firewall Temporarily for Testing

  1. Identify the third-party security software
    Press Ctrl + Shift + Esc to open Task Manager. Go to the Startup tab and look for firewall or antivirus entries.
  2. Disable the software temporarily
    Right-click the icon in the system tray and select Disable or Exit. Alternatively, go to Settings > Apps > Installed apps, find the software, and click Advanced options > Terminate.
  3. Test the VPN reconnection
    Disconnect the network cable or disable Wi-Fi. Wait 30 seconds and re-enable the network. If the tunnel reconnects, the security software was blocking the VPN. Add an exception for the IKEv2 protocol and the VPN adapter in the firewall rules.

If the Device Tunnel Still Does Not Reconnect

No VPN Adapter Appears After Network Restoration

If the VPN adapter does not appear in Network Connections after reconnecting the network, the Windows Filtering Platform driver may be corrupted. Open PowerShell as Administrator and run netsh int ip reset followed by netsh winsock reset. Restart the computer and test again.

Event ID 20227 or 20230 in the System Log

These events indicate IKEv2 authentication failures. Open Event Viewer > Windows Logs > System. Look for source RasClient or RemoteAccess. The error message usually states the reason, such as certificate not trusted or certificate expired. Follow Step 3 to refresh the certificate trust chain.

VPN Profile Is Not Applied to All Users

Device Tunnel profiles must be deployed as all-user connections. Open PowerShell as Administrator and run Get-VpnConnection -AllUserConnection. If your profile does not appear in the output, it is a per-user connection. Use Add-VpnConnection -AllUserConnection with the correct parameters to create a new all-user profile.
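The event log and all-user checks from this troubleshooting section, as an added example that is not part of the original article: it collects recent RasClient events 20227 and 20230, extracts the error code from each message, and confirms whether the profile is deployed as an all-user connection. YourVPNProfileName is a placeholder; run it in an elevated PowerShell.

```powershell
# Added example, not from the article: summarise recent IKEv2/RAS failures
# from the System log and check the profile scope.
$ProfileName = 'YourVPNProfileName'   # placeholder

$filter = @{
    LogName      = 'System'
    ProviderName = 'RasClient'        # change to 'RemoteAccess' to check that source too
    Id           = 20227, 20230
    StartTime    = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

function Get-RasFailure {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # 20227 messages end with "The error code returned on failure is <n>."
    $code = if ($Event.Message -match 'error code returned on failure is (\d+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        ErrorCode = $code
        Message   = $Event.Message
    }
}

$failures = @($events | ForEach-Object { Get-RasFailure -Event $_ })
$failures | Format-Table Time, Id, ErrorCode -AutoSize
# Group by error code so a recurring cause (e.g. a certificate problem) stands out.
$failures | Group-Object ErrorCode | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$allUser = Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $ProfileName }
if ($allUser) {
    "Profile '$ProfileName' is an all-user connection (TunnelType: $($allUser.TunnelType))"
} else {
    "Profile '$ProfileName' is not an all-user connection; a device tunnel must be deployed as one"
}
```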

Always-On VPN Device Tunnel vs User Tunnel: Reconnection Behavior

Item                               Device Tunnel                                   User Tunnel
---------------------------------  ----------------------------------------------  ----------------------------------------------
Authentication                     Machine certificate or pre-shared key           User credentials or certificate
Trigger method                     DNS suffix resolution failure                   User logon or app request
Auto-reconnect after network drop  Yes, if DNS trigger and certificate are valid   No, requires user action or app trigger
Profile scope                      All-user connection                             Per-user connection
Common failure point               Missing AlwaysOn or DeviceTunnel flag in XML    Expired user password or credential corruption

The Device Tunnel is designed for machine-level connectivity before user logon. The User Tunnel handles per-user traffic after authentication. For reliable reconnection, the Device Tunnel requires the correct XML flags, a valid machine certificate, and at least one DNS trigger suffix. The User Tunnel depends on user credential validity and application-level triggers.

You can now verify and repair the Always-On VPN Device Tunnel reconnection on Windows 11. Start by checking the profile XML for the <AlwaysOn> and <DeviceTunnel> flags, then configure DNS triggers with the Add-VpnConnectionTriggerDnsConfiguration cmdlet. For persistent failures, examine Event ID 20227 in the System log to identify certificate or authentication issues. As an advanced tip, use Get-VpnConnection -AllUserConnection | Format-List to dump every property of the VPN profile and spot misconfigurations that the GUI hides.