Merge pull request #310710 from fabferri/patch-8

Document VPN profile issues and solutions for Windows 11

Author: prmerger-automator[bot]

articles/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems.md

@@ -150,6 +150,49 @@ This problem might occur if you're trying to open the site-to-point VPN connecti
 
 Open the VPN package directly instead of opening it from the shortcut.
 
+## VPN profile is repeatedly deleted and recreated on Windows 11
+
+### Symptom
+
+- The VPN connection disconnects during, or shortly after, an Intune synchronization.
+- The VPN profile appears to be deleted and then reprovisioned, even though no configuration changes were made.
+- This behavior is observed primarily on Windows 11 devices.
+
+### Cause
+
+This issue occurs due to differences in how Intune and Windows handle the VPN profile XML:
+- During an Intune sync, Intune compares the VPN profile assigned to the device with the profile currently present on the system.
+- Windows does not store the original VPN profile XML exactly as it was provided to Intune. When queried, Windows regenerates the XML representation of the profile.
+- The regenerated XML may differ in formatting, ordering, or normalization from the original XML uploaded to Intune.
+- Although the effective VPN configuration is the same, these formatting differences can cause Intune to interpret the profile as changed.
+- When Intune detects a difference, it deletes the existing VPN profile and provisions a new one, which causes the VPN connection to disconnect.
+
+### Solution
+
+To prevent unnecessary deletion and recreation of the VPN profile, ensure that the XML profile used in Intune matches the format generated by Windows.
+The recommended approach is to extract the profile XML from a device where the VPN profile is already provisioned and working correctly.
+
+1. Provision a VPN profile through Intune that includes all required settings.
+   
+1. On a Windows device with the correctly applied profile, open PowerShell and retrieve the list of provisioned VPN profiles:
+   ```
+   $vpns = Get-CimInstance -Namespace root\cimv2\mdm\dmmap -ClassName MDM_VPNv2_01
+   ```
+   
+1. Identify the correct profile by reviewing the InstanceID value:
+   ```
+   $vpns[0].InstanceID
+   ```
+   
+1. Export the profile XML to a file:
+   ```
+   [System.IO.File]::WriteAllText("VPN-Corrected.xml", $vpns[0].ProfileXML)
+   ```
+   
+1. Use the exported XML file as the VPN profile definition in Intune
+
+Using the XML generated by Windows helps ensure consistency between the profile stored on the device and the profile evaluated by Intune, reducing the likelihood of profile deletion and VPN disconnections during sync.
+
 ## Can't install the VPN client
 
 ### Cause