VPN Profile not saving / Win10 Settings App crashes

PrimeFX 1 Reputation point
2022-02-02T11:43:49.66+00:00

Hi all,

We have to use the integrated VPN client in Windows 10 in our company. A working VPN Server exists.
Tested on clients with Windows 10 Build 1909 and 20H2.

VPN profile settings:
VPN Type = L2TP with pre-shared key
Authentication = Username and Password

When I try to add a VPN profile on "NBcorpX" under "Settings -> Network and Internet -> VPN -> Add a VPN Connection", the following problems occur:

  • When entering the information in the VPN profile (server, pre-shared key, username / password) nothing happens when clicking on Save -> "Save" is grayed out and you can only cancel
  • After that you don't see the VPN profile in the overview, only when you open the VPN Settings page again - then you see the new profile.
  • If you open the profile and go to "Advanced Options / Edit" either the Settings App crashes completely (if SSTP Service is running) but when I stop the "SSTP Service", the Settings App does not crash - but the settings "Pre-Shared key, Username and password" are not displayed and saved - even if you enter them again.

If the Settings App crashes, the following entry appears in application events:

Name der fehlerhaften Anwendung: SystemSettings.exe, Version: 10.0.19041.1320, Zeitstempel: 0x4aa1ce82
Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 10.0.19041.1466, Zeitstempel: 0xe01c7650
Ausnahmecode: 0xc0000409
Fehleroffset: 0x000000000010b362
ID des fehlerhaften Prozesses: 0x934
Startzeit der fehlerhaften Anwendung: 0x01d81814cb9c829b
Pfad der fehlerhaften Anwendung: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Pfad des fehlerhaften Moduls: C:\WINDOWS\System32\KERNELBASE.dll
Berichtskennung: 9075f736-7083-45d9-933a-680f81ba31de
Vollständiger Name des fehlerhaften Pakets: windows.immersivecontrolpanel_10.0.2.1000_neutral_neutral_cw5n1h2txyewy
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: microsoft.windows.immersivecontrolpanel

Strangely, this only happens in this domain / environment. I tested it on client NBCorpY in another domain: it works without any problems and none of the above-mentioned issues occur. On this device I'm also able to connect with VPN.

For testing, besides the Ethernet connection, the client NBCorpX was also connected to a mobile phone hotspot to rule out network-related problems (firewall etc.)

The affected devices are installed with a SCCM task sequence, the base image is the standard ISO from Microsoft, nothing has been changed here.
I checked the GPOs - here indeed services like "SSDP Discovery" and "SSTP Service" get disabled, but I adjusted that and currently the following services are running:

  • SSDP Discovery (SSDPSRV)
  • SSTP Service (SSTPSVC)
  • Remote Access Connection Manager (Rasman)
  • Telephony (TAPISRV)
  • Plug and Play (PlugPlay)
  • Remote Procedure Call (RPCSs)

Are there any other services required? Or do you think it has more to do with the Settings App / Windows components itself?

I also tried to open the file Rasphone.pbk (under %appdata%\Microsoft\Network\Connections\Pbk) on NBCorpX - the following error appears:


The "Remote Access Connection Manager" cannot be started. Error 5: Access denied
But no entries in Event viewer
However, on NBCorpY (other domain) it works and Rasphone.pbk opens "network connections -> setup a new connection".

I already tried "sfc /scannow" and "dism /restorehealth" - the AV was also uninstalled, client restarted - same procedure with other applications installed, but no change.
It affects all checked devices in the environment.

I have also tried booting into Safe Mode, however you can't open the Settings app here.

Your help is much appreciated - thanks in advance!

Windows for business | Windows Client for IT Pros | Networking | Network connectivity and file sharing
Windows for business | Windows Client for IT Pros | User experience | Other

6 answers

  1. PrimeFX 1 Reputation point
    2022-02-02T12:34:03.027+00:00

    Update:

    I checked the Network adapters in Control Panel and the VPN adapter created in the Settings app is available -> WAN Miniport (L2TP)

    The L2TP pre-shared key is not set, but I can enter the key here and it gets saved.

    I did not specify any credentials (user, password) in the Settings app during this test.
    In the VPN Adapter settings "Remember credentials" is NOT enabled.

    When I now try to connect, however, no user / password prompt comes up. It just says "Connecting to 'VPN Profile'" and nothing else happens.

    I will test it again with a manually installed client that is not domain joined - if it works here, most likely another setting in the GPOs is responsible for this.

    I'll also check again all GPO settings that the client gets assigned at the moment.

    If someone could tell me what needs to be running or what services need to be started for a working VPN Connection in Windows 10 I would be very grateful.


  2. Limitless Technology 39,926 Reputation points
    2022-02-03T08:37:13.287+00:00

    Hi there,

    Try adding the VPN using PowerShell:

    Add-VpnConnection -Name "Work VPN" -ServerAddress "8.8.8.8" -TunnelType Pptp -EncryptionLevel Required -AuthenticationMethod MSChapv2 -SplitTunneling -RememberCredential -PassThru

    The Set-VpnConnection cmdlet changes the configuration settings of an existing VPN connection profile. If the VPN profile specified does not exist, you see an error. If errors occur when you modify the VPN profile, the cmdlet returns the error information.

    Set-VpnConnection
    https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnection?view=windowsserver2022-ps&viewFallbackFrom=win10-ps

    Here is a thread as well that discusses the same issue; you can try out some troubleshooting steps from it and see if that helps you to sort out the issue.

    VPN settings are not saving in Windows 10
    https://social.technet.microsoft.com/Forums/en-US/a6e99b96-c1f2-4def-a8be-81f9bac44db6/vpn-settings-are-not-saving-in-windows-10?forum=win10itpronetworking

    -----------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--
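
An added example, not part of the reply above and not Microsoft's own code: the same cmdlets applied to the profile type from the question (L2TP with pre-shared key), creating the profile if it is missing and updating it otherwise. The profile name, the server name and the MSChapv2 setting are assumptions.

```powershell
# Added example: create or update an L2TP/PSK profile, then read it back.
# 'Corp L2TP' and 'vpn.example.com' are placeholders, not values from the thread.
$Name   = 'Corp L2TP'
$Server = 'vpn.example.com'

# Prompt for the pre-shared key so it is not stored in the script or history.
$secure = Read-Host -Prompt 'L2TP pre-shared key' -AsSecureString
$psk    = [System.Net.NetworkCredential]::new('', $secure).Password

$settings = @{
    Name                 = $Name
    ServerAddress        = $Server
    TunnelType           = 'L2tp'
    L2tpPsk              = $psk
    AuthenticationMethod = 'MSChapv2'   # assumption, taken from the reply's command
    EncryptionLevel      = 'Required'
    Force                = $true        # accept the PSK without the confirmation prompt
    PassThru             = $true
}

# Set-VpnConnection fails when the profile does not exist, so branch on that.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    $vpn = Set-VpnConnection @settings
} else {
    $vpn = Add-VpnConnection @settings
}

# Read back what was stored; L2tpIPsecAuth should report Psk.
$vpn | Format-List Name, ServerAddress, TunnelType, L2tpIPsecAuth,
                   AuthenticationMethod, EncryptionLevel | Out-String

# Per-user profiles are written to the phonebook file named in the question.
$pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
if (Test-Path $pbk) {
    Select-String -Path $pbk -SimpleMatch "[$Name]" | Select-Object Path, LineNumber, Line
} else {
    Write-Warning "No phonebook at $pbk; the profile was not persisted for this user."
}
```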


  3. PrimeFX 1 Reputation point
    2022-02-03T14:16:36.493+00:00

    Hi,

    Update:

    I'm one step further, the Settings app kept crashing and not saving the settings because on certain services (SSTP Service, SSDP Discovery) the permissions were not set properly.

    After creating a GPO that sets the permissions correctly, creating a VPN profile now also works in Windows 10 Settings on all clients.
    However, the following error appears after a while when connecting:

    Error 789:
    "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

    When I try it on (my) device in another domain / company it works. I have already set the key "AssumeUDPEncapsulationContextOnSendRule" with value 2 in case there is a NAT behind it.
    The IPSEC service was restarted, the steps which can be found by Google in many threads for Error 789 were executed - but still the same error.

    What else could be the reason for this?


  4. PrimeFX 1 Reputation point
    2022-02-03T17:33:05.187+00:00

    Problem solved:

    There was a DNS CNAME entry "vpn.company.com" pointing to an internal 192.168.x.x IP address, so we got error 789.

    We tried to set the external IP address in VPN Profile and VPN connection is working now.

    So after changing the permissions of SSTP / SSDP services and changing the DNS entry, everything is working.

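
An added example, not written by any participant in this thread: a read-only check of the things the posts above point to (service state and service permissions, the NAT-T registry value, and what the VPN name resolves to). The host name is a placeholder, and the IKEEXT and PolicyAgent services and the PolicyAgent registry path are additions that do not appear in the thread.

```powershell
# Added example: read-only checks for the causes named in the thread.
# 'vpn.example.com' is a placeholder for the VPN server name.
$VpnHost  = 'vpn.example.com'
# Services listed in the question, plus IKEEXT and PolicyAgent (assumption:
# the two IPsec services that L2TP/IPsec relies on).
$Services = 'SSDPSRV','SstpSvc','RasMan','TapiSrv','PlugPlay','RpcSs','IKEEXT','PolicyAgent'

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

# 1. Service state and security descriptor (SDDL). Compare the SDDL with a
#    client where the profile saves correctly; a difference points to a GPO.
$Services | ForEach-Object {
    $name = $_
    $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $name
        Status    = if ($svc) { $svc.Status } else { 'not found' }
        StartType = if ($svc) { $svc.StartType } else { $null }
        Sddl      = (& sc.exe sdshow $name | Where-Object { $_ }) -join ''
    }
} | Format-List | Out-String

# 2. NAT-T registry value mentioned in the thread (set to 2 there).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$nat = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
"AssumeUDPEncapsulationContextOnSendRule = $(if ($null -ne $nat) { $nat } else { 'not set' })"

# 3. What the name resolves to on the current network. The thread reports
#    error 789 when the name resolved to an internal 192.168.x.x address.
Resolve-DnsName -Name $VpnHost -Type A |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress, @{ n = 'Private'; e = { Test-PrivateIPv4 $_.IPAddress } }
```

Run it once per network (Ethernet, WLAN, hotspot) and compare the output, since the DNS answer can differ between them.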

  5. PrimeFX 1 Reputation point
    2022-02-04T12:14:35.547+00:00

    Update: Unfortunately not solved!

    During tests with Ethernet-connection (because I was connected via RDP testing was not possible with hotspot) a connection to the VPN could be established.

    We have now tried it today with a hotspot, unfortunately here again the error 789 appears:

    "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

    Also connected to the WLAN we get this error too (although in the corporate network / domain with WLAN).

    What could be the reason that it works with an active Ethernet connection, but not with corporate WLAN (or externally with a hotspot)?

    PS: On my device (other company / domain) it works without problems.
