BrandonMelton-9043 asked ·

Azure VPN works, except with Intune Security Baseline - failure in acquiring AAD token

Azure VPN works great on any laptop with a group of users in Azure AD (myself included). However, when I use a particular set of laptops that are receiving any of the 3 security baselines for Windows 10, I get the following:

In the Azure VPN Client, failure reason shows:
Failures in acquiring AAD Token:Provider Error 2147942756:

In the status logs it shows:
[2/11/2021 4:05:47 PM] PId:[00016148] TId:[00016336] [ApplicationX] [] [Verbose] Dialing VPN connection **
[2/11/2021 4:05:47 PM] PId:[00016148] TId:[00016336] [ApplicationX] [] [Verbose] Requested AccountsManager dialog.
[2/11/2021 4:05:50 PM] PId:[00016148] TId:[00016336] [ApplicationX] [] [Error] Provider Error 2147942756:
[2/11/2021 4:05:50 PM] PId:[00016148] TId:[00016336] [ApplicationX] [] [Error] Provider Error 2147942756:

And diagnosis tool shows:
Internet Access - Result: Available
Client Credentials - Result: AAD Endpoint Reachable
Server Resolvable - Result: DNS Name Resolved as **
Server Reachable - Result: Socket Connected

I can literally have my wife's home laptop right beside this one on the same wireless network, and log in to Azure VPN with the imported profile flawlessly. But on this laptop, once I click any of the login options, I don't even get a login prompt, or MFA'd, I just immediately get the failure in acquiring AAD token.

Troubleshooting so far:
- I've uninstalled and reinstalled the Azure VPN client several times
- I've uninstalled and reinstalled the profile several times
- I've cleared saved accounts several times
- I've rebooted
- I've checked updates, applied everything, and ensured no updates are pending




@BrandonMelton-9043, from your description, I know the Azure VPN gets Provider Error 2147942756 when the 3 security baselines are applied. Researching both intranet and Internet, I didn't find a related issue.

For such an issue, to narrow it down, we can unapply these policies one by one to find the affected settings. The test will take a rather long time.

On the other hand, we can look into some more logs to see if there are any findings. As log analysis is limited in Q&A, we suggest opening a case to work on this. Here is a link about how to open a case for your reference:
https://docs.microsoft.com/en-us/mem/get-support

Thanks for the understanding and have a nice day!

0 Votes 0 ·

Hello @BrandonMelton-9043 ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Gita

0 Votes 0 ·

Hello @BrandonMelton-9043 ,

I'm following up to check for the current status on this issue. Could you please let us know if you are still facing an issue?

Thanks,
Gita

0 Votes 0 ·

1 Answer

GitaraniSharmaMSFT-4262 answered ·

Hello @BrandonMelton-9043 ,

I did some internal research on the error message you provided, and below is the RCA which I found:

Issue:

Issue connecting through Azure VPN Client on some machines but works for others.
Error code: Failure in acquiring AAD Token: Provider Error 2147942756

Cause:

The issue occurs when deployment is completed with Intune and the error in Azure VPN log (Error 2147942756) comes back as Windows Information Protection Policy.

Resolution:

Confirm that you are using the recommended configuration for the VPN policy following the article below and if everything is correctly configured please try to set a new policy for test users to discard any problem with the policy. This worked in several previous cases related to WIP:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
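The cause given in the answer above can be checked directly from the log, as an added example that is not part of the original answer or Microsoft's code. It assumes the "Provider Error" number is an HRESULT printed in decimal; the function name `ConvertFrom-ProviderError` is hypothetical, and the sample lines are the ones quoted in the question.

```powershell
# Added example: decode "Provider Error <n>" values from Azure VPN Client status logs.
# Sample lines are copied from the status log quoted in the question.
$logLines = @(
    '[2/11/2021 4:05:47 PM] PId:[00016148] TId:[00016336] [ApplicationX] [] [Verbose] Requested AccountsManager dialog.'
    '[2/11/2021 4:05:50 PM] PId:[00016148] TId:[00016336] [ApplicationX] [] [Error] Provider Error 2147942756:'
    '[2/11/2021 4:05:50 PM] PId:[00016148] TId:[00016336] [ApplicationX] [] [Error] Provider Error 2147942756:'
)

function ConvertFrom-ProviderError {
    param([Parameter(Mandatory)][uint32]$Code)

    # HRESULT layout: bit 31 = severity, bits 16-26 = facility, bits 0-15 = code.
    $severity = ($Code -shr 31) -band 0x1
    $facility = ($Code -shr 16) -band 0x7FF
    $win32    = $Code -band 0xFFFF

    $message = if ($facility -eq 7) {
        # Facility 7 is FACILITY_WIN32: the low word is a Win32 error code.
        # The message text lookup is meaningful on Windows only.
        [System.ComponentModel.Win32Exception]::new([int]$win32).Message
    } else {
        '(not a Win32-facility HRESULT)'
    }

    [pscustomobject]@{
        Decimal  = $Code
        HResult  = '0x{0:X8}' -f $Code
        Failure  = [bool]$severity
        Facility = $facility
        Win32    = $win32
        Message  = $message
    }
}

# Pull every distinct provider error out of the log and decode it.
$logLines |
    Select-String -Pattern 'Provider Error (\d+)' |
    ForEach-Object { [uint32]$_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique |
    ForEach-Object { ConvertFrom-ProviderError -Code $_ }
```

For 2147942756 this yields 0x80070164: facility 7 (Win32) and code 356, which winerror.h defines as ERROR_EDP_POLICY_DENIES_OPERATION, consistent with the Windows Information Protection attribution in the answer.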



Thank you, but that didn't work for me. I sync'd and rebooted until it showed it had applied and still gave exact same answer. I also found this article though that was more specific with how to do Azure VPN Client and Intune policies - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-profile-intune.

I followed its recommendation as well, same results. I'll post my configs below. Sorry I didn't respond sooner, but I wanted to ensure these policies had enough time to make it to my machine and that through several reboots the same issues existed before going to the next step.


OMA URI - ./Vendor/MSFT/VPNv2/*/EDPModeId


Value - (can't post this, says my character limit is reached)

0 Votes 0 ·

<VPNProfile>
  <!--<EdpModeId>corp.contoso.com</EdpModeId>-->
  <RememberCredentials>true</RememberCredentials>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>,,,</TrustedNetworkDetection>
  <DeviceTunnel>false</DeviceTunnel>
  <RegisterDNS>false</RegisterDNS>
  <PluginProfile>
    <ServerUrlList>azuregateway-.vpn.azure.com</ServerUrlList>
    <CustomConfiguration>
    </CustomConfiguration>
    <PluginPackageFamilyName>Microsoft.AzureVpn_8wekyb3d8bbwe</PluginPackageFamilyName>
  </PluginProfile>
</VPNProfile>

0 Votes 0 ·

I just now realized I didn't have the full-original VPN profile xml file in between CustomConfiguration tags. I just fixed that and am waiting for it to deploy to my laptop. I also added the Azure VPN Client store app to my protected apps WIP profile. Will see if this works...

0 Votes 0 ·
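The gap described in the last comment (an empty CustomConfiguration element) can be caught before a profile is deployed. The following is an added example, not code from the thread or from Microsoft; the function name `Test-AzureVpnProfileXml` is hypothetical and the sample XML is constructed to mirror the profile posted above. The thread does not say whether filling in CustomConfiguration resolved the error.

```powershell
# Added example: pre-deployment checks on a VPNv2 ProfileXML for the Azure VPN Client plug-in.
# Constructed sample mirroring the profile posted in the thread (redactions kept as posted).
$profileXml = @'
<VPNProfile>
  <!--<EdpModeId>corp.contoso.com</EdpModeId>-->
  <AlwaysOn>true</AlwaysOn>
  <PluginProfile>
    <ServerUrlList>azuregateway-.vpn.azure.com</ServerUrlList>
    <CustomConfiguration>
    </CustomConfiguration>
    <PluginPackageFamilyName>Microsoft.AzureVpn_8wekyb3d8bbwe</PluginPackageFamilyName>
  </PluginProfile>
</VPNProfile>
'@

function Test-AzureVpnProfileXml {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)   # throws on malformed XML, which is itself a useful check
    $findings = New-Object System.Collections.Generic.List[string]

    # The Azure VPN Client's own profile XML must be embedded here as child elements.
    $custom = $doc.SelectSingleNode('/VPNProfile/PluginProfile/CustomConfiguration')
    if ($null -eq $custom) {
        $findings.Add('CustomConfiguration element is missing')
    } elseif (-not ($custom.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })) {
        $findings.Add('CustomConfiguration is empty: the client profile XML was not embedded')
    }

    $pfn = $doc.SelectSingleNode('/VPNProfile/PluginProfile/PluginPackageFamilyName')
    if ($null -eq $pfn -or $pfn.InnerText.Trim() -ne 'Microsoft.AzureVpn_8wekyb3d8bbwe') {
        $findings.Add('PluginPackageFamilyName does not match the Azure VPN Client package')
    }

    # EdpModeId links the profile to a WIP enterprise ID; flag it when it only exists as a comment.
    $edp = $doc.SelectSingleNode('/VPNProfile/EdpModeId')
    $commented = $doc.SelectNodes('/VPNProfile/comment()') |
        Where-Object { $_.Value -match '<EdpModeId>' }
    if ($null -eq $edp -and $commented) {
        $findings.Add('EdpModeId is commented out in ProfileXML; confirm it is set elsewhere')
    }

    $findings
}

Test-AzureVpnProfileXml -Xml $profileXml
```

Run against the sample, it reports the empty CustomConfiguration and the commented-out EdpModeId; the latter is informational here, since the thread sets EDPModeId through a separate OMA-URI.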