I have tried several times to get this to recover including the GP Logonas a service, but I cannot VPN back to functioning.
Ok, Ok, I'll admit it. I tried the TLS 1.2 trick. However, when attempting to reset or repair the Remote Access VPN wizard, guess what? I had to re-enable TLS 1.0 on both client and server in IISCrypto. I had tried just the server, but it has to be both in order to the wizard to finish. After the wizard finished I reran the perfectforwardsecrecy script and still had VPN working. Yikes, what a bucket.
This experience affirms what Mariette has strongly implied all along, that TLS 1.0 is embedded in the Essentials role in crucial ways. Basically, the Configure Anywhere Access wizard will not function correctly without TLS 1.0 being enabled, certainly for VPN. When enabled, it works, when disabled, it doesn't work. However, after the wizard runs. TLS 1.0 can be disabled and as long as the clients are setup the connections should still work, maybe. Thats my story and I'm stickin to it.
Thanks Eugene for the honest answer.