Deleting an Always On VPN Device Tunnel

Deleting an Always On VPN Device TunnelWindows 10 Always On VPN supports both a user tunnel for corporate network access, and a device tunnel typically used to provide pre-logon network connectivity and to support manage out scenarios. The process of testing Always On VPN is often an iterative one involving trial and error testing to fine tune the configuration parameters to achieve the best experience. As a part of this process it will often be necessary to delete a connection at some point. For the user tunnel the process is simple and straightforward. Simply disconnect the session and delete the connection in the UI.

Deleting an Always On VPN Device Tunnel

Deleting a device tunnel connection presents a unique challenge though. Specifically, there is no VPN connection in the UI to disconnect and remove. To delete an Always On VPN device tunnel, open an elevated PowerShell window and enter the following command.

Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force

If the device tunnel is connected when you try to remove it, you will receive the following error message.

The VPN connection [connection_name] cannot be removed from the global user connections. Cannot
delete a connection while it is connected.

Deleting an Always On VPN Device Tunnel

The device tunnel must first be disconnected to resolve this issue. Enter the following command to disconnect the device tunnel.

rasdial.exe [connection_name] /disconnect

Remove the device tunnel connection using PowerShell once complete.

Deleting an Always On VPN Device Tunnel
Additional Resources

Windows 10 Always On VPN Device Tunnel Step-by-Step Configuration using PowerShell

What’s The Difference Between DirectAccess and Always On VPN?

Windows 10 Always On VPN Recommendations for Windows Server 2016 Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN Hands-On Training

Leave a comment

49 Comments

  1. Andy

     /  April 6, 2018

    rasphone -R “Device Tunnel” seems to work with one command

    Reply
    • Thanks for the tip. I’ll have to give that a try! 🙂

      Reply
    • FYI: On my Windows 10 build 1803 i had to use:
      rasphone -h “VPN-Tunnel-Name”

      Reply
      • Phi

         /  March 19, 2019

        How do I remove a “LockDown” VPN DeviceTunnel? I cannot do it the same as a normal DeviceTunnel -> disconnect with rasdial and then delete in powershell, because even with psexec in a system context I get an error that I do not have enough permission. Has anyone ever had to delete a LockDown VPN connection?

      • I’ve never used or even tested that LockDown option for Windows 10 Always On VPN. However, someone who follows this blog sent me the following PowerShell code that should remove it.

        PsExec.exe -s C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe (do NOT use the -i switch!)

        $namespaceName = “root\cimv2\mdm\dmmap”
        $className = “MDM_VPNv2_01”

        $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
        Remove-CimInstance -CimInstance $obj

        Let me know how it goes!

      • phi

         /  March 20, 2019

        Hey Richard
        Thank you for the answer, it worked!
        Of course we need to edit this over the wmi/csp bridge… I found a series of articles by Microsoft explaining the whole WMI bridge thing. Maybe it is of help for someone: https://blogs.technet.microsoft.com/tip_of_the_day/2016/10/06/tip-of-the-day-configure-vpn-profiles-using-the-sccmwmi-bridge-part-1/
        About the LockDown VPN, you did not miss out. We decided to no use it, the reason being: it does not support “TrustedNetworkDetection”. So if your inside your organisation and the vpn does not connect (which is ok) LockDown actually prevents you from accessing anything in the network. We just wanted to have that behavior when the clients are outside the organisation. This way we would have to rebuild the whole network to have a kind of “zero trust” environment, maybe next time.
        Thanks again for the Help.

      • Great to hear! I agree, LockDown VPN sounds intriguing initially, but when you look at the list of challenges it poses (lack of trusted network detection being one of them!) then you start to realize it is a bit heavy-handed. And making matters worse, it is difficult to actually remove the connection once it is deployed (as you found out!). I’ll have to do a write of this and perhaps save other some pain of going down the testing path only to learn this same thing. Look for that soon. 🙂

  2. Mike

     /  May 14, 2018

    If I run the command to disconnect the Device Tunnel, it says “No Connections”. Then if I try to remove it, it says it “cannot delete a connection while it is connected”. 1803.

    Reply
    • Odd. Make sure that if your VPN connection name has spaces in it that you use quotes for it. Other than that, disconnecting with rasdial.exe should absolutely work. 🙂

      Reply
      • Daniel Bolton

         /  November 8, 2018

        Hi, is there a way to close a devicetunnel without running the command as administrator? I seem to be unable to close the tunnel unless I execute the commend from an elevated command prompt? Thanks 🙂

      • I don’t believe so. As the device tunnel runs in the context of the system account, you’ll almost certainly required administrative rights to do anything with it.

  3. Daniel Bolton

     /  November 12, 2018

    Thanks Richard, that was my feeling also 🙂 Could I ask another question. We have managed to deploy both Device and User tunnels without any issues. My understanding from MS is that you can run a Device tunnel, then launch a User tunnel at the same time on the same machine; perhaps to allow additional access to internal systems based upon VPN IP address/subnet. The User tunnel launches fine, the Device tunnel drops….then the User tunnel drops and the Device tunnel connects again. We have logged this issue with MS and it is looking like a bug, but I wondered if you had seen this yourself and if you had any information or guidance? Thanks, Danny

    Reply
  4. Petter

     /  April 16, 2019

    Hello Richard,

    It sometimes seems like the device tunnel reconnects right away when disconnecting with rasidal /disconnect. Is this expected?

    Also, is there any other way to disconnect from a device tunnel other than using that rasdial-command?

    Thanks!

    Reply
    • Yes. I have the same experience. I’m not aware of any way to disconnect the device tunnel other than with rasdial.exe. If you’re trying to delete it using Remove-VPNConnection for example you have to disconnect than immediately and quickly run the command to remove it before it reconnects. Alternatively you could use PowerShell and WMI to forcibly remove the connection even while it’s connected, much as you would with a LockDown VPN connection.

      Reply
  5. sccm2012site

     /  October 22, 2019

    I found this combination run together at the same time worked for me.

    rasdial /disconnect
    Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force

    Reply
  6. Geir Helge Nygjerde

     /  November 30, 2019

    I have successfully configured Always on VPN Device Tunnel in my lab. Going from DirectAccess, where the connection showed connected or disconnected when switching between domain networks (trusted network) and external networks.
    With my AOVPN Device Tunnel, I can see that the vpn connection is connecting and is working as it should, but when I switch back to domain network (trusted network), the VPN connection stays connected and the traffic is still routed through my RRAS server. Is this the default behaviour, or have I done something wrong?

    Reply
  7. sebus

     /  April 20, 2020

    Is there a way to DISABLE the machine tunnel from command line (but not remove it)?

    Reply
  8. Ross Aveling

     /  May 5, 2020

    As others have noted, once disconnected the VPN could come up again very quickly before we have a chance to remove it. If those two commands are run a couple of times it usually works.

    I’ve now used a loop in PowerShell to ensure an existing Always On VPN is removed before re-adding it (ideal when you want to update the settings of the VPN);

    #Check to see if VPN already exists and remove
    Do
    {
    Write-host “VPN profile $ProfileName already exists.”
    Start-Process -FilePath rasdial.exe -ArgumentList “`”$ProfileName`””, ‘/disconnect’ -Wait #Disconnect
    Remove-VpnConnection -Name $ProfileName -Force -AllUserConnection #Remove
    } While (Get-VpnConnection -Name $ProfileName -AllUserConnection)

    Reply
    • Ross Aveling

       /  May 5, 2020

      Actually, the existence of the VPN should be evaluated first, now change to;

      While (Get-VpnConnection -Name $ProfileName -AllUserConnection)
      {
      Write-host “VPN profile $ProfileName already exists.”
      Start-Process -FilePath rasdial.exe -ArgumentList “`”$ProfileName`””, ‘/disconnect’ -Wait #Disconnect
      #Start-Process -FilePath rasphone.exe -ArgumentList ‘-r’, “`”$ProfileName`”” -Wait #Remove using rasphone.exe
      Remove-VpnConnection -Name $ProfileName -Force -AllUserConnection #Remove using PowerShell
      }

      Reply
  9. James Holder

     /  June 18, 2020

    Hi Richard, ever seen the issue whereby the Device Tunnel is disconnected, Windows Network view shows it as Disconnected and Get-VpnConnection shows the status as Disconnected, but when you do Remove-VpnConnection it says it is still connected so can’t be deleted…?!

    Reply
    • I have not! Odd for sure. If you try to disconnect using rasdial.exe or rasphone.exe can you delete it then?

      Reply
      • James Holder

         /  June 19, 2020

        Hey Richard, so yes, it was rasdial.exe doing the disconnect command in the WHILE loop (posted in an earlier comment) with the Remove-VpnConnection command straight after. It would appear rasdial.exe does disconnect the Device Tunnel, yet Remove-VpnConnection fails stating it is still connected. I thought it was odd as well… It’s happened to me a few times now. Yet other times, it works OK. Not to worry though, thanks. 🙂

      • Very strange, and quite frustrating for sure. Not sure if it will help, but you might want to try using rasphone.exe -h [VPN profile name] as I’ve had better luck getting it to reliably disconnect VPN sessions. 🙂

  10. Hi Richard, do you know if there’s a way to prevent the users from removing the user tunnel? I’ve had a few support calls now where the user has managed to do that ..

    Reply
    • I’ve had a few people ask about this, and I think the best way to do this is to hide the VPN settings in the control panel. It might not be perfect, but it may help. I’ll have to write something about this soon, but for now a Bing/Google search should yield some information on the specific policy settings reuqired.

      Reply
  11. Panos83

     /  July 24, 2020

    Hello,i face a weird problem when trying to delete the always on VPN.
    Get-CimInstance : A general error occurred that is not covered by a more specific error code.
    At C:\Remove-LockDownVPN.ps1:136 char:16
    + … mInstance = Get-CimInstance -Namespace ‘root\cimv2\mdm\dmmap’ -ClassN …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
    Removing LockDown VPN Connection “AONVPN”…
    Remove-CimInstance : Cannot bind argument to parameter ‘InputObject’ because it is null.
    At C:\Remove-LockDownVPN.ps1:144 char:33
    + Remove-CimInstance -CimInstance $CimInstance
    + ~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Remove-CimInstance], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Management.Infrastructure.CimCm
    dlets.RemoveCimInstanceCommand

    Any suggestions?

    Reply
    • Are you specifically trying to remove a lockdown VPN profile? Or just a regular user or device tunnel?

      Reply
      • Panos83

         /  July 24, 2020

        Hello,a device tunnel correct!in some workstations the script works!

      • Ok. That script is specifically for lockdown VPN profiles. Not sure if it will work for a regular device tunnel. I’m working on a script now that I haven’t published. I’m happy to share if you’d like to test. 🙂

      • Panos83

         /  July 24, 2020

        Sorry did not read well your previous comment.it is a lockdown device tunnel I would like to remove.in most workstations work but 1-2 cannot remove the tunnel.

      • Ok, that script should work. Not sure why it is failing in some cases.

  12. Panos83

     /  July 24, 2020

    hello,thanks for your answers ae really helpful.
    So is there any way to delete the aonvpn locked or any possible logs to check in order to delete it?
    Thank you!

    Reply
    • If it is a lockdown VPN profile my script should work. Not sure why it isn’t. I’d suggest deleting the entry in rasphone.pbk and and rebooting to see if that does the trick.

      Reply
  13. Erik Jansson

     /  October 1, 2020

    Hi, have anyone experienced issues with automatic-reconnection after using: rasdial.exe [connection_name] /disconnect ?
    I was using it in a script and since that, users have to connect manually!? I have checked autoconnect-properties in rasphone.pbk and “AutoTriggerDisabledProfileList” in the registry but no changes. I can’t figure out what rasdial is modifying when it simply should disconnect.

    Cheers!
    Erik

    Reply
  14. David White

     /  October 5, 2020

    Hi Richard.

    Did you complete the device tunnel removal script you were working on?

    We need to update the device tunnel but are getting somewhat mixed (mostly failure) results with rasphone -h and rasdial /disconnect (rasdial hangs the script when run in system context).

    Thanks.
    David

    Reply
  1. Always On VPN RasMan Device Tunnel Failure | Richard M. Hicks Consulting, Inc.
  2. Always On VPN Device Tunnel Missing in Windows 10 UI | Richard M. Hicks Consulting, Inc.
  3. Always On VPN Device Tunnel Does Not Connect Automatically | Richard M. Hicks Consulting, Inc.
  4. Always On VPN Device Tunnel Configuration using Intune | Richard M. Hicks Consulting, Inc.
  5. Always On VPN Device Tunnel Operation and Best Practices | Richard M. Hicks Consulting, Inc.
  6. Always On VPN Device Tunnel Only Deployment Considerations | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: