Deleting an Always On VPN Device Tunnel

Deleting an Always On VPN Device TunnelWindows 10 Always On VPN supports both a user tunnel for corporate network access, and a device tunnel typically used to provide pre-logon network connectivity and to support manage out scenarios. The process of testing Always On VPN is often an iterative one involving trial and error testing to fine tune the configuration parameters to achieve the best experience. As a part of this process it will often be necessary to delete a connection at some point. For the user tunnel the process is simple and straightforward. Simply disconnect the session and delete the connection in the UI.

Deleting an Always On VPN Device Tunnel

Deleting a device tunnel connection presents a unique challenge though. Specifically, there is no VPN connection in the UI to disconnect and remove. To delete an Always On VPN device tunnel, open an elevated PowerShell window and enter the following command.

Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force

If the device tunnel is connected when you try to remove it, you will receive the following error message.

The VPN connection [connection_name] cannot be removed from the global user connections. Cannot
delete a connection while it is connected.

Deleting an Always On VPN Device Tunnel

The device tunnel must first be disconnected to resolve this issue. Enter the following command to disconnect the device tunnel.

rasdial.exe [connection_name] /disconnect

Remove the device tunnel connection using PowerShell once complete.

Deleting an Always On VPN Device Tunnel
Additional Resources

Windows 10 Always On VPN Device Tunnel Step-by-Step Configuration using PowerShell

What’s The Difference Between DirectAccess and Always On VPN?

Windows 10 Always On VPN Recommendations for Windows Server 2016 Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN Hands-On Training

Leave a comment


  1. Andy

     /  April 6, 2018

    rasphone -R “Device Tunnel” seems to work with one command

    • Thanks for the tip. I’ll have to give that a try! πŸ™‚

    • FYI: On my Windows 10 build 1803 i had to use:
      rasphone -h “VPN-Tunnel-Name”

      • Phi

         /  March 19, 2019

        How do I remove a “LockDown” VPN DeviceTunnel? I cannot do it the same as a normal DeviceTunnel -> disconnect with rasdial and then delete in powershell, because even with psexec in a system context I get an error that I do not have enough permission. Has anyone ever had to delete a LockDown VPN connection?

      • I’ve never used or even tested that LockDown option for Windows 10 Always On VPN. However, someone who follows this blog sent me the following PowerShell code that should remove it.

        PsExec.exe -s C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe (do NOT use the -i switch!)

        $namespaceName = “root\cimv2\mdm\dmmap”
        $className = “MDM_VPNv2_01”

        $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
        Remove-CimInstance -CimInstance $obj

        Let me know how it goes!

      • phi

         /  March 20, 2019

        Hey Richard
        Thank you for the answer, it worked!
        Of course we need to edit this over the wmi/csp bridge… I found a series of articles by Microsoft explaining the whole WMI bridge thing. Maybe it is of help for someone:
        About the LockDown VPN, you did not miss out. We decided to no use it, the reason being: it does not support “TrustedNetworkDetection”. So if your inside your organisation and the vpn does not connect (which is ok) LockDown actually prevents you from accessing anything in the network. We just wanted to have that behavior when the clients are outside the organisation. This way we would have to rebuild the whole network to have a kind of “zero trust” environment, maybe next time.
        Thanks again for the Help.

      • Great to hear! I agree, LockDown VPN sounds intriguing initially, but when you look at the list of challenges it poses (lack of trusted network detection being one of them!) then you start to realize it is a bit heavy-handed. And making matters worse, it is difficult to actually remove the connection once it is deployed (as you found out!). I’ll have to do a write of this and perhaps save other some pain of going down the testing path only to learn this same thing. Look for that soon. πŸ™‚

  2. Mike

     /  May 14, 2018

    If I run the command to disconnect the Device Tunnel, it says “No Connections”. Then if I try to remove it, it says it “cannot delete a connection while it is connected”. 1803.

    • Odd. Make sure that if your VPN connection name has spaces in it that you use quotes for it. Other than that, disconnecting with rasdial.exe should absolutely work. πŸ™‚

      • Daniel Bolton

         /  November 8, 2018

        Hi, is there a way to close a devicetunnel without running the command as administrator? I seem to be unable to close the tunnel unless I execute the commend from an elevated command prompt? Thanks πŸ™‚

      • I don’t believe so. As the device tunnel runs in the context of the system account, you’ll almost certainly required administrative rights to do anything with it.

  3. Daniel Bolton

     /  November 12, 2018

    Thanks Richard, that was my feeling also πŸ™‚ Could I ask another question. We have managed to deploy both Device and User tunnels without any issues. My understanding from MS is that you can run a Device tunnel, then launch a User tunnel at the same time on the same machine; perhaps to allow additional access to internal systems based upon VPN IP address/subnet. The User tunnel launches fine, the Device tunnel drops….then the User tunnel drops and the Device tunnel connects again. We have logged this issue with MS and it is looking like a bug, but I wondered if you had seen this yourself and if you had any information or guidance? Thanks, Danny

  4. Petter

     /  April 16, 2019

    Hello Richard,

    It sometimes seems like the device tunnel reconnects right away when disconnecting with rasidal /disconnect. Is this expected?

    Also, is there any other way to disconnect from a device tunnel other than using that rasdial-command?


    • Yes. I have the same experience. I’m not aware of any way to disconnect the device tunnel other than with rasdial.exe. If you’re trying to delete it using Remove-VPNConnection for example you have to disconnect than immediately and quickly run the command to remove it before it reconnects. Alternatively you could use PowerShell and WMI to forcibly remove the connection even while it’s connected, much as you would with a LockDown VPN connection.

  5. sccm2012site

     /  October 22, 2019

    I found this combination run together at the same time worked for me.

    rasdial /disconnect
    Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force

  6. Geir Helge Nygjerde

     /  November 30, 2019

    I have successfully configured Always on VPN Device Tunnel in my lab. Going from DirectAccess, where the connection showed connected or disconnected when switching between domain networks (trusted network) and external networks.
    With my AOVPN Device Tunnel, I can see that the vpn connection is connecting and is working as it should, but when I switch back to domain network (trusted network), the VPN connection stays connected and the traffic is still routed through my RRAS server. Is this the default behaviour, or have I done something wrong?

  1. Always On VPN RasMan Device Tunnel Failure | Richard M. Hicks Consulting, Inc.
  2. Always On VPN Device Tunnel Missing in Windows 10 UI | Richard M. Hicks Consulting, Inc.
  3. Always On VPN Device Tunnel Does Not Connect Automatically | Richard M. Hicks Consulting, Inc.
  4. Always On VPN Device Tunnel Configuration using Intune | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: