Always On VPN LockDown Mode

When an Always On VPN connection is provisioned to a Windows 10 client, there’s nothing to prevent a user from disconnecting or even deleting the connection. Some administrators have expressed concern about this, fearful that users may disable the VPN to improve performance or circumvent access controls when force tunneling is enabled. Also, administrators may wish to prevent users from accidentally or purposefully making changes to the configuration, or even deleting the connection entirely.

LockDown Mode

To address these concerns, Microsoft included a feature called LockDown mode for Always On VPN. Once enabled, the following conditions apply.

  • The LockDown VPN connection is always on.
  • The LockDown VPN connection cannot be disabled.
  • The user can’t make changes to or delete the LockDown connection.
  • No other VPN connections can exist on the client.
  • Force tunneling is enabled by default (split tunneling in LockDown mode is not supported).

Challenges with LockDown Mode

Always On VPN LockDown mode brings with it some unique challenges, however. Consider the following.

Limited Protocol Support

LockDown mode only supports IKEv2 and the native (built-in) VPN client. Third-party plug-in provider clients are not supported. IKEv2 is an excellent VPN protocol in terms of security, but operationally speaking it has some serious drawbacks.

Force Tunneling Only

LockDown mode uses force tunneling exclusively. All network traffic must go over the VPN connection. However, if the VPN connection is not available, the client will be unable to access any network resources at all, local or remote.

Captive Portal Issues

LockDown mode prevents clients from connecting to network resources from a network with a captive portal.

On-premises Connectivity

In LockDown mode all network traffic must flow over the VPN tunnel even if the client is on the internal network. This also means that if the VPN server is not reachable internally (unable to resolve public hostname, protocols/ports blocked by internal firewall, unable to route to VPN server, etc.) the client will not be able to access any internal or external network resources at all.

Deleting a LockDown VPN Connection

Deleting a LockDown VPN connection is also challenging. Administrators will find that trying to delete it using the UI or PowerShell often fails. To delete a LockDown Always On VPN connection, use psexec.exe to open an elevated PowerShell command window running in the system context using the following command.

.\psexec.exe -i -s C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe

In the new elevated PowerShell window run the following commands to delete the LockDown VPN connection.

# MDM bridge WMI provider namespace and the VPNv2 CSP class (requires the system context)
$Namespace = "root\cimv2\mdm\dmmap"
$ClassName = "MDM_VPNv2_01"

# Enumerate the MDM-provisioned VPN profile(s) and delete them; piping handles
# the case where more than one instance is returned
$obj = Get-CimInstance -Namespace $Namespace -ClassName $ClassName
$obj | Remove-CimInstance

Optionally, download and run Remove-LockDownVPN.ps1 here.
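As an added example (not the script from the post or the author's Remove-LockDownVPN.ps1), the following PowerShell audits the profiles exposed through the MDM bridge provider, reports which of them have LockDown mode enabled, and removes only those. It assumes it is run in the system context as described above, that the MDM_VPNv2_01 class exposes InstanceID, ParentID and ProfileXML properties, and that a LockDown profile carries a LockDown element set to "true" in its ProfileXML; the SYSTEM SID check and the HTML-decode fallback are defensive assumptions, not something the post describes.

```powershell
# Added example: audit MDM-provisioned VPN profiles and remove LockDown ones.
# Run from an elevated PowerShell started as SYSTEM (psexec.exe -i -s ...),
# since root\cimv2\mdm\dmmap is only accessible in the system context.

$Namespace = 'root\cimv2\mdm\dmmap'
$ClassName = 'MDM_VPNv2_01'

# Set to $false to actually delete; $true only reports what would be removed.
$DryRun = $true

# Assumption: LocalSystem always has SID S-1-5-18; bail out early otherwise so
# the later Get-CimInstance failure is not mistaken for "no profiles".
$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if ($currentSid -ne 'S-1-5-18') {
    throw "Run this from a SYSTEM context (psexec.exe -i -s powershell.exe); current SID is $currentSid."
}

# Every VPN profile deployed through the VPNv2 CSP shows up as an instance here.
$profiles = @(Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop)
if ($profiles.Count -eq 0) {
    Write-Output 'No MDM-provisioned VPN profiles found.'
    return
}

foreach ($p in $profiles) {
    $isLockDown = $false
    if ($p.ProfileXML) {
        # Assumption: ProfileXML may come back either as raw XML or HTML-encoded
        # (as it is written when provisioned via the WMI bridge), so try both.
        $xmlText = $p.ProfileXML
        try {
            [xml]$doc = $xmlText
        } catch {
            [xml]$doc = [System.Net.WebUtility]::HtmlDecode($xmlText)
        }
        # LockDown mode is enabled when the profile contains <LockDown>true</LockDown>.
        $isLockDown = ($doc.VPNProfile.LockDown -eq 'true')
    }

    Write-Output ('Profile {0} (ParentID {1}) LockDown={2}' -f $p.InstanceID, $p.ParentID, $isLockDown)

    if ($isLockDown) {
        if ($DryRun) {
            Write-Output "  [dry run] would remove LockDown profile $($p.InstanceID)"
        } else {
            Remove-CimInstance -CimInstance $p -ErrorAction Stop
            Write-Output "  Removed LockDown profile $($p.InstanceID)"
        }
    }
}
```

Leaving $DryRun at $true first lets you confirm that exactly one profile is flagged before anything is deleted; non-LockDown profiles are listed but left alone, which the two-line version above does not do.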

Summary

While Always On VPN LockDown mode might seem like a good idea initially, its implementation is heavy-handed and practically speaking ends up causing more problems than it solves. For administrators that plan to enable this feature, carefully consider the drawbacks and limitations outlined above and their impact on supportability and the user experience.

Additional Information

Windows Always On VPN Device Tunnel Config using Microsoft Intune

Windows 10 Always On VPN Security Configuration 

Windows 10 Always On VPN Hands-On Training


11 Comments

  1. Flo TPG

     /  April 8, 2019

    I was so excited when I read the headline… practically this is useless. The only use case I can imagine would be tunneling wireless lan clients on the corporate campus (if you’re that paranoid).

    Nice conclusion: “causing more problems than it solves”

    Reply
    • Hannan

       /  April 12, 2019

      Exactly, I have also used purevpn windows vpn for tunneling wireless lan clients; it was useful.

      Reply
  2. What if you hide the settings-page with group policy: ms-settings:network-vpn. The “users” are not able to delete the VPN connection anymore… 99.9% of our users are not able to use PowerShell I think.

    Reply
  3. IL73

     /  June 6, 2019

    Hi,

    We have deployed AOVPN using a user profile and a ForceTunnel option. Yet still users are able to access resources on their local network and not all traffic is being routed down the VPN.

    Has anyone else experienced this?

    Thanks.

    Reply
  4. IL73

     /  June 7, 2019

    Has anyone successfully deployed lockdown mode? If so was this deployed as a device or user profile? Does anyone have a sample xml file?

    Thanks.

    Reply
    • I’ve only ever deployed in test and PoC for evaluation purposes. No customer of mine has opted for it yet. LockDown mode is implemented as a device tunnel only. I don’t have a sample XML file to share, but it’s enabled by adding the LockDown element and setting it to “true”.

      Reply
  5. Michael van der Burg

     /  August 29, 2019

    I have a customer who really wants this, I tried to convince them not to, but anyway. I’m testing it now, but when the notebook with a VPN lockdown connection is in the Corporate LAN it still wants to lockdown and networks are not accessible. This doesn’t seem to work 😦

    Does somebody know how to resolve this issue?

    Reply
    • There’s nothing to resolve. It is inherent in the design. When LockDown mode is enabled the client will only ever connect to the network (any network) if the VPN connection is established. That includes the internal network. This is one of the things that makes LockDown mode undesirable in most deployment scenarios.

      Reply
  1. Deploying Always On VPN with Intune using Custom ProfileXML | Richard M. Hicks Consulting, Inc.
