Removing Always On VPN Connections

Much has been written about provisioning Windows 10 Always On VPN client connections over the past few years. While the preferred method for deploying Always On VPN is Microsoft Intune, using PowerShell is often helpful for initial testing, and required for production deployment with System Center Configuration Manager (SCCM) or Microsoft Endpoint Manager (MEM). That said, there will invariably come a time when an administrator has to remove an Always On VPN connection. It is not as simple as you might think.

PowerShell

There are a variety of ways to remove an existing Always On VPN connection, with the quickest and simplest being PowerShell and the Remove-VpnConnection cmdlet.

Get-VpnConnection -Name 'Always On VPN' | Remove-VpnConnection -Force

There are several limitations to this method, however.

Active Connections

Administrators will quickly realize that PowerShell fails to remove a VPN connection that is currently connected. As shown here, attempting to remove an active VPN connection will return the following error message.

“The VPN connection [connection name] cannot be removed from the local user connections. Cannot delete a connection while it is connected.”


Registry Artifacts

Removing Always On VPN connections using PowerShell commonly leaves behind registry artifacts that can cause problems later. Always On VPN-related registry entries exist in several locations, including the HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked key, and they may not be deleted when the connection is removed. When provisioning a new Always On VPN connection with the same name as one that was deleted previously, the administrator may encounter the following error message.

“Unable to create [connection name] profile: A general error occurred that is not covered by a more specific error code.”


Note: This error can also be caused by improperly formatted XML configuration files. More details here.

Remove-AovpnConnection Script

Veteran Always On VPN administrators are likely familiar with the PowerShell scripts I’ve created called New-AovpnConnection.ps1 and New-AovpnDeviceConnection.ps1, which are hosted on my GitHub. These scripts are adapted from code samples published by Microsoft, to which I have added functionality. To address the limitations highlighted in this article I have published a new PowerShell script called Remove-AovpnConnection.ps1. It will remove any Always On VPN connection, even one that is currently active. It also includes logic to remove known registry artifacts common to Always On VPN. Download the script from GitHub and use the following syntax to remove an Always On VPN connection, established or not.

.\Remove-AovpnConnection.ps1 -ProfileName [connection name]

Running this PowerShell command will forcibly remove an Always On VPN connection. Use the -DeviceTunnel switch when removing a device tunnel connection (requires running in the system context). I have also included a -CleanUpOnly switch to remove registry artifacts when the VPN connection was previously removed using another method.
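The following function is an added example, not the Remove-AovpnConnection.ps1 script itself, showing the sequence the script section above and the Registry Artifacts section describe: disconnect, remove the profile through the MDM bridge class (MDM_VPNv2_01 in root\cimv2\mdm\dmmap, as Microsoft's sample scripts use), fall back to the VPN cmdlets if Remove-CimInstance fails (the "requested object could not be found" case several readers report in the comments), and then sweep the Tracked key. It assumes Tracked subkeys carry the profile name (raw or with spaces encoded as %20) in value names or data; that layout is an assumption, not something the post documents.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's Remove-AovpnConnection.ps1. Removes an Always On VPN
# profile even while connected, then clears Tracked registry values naming the profile.
# Assumption: the Tracked subkeys reference the profile by name (raw or %20-encoded) in
# value names or data; no documented key layout is relied on.
function Remove-AovpnProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)] [string] $ProfileName,
        [switch] $DeviceTunnel
    )
    # Device tunnels live in the machine context: fail early unless running as SYSTEM.
    if ($DeviceTunnel -and -not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
        throw 'Device tunnel removal must run as SYSTEM (for example via psexec -s).'
    }
    # 1. Disconnect first; Remove-VpnConnection refuses to delete a connected profile.
    rasdial.exe "$ProfileName" /disconnect | Out-Null
    # 2. Remove the profile through the MDM bridge. CSP URIs encode spaces as %20.
    $escaped = $ProfileName -replace ' ', '%20'
    $inst = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' `
                -ErrorAction SilentlyContinue | Where-Object { $_.InstanceID -eq $escaped }
    $removedViaCim = $false
    if ($inst -and $PSCmdlet.ShouldProcess($ProfileName, 'Remove-CimInstance MDM_VPNv2_01')) {
        try {
            $inst | Remove-CimInstance -ErrorAction Stop
            $removedViaCim = $true
        } catch {
            Write-Warning "Remove-CimInstance failed ($($_.Exception.Message)); using fallback."
        }
    }
    # 3. Fallback: delete the connection from the per-user and all-user phonebooks.
    $removedViaCmdlet = 0
    if (-not $removedViaCim) {
        $conns = @(Get-VpnConnection -Name $ProfileName -ErrorAction SilentlyContinue) +
                 @(Get-VpnConnection -Name $ProfileName -AllUserConnection -ErrorAction SilentlyContinue)
        foreach ($c in $conns) {
            if ($PSCmdlet.ShouldProcess($c.Name, 'Remove-VpnConnection -Force')) {
                $c | Remove-VpnConnection -Force
                $removedViaCmdlet++
            }
        }
    }
    # 4. Registry artifacts: remove Tracked values that reference the profile so a later
    #    profile with the same name does not fail with "Unable to create ... profile".
    $tracked = 'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked'
    $pattern = [regex]::Escape($ProfileName) + '|' + [regex]::Escape($escaped)
    $artifacts = 0
    if (Test-Path $tracked) {
        foreach ($key in Get-ChildItem -Path $tracked -Recurse -ErrorAction SilentlyContinue) {
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ($valueName -match $pattern -or $data -match $pattern) {
                    if ($PSCmdlet.ShouldProcess("$($key.Name) -> $valueName", 'Remove-ItemProperty')) {
                        Remove-ItemProperty -Path $key.PSPath -Name $valueName -ErrorAction SilentlyContinue
                        $artifacts++
                    }
                }
            }
        }
    }
    [pscustomobject]@{ ProfileName = $ProfileName; RemovedViaCim = $removedViaCim; RemovedViaCmdlet = $removedViaCmdlet; ArtifactsRemoved = $artifacts }
}
```

Run it once with -WhatIf (for example `Remove-AovpnProfile -ProfileName 'Always On VPN' -WhatIf`) to see which CIM instance, connections and registry values would be touched before doing the real removal.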

Updated Installation Scripts

I have also updated New-AovpnConnection.ps1 to include these registry cleanup steps. This will prevent future errors when provisioning an Always On VPN client where a connection of the same name was removed previously.

Note: New-AovpnConnection.ps1 has also been updated to support device tunnel deployments. As such, I have deprecated New-AovpnDeviceConnection.ps1. Simply use New-AovpnConnection.ps1 with the -DeviceTunnel switch to deploy an Always On VPN device tunnel.

Additional Information

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Troubleshooting Always On VPN Unable to Create Profile General Error


59 Comments

  1. Tim

     /  August 24, 2020

    “Registry Artifacts”, a brilliant term! They have always proved an issue and sometimes stop new profiles from being created on a client, but I have found this not just when using PowerShell. I have noticed that Custom Profiles in Intune, due to their nature of not being a Wi-Fi, Email or Native VPN Profile, are unable to be removed cleanly. In fact, removing a user assignment from a Custom ProfileXML VPN in Intune doesn’t do anything and the Profile remains on the client computer. Not very good for staying “in control” of your network. Have you seen this?

    Reply
    • I haven’t seen that, no. I’ll do some testing and see if I can reproduce. But yes, not ideal if you can’t also remove it using Intune!

      Reply
  2. Thanks for the useful info, especially with regard to removing an active connection. I’ve been successfully using rasphone -h but may start using this alternate one.

    Reply
    • While developing this script I tried using both rasphone.exe and rasdial.exe, but had only limited success. Sometimes it worked, others not. Yanking it out by the roots via Remove-CimInstance works every single time though. 🙂

      Reply
      • Yes, I observed the way the tunnel almost instantaneously tries to reconnect after being disconnected by rasphone.exe. I determined that it tries about 3 times then gives up on the fourth disconnection. I built this into my PS script (do..until loop) and it works perfectly. I prefer your ‘pure’ PowerShell method though.

      • I had the same experience. Originally I had a Do/Until loop and would use Get-NetIpInterface to look for the connection (after a slight pause). Couldn’t use Get-VpnConnection to check the status because it is unreliable!

  3. sergiibiletskyi

     /  August 24, 2020

    What about removing them via Intune? I noticed that simply removing people from the groups or disabling Config Profiles do not remove configured tunnel from the client.

    Reply
    • That’s not been my experience. If I delete the VPN profiles in Intune they eventually get removed from the client. Is that not the case for you? I didn’t specifically test removing a client from a device group though. Perhaps that’s different.

      Reply
    • Tim

       /  August 26, 2020

      This is my experience too, sergiibiletskyi. Also, when switching a user assignment from a Custom ProfileXML based VPN profile group to a Native Intune VPN Profile group, the profile doesn’t show as “Successful” in Intune reporting; instead it shows “Error” with error code 0x80004005 and –2147467259. After searching, it turns out this issue occurs when a Profile that wasn’t created by Intune (including a Custom ProfileXML) is overwritten with the same name by a native Intune profile. It’s the same for Email Configurations as described on this website: https://www.itexperience.net/fix-error-0x80004005-in-intune/

      I think if you have created a VPN profile with any other method (and want to use the same name with the native Intune profile) then you must delete the VPN connection manually before syncing again to receive the native Intune profile. Richard has just recently published details of removing User and Device Tunnels cleanly with a Powershell script so I am going to look into using these to see if they help.

      Reply
      • To clarify this, I was testing native Intune configured profiles for both device tunnel and user tunnel. When I deleted those profiles they were removed from the client. However, I didn’t test a VPN profile deployed using custom XML. I don’t know why the behavior would be different though, but perhaps it is.

    • Francesco F

       /  September 18, 2020

      Hi, only native configuration profiles are removed from client when no longer applicable or deleted. https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#what-happens-when-a-profile-is-deleted-or-no-longer-applicable

      You should run or deploy a custom script as Richard describes.

      Reply
  4. Dominik

     /  November 11, 2020

    Hi, quick question: what would be the best way to deploy this script to multiple computers? I have some issues trying to deploy it through Intune, as it looks like neither the system nor the user option is finding the tunnel, while when I run the script locally as an admin it all works fine. I have the option of deploying this through Intune or GP.

    Reply
    • I haven’t tested this script by deploying with Intune, so I’m not sure if there’s some limitation there or not. You can probably run it via group policy startup script for the device tunnel and user tunnel deployed for all users. You could run it as a logon script for the user tunnel but it might require administrative rights. You’ll have to test.

      Reply
  5. B.Williams

     /  January 27, 2021

    Hello, Has anyone else had issues with Remove-CimInstance no longer working?
    Instead the script errors at that line with the error ‘Remove-CimInstance : The requested object could not be found.’
    I have tried running the Remove-CimInstance command manually with the same results, even though Get-CimInstance finds and displays the specified profile details.

    Reply
    • What version of Windows 10 are you running? Is this a device tunnel or user tunnel? I’m assuming you are using my script then, correct?

      Reply
      • B.Williams

         /  January 28, 2021

        Hi Richard, Thank you for replying.
        We are using Win10 Enterprise 20H2.
        Yes, the script I have used many times last year to remove both Device and User tunnel profiles, but my recent attempts have failed. This is when I looked a little deeper and tried the CimInstance commands directly with the same results.
        Strangely enough Get-CimInstance reports and returns the VPN config correctly but the Remove-CimInstance call fails when the results are passed to it.

      • Not sure what’s up there. I just tested my script [https://github.com/richardhicks/aovpn/blob/master/Remove-AovpnConnection.ps1] and it seems to work fine on Windows 10 20H2. :/

      • RainerT

         /  February 18, 2021

        Same here, not working on Windows 10 20H2 (build 19042.746), when it works with at least versions 1809 and 1909. Tested with the latest PS-script today. The error is
        Remove-CimInstance : The requested object could not be found.
        At \Remove-AovpnConnection.ps1:92 char:5
        + Remove-CimInstance -CimInstance $CimInstance
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : ObjectNotFound: (MDM_VPNv2_01 (I…or/MSFT/VPNv2"):CimInstance) [Remove-CimInstance], CimException
        + FullyQualifiedErrorId : MI RESULT 6,Microsoft.Management.Infrastructure.CimCmdlets.RemoveCimInstanceCommand

      • That’s really strange. I’ve tested numerous times on Windows 10 20H2 and it works for me every time. :/ Are you running Enterprise Edition? Are you trying to remove a device tunnel or user tunnel? How was the profile implemented initially? Intune or PowerShell?

      • RainerT

         /  March 8, 2021

        Yes, Windows 10 Enterprise Edition and domain joined computers. Worked perfectly when removing and installing new device profile when the Win 10 versions were 1809 and 1909. Deployed using SCCM and PowerShell script. But when computers were upgraded to Win 10 20H2, then the device profile removal stopped working with the error above. No other changes made except the Win 10 upgraded to version 20H2 (build 19042.804)

      • I’m hearing reports of issues with the script and 20H2, but unfortunately I’m unable to reproduce. It works perfectly every time for me. :/ I’m curious though, were these in place upgrades? All of my testing has been with clean builds to this point.

      • RainerT

         /  March 10, 2021

        Hi Richard, in my case yes, in-place upgrade from Windows Update, from 1909 to 20H2. The result is that running the Remove-AovpnConnection.ps1 PS-script fails every time with the ‘Object Not Found’ error. OS in-place upgrade is a common way of upgrading the Windows 10 OS, and it seems that there is some kind of bug in that version, because the script worked perfectly when the OS was upgraded from 1809 to 1909. I haven’t heard from anyone else that it works in the 20H2 version.

      • Good to know. I’ll do some testing and see what I can find.

  6. Sven Schmidt

     /  February 22, 2021

    Hi Richard, thanks for the valuable content on your blog.
    On notebooks we currently use roaming profiles, which results in the user tunnel not being established. Windows tries to open the rasphone.pbk but does not find it in the profile. The device tunnel does not open fast enough to make the network profile available again.

    Is there a way to redirect the rasphone.pbk completely so that the network profile is not called in the process? Deployment is done via PowerShell. SCCM or Intune are unfortunately not available. Maybe you have an idea. Roaming profiles are important to us and we would hate to do without them.

    Reply
  7. Danielle

     /  February 23, 2021

    I’m having an issue where running the RemoveAoVpnConnection.ps1 script from a group policy is not fully removing the connection. Some of the registry artifacts are removed, but the connection still appears under network settings > change adapter options. I’ve tried a scheduled task, immediate task, and startup script. Running as system w/ highest privileges. Using the correct parameters. I had the same problem running a simpler script that just gets the vpn connection, disconnects it and removes it without all the checks and cleanup and it’s the same issue running from policy, but when run locally it correctly deletes the adapter in network settings. Any ideas what that could be?

    Reply
    • I’m not sure, to be honest. This isn’t something I’ve tested, running it via group policy. I’d have to do some testing to see if I can replicate the issue. It sounds like a context issue though.

      Reply
  8. On my users (100x staff using SSTP through RRAS + EAP-TLS auth), I have created a logon script which basically re-creates the VPN profile each time users log on. I use rasphone -R “VPN” to remove the existing VPN config before the VPN profile is re-created again upon logon. This happens each time a user logs in. The reason I do it this way is because we only have Group Policy available, so a scheduled task runs on logon which runs the VPN creation script. Any changes I need to make, e.g. add new subnets etc. to the VPN config file, I can then do centrally on group policy under the Sysvol folders, and users will automatically download the new VPN config file to their computer once connected to the VPN and once their computer contacts domain controllers to see if any updates are available. It will take a user a reboot or logout/login to update their VPN profile to the new settings. Pretty crude, but it has served well for over a year now.

    Reply
  9. oraat

     /  March 9, 2021

    I have the same problem with 20H2 Enterprise version. I cannot remove the device tunnel. .\Remove-AovpnConnection.ps1 -ProfileName ‘Always On VPN – Device’ -DeviceTunnel.
    I get also Remove-CimInstance : The requested object could not be found.

    Reply
    • That’s really strange. I’m unable to reproduce this myself. It works every time for me. Obviously, there is something different about your configuration. Did you deploy the device tunnel using PowerShell or Intune?

      Reply
      • oraat

         /  March 9, 2021

        I have a clean Win10 (en layout) Enterprise installation, domain joined. I manually ran your script as the system account with PowerShell and the tunnel was created. But deleting the same tunnel does not work.
        Exactly the same script was working OK before the 20H2 update.
        The error is always this: “Remove-CimInstance : The requested object could not be found.”

        Thanks,
        oraat

      • A number of folks have reported this issue. I’m looking into it now and will make an update as soon as I’m able to reproduce and identify/resolve the issue.

      • B Williams

         /  March 11, 2021

        I thought I would share my findings here since encountering this issue. I used a WMI browser to try find where the VPN config is being stored. In my case the namespace of ‘root\cimv2\mdm\dmmap’ was empty but I found the config in ‘root\Microsoft\Windows\RemoteAccess\Client’

      • Most interesting. How did you deploy the VPN tunnel? With Intune or PowerShell?

      • Bert Williams

         /  March 22, 2021

        Hi Richard – In response to how the tunnels were deployed I used Intune CustomXML profiles

      • Ok. You’re running the removal script in the SYSTEM context, correct?

      • oraat

         /  March 22, 2021

        Yes, I’m naturally always running the device tunnel removal in the system context and I understand that this should not be an issue here, since we anyway remove the tunnel with system context. This WMIExplorer stuff is just one observation that something is different with these two 2004 laptops. Is it permissions or what I have no idea.

      • Got it. Thanks for the clarification. That is quite unusual, for sure. I’m still unable to reproduce this myself. I’ve tested a dozen times with different 2004 and 20H2 builds and still no luck. Works every time. :/

      • Bert Williams

         /  March 23, 2021

        Yes – running as System using the psexec method as documented

      • Ok, good to know. There shouldn’t be any permissions issue when running as SYSTEM. Others have reported that the device tunnel appears in a different location when viewed with WMI Explorer. I’m looking in to that now.

  10. oraat

     /  March 17, 2021

    Some update for this error: Remove-CimInstance : The requested object could not be found.

    I have two Win10 machines in different domains, both have version 2004 through updates.
    With one machine the scripts work completely OK; I can create and remove the device tunnel as many times as I want,
    but with the other machine I can create the device tunnel once but cannot remove it; I get the error when trying to remove.

    Only way I can remove it is:
    rasdial /disconnect
    Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force

    I’m running the scripts manually with a system-elevated PowerShell, so no SCCM nor Intune.

    Reply
    • That is really strange! Something must be different, no doubt. What that is I can’t imagine though. :/

      Reply
      • oraat

         /  March 18, 2021

        If I start Wmi explorer (run as admin) in the machine where the scripts work, I can see the AO VPN instance in the path root\cimv2\mdm\dmmap\MDM_VPNv2_01.

        If I do the same in the machine where scripts do not work, the path root\cimv2\mdm\dmmap seems to be empty.
        BUT if run WmiExplorer with system permissions in this machine I can see the MDM_VPNv2_01 instance !

        Is this some kind of permission problem ?

      • Not sure. However, if you are removing a device tunnel you must run the PowerShell script in the context of SYSTEM. Perhaps that’s the issue?

  11. oraat

     /  March 23, 2021

    My previous comment went to the wrong place 🙂 Please remove it, I was supposed to write it here:

    Yes, I’m naturally always running the device tunnel removal in the system context and I understand that this should not be an issue here, since we anyway remove the tunnel with system context. This WMIExplorer stuff is just one observation that something is different with these two 2004 laptops. Is it permissions or what I have no idea.

    Reply
  12. Tee

     /  June 10, 2021

    Hi Richard,

    I can’t seem to get this script to disconnect an active session, rasdial /disconnect seems to work for me though so I’m just running that before the remove.

    Reply
  13. A. Barnhard

     /  July 2, 2021

    I’ve also encountered the ‘object not found’ message on an updated 20H2. After clearing left-over entries in registry (Computer\HKEY_USERS\ S-1-5-21domain-500 SID \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections) the removed and then added connection worked.

    Reply
  14. Ronald Oosterloo

     /  August 11, 2021

    Richard, Thanks for your documentation.
    We have a successful connection on a Windows 10 Pro device.
    Only when we import the exported ProfileXML from the Windows 10 device into a Windows 11 device we get the error:
    The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the administrator of the RAS server and notify them of this error.

    Certificates etc. are imported on the Windows 11 device.

    Do you know what we are doing wrong?

    Reply
    • The two most common scenarios when you receive this error are the NPS server rejecting the authentication request, or the VPN server not being able to communicate with the NPS server. I’d check the event log on the NPS server to see if the request was rejected, and if so, why. If it never saw it, I’d check the communication between the VPN and NPS servers.

      Reply
      • Ronald Oosterloo

         /  August 16, 2021

        Here is a log of the NPS Server:

        Network Policy Server denied access to a user.

        Contact the Network Policy Server administrator for more information.

        User:
        Security ID: xxxxx\xxxxxxxxx
        Account Name: [email protected]
        Account Domain: xxxxx
        Fully Qualified Account Name: xxxxx\xxxxxxxxx

        Client Machine:
        Security ID: NULL SID
        Account Name: –
        Fully Qualified Account Name: –
        Called Station Identifier: 10.xxx.xxx.xxx
        Calling Station Identifier: 86.82.205.xxx

        NAS:
        NAS IPv4 Address: –
        NAS IPv6 Address: –
        NAS Identifier: xxxxx
        NAS Port-Type: Virtual
        NAS Port: 390

        RADIUS Client:
        Client Friendly Name: AlwaysOn VPN – xxxx
        Client IP Address: 10.xxx.xxx.xxx

        Authentication Details:
        Connection Request Policy Name: AlwaysOn VPN Connections
        Network Policy Name: AlwaysOn VPN
        Authentication Provider: Windows
        Authentication Server: xxxxxxx.xxxxxx.xxx
        Authentication Type: PEAP
        EAP Type: –
        Account Session Identifier: 39313737
        Logging Results: Accounting information was written to the local log file.
        Reason Code: 16
        Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

      • The most common cause of “credential mismatch” issues is the user authentication certificate being misconfigured. Typically this means either the UPN is missing or incorrect. Have a close look at those. It could also be caused by a missing domain controller authentication certificate on a domain controller. Lastly, make sure the NPS server is correctly configured with your issuing CA in their NTAuth certificate store. Reference articles here:

        https://directaccess.richardhicks.com/2018/04/30/always-on-vpn-certificate-requirements-for-ikev2/
        https://directaccess.richardhicks.com/2019/05/20/always-on-vpn-clients-prompted-for-authentication-when-accessing-internal-resources/
        https://directaccess.richardhicks.com/2021/08/02/troubleshooting-always-on-vpn-error-853/

      • Ronald Oosterloo

         /  August 27, 2021

        Dear Richard,
        We solved the problem.

        The servers used to verify the identity were in lowercase. We have replaced these servers in uppercase. After that the VPN connects successfully.

      • Interesting. Where specifically did you make this change? In the EAP configuration on the client?

      • Ronald Oosterloo

         /  August 30, 2021

        Dear Richard,

        Yes we have changed it in the Protected EAP Properties and in the Smart Card or Other Certificate Properties.

      • Good to know!
