Much has been written about provisioning Windows 10 Always On VPN client connections over the past few years. While the preferred method for deploying Always On VPN is Microsoft Intune, using PowerShell is often helpful for initial testing, and required for production deployment with System Center Configuration Manager (SCCM) or Microsoft Endpoint Manager (MEM). That said, there will invariably come a time when an administrator has to remove an Always On VPN connection. It is not as simple as you might think.
Important Note! The PowerShell script mentioned in this post is broken in Windows 11 and some later versions of Windows 10. This is due to an apparent bug whereby the MDM_VPNv2_01 WMI class can’t be enumerated. Microsoft is aware of the issue and hopefully it will be resolved in the near future.
PowerShell
There are a variety of ways to remove an existing Always On VPN connection, with the quickest and simplest being PowerShell and the Remove-VpnConnection cmdlet.
Get-VpnConnection -Name ‘Always On VPN’ | Remove-VpnConnection -Force
There are several limitations to this method, however.
Active Connections
Administrators will quickly realize that PowerShell fails to remove a VPN connection that is currently connected. As shown here, attempting to remove an active VPN connection will return the following error message.
“The VPN connection [connection name] cannot be removed from the local user connections. Cannot delete a connection while it is connected.”
Registry Artifacts
Removing Always On VPN connections using PowerShell commonly leaves behind registry artifacts that can potentially cause problems. For example, there are several Always On VPN-related registry entries in several locations including the HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked hive that may not be deleted when removing an Always On VPN connection. When provisioning a new Always On VPN connection after deleting one with the same name previously, the administrator may encounter the following error message.
“Unable to create [connection name] profile: A general error occurred that is not covered by a more specific error code.”
Note: This error can also be caused by improperly formatted XML configuration files. More details here.
Remove-AovpnConnection Script
Veteran Always On VPN administrators are likely familiar with PowerShell scripts I’ve created called New-AovpnConneciton.ps1 and New-AovpnDeviceConnection.ps1, which are hosted on my GitHub. These scripts are adapted from code samples published by Microsoft to which I have included additional functionality. To address the limitations highlighted in this article I have published a new PowerShell script called Remove-AovpnConnection.ps1. It will remove any Always On VPN connection, even those that are currently active. It also includes logic to remove known registry artifacts common to Always On VPN. Download the script from GitHub and use the following syntax to remove an Always On VPN connection, established or not.
.\Remove-AovpnConnection.ps1 -ProfileName [connection name]
Running this PowerShell command will forcibly remove an Always On VPN connection. Use the -DeviceTunnel switch when removing a device tunnel connection (requires running in the system context). I have also included a -CleanUpOnly switch to remove registry artifacts when the VPN connection was previously removed using another method.
Updated Installation Scripts
I have also updated New-AovpnConnection.ps1 to include these registry clean up steps. This will prevent future errors when provisioning an Always On VPN client where a connection of the same name was removed previously.
Note: New-AovpnConnection.ps1 has also been updated to support device tunnel deployments. As such, I have deprecated New-AovpnDeviceConnection.ps1. Simply use New-AovpnConnection.ps1 with the -DeviceTunnel switch to deploy an Always On VPN device tunnel.
Additional Information
Windows 10 Always On VPN Device Tunnel Configuration using PowerShell
Troubleshooting Always On VPN Unable to Create Profile General Error
Tim
/ August 24, 2020“Registry Artifacts” a brilliant term! They have always proved an issue and sometimes stop new profile from being created on a client but I have found this not just when using Powershell – I have noticed that Custom Profiles in Intune due to their nature of not being a Wi-Fi,Email or Native VPN Profile are unable to be removed cleanly. In fact, removing a user assignment from a Custom ProfileXML VPN in Intune doesn’t do anything and the Profile remains on the client computer. Not very good for staying “in control” of your network. Have you seen this?
Richard M. Hicks
/ August 24, 2020I haven’t seen that, no. I’ll do some testing and see if I can reproduce. But yes, not ideal if you can’t also remove it using Intune!
Andy Chips
/ August 24, 2020Thanks for the useful info, especially with regard to removing an active connection. I’ve been successfully using rasphone -h but may start using this alternate one.
Richard M. Hicks
/ August 24, 2020While developing this script I tried using both rasphone.exe and rasdial.exe, but had only limited success. Sometimes it worked, others not. Yanking it out by the roots via Remove-CimInstance works every single time though. 🙂
Andy Chips
/ August 25, 2020Yes, I observed the way the tunnel almost instantaneously tries to reconnect after being disconnected by rasphone.exe. I determined that it tries about 3 times then gives up on the fourth disconnection. I built this into my PS script (do..until loop) and it works perfectly. I prefer your ‘pure’ PowerShell method though.
Richard M. Hicks
/ August 25, 2020I had the same experience. Originally I had a Do/Until loop and would use Get-NetIpInterface to look for the connection (after a slight pause). Couldn’t use Get-VpnConnection to check the status because it is unreliable!
sergiibiletskyi
/ August 24, 2020What about removing them via Intune? I noticed that simply removing people from the groups or disabling Config Profiles do not remove configured tunnel from the client.
Richard M. Hicks
/ August 25, 2020That’s not been my experience. If I delete the VPN profiles in Intune they eventually get removed from the client. Is that not the case for you? I didn’t specifically test removing a client from a device group though. Perhaps that’s different.
Kossi
/ July 28, 2022Hi Richard,
I am having issue to remove the old vpn client through Intune. I am using win 11 and can you please assist me with this?
Richard M. Hicks
/ July 28, 2022Did you deploy the VPN profile using the VPN template or the custom template?
Tim
/ August 26, 2020This is my experience too sergiibiletskyi. Also, when switching a user assignment from a from a Custom ProfileXML based VPN profile group to a Native Intune VPN Profile group, the profile doesn’t show as “Successful” in Intune reporting, instead it shows “Error” with error code 0x80004005 and –2147467259. After searching it turns out this issue occurs when a Profile that wasn’t created by Intune (including a Custom ProfileXML) is overwritten with the same name by a native Intune profile. It’s the same for Email Configurations as described on this website: https://www.itexperience.net/fix-error-0x80004005-in-intune/
I think if you have created a VPN profile with any other method (and want to use the same name with the native Intune profile) then you must delete the VPN connection manually before syncing again to receive the native Intune profile. Richard has just recently published details of removing User and Device Tunnels cleanly with a Powershell script so I am going to look into using these to see if they help.
Richard M. Hicks
/ August 26, 2020To clarify this, I was testing native Intune configured profiles for both device tunnel and user tunnel. When I deleted those profiles they were removed from the client. However, I didn’t test a VPN profile deployed using custom XML. I don’t know why the behavior would be different though, but perhaps it is.
Francesco F
/ September 18, 2020Hi, only native configuration profiles are removed from client when no longer applicable or deleted. https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#what-happens-when-a-profile-is-deleted-or-no-longer-applicable
You should run or deploy a custom script as Richard describes.
Dominik
/ November 11, 2020Hi, quick questions, what would be best way to deploy this script to multiple computers. I have some issues trying to deploy it through Intune as it looks like neither system or user option is finding the tunnel. While when I run the script locally as and admin it all works good. I have an option of deploying this through Intune or GP.
Richard M. Hicks
/ November 17, 2020I haven’t tested this script by deploying with Intune, so I’m not sure if there’s some limitation there or not. You can probably run it via group policy startup script for the device tunnel and user tunnel deployed for all users. You could run it as a logon script for the user tunnel but it might require administrative rights. You’ll have to test.
B.Williams
/ January 27, 2021Hello, Has anyone else had issues with Remove-CimInstance no longer working?
Instead the script errors at that line with the error ‘Remove-CimInstance : The requested object could not be found.’
I have tried running the Remove-Ciminstance command manually with the same results even though Get-CimInstance finds and displays the specified profile details
Richard M. Hicks
/ January 27, 2021What version of Windows 10 are you running? Is this a device tunnel or user tunnel? I’m assuming you are using my script then, correct?
B.Williams
/ January 28, 2021Hi Richard, Thank you for replying.
We are using Win10 Enterprise 20H2.
Yes, the script I have used many times last year to remove both Device and User tunnel profiles, but my recent attempts have failed. This is when I looked a little deeper and tried the CimInstance commands directly with the same results.
Strangely enough Get-CimInstance reports and returns the VPN config correctly but the Remove-CimInstance call fails when the results are passed to it.
Richard M. Hicks
/ January 29, 2021Not sure what’s up there. I just tested my script [https://github.com/richardhicks/aovpn/blob/master/Remove-AovpnConnection.ps1] and it seems to work fine on Windows 10 20H2. :/
RainerT
/ February 18, 2021Same here, not working on Windows 10 20H2 (build 19042.746), when it works with at least versions 1809 and 1909. Tested with the latest PS-script today. The error is
Remove-CimInstance : The requested object could not be found.
At \Remove-AovpnConnection.ps1:92 char:5
+ Remove-CimInstance -CimInstance $CimInstance
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (MDM_VPNv2_01 (I…or/MSFT/VPNv2″):CimInstance) [Remove-CimInstance], Ci
mException
+ FullyQualifiedErrorId : MI RESULT 6,Microsoft.Management.Infrastructure.CimCmdlets.RemoveCimInstanceCommand
Richard M. Hicks
/ February 24, 2021That’s really strange. I’ve tested numerous times on Windows 10 20H2 and it works for me every time. :/ Are you running Enterprise Edition? Are you trying to remove a device tunnel or user tunnel? How was the profile implemented initiall? Intune or PowerShell?
RainerT
/ March 8, 2021Yes, Windows 10 Enterprise Edition and domain joined computers. Worked perfectly when removing and installing new device profile when the Win 10 versions were 1809 and 1909. Deployed using SCCM and PowerShell script. But when computers were upgraded to Win 10 20H2, then the device profile removal stopped working with the error above. No other changes made except the Win 10 upgraded to version 20H2 (build 19042.804)
Richard M. Hicks
/ March 9, 2021I’m hearing reports of issues with the script and 20H2, but unfortunately I’m unable to reproduce. It works perfectly every time for me. :/ I’m curious though, were these in place upgrades? All of my testing has been with clean builds to this point.
RainerT
/ March 10, 2021Hi Richard, In my case yes, in-place upgrade from Windows Update. From 1909 to 20H2. Result is running the Remove-AovpnConnection.ps1 PS-script fails every time on ‘Object Not Found’ -error. OS In-place upgrade is a common way of upgrading Windows 10 OS and seems that there is some kind of bug in that version, because the script worked perfectly when upgraded the OS from 1809 to 1909. I haven’t heard from anyone else that it works in 20H2-version
Richard M. Hicks
/ March 10, 2021Good to know. I’ll do some testing and see what I can find.
Sven Schmidt
/ February 22, 2021Hi Richard, thanks for the valuable content on your blog.
On notebooks we currently use roaming profiles which results in the user tunnel not being established. Windows tries to open the rasphone.pbk but does not find it in the profile. The devicetunnel does not open fast enough to make the network profile available again.
Is there a way to redirect the rasphone.pbk completely so that the network profile is not called in the process? Deployment is done via PowerShell. SCCM or Intune are unfortunately not available. Maybe you have an idea. Roaming profiles are important to us and we would hate to do without them.
Richard M. Hicks
/ February 24, 2021Interesting. I’d suggest deploying the user tunnel in the “all users” context. You can do that using my PowerShell script and the -AllUserConnection parameter, or with Intune using some custom configuration. I’m not certain, but I think that would solve the problem because then the rasphone.pbk file is in the ProgramData folder and not under the user’s profile.
Richard M. Hicks
/ February 24, 2021Sorry, forgot to include the link to my PowerShell Always On VPN configuration script. 🙂
https://github.com/richardhicks/aovpn/blob/master/New-AovpnConnection.ps1
Danielle
/ February 23, 2021I’m having an issue where running the RemoveAoVpnConnection.ps1 script from a group policy is not fully removing the connection. Some of the registry artifacts are removed, but the connection still appears under network settings > change adapter options. I’ve tried a scheduled task, immediate task, and startup script. Running as system w/ highest privileges. Using the correct parameters. I had the same problem running a simpler script that just gets the vpn connection, disconnects it and removes it without all the checks and cleanup and it’s the same issue running from policy, but when run locally it correctly deletes the adapter in network settings. Any ideas what that could be?
Richard M. Hicks
/ February 24, 2021I’m not sure, to be honest. This isn’t something I’ve tested, running it via group policy. I’d have to do some testing to see if I can replicate the issue. It sounds like a context issue though.
Zak
/ February 25, 2021On my users (100x staff using SSTP through RRAS + EAP-TLS auth) , I have created a logon script which basically re-creates the VPN profile each time users logon. I use rasphone -R “VPN” to remove the existing VPN config, before the VPN profile is re-created again upon logon. This happens each time a user logs in. The reason I do it this way is because we only have Group Policy available, so a scheduled tasks runs on logon which runs the VPN creation script. Any changes I need to make e.g. add new subnets etc to the VPN config file, I can then do centrally on group policy under the Sysvol folders, and users will automatically download the new VPN config file to their computer once connected to the VPN and once their computer contacts domain controllers to see if any updates are available. It will take a user a reboot or logout/login to update their VPN profile to the new settings.. Pretty crude but has served well for over a year now.
Richard M. Hicks
/ February 27, 2021Glad to hear it. Thanks for sharing that information!
oraat
/ March 9, 2021I have the same problem with 20H2 Enterprise version. I cannot remove the device tunnel. .\Remove-AovpnConnection.ps1 -ProfileName ‘Always On VPN – Device’ -DeviceTunnel.
I get also Remove-CimInstance : The requested object could not be found.
Richard M. Hicks
/ March 9, 2021That’s really strange. I’m unable to reproduce this myself. It works every time for me. Obviously, there is something different about your configuration. Did you deploy the device tunnel using PowerShell or Intune?
oraat
/ March 9, 2021I have clean win10 (en layout) Enterprise installation, domain joined. Manually run your script as a sysem account with powershell and tunnel wac created. But deleting the same tunnel does not work.
Excatly same script was working ok before 20H2 update.
Error is always this “Remove-CimInstance : The requested object could not be found.”
Thanks,
oraat
Richard M. Hicks
/ March 10, 2021A number of folks have reported this issue. I’m looking into it now and will make an update as soon as I’m able to reproduce and identify/resolve the issue.
B Williams
/ March 11, 2021I thought I would share my findings here since encountering this issue. I used a WMI browser to try find where the VPN config is being stored. In my case the namespace of ‘root\cimv2\mdm\dmmap’ was empty but I found the config in ‘root\Microsoft\Windows\RemoteAccess\Client’
Richard M. Hicks
/ March 12, 2021Most interesting. How did you deploy the VPN tunnel? With Intune or PowerShell?
Bert Williams
/ March 22, 2021Hi Richard – In response to how the tunnels were deployed I used Intune CustomXML profiles
Richard M. Hicks
/ March 22, 2021Ok. You’re running the removal script in the SYSTEM context, correct?
oraat
/ March 22, 2021Yes, I’m naturally always running the device tunnel removal in the system context and I understand that this should not be an issue here, since we anyway remove the tunnel with system context. This WMIExplorer stuff is just one observation that something is different with these two 2004 laptops. Is it permissions or what I have no idea.
Richard M. Hicks
/ March 24, 2021Got it. Thanks for the clarification. That is quite unusual, for sure. I’m still unable to reproduce this myself. I’ve tested a dozen times with different 2004 and 20H2 builds and still no luck. Works every time. :/
Bert Williams
/ March 23, 2021Yes – running as System using the psexec method as documented
Richard M. Hicks
/ March 24, 2021Ok, good to know. There shouldn’t be any permissions issue when running as SYSTEM. Others have reported that the device tunnel appears in a different location when viewed with WMI Explorer. I’m looking in to that now.
oraat
/ March 17, 2021Some update for this error: Remove-CimInstance : The requested object could not be found.
I have two Win10 machines in different domains, both have version 2004 through updates.
With another machine scripts work completely ok, I can create and remove the device tunnel as many times I want,
but with another machine I can create the device tunnel once but cannot remove it, I get the error when trying to remove.
Only way I can remove it is:
rasdial /disconnect
Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force
I’m running scripts manually with system elevated powershell, so no sccm nor Intunes.
Richard M. Hicks
/ March 17, 2021That is really strange! Something must be different, no doubt. What that is I can’t imagine though. :/
oraat
/ March 18, 2021If I start Wmi explorer (run as admin) in the machine where the scripts work, I can see the AO VPN instance in the path root\cimv2\mdm\dmmap\MDM_VPNv2_01.
If I do the same in the machine where scripts do not work, the path root\cimv2\mdm\dmmap seems to be empty.
BUT if run WmiExplorer with system permissions in this machine I can see the MDM_VPNv2_01 instance !
Is this some kind of permission problem ?
Richard M. Hicks
/ March 22, 2021Not sure. However, if you are removing a device tunnel you must run the PowerShell script in the context of SYSTEM. Perhaps that’s the issue?
oraat
/ March 23, 2021My previous comment went to wrong place 🙂 Please remove it, I was suppose to write it here:
Yes, I’m naturally always running the device tunnel removal in the system context and I understand that this should not be an issue here, since we anyway remove the tunnel with system context. This WMIExplorer stuff is just one observation that something is different with these two 2004 laptops. Is it permissions or what I have no idea.
Tee
/ June 10, 2021Hi Richard,
I can’t seem to get this script to disconnect an active session, rasdial /disconnect seems to work for me though so I’m just running that before the remove.
Richard M. Hicks
/ June 11, 2021That will work too! 🙂
A. Barnhard
/ July 2, 2021I’ve also encountered the ‘object not found’ message on an updated 20H2. After clearing left-over entries in registry (Computer\HKEY_USERS\ S-1-5-21domain-500 SID \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections) the removed and then added connection worked.
Richard M. Hicks
/ July 6, 2021Good to know. Thanks for the update!
Ronald Oosterloo
/ August 11, 2021Richard, Thanks for your documentation.
We have a succesful connection on a Windows 10 Pro Device.
Only when we import the exported ProfileXML from the windows 10 device into a windows 11 device we get the error:
The Connection was prevented because of a policy configured on you RAS/VPN Server. Specially, the authentication Method used by the Server to verify your Username and Password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
Certificates etc are imported on the windows 11 device.
Do you know what we are doing wrong?
Richard M. Hicks
/ August 16, 2021The two most common scenarios when you receive this error are NPS server rejecting the authentication request, or the VPN server can’t communicate to the NPS server. I’d check the event log on the NPS server to see if the request was reject, and if so, why. If it never saw it, I’d check the communication between VPN and NPS servers.
Ronald Oosterloo
/ August 16, 2021Here is a log of the NPS Server:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: xxxxx\xxxxxxxxx
Account Name: [email protected]
Account Domain: xxxxx
Fully Qualified Account Name: xxxxx\xxxxxxxxx
Client Machine:
Security ID: NULL SID
Account Name: –
Fully Qualified Account Name: –
Called Station Identifier: 10.xxx.xxx.xxx
Calling Station Identifier: 86.82.205.xxx
NAS:
NAS IPv4 Address: –
NAS IPv6 Address: –
NAS Identifier: xxxxx
NAS Port-Type: Virtual
NAS Port: 390
RADIUS Client:
Client Friendly Name: AlwaysOn VPN – xxxx
Client IP Address: 10.xxx.xxx.xxx
Authentication Details:
Connection Request Policy Name: AlwaysOn VPN Connections
Network Policy Name: AlwaysOn VPN
Authentication Provider: Windows
Authentication Server: xxxxxxx.xxxxxx.xxx
Authentication Type: PEAP
EAP Type: –
Account Session Identifier: 39313737
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Richard M. Hicks
/ August 24, 2021The most common cause of “credential mismatch” issues is the user authentication certificate being misconfigured. Typically this means either the UPN is missing or incorrect. Have a close look at those. It could also be caused by a missing domain controller authentication certificate on a domain controller. Lastly, make sure the NPS server is correctly configured with your issuing CA in their NTAuth certificate store. Reference articles here:
https://directaccess.richardhicks.com/2018/04/30/always-on-vpn-certificate-requirements-for-ikev2/
https://directaccess.richardhicks.com/2019/05/20/always-on-vpn-clients-prompted-for-authentication-when-accessing-internal-resources/
https://directaccess.richardhicks.com/2021/08/02/troubleshooting-always-on-vpn-error-853/
Ronald Oosterloo
/ August 27, 2021Dear Richard,
We solved the problem.
The servers to verify the idenity were lowcase. We have replaced this servers in Uppercase. After that the VPN will connect succesfully
Richard M. Hicks
/ August 29, 2021Iteresting. Where specifically did you make this change? In the EAP configuration on the client?
Ronald Oosterloo
/ August 30, 2021Dear Richard,
Yes we have changed it in the Protected EAP Properties and in the Smart Card or Other Certificate Properties.
Richard M. Hicks
/ August 31, 2021Good to know!
Andy Brutyn
/ December 15, 2021Hi Richard,
thanks for you help in educating us all.
I have an issue with the Remove-AOVPN script when trying to remove a device tunnel or a usertunnel.
it fails on get-CimInstance -Namespace ‘root\cimv2\mdm\dmmap’ -ClassName ‘MDM_VPNv2_01’
when i run WMI explorer in systemcontext i cant find anything in that namespace, nor can i find it when i run wmi explorer as an admin.
Has something changed on the location the tunnels are located or do you have another idea ?
Richard M. Hicks
/ December 15, 2021Hi Andy. Indeed, this script is broken because of an apparent bug in Windows 11. There have been reports of issues in later versions of Windows 10 as well. The issue has been brought to Microsoft and they are investigating. For now we’ll have to wait until they fix this enumeration issue.
Robert Naylor
/ May 5, 2022Appears this is possible occuring with both 1909/21H2 now – all the scripts to remove the AOVPN profile appear to be failing. Does anyone have one that actually works. We need to push out some new settings via SCCM
Richard M. Hicks
/ May 5, 2022You can always use Remove-VpnConnection, but it doesn’t work well if the VPN tunnel is established, and it doesn’t have the cleanup logic my removal script provides either.
Andy Collins
/ March 3, 2022Hi Richard
Firstly, thanks for all the great content on AOVPN, if it was left purely to the MS documentation, i’d be in a lot worse place than i am right now!
I’m interested to hear your thoughts on how to iterate the installer script? Currently, the install works great on a fresh PC without existing AOVPN connections on it, but we have a situation where on occasion, we need to update the profile.xml to include new routes into the VPN tunnel to accommodate services that have ACL’s that prevent them from being accessed from anywhere where the source is not our main HQ’s Internet IP
If i re-run your install script on machines that already have AOVPN tunnels set up, it detects that the connection names are the same as already installs, and exits
I don’t want to have to start creating “AOVPN User Tunnel 1, 2, 3” etc
Is there a way to simply re-import the xml file to refresh it with the latest routes, without having to change the names of the tunnels?
Richard M. Hicks
/ March 4, 2022This is one of the drawbacks to using PowerShell and not Intune. 🙂 However, some changes to VPN profiles don’t require installing the entire profile again. For example, routes can be added or removed easily using PowerShell and Set-VpnConnectionRoute. You can make changes additional changes using Set-VpnConnection too. If you must remove and replace the profile though, you’ll have to write some logic that first removes the connection, then replaces it. The challenge here is if the user is connected remotely, you’ll need to make sure everything is on the endpoint before initiating the disconnect and removal/replacement.
Hope that helps!
GH
/ June 7, 2023Hi Richard!
First of all, great resources! New to AOVPN and wouldn’t have made it without your scripts!
I’m in the process of deploying User Tunnels to my clients, but there something that isn’t working for me. Our clients aren’t local administrators on their devices, so the New-AovpnConnection running in the user context is failing (because of registry check/edits in HKLM). This is something that is maybe worth investigating for you.
I created a user tunnel in the System context (through 3th party RMM tool) without the -AllUserConnection option. It does create the tunnel, but when trying to remove, it states the ‘the VPN Connection ‘User Tunnel’ does not exists.
The slight disadvantage when deploying the User Tunnel with – AllUserConnection is when the user logs off, the user tunnel remains active. (This is also true when the -AllUserConnection is being used)
What are your thoughts?
ps: Have a great holiday in Valencia 😉
Richard M. Hicks
/ June 7, 2023Does your RMM allow you to run elevated in the user’s context? SCCM does, so perhpas that’s a better alternative. Optionally you could deploy in the all-users context using -AllUserConnection (running as system) and that usually takes care of things. However, the user tunnel in this scenario will disconnect. Not sure why that isn’t happening in your scenario.
Valencia is nice! I’m not on holiday, though. I’m on site with a customer here. Hoping to see more of the city over the weekend though. 🙂
GH
/ June 14, 2023We use DattoRMM. Does not appear to be an option. SCCM is also not an option for us. I will investigate further on the tunnel being active after logging out. Thank u
gerrit97ea1a5b15
/ September 27, 2023Hi Richard, I did some more research.
We are rolling out the AlwaysOn VPN profile via powershell:
.\New-AovpnConnection.ps1 -xmlFilePath .\profile.xml -ProfileName ‘AOVPN – User Tunnel’ -AllUserConnection
When you log out, the User Tunnel remains active. On the login screen you will still see the blue VPN icon on the network connection active at the bottom right. When I log in with a different user, the tunnel gets disconnected.
About removing the User Tunnel:
With your Remove-AovpnConnection.ps1 I cannot remove the VPN tunnel. He indicates that it does not exist. If I run the following command:
Get-VpnConnection ‘AOVPN – User Tunnel’ -AllUserConnection, then it returns the following result:
The profile AOVPN – User Tunnel is not a VPN connection profile. : The data is invalid.
I can run Remove-VpnConnection ‘AOVPN – User Tunnel’ -AllUserConnection to remove the tunnel.
I created the following powershell script for myself to remove an active VPN tunnel. I do use your script to clean up the ‘artifacts’.
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config -Name AutoTriggerDisabledProfilesList -Value ‘AOVPN – User Tunnel’ -PropertyType MultiString -Force
RASDIAL.exe ‘AOVPN – User Tunnel’ /DISCONNECT
Remove-VpnConnection “AOVPN – User Tunnel” -AllUserConnection -Force
.\Remove-AovpnConnection.ps1 -ProfileName “AOVPN – User Tunnel” -AllUserConnection -CleanUpOnly
Maybe it will help someone.
Richard M. Hicks
/ September 27, 2023Good to know. Thanks for sharing that information!
sai krishna
/ November 28, 2023Hi richard,
while executing the RemoveVPN connection.ps1 script we are getting an error below
PS D:\> set-executionpolicy bypass
PS D:\> .\Remove-AovpnConnection.ps1 -AllUserConnection
cmdlet Remove-AovpnConnection.ps1 at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
ProfileName: TEST
WARNING: This script is not running in the SYSTEM context, as required.
Indeed we set the execution policy as unrestricted but stillwe see the same issue
Richard M. Hicks
/ November 28, 2023The script must be running in the SYSTEM context. To do this you’ll need to use the Sysinternals Psexec tool. Here’s what the command looks like.
psexec.exe -i -s powershell.exe
That will open a new PowerShell command window running in the system context. You can run the removal script there and it should work fine.
You can download Psexec here: https://learn.microsoft.com/en-us/sysinternals/downloads/psexec