Removing Always On VPN Connections

Much has been written about provisioning Windows 10 Always On VPN client connections over the past few years. While the preferred method for deploying Always On VPN is Microsoft Intune, using PowerShell is often helpful for initial testing, and required for production deployment with System Center Configuration Manager (SCCM) or Microsoft Endpoint Manager (MEM). That said, there will invariably come a time when an administrator has to remove an Always On VPN connection. It is not as simple as you might think.

PowerShell

There are a variety of ways to remove an existing Always On VPN connection, with the quickest and simplest being PowerShell and the Remove-VpnConnection cmdlet.

Get-VpnConnection -Name 'Always On VPN' | Remove-VpnConnection -Force

There are several limitations to this method, however.

Active Connections

Administrators will quickly realize that PowerShell fails to remove a VPN connection that is currently connected. As shown here, attempting to remove an active VPN connection will return the following error message.

“The VPN connection [connection name] cannot be removed from the local user connections. Cannot delete a connection while it is connected.”


Registry Artifacts

Removing Always On VPN connections using PowerShell commonly leaves behind registry artifacts that can cause problems later. Always On VPN-related registry entries exist in several locations, including the HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked hive, and they are not always deleted when the connection is removed. When provisioning a new Always On VPN connection with the same name as one deleted previously, the administrator may encounter the following error message.

“Unable to create [connection name] profile: A general error occurred that is not covered by a more specific error code.”


Note: This error can also be caused by improperly formatted XML configuration files. More details here.

Remove-AovpnConnection Script

Veteran Always On VPN administrators are likely familiar with the PowerShell scripts I’ve created called New-AovpnConnection.ps1 and New-AovpnDeviceConnection.ps1, which are hosted on my GitHub. These scripts are adapted from code samples published by Microsoft, to which I have added functionality. To address the limitations highlighted in this article I have published a new PowerShell script called Remove-AovpnConnection.ps1. It will remove any Always On VPN connection, even those that are currently active. It also includes logic to remove known registry artifacts common to Always On VPN. Download the script from GitHub and use the following syntax to remove an Always On VPN connection, established or not.

.\Remove-AovpnConnection.ps1 -ProfileName [connection name]

Running this PowerShell command will forcibly remove an Always On VPN connection. Use the -DeviceTunnel switch when removing a device tunnel connection (requires running in the system context). I have also included a -CleanUpOnly switch to remove registry artifacts when the VPN connection was previously removed using another method.
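As an added illustration (not the Remove-AovpnConnection.ps1 script itself), the following function removes an Always On VPN profile through the MDM Bridge WMI provider with Remove-CimInstance, the approach mentioned in the comments as working even while the tunnel is connected, and then reports or removes matching entries under the Tracked hive named above. It assumes it runs as the profile's user for a user tunnel or as SYSTEM for a device tunnel, and the subkey layout beneath the Tracked hive is an assumption, so registry keys are only deleted when -CleanRegistry is given.

```powershell
function Remove-AovpnProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        [switch]$CleanRegistry
    )

    # MDM Bridge WMI provider namespace and the VPNv2 CSP class.
    $namespace = 'root\cimv2\mdm\dmmap'
    $className = 'MDM_VPNv2_01'
    # The CSP stores the profile name with spaces escaped as %20 in InstanceID.
    $escapedName = $ProfileName -replace ' ', '%20'

    $instance = Get-CimInstance -Namespace $namespace -ClassName $className -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceID -eq $escapedName }

    if (-not $instance) {
        # Nothing found in this context: wrong user, or a device tunnel queried without SYSTEM rights.
        Write-Warning "No VPNv2 CSP instance named '$ProfileName' found in the current context."
    }
    elseif ($PSCmdlet.ShouldProcess($ProfileName, 'Remove VPNv2 CSP instance')) {
        # Removing the CSP instance tears down the profile whether or not it is connected.
        $instance | Remove-CimInstance
    }

    # Registry artifacts: scan the Tracked hive for keys that reference the profile name.
    # Assumption: the exact subkey layout varies, so match on key name only.
    $tracked = 'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked'
    if (Test-Path -Path $tracked) {
        Get-ChildItem -Path $tracked -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$ProfileName*" -or $_.Name -like "*$escapedName*" } |
            ForEach-Object {
                if ($CleanRegistry -and $PSCmdlet.ShouldProcess($_.Name, 'Remove registry key')) {
                    Remove-Item -Path $_.PSPath -Recurse -Force
                }
                else {
                    # Report only; rerun with -CleanRegistry to delete.
                    Write-Verbose "Registry artifact found: $($_.Name)"
                }
            }
    }
}

# Example call for a user tunnel in the current user's context:
# Remove-AovpnProfile -ProfileName 'Always On VPN' -CleanRegistry -Verbose
```

Run with -WhatIf first to see which CSP instance and registry keys would be removed before committing to the deletion.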

Updated Installation Scripts

I have also updated New-AovpnConnection.ps1 to include these registry clean-up steps. This will prevent future errors when provisioning an Always On VPN client where a connection of the same name was removed previously.

Note: New-AovpnConnection.ps1 has also been updated to support device tunnel deployments. As such, I have deprecated New-AovpnDeviceConnection.ps1. Simply use New-AovpnConnection.ps1 with the -DeviceTunnel switch to deploy an Always On VPN device tunnel.

Additional Information

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Troubleshooting Always On VPN Unable to Create Profile General Error


11 Comments

  1. Tim

     /  August 24, 2020

    “Registry Artifacts” a brilliant term! They have always proved an issue and sometimes stop a new profile from being created on a client but I have found this not just when using PowerShell – I have noticed that Custom Profiles in Intune due to their nature of not being a Wi-Fi, Email or Native VPN Profile are unable to be removed cleanly. In fact, removing a user assignment from a Custom ProfileXML VPN in Intune doesn’t do anything and the Profile remains on the client computer. Not very good for staying “in control” of your network. Have you seen this?

    Reply
    • I haven’t seen that, no. I’ll do some testing and see if I can reproduce. But yes, not ideal if you can’t also remove it using Intune!

      Reply
  2. Thanks for the useful info, especially with regard to removing an active connection. I’ve been successfully using rasphone -h but may start using this alternate one.

    Reply
    • While developing this script I tried using both rasphone.exe and rasdial.exe, but had only limited success. Sometimes it worked, others not. Yanking it out by the roots via Remove-CimInstance works every single time though. 🙂

      Reply
      • Yes, I observed the way the tunnel almost instantaneously tries to reconnect after being disconnected by rasphone.exe. I determined that it tries about 3 times then gives up on the fourth disconnection. I built this into my PS script (do..until loop) and it works perfectly. I prefer your ‘pure’ PowerShell method though.

      • I had the same experience. Originally I had a Do/Until loop and would use Get-NetIpInterface to look for the connection (after a slight pause). Couldn’t use Get-VpnConnection to check the status because it is unreliable!

  3. sergiibiletskyi

     /  August 24, 2020

    What about removing them via Intune? I noticed that simply removing people from the groups or disabling Config Profiles do not remove configured tunnel from the client.

    Reply
    • That’s not been my experience. If I delete the VPN profiles in Intune they eventually get removed from the client. Is that not the case for you? I didn’t specifically test removing a client from a device group though. Perhaps that’s different.

      Reply
    • Tim

       /  August 26, 2020

      This is my experience too sergiibiletskyi. Also, when switching a user assignment from a Custom ProfileXML based VPN profile group to a Native Intune VPN Profile group, the profile doesn’t show as “Successful” in Intune reporting, instead it shows “Error” with error code 0x80004005 and –2147467259. After searching it turns out this issue occurs when a Profile that wasn’t created by Intune (including a Custom ProfileXML) is overwritten with the same name by a native Intune profile. It’s the same for Email Configurations as described on this website: https://www.itexperience.net/fix-error-0x80004005-in-intune/

      I think if you have created a VPN profile with any other method (and want to use the same name with the native Intune profile) then you must delete the VPN connection manually before syncing again to receive the native Intune profile. Richard has just recently published details of removing User and Device Tunnels cleanly with a PowerShell script so I am going to look into using these to see if they help.

      Reply
      • To clarify this, I was testing native Intune configured profiles for both device tunnel and user tunnel. When I deleted those profiles they were removed from the client. However, I didn’t test a VPN profile deployed using custom XML. I don’t know why the behavior would be different though, but perhaps it is.

    • Francesco F

       /  September 18, 2020

      Hi, only native configuration profiles are removed from client when no longer applicable or deleted. https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#what-happens-when-a-profile-is-deleted-or-no-longer-applicable

      You should run or deploy a custom script as Richard describes.

      Reply