
Administrators can deploy Always On VPN client configuration settings in several ways. The simplest method is to use the native Microsoft Intune UI and the VPN device configuration profile template. Optionally, administrators can create an XML file that can be deployed with Intune using the Custom template. In addition, the XML file can be deployed using PowerShell, either interactively or with System Center Configuration Manager (SCCM). Administrators can also deploy the XML file using PowerShell via Active Directory group policy startup script or another software provisioning platform.
Custom XML
While using the native Intune VPN device configuration template to deploy and manage Always On VPN client configuration settings is easy and convenient, it lacks support for many crucial configuration settings. Deploying Always On VPN client settings using the Custom template is helpful to overcome these limitations as it enables additional configuration settings not exposed in the Intune VPN template.
VPNv2CSP
The VPNv2 Configuration Service Provider (CSP) is the interface used by Intune to deploy Always On VPN client configuration settings to the endpoint. The WMI-to-CSP bridge exposes the same CSP to PowerShell, which is how the XML file is deployed without Intune. In either scenario, administrators must create an XML file (ProfileXML) that includes the settings used for the Always On VPN profile. A reference for all supported settings in the VPNv2 CSP is linked under Additional Information below.
New Settings
Microsoft recently introduced some new settings in the VPNv2 CSP. Beginning with Windows 11 22H2, administrators can disable the disconnect button and prevent access to the advanced settings menu for device and user tunnels in the Windows UI by adding the following entries in the XML configuration file.
<DisableDisconnectButton>true</DisableDisconnectButton>
<DisableAdvancedOptionsEditButton>true</DisableAdvancedOptionsEditButton>

Additional Updates
Microsoft also added options to define encryption settings, disable IKEv2 fragmentation support, update IPv4 and IPv6 interface metrics, adjust IKEv2 network outage time, and disable the use of RAS credentials in XML for device and user tunnels. These new options eliminate the need to use Intune Proactive Remediation to adjust these VPN client configuration settings post-deployment.
Unfortunately, these settings are not supported in any current release of Windows 10 or 11 today. However, they are available in the latest Windows Insider build (development channel) if you want to test them. I’ve provided example settings below. These settings will be supported in a public release of Windows in the future.
<DataEncryption>Max</DataEncryption>
<DisableIKEv2Fragmentation>true</DisableIKEv2Fragmentation>
<IPv4InterfaceMetric>3</IPv4InterfaceMetric>
<IPv6InterfaceMetric>3</IPv6InterfaceMetric>
<NetworkOutageTime>0</NetworkOutageTime>
<UseRasCredentials>false</UseRasCredentials>
Note: At the time of this writing, the VPNv2 CSP indicates these settings apply to Windows 11 21H2 and later. That is incorrect. Microsoft is aware of the issue and will hopefully correct it soon.
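The following is an added example, not code from the original post, showing how the settings above are carried in a ProfileXML and pushed through the WMI-to-CSP bridge from PowerShell (the non-Intune path described in the VPNv2CSP section). It deploys a device tunnel, so it must run in the SYSTEM context (SCCM, a GPO startup script, or psexec -s). The server name, trusted network suffix, route, and profile name are placeholders. The placement of the new elements inside NativeProfile and the element order follow my reading of the VPNv2 CSP reference; ProfileXML is order-sensitive, so verify placement against the reference for your Windows build, and remember that the six Insider-only settings will be rejected on current GA releases.

```powershell
# Added example (not from the original post): deploy an Always On VPN device tunnel
# ProfileXML through the WMI-to-CSP bridge (class MDM_VPNv2_01 in root\cimv2\mdm\dmmap).
# Assumptions: vpn.example.com, corp.example.com, 10.0.0.0/8 and the profile name are
# placeholders; the script runs as SYSTEM because a device tunnel is a device-scope profile.
# Element placement/order of the new settings is assumed from the VPNv2 CSP reference.

$ProfileName = 'Always On VPN Device Tunnel'

$ProfileXML = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <DataEncryption>Max</DataEncryption>
    <DisableIKEv2Fragmentation>true</DisableIKEv2Fragmentation>
    <IPv4InterfaceMetric>3</IPv4InterfaceMetric>
    <IPv6InterfaceMetric>3</IPv6InterfaceMetric>
    <NetworkOutageTime>0</NetworkOutageTime>
    <UseRasCredentials>false</UseRasCredentials>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <DisableAdvancedOptionsEditButton>true</DisableAdvancedOptionsEditButton>
  <DisableDisconnectButton>true</DisableDisconnectButton>
</VPNProfile>
"@

# The CSP expects the XML as an escaped string inside the ProfileXML property.
$EscapedXml = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$Namespace  = 'root\cimv2\mdm\dmmap'
$ClassName  = 'MDM_VPNv2_01'
$ParentID   = './Vendor/MSFT/VPNv2'
$InstanceID = $ProfileName -replace ' ', '%20'   # node names must be URL-encoded

$Session = New-CimSession

# Remove any existing profile with the same name so re-running the script is idempotent.
foreach ($Existing in $Session.EnumerateInstances($Namespace, $ClassName)) {
    if ($Existing.InstanceID -eq $InstanceID) {
        Write-Host "Removing existing profile '$ProfileName'..."
        $Session.DeleteInstance($Namespace, $Existing)
    }
}

# Build the CIM instance: ParentID and InstanceID are keys, ProfileXML carries the payload.
$NewInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $ClassName, $Namespace
foreach ($Prop in @(
        @{ Name = 'ParentID';   Value = $ParentID;   Flags = 'Key' },
        @{ Name = 'InstanceID'; Value = $InstanceID; Flags = 'Key' },
        @{ Name = 'ProfileXML'; Value = $EscapedXml; Flags = 'Property' })) {
    $CimProp = [Microsoft.Management.Infrastructure.CimProperty]::Create(
        $Prop.Name, $Prop.Value, 'String', $Prop.Flags)
    $NewInstance.CimInstanceProperties.Add($CimProp)
}

try {
    $Session.CreateInstance($Namespace, $NewInstance) | Out-Null
    Write-Host "Profile '$ProfileName' created."
}
catch {
    # A schema error (unknown element, wrong order, unsupported setting on this build)
    # surfaces here as a CSP failure rather than as a partially applied profile.
    Write-Error "CSP rejected the profile: $($_.Exception.Message)"
    throw
}

# Verify: the connection should exist in the all-user (device) phonebook, and the CSP
# should hand back the profile with the XML we submitted.
Get-VpnConnection -AllUserConnection -Name $ProfileName |
    Select-Object Name, TunnelType, ConnectionStatus
$Deployed = $Session.EnumerateInstances($Namespace, $ClassName) |
    Where-Object InstanceID -eq $InstanceID
[System.Net.WebUtility]::HtmlDecode($Deployed.ProfileXML)
```

For a user tunnel the same class is used, but the script runs in the user's context: the CimOperationOptions custom options PolicyPlatformContext_PrincipalContext_Type (PolicyPlatform_UserContext) and PolicyPlatformContext_PrincipalContext_Id (the user's SID) must be passed to EnumerateInstances, DeleteInstance and CreateInstance, and the XML would drop DeviceTunnel and use a user authentication method instead of MachineMethod.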
Intune Support
At some point, Microsoft may add these features to the Intune VPN device configuration template. However, XML with the Custom template is the only way to enable these new settings today.
Additional Information
Always On VPN VPNv2 CSP Reference
Deploying Always On VPN with Intune using Custom ProfileXML
Always On VPN and Intune Proactive Remediation
Microsoft Intune Learning Resources for Always On VPN Administrators
Beau McMahon
/ March 22, 2023
Kinda wishing they did this a year ago, as I’ve already implemented interface metric configuration when my tunnels are configured/updated. Was a complete pain in the butt. Hopefully their implementation works as well and I can remove my extra code eventually.
Fantastic to hear they’re providing a way to remove the Disconnect and Advanced options. Hopefully this isn’t just a GUI thing and it also stops it from working via RASPHONE and RASDIAL.
Richard M. Hicks
/ March 22, 2023
For sure. However, I think it is just a GUI thing. I don’t believe it does anything to prevent you from disconnecting using rasdial.exe or rasphone.exe. For that, you’ll have to use LockDown VPN, but that often causes more problems than it solves. :/
https://directaccess.richardhicks.com/2019/04/08/always-on-vpn-lockdown-mode/
Nicolai Nyborg
/ March 24, 2023
Hey Richard,
You previously wrote an article about issues with the VPNv2 CSP settings on Windows 11, causing random disconnects (most likely from the profile being deleted and recreated multiple times a day).
Are you aware if this is still an ongoing issue? I think some of my users have been impacted by this, but I haven’t been able to figure out if that is actually our issue.
Richard M. Hicks
/ March 24, 2023
Yes, this is still an ongoing issue with Windows 11 and Intune. Microsoft is aware of the issue but has not provided an ETA for a fix.
DamianPL
/ April 1, 2023
Hi Ryszard, some time ago I decided to implement a POC for Always On VPN, which will be based on my PowerShell scripts and Task Scheduler. Scripts allow you to:
1. There is no need to use Windows Enterprise for Device Tunnel
2. Ability to define parameters not available in Intune
I described my idea on the website: admin-center.pl/blog
What do you think about this approach?
Now for the post question:
Do you know what value should be added to rasphone.pbk to hide the “Disconnect” button?
Richard M. Hicks
/ April 3, 2023
Hi Damian. Looks interesting, for sure. 🙂 Unfortunately, there is no option to disable the disconnect button in rasphone.pbk. However, this feature is coming to a future release of Windows 11. It might only be exposed through the CSP and not in rasphone.pbk, though.
Niol
/ May 2, 2023
Great to see the UseRasCredentials parameter in the VPNv2 CSP; it will avoid “post processing” of pbk files.
Richard M. Hicks
/ May 5, 2023
Indeed. However, this setting won’t be supported until sometime in the future. It’s working with Insider builds now, so hopefully it will hit GA in the near future.