Always On VPN and Device Sharing

Always On VPN user tunnel configuration settings are typically deployed in the user's context. This presents a challenge when a single device is shared by multiple users who each have an Always On VPN profile assigned to them. By design, Windows designates only one profile on a device as the auto-trigger ("always on") profile, so when multiple users with assigned Always On VPN profiles share the same machine, the results can be unexpected.

Auto Trigger Profile

When an Always On VPN profile is provisioned to a user, Windows records information about the profile in the registry under the RasMan service configuration (HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Config). Specifically, the Always On VPN profile's name and GUID are recorded, as well as the user's Security Identifier (SID) and the path to the rasphone.pbk file that contains the Always On VPN profile. Because these values are stored once per machine rather than per user, only one profile on the device can hold the auto-trigger designation at any time.

Multiple Users

When another user logs on to a shared device and receives their Always On VPN profile, Windows overwrites the existing registry data with that user's information. Each time this user logs on, their Always On VPN connection will establish automatically. Any other users with Always On VPN profiles configured on the same shared device will no longer connect automatically after this. In other words, the most recently deployed Always On VPN profile becomes the "always on" profile.

Connect Automatically

In this scenario, any user with an assigned Always On VPN profile on the shared device can take over the "always on" designation by opening the VPN connection properties and selecting the "Connect automatically" check box.

When this happens, that user now owns the "always on" profile, and other users on the shared device will no longer connect automatically.
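The registry values described in the Auto Trigger Profile section make the behavior above easy to verify. The following PowerShell function is an added example, not code from the original post: it reads the auto-trigger values, resolves the stored SID to an account name, and reports whether the currently signed-in user is the one whose profile will connect automatically. The key path under the RasMan service (HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Config) and the value names AutoTriggerProfileEntryName, AutoTriggerProfileGUID, AutoTriggerProfilePhonebookPath and UserSID are assumed here; the post names the data but not the key. The all-users check is a heuristic based on the phonebook location and is also an assumption.

```powershell
# Added example: report which user "owns" the auto-trigger (always on) VPN
# profile on this device and whether the current user's profile will connect
# automatically. Assumes the values live under the RasMan Config key (not
# named in the post). Run in the context of the user you want to check.

function Get-AovpnAutoTriggerOwner {
    [CmdletBinding()]
    param ()

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config'
    $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    if (-not $cfg -or -not $cfg.AutoTriggerProfileEntryName) {
        Write-Warning 'No auto-trigger profile is registered on this device.'
        return $null
    }

    # Resolve the stored SID to an account name. An all-users (device context)
    # profile is not tied to a single interactive user, so this may fail.
    $owner = '<unresolved>'
    if ($cfg.UserSID) {
        try {
            $owner = ([System.Security.Principal.SecurityIdentifier]$cfg.UserSID).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            # Leave as unresolved; the raw SID is still reported below.
        }
    }

    $currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

    [PSCustomObject]@{
        ProfileName   = $cfg.AutoTriggerProfileEntryName
        ProfileGuid   = $cfg.AutoTriggerProfileGUID
        PhonebookPath = $cfg.AutoTriggerProfilePhonebookPath
        OwnerSid      = $cfg.UserSID
        Owner         = $owner
        # True only when the signed-in user is the one whose profile was
        # provisioned (or whose "Connect automatically" box was checked) most recently.
        CurrentUserWillAutoConnect = ($cfg.UserSID -eq $currentSid)
        # Heuristic (assumption): all-users profiles are stored in the ProgramData
        # phonebook rather than a per-user AppData path.
        IsAllUsersProfile = ($cfg.AutoTriggerProfilePhonebookPath -like "$env:ProgramData\*")
    }
}

Get-AovpnAutoTriggerOwner | Format-List
```

Run this as each user on a shared device after provisioning: only the most recently provisioned user will show CurrentUserWillAutoConnect as True, and checking "Connect automatically" as a different user changes the OwnerSid value accordingly.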

Workarounds

If multiple users share a single device requiring Always On VPN connectivity, you have a few options.

Intune

If you are deploying Always On VPN client configuration settings using Intune, you must use the Custom device configuration profile template. Specifically, you must deploy your ProfileXML using an OMA-URI under ./Device/Vendor/MSFT/VPNv2/ (that is, ./Device/Vendor/MSFT/VPNv2/<ProfileName>/ProfileXML) rather than the ./User/Vendor/MSFT/VPNv2/ path, so the profile is created in the "all users" context.

Unfortunately, the built-in Intune VPN profile template does not support deploying Always On VPN profiles in the "all users" context.

PowerShell

When using PowerShell, either directly or with Configuration Manager (SCCM) or another software deployment tool, administrators can use my Always On VPN deployment PowerShell script with the -AllUserConnection parameter. Note that creating an "all users" profile requires the script to run in the SYSTEM context rather than the user's.
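Both the Intune ./Device OMA-URI and the -AllUserConnection switch end up writing to the same VPNv2 configuration service provider; the difference is whether the write is scoped to a user SID. The function below is an added illustration of that mechanism, not Richard Hicks' New-AovpnConnection.ps1 and not Intune's own code: it provisions ProfileXML through the MDM bridge (the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap namespace). With -AllUserConnection the user-context options are omitted and the profile is created for all users; without it, the profile is scoped to the SID of the account running the script. The function name, parameters and the usage paths are this example's own assumptions.

```powershell
# Added example (not the post's script): provision an Always On VPN user tunnel
# via the MDM bridge, in either the user's context or the all-users context.
# Requires an elevated session; -AllUserConnection must run as SYSTEM
# (for example via a deployment tool or psexec -s).

function New-AovpnUserTunnel {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $ProfileName,
        [Parameter(Mandatory)] [string] $XmlFilePath,
        [switch] $AllUserConnection
    )

    $namespace  = 'root\cimv2\mdm\dmmap'
    $className  = 'MDM_VPNv2_01'
    $nodeCspUri = './Vendor/MSFT/VPNv2'

    # The CSP takes ProfileXML as a string property, so the XML must be escaped.
    $profileXml = [System.Security.SecurityElement]::Escape((Get-Content -Path $XmlFilePath -Raw))
    # Spaces in the profile name are URL-encoded in the CSP node name.
    $profileNameEscaped = $ProfileName -replace ' ', '%20'

    $session = New-CimSession
    $options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions

    if (-not $AllUserConnection) {
        # Scope the write to one user's context. When run as SYSTEM on behalf
        # of a user, supply that user's SID here instead of the caller's.
        $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
        $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $sid, $false)
    }
    # With -AllUserConnection no principal context is set, which is the
    # equivalent of Intune's ./Device/Vendor/MSFT/VPNv2/ OMA-URI.

    # Remove any existing profile with the same name so the new XML is applied.
    $existing = $session.EnumerateInstances($namespace, $className, $options) |
        Where-Object { $_.InstanceID -eq $profileNameEscaped }
    foreach ($instance in $existing) {
        $session.DeleteInstance($namespace, $instance, $options) | Out-Null
    }

    $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
    foreach ($prop in @(
        @{ Name = 'ParentID';   Value = $nodeCspUri;         Flags = 'Key' },
        @{ Name = 'InstanceID'; Value = $profileNameEscaped; Flags = 'Key' },
        @{ Name = 'ProfileXML'; Value = $profileXml;         Flags = 'Property' }
    )) {
        $newInstance.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($prop.Name, $prop.Value, 'String', $prop.Flags))
    }

    $session.CreateInstance($namespace, $newInstance, $options) | Out-Null
}

# Usage (profile name and path are placeholders):
# New-AovpnUserTunnel -ProfileName 'Always On VPN User Tunnel' -XmlFilePath 'C:\Temp\user.xml' -AllUserConnection
```

After running with -AllUserConnection, the profile appears in the ProgramData phonebook (the all-users rasphone.pbk) rather than in a per-user path, and every user on the device sees the same connection. Without the switch, the profile is created only for the SID passed in the principal context, which is the per-user behavior that leads to the overwritten auto-trigger values described above.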

PowerON DPC

When using PowerON Platforms’ Dynamic Profile Configurator (DPC) to deploy Always On VPN client configuration settings using on-premises Active Directory or via Intune, no changes are required. DPC deploys Always On VPN user profiles in the “all users” context by default.

Additional Information

New-AovpnConnection.ps1 PowerShell Script on GitHub

PowerON Platforms’ Dynamic Profile Configurator (DPC)

Always On VPN DPC with PowerON Platforms’ DPC


6 Comments

  1. Ed Morgan / April 12, 2023

    We worked with PowerOn and they had us deploy both the device and user tunnel with All User Connection. It means the deployment must be done under System credentials, but it means any user can log in to any machine, as the device tunnel is up, giving AD access, and they get a user certificate, allowing the user tunnel to start and full access.

    Doing it any other way seems like a waste of time?

    • The device tunnel is always deployed in the ‘all users’ context, so nothing new there. By default, the user tunnel is deployed in the individual user’s context but optionally can also be deployed in the ‘all users’ context. Indeed there are some important benefits in doing that, but the scenario you describe can still be accomplished with the user tunnel in the user’s context. 🙂

  2. Nicolai Nyborg / May 24, 2023

    One issue I have with this is that I am unable to have both the user tunnel and the device tunnel be always on, since both are installed in the same context. Do you know of any workaround for this?

    It works fine if I deploy my user tunnel in user context.

    • The device tunnel and user tunnel usually work well together even when deployed in the same context (all users). However, it’s possible that trusted network detection is negatively affecting the operation. Perhaps the user tunnel detects the device tunnel and fails to connect? Or vice versa? You might want to do some testing with trusted network detection disabled to see if that helps.

  3. Max Mueller / November 16, 2023

    We work with the Intune-based setting for Always On VPN and currently we are playing around with shared devices. The VPN is deployed correctly but it will not auto connect (by hand works fine). What is the option here?

    • In a shared device scenario where the user tunnel is provisioned to multiple users on the same device the user who received the most recent user tunnel will automatically connect. All other users on the same device who have user tunnels will not connect automatically. They can connect manually, however.

      The workaround is to deploy the user tunnel using custom XML and deploy the configuration in the ./Device context, as described in this post. That way all users on the device will have a user tunnel that connects automatically.



Discover more from Richard M. Hicks Consulting, Inc.
