Microsoft Always On VPN is a beautiful thing. VPN profiles are assigned to the user (and, optionally, their device). When users power up their device and log on, they are automatically connected to the corporate network and can access all the applications and data they need on-premises. Until recently, though, end users could disconnect the VPN. Why they would do this is beyond comprehension, but sadly, it happens all too often. When it does, it presents a problem for Always On VPN administrators because they must now rely on the user to re-enable this feature. And until they do, they often suffer productivity loss, and their devices may fall out of compliance.
Connect Automatically
When an Always On VPN profile is provisioned to a user (or a device), the VPN profile has the option to ‘Connect automatically’ enabled by default. Unfortunately, this setting is cleared if a user terminates the VPN.
This setting will remain cleared until the user rechecks the box to enable it. Until then, the VPN will no longer connect automatically.
Workarounds
Instead of relying on the grace of the end user to restore Always On functionality, administrators have a few options to correct this problem programmatically.
Intune Remediation
Administrators can use Intune Remediations to deploy a set of detection and remediation scripts I’ve published to update this setting. Now, administrators can enforce ‘Always On’ VPN connections with the assurance that if the user turns off this feature, it will be quickly re-enabled.
Detect-AutoTriggerDisabledProfile.ps1
Remediate-AutoTriggerDisabledProfile.ps1
SCCM
You can find a standalone version of this script here if you use System Center Configuration Manager (SCCM) or another systems management solution to manage your endpoints.
Clear-AutoTriggerDisabledProfile.ps1
AOVPNTools
In addition, the Clear-AutoTriggerDisabledProfile function is included in my AOVPNTools PowerShell module, which can be installed from the PowerShell Gallery.
Install-Module -Name AOVPNTools -Force
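To make the detection/remediation pattern concrete, here is an added example (my own illustration, not the published Detect/Remediate scripts or the AOVPNTools function). It follows the Intune remediation shape: run without -Remediate it behaves as the detection script (exit 1 = non-compliant, exit 0 = compliant), and with -Remediate it behaves as the remediation script. It assumes that Windows records profiles whose 'Connect automatically' box was cleared in the REG_MULTI_SZ value AutoTriggerDisabledProfilesList under HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config; that key, the placeholder profile name, and the function names are assumptions, so verify them against the published scripts before deploying. Because the value lives under HKLM, the write requires an elevated context (SYSTEM or a local administrator), and a profile deployed per user is not visible to Get-VpnConnection when the script runs as SYSTEM.

```powershell
<#
Added example, not one of the scripts published on this page.
ASSUMPTION: disconnected profiles are listed in the REG_MULTI_SZ value
AutoTriggerDisabledProfilesList under
HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config.
Writing to HKLM requires an elevated context (SYSTEM or local administrator).
#>
[CmdletBinding()]
param(
    [string]$ProfileName = 'Contoso Always On VPN',   # placeholder; use your profile name
    [switch]$Remediate                                # absent = detection, present = remediation
)

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config'
$ValueName = 'AutoTriggerDisabledProfilesList'

function Test-ProfileExists {
    param([string]$Name)
    # Check the current user's phonebook first, then the all-users (device /
    # system-context) phonebook. A per-user profile is not visible to SYSTEM.
    $user = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    $all  = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
    return ($null -ne $user) -or ($null -ne $all)
}

function Get-DisabledProfiles {
    # Profile names whose auto-trigger has been cleared; empty when the value is absent.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$ValueName)
}

function Test-AutoTriggerDisabled {
    param([string]$Name)
    return ((Get-DisabledProfiles) -contains $Name)
}

function Clear-AutoTriggerDisabled {
    param([string]$Name)
    # Drop the named profile from the list; delete the value if nothing remains.
    $remaining = @(Get-DisabledProfiles | Where-Object { $_ -ne $Name })
    if ($remaining.Count -eq 0) {
        Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    }
    else {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $remaining -Type MultiString
    }
}

if (-not (Test-ProfileExists -Name $ProfileName)) {
    # Same situation the comments describe: the profile is not visible in this context.
    Write-Warning "VPN connection '$ProfileName' not found."
    exit 0   # nothing to remediate from this context
}

if ($Remediate) {
    Clear-AutoTriggerDisabled -Name $ProfileName
    Write-Output "Auto-trigger re-enabled for '$ProfileName'."
    exit 0
}

if (Test-AutoTriggerDisabled -Name $ProfileName) {
    Write-Output "Auto-trigger disabled for '$ProfileName'."
    exit 1   # non-compliant: Intune will run the remediation script
}
Write-Output "Auto-trigger enabled for '$ProfileName'."
exit 0
```

For Intune, save the script twice (detection without -Remediate, remediation with it hard-coded to $true) and run both in the system context; for SCCM or another management tool, a single copy with -Remediate serves as the standalone fix. Exiting 0 when the profile is not found is a deliberate choice so that devices without the profile are not reported as non-compliant.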
Disable Disconnect Button
To avoid this pain in the future, Always On VPN administrators can prevent users from disconnecting the VPN using the UI by leveraging the DisableDisconnectButton option in ProfileXML. This setting is supported for both user and device tunnels on Windows 11 and later devices.
victor e bassey
/ January 15, 2024
Thanks Richard. This has plagued my current Windows 11 deployment for a client. It was not so much of an issue in Windows 10 though. Would be trying out the remediation scripts.
Richard M. Hicks
/ January 15, 2024
Awesome. Let me know how it goes!
Chris G
/ January 15, 2024
Love this concept Richard, however I’m having a difficult time getting the remediation to run. Our VPN is set per user, but the script needs to run in the system context in order to write to the registry. Every time it runs, it can’t see the VPN and generates a Warning: VPN connection “my vpn name” not found. Any help would be great!
Richard M. Hicks
/ January 15, 2024
Thanks for the feedback. Indeed, that poses a challenge. I originally created this script for a customer using SCCM, for which it worked without issue. Also, I implemented it as an Intune remediation recently but in that case the user VPN profiles were deployed in the system context.
For now, the user would need to have the ability to write to the registry. I’ll investigate further and see if there are any options for a workaround to address this.
Sorry for the trouble!
Armin
/ February 27, 2024
Hi Richard, thanks for your great stuff. In SCCM I also got the message “VPN Connection xxxxx not found” in a User VPN scenario. Does the SCCM script work with User VPN?
Richard M. Hicks
/ February 27, 2024
It does work in the user scenario, but for now it requires the user to have administrative rights on the local machine. Not ideal, I know, but the script is writing to the registry. I’m working to find an alternative, but haven’t had much luck thus far. I’ll update this post when/if I come up with something. 🙂