When Always On VPN Isn’t

Microsoft Always On VPN is a beautiful thing. VPN profiles are assigned to the user (and, optionally, their device). When users power up their device and log on, they are automatically connected to the corporate network and can access all the applications and data they need on-premises. Until recently, though, end users could disconnect the VPN. Why they would do this is beyond comprehension, but sadly, it happens all too often. When it does, it presents a problem for Always On VPN administrators because they must now rely on the user to re-enable this feature. And until they do, they often suffer productivity loss, and their devices may fall out of compliance.

Connect Automatically

When an Always On VPN profile is provisioned to a user (or a device), the VPN profile has the option to ‘Connect automatically’ enabled by default. Unfortunately, this setting is cleared if a user terminates the VPN.

This setting will remain cleared until the user rechecks the box to enable it. Until then, the VPN will no longer connect automatically.

Workarounds

Instead of relying on the grace of the end user to restore Always On functionality, administrators have a few options to correct this problem programmatically.

Intune Remediation

Administrators can use Intune Remediations to deploy a set of detection and remediation scripts I’ve published to update this setting. Now, administrators can enforce ‘Always On’ VPN connections with the assurance that if the user turns off this feature, it will be quickly re-enabled.

Detect-AutoTriggerDisabledProfile.ps1

Remediate-AutoTriggerDisabledProfile.ps1

SCCM

You can find a standalone version of this script here if you use System Center Configuration Manager (SCCM) or another systems management solution to manage your endpoints.

Clear-AutoTriggerDisabledProfile.ps1

AovpnTools

In addition, the Clear-AutoTriggerDisabledProfile function is included in my AOVPNTools PowerShell module, which can be installed from the PowerShell Gallery.

Install-Module -Name AOVPNTools -Force
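To show what a detection/remediation pair for this setting looks like, here is an added example script that is my own illustration, not the published Detect/Remediate scripts, the standalone SCCM script or the AOVPNTools function above. It assumes (this is not stated on the page) that clearing ‘Connect automatically’ adds the profile name to the REG_MULTI_SZ value AutoTriggerDisabledProfilesList under HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config, and that removing the name restores automatic connection. The profile name is a placeholder. Because it writes to HKLM, it must run elevated or as SYSTEM, which is exactly the constraint raised in the comments.

```powershell
[CmdletBinding()]
param(
    # Placeholder profile name: replace with the name of your Always On VPN user or device tunnel.
    [string]$ProfileName = 'Always On VPN User Tunnel',
    # 'Detect' follows the Intune Remediations convention (exit 1 = remediation required);
    # 'Remediate' clears the setting.
    [ValidateSet('Detect', 'Remediate')]
    [string]$Mode = 'Detect'
)

# Assumption (not stated on the page): when a user clears 'Connect automatically', the profile
# name is added to this REG_MULTI_SZ value, which RasMan consults to skip auto-triggering.
$RasManConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config'
$ValueName    = 'AutoTriggerDisabledProfilesList'

function Get-AutoTriggerDisabledProfile {
    # Returns the profile names currently listed in the value (empty array if the value is absent).
    $item = Get-ItemProperty -Path $RasManConfig -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$ValueName | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
}

function Test-AutoTriggerDisabledProfile {
    param([Parameter(Mandatory)][string]$Name)
    # $true means the profile will no longer connect automatically.
    return ((Get-AutoTriggerDisabledProfile) -contains $Name)
}

function Clear-AutoTriggerDisabledProfile {
    param([Parameter(Mandatory)][string]$Name)
    $current = Get-AutoTriggerDisabledProfile
    if ($current -notcontains $Name) { return }
    $remaining = @($current | Where-Object { $_ -ne $Name })
    if ($remaining.Count -eq 0) {
        # No other profiles listed: remove the value rather than leaving an empty list behind.
        Remove-ItemProperty -Path $RasManConfig -Name $ValueName -ErrorAction Stop
    }
    else {
        # Other profiles remain disabled by the user's choice; only drop the one we manage.
        Set-ItemProperty -Path $RasManConfig -Name $ValueName -Value ([string[]]$remaining) `
            -Type MultiString -ErrorAction Stop
    }
}

switch ($Mode) {
    'Detect' {
        if (Test-AutoTriggerDisabledProfile -Name $ProfileName) {
            Write-Output "'Connect automatically' is disabled for '$ProfileName'."
            exit 1   # non-compliant: Intune runs the remediation script
        }
        Write-Output "'$ProfileName' is set to connect automatically."
        exit 0
    }
    'Remediate' {
        Clear-AutoTriggerDisabledProfile -Name $ProfileName
        Write-Output "Removed '$ProfileName' from $ValueName (if it was present)."
        exit 0
    }
}
```

Run it once with -Mode Detect as the detection script and once with -Mode Remediate as the remediation script. Note that the example deliberately never calls Get-VpnConnection to confirm the profile exists: in the SYSTEM context that cmdlet sees SYSTEM’s own phonebook, not the logged-on user’s, which is why a per-user profile can be reported as “not found” as described in the comments. The registry value only stores the profile name, so the name is all the script needs.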

Disable Disconnect Button

To avoid this pain in the future, Always On VPN administrators can prevent users from disconnecting the VPN using the UI by leveraging the DisableDisconnectButton option in ProfileXML. This setting is supported for both user and device tunnels on Windows 11 and later devices.
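As an added illustration (not a ProfileXML from this post or the AOVPNTools module), the following script takes an existing ProfileXML document, adds the DisableDisconnectButton element if it is missing, sets it to true, and provides a check you can run against profiles already in hand. The sample profile, server name and authentication settings are constructed for the example; appending the element as the last child of VPNProfile is assumed to be an acceptable position.

```powershell
# Constructed sample ProfileXML for a device tunnel; replace with your real profile.
$SampleProfileXml = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
</VPNProfile>
'@

function Set-DisableDisconnectButton {
    # Returns a copy of the ProfileXML with <DisableDisconnectButton>true</DisableDisconnectButton>
    # present under the VPNProfile root (Windows 11 and later honour this element).
    param([Parameter(Mandatory)][string]$ProfileXml)
    [xml]$doc = $ProfileXml
    $root = $doc.DocumentElement
    if ($root.Name -ne 'VPNProfile') {
        throw "Not a ProfileXML document: root element is '$($root.Name)'"
    }
    $node = $root.SelectSingleNode('DisableDisconnectButton')
    if ($null -eq $node) {
        $node = $doc.CreateElement('DisableDisconnectButton')
        [void]$root.AppendChild($node)   # placement as last child is an assumption
    }
    $node.InnerText = 'true'
    return $doc.OuterXml
}

function Test-DisableDisconnectButton {
    # $true only when the element exists and is literally 'true'; a missing element
    # or any other value means users can still disconnect from the Settings UI.
    param([Parameter(Mandatory)][string]$ProfileXml)
    [xml]$doc = $ProfileXml
    $node = $doc.DocumentElement.SelectSingleNode('DisableDisconnectButton')
    return ($null -ne $node -and $node.InnerText -eq 'true')
}

# Audit the original, harden it, and audit the result.
Test-DisableDisconnectButton -ProfileXml $SampleProfileXml
$hardened = Set-DisableDisconnectButton -ProfileXml $SampleProfileXml
Test-DisableDisconnectButton -ProfileXml $hardened
$hardened
```

The check function is useful on its own: run it over the ProfileXML you have exported or stored in source control before deployment, since the element is only enforced on Windows 11 and later and a profile that lacks it silently leaves the Disconnect button available.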

Additional Information

AOVPNTools PowerShell Module

AOVPNTools PowerShell Module on GitHub

Always On VPN and Intune Remediations


6 Comments

  1. victor e bassey / January 15, 2024

    Thanks Richard. This has plagued my current Windows 11 deployment for a client. It was not so much of an issue in Windows 10 though. Would be trying out the remediate scripts.

  2. Chris G / January 15, 2024

    Love this concept Richard, however I’m having a difficult time getting the remediation to run. Our VPN is set per user, but the script needs to run in the system context in order to write to the registry. Every time it runs, it can’t see the VPN and generates a Warning: VPN connection “my vpn name” not found. Any help would be great!

    • Thanks for the feedback. Indeed, that poses a challenge. I originally created this script for a customer using SCCM, for which it worked without issue. Also, I implemented it as an Intune remediation recently but in that case the user VPN profiles were deployed in the system context.

      For now, the user would need to have the ability to write to the registry. I’ll investigate further and see if there are any options for a workaround to address this.

      Sorry for the trouble!

      • Armin / February 27, 2024

        Hi Richard, thanks for your great stuff. In SCCM I also got the message “VPN Connection xxxxx not found” in a User VPN scenario. Does the SCCM script work with User VPN?

      • It does work in the user scenario, but for now it requires the user to have administrative rights on the local machine. Not ideal, I know, but the script is writing to the registry. I’m working to find an alternative, but haven’t had much luck thus far. I’ll update this post when/if I come up with something. 🙂
