Microsoft Always On VPN is a beautiful thing. VPN profiles are assigned to the user (and, optionally, their device). When users power up their device and log on, they are automatically connected to the corporate network and can access all the applications and data they need on-premises. Until recently, though, end users could disconnect the VPN. Why they would do this is beyond comprehension, but sadly, it happens all too often. When it does, it presents a problem for Always On VPN administrators because they must now rely on the user to re-enable this feature. And until they do, they often suffer productivity loss, and their devices may fall out of compliance.
Connect Automatically
When an Always On VPN profile is provisioned to a user (or a device), the VPN profile has the option to ‘Connect automatically’ enabled by default. Unfortunately, this setting is cleared if a user terminates the VPN.
This setting will remain cleared until the user rechecks the box to enable it. Until then, the VPN will no longer connect automatically.
Workarounds
Instead of relying on the grace of the end user to restore Always On functionality, administrators have a few options to correct this problem programmatically.
Intune Remediation
Administrators can use Intune Remediations to deploy a set of detection and remediation scripts I’ve published to update this setting. Now, administrators can enforce ‘Always On’ VPN connections with the assurance that if the user turns off this feature, it will be quickly re-enabled.
Detect-AutoTriggerDisabledProfile.ps1
Remediate-AutoTriggerDisabledProfile.ps1
SCCM
You can find a standalone version of this script here if you use System Center Configuration Manager (SCCM) or another systems management solution to manage your endpoints.
Clear-AutoTriggerDisabledProfile.ps1
AovpnTools
In addition, you will find the Clear-AutoTriggerDisabledProfile function is included in my AOVPNTools PowerShell module, which can be installed from the PowerShell gallery.
Install-Module -Name AOVPNTools -Force
Disable Disconnect Button
To avoid this pain in the future, Always On VPN administrators can prevent users from disconnecting the VPN using the UI by leveraging the DisableDisconnectButton option in ProfileXML. This setting is supported for both user and device tunnels on Windows 11 and later devices.
Additional Information
AOVPNTools PowerShell Module
AOVPNTools PowerShell Module on GitHub
Always On VPN and Intune Remediations
Like this:
Like Loading...