
Keeping Always On VPN – always on?

The Microsoft Always On VPN solution, pushed by Microsoft as the successor to DirectAccess, is a great tool for remote workers and admins alike because it's always on – or is it?

Despite the high level of skill required to implement this technology, many try their luck with the official documentation from Microsoft, only to end up at the troubleshooting section at https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-troubleshooting, which only scratches the surface of the woes you will run into with this technology…

But setting all the configuration issues aside for a moment… I think that anyone working with Microsoft Always On VPN infrastructure and client configuration has run into an issue where user tunnel connections don't always auto-connect, despite "AlwaysOn" having been configured in the ProfileXML or the Intune configuration policy.

Some hacks to fix this include scheduling the "rasdial <connection name>" command to re-establish the connection, but wouldn't you rather know why it has stopped auto-connecting?

Why is it not auto connecting then?

This might have happened because the user manually disconnected the user tunnel at some point in time, or because of something that is yet to be explained.

In any case, what happens is that this lands the VPN connection on a list in the registry called AutoTriggerDisabledProfilesList, a REG_MULTI_SZ value that you will want to clear the Always On VPN connection name out of.

Registry location of AutoTriggerDisabledProfilesList

The AutoTriggerDisabledProfilesList value, located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config, is a list of profile names; any profile on the list is kept in a disconnected state (no auto-trigger), and the list survives reboots and whatnot.

Can Intune help me fix this?

Sure! You could use PowerShell to achieve this goal in a crude fashion or, even better, create a .intunewin package that removes unwanted entries, with a detection rule that looks for a certain value in this registry property.

I have yet to create this package, so please feel free to share in the comments, as I am sure it could save a lot of people some extra time.

For the detection method you could use:

$connectionName = "Always On VPN Connection Name"
$config = Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config -ErrorAction SilentlyContinue
if (@($config.AutoTriggerDisabledProfilesList) -icontains $connectionName) {
    # Non-zero exit = "not detected" in Intune, so the remediation package will be installed
    Write-Host "Found connection: $connectionName in disabled profile list!"
    exit 1
}
# Intune only treats the app as detected when the exit code is 0 AND STDOUT is non-empty
Write-Host "Connection $connectionName is not in the disabled profile list."
exit 0
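To go with the detection script, here is a remediation script that could form the install command of such an .intunewin package. It is an added example, not the author's package (which, as noted above, does not exist yet): it reads the REG_MULTI_SZ from the registry location described above, drops only the named profile (case-insensitively) while keeping any other entries, and writes the list back. The registry path and value name are the ones from this post; the connection name is a placeholder you replace with your own profile name, and the trailing rasdial call is the optional re-connect hack from earlier in the post, not something the registry change requires.

```powershell
#Requires -RunAsAdministrator
# Added example: remove one Always On VPN profile from RasMan's AutoTriggerDisabledProfilesList
# so that auto-trigger applies to it again. Run in SYSTEM context (Intune) or an elevated shell.
param(
    # Placeholder: set this to the exact name of your Always On VPN user tunnel profile
    [string]$ConnectionName = "Always On VPN Connection Name",
    # Optional: re-establish the tunnel straight away with rasdial (the hack mentioned in the post)
    [switch]$Reconnect
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config'
$valueName = 'AutoTriggerDisabledProfilesList'

function Get-DisabledProfileList {
    # Returns the current REG_MULTI_SZ as a string array, or an empty array if the value is absent.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$valueName | Where-Object { $_ })   # drop null/empty strings
}

function Remove-DisabledProfile {
    param([Parameter(Mandatory)][string]$Name)

    $current = Get-DisabledProfileList
    if (-not ($current -icontains $Name)) {
        Write-Host "'$Name' is not in $valueName; nothing to do."
        return $false
    }

    # Keep every other entry untouched; only the named profile is removed.
    $remaining = [string[]]@($current | Where-Object { $_ -ine $Name })

    # Write the filtered list back as REG_MULTI_SZ (an empty list is written as an empty value
    # rather than deleting the value, so RasMan still finds the key it expects).
    Set-ItemProperty -Path $regPath -Name $valueName -Value $remaining -Type MultiString -ErrorAction Stop
    Write-Host "Removed '$Name' from $valueName (remaining entries: $($remaining.Count))."
    return $true
}

$changed = Remove-DisabledProfile -Name $ConnectionName

if ($changed -and $Reconnect) {
    # Optional: bring the tunnel up now instead of waiting for the next auto-trigger.
    rasdial "$ConnectionName"
}

# Exit 0 on success so Intune treats the install as completed; the detection script then
# confirms the profile is no longer on the list.
exit 0
```

Packaged as a Win32 app, the install command would be along the lines of `powershell.exe -ExecutionPolicy Bypass -File .\Remove-DisabledProfile.ps1 -ConnectionName "<your profile name>"`, with the detection script from above as the custom detection rule; after the fix runs, the detection script exits 0 with output, so Intune reports the app as installed and will not re-run the remediation until the profile lands on the list again.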

Final thoughts

Adding a fix via Intune nicely complements the fact that Intune is the preferred distribution mechanism for the Always On VPN profiles. And even though this seems like a bug, it’s a feature, and as such it might never end up on the troubleshooting page.

But I would have liked an option within Intune’s VPN CSP that disables this feature for those organizations with explicit requirements for users to be connected via VPN at all times.

That's it for me this time – as always, I hope you will do me the honor of following me on Twitter (@michael_mardahl).


Michael Mardahl

Michael works as a Cloud Architect with APENTO in Denmark, specializing in customer journeys from classic infrastructure to cloud consumption, and is certified as a "Microsoft 365 Enterprise Administrator Expert".
He has been in the IT industry for more than 20 years and has experience from a broad range of IT projects. When not at work, Michael enjoys spending time with family and friends, and blogs passionately about Enterprise Mobility whenever he has time to spare.
