Deleting an Always On VPN Device Tunnel

Windows 10 Always On VPN supports both a user tunnel for corporate network access and a device tunnel, typically used to provide pre-logon network connectivity and to support manage-out scenarios. Testing Always On VPN is often an iterative, trial-and-error process of fine-tuning configuration parameters to achieve the best experience, and as part of that process it will often be necessary to delete a connection. For the user tunnel the process is simple and straightforward: disconnect the session and delete the connection in the UI.


Deleting a device tunnel connection presents a unique challenge, though: there is no VPN connection in the UI to disconnect and remove. To delete an Always On VPN device tunnel, open an elevated PowerShell window and enter the following command.

Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force

If the device tunnel is connected when you try to remove it, you will receive the following error message.

The VPN connection [connection_name] cannot be removed from the global user connections. Cannot
delete a connection while it is connected.


The device tunnel must first be disconnected to resolve this issue. Enter the following command to disconnect the device tunnel.

rasdial.exe [connection_name] /disconnect

Once the tunnel is disconnected, remove the device tunnel connection using the PowerShell command above.
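The two steps above combined into one script, as an added example that is not code from the original post: it disconnects the named device tunnel with rasdial.exe, confirms through Get-VpnConnection that the profile reports Disconnected, removes only that profile (piping Get-VpnConnection -AllUserConnection into Remove-VpnConnection without a name would remove every machine-wide profile), and retries a bounded number of times because the tunnel can auto-reconnect between the two commands. $ProfileName is a placeholder; run it from an elevated PowerShell window.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell window.
$ProfileName = 'Device Tunnel'   # placeholder: replace with your device tunnel's profile name

function Remove-AovpnDeviceTunnel {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [int] $MaxAttempts = 5
    )

    # Device tunnels live in the all-user (global) phonebook, so -AllUserConnection is
    # required. A missing profile is a non-terminating error; treat it as "nothing to do".
    $conn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
    if (-not $conn) {
        Write-Host "No device tunnel named '$Name' found; nothing to remove."
        return $true
    }

    for ($i = 1; $i -le $MaxAttempts; $i++) {
        # rasdial.exe is what drops a device tunnel session. Quote the name so that
        # profile names containing spaces are passed as a single argument.
        & rasdial.exe "$Name" /disconnect | Out-Null

        $conn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
        if ($conn -and $conn.ConnectionStatus -ne 'Disconnected') {
            Write-Host "Attempt ${i}: tunnel still reports '$($conn.ConnectionStatus)', retrying..."
            Start-Sleep -Milliseconds 500
            continue
        }

        try {
            # Remove only this profile, never the whole all-user phonebook.
            Remove-VpnConnection -Name $Name -AllUserConnection -Force -ErrorAction Stop
        } catch {
            # Typical failure: the tunnel auto-reconnected between disconnect and remove.
            Write-Host "Attempt ${i}: removal failed ($($_.Exception.Message)), retrying..."
            Start-Sleep -Milliseconds 500
            continue
        }

        # Verify the profile is really gone before reporting success.
        if (-not (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue)) {
            Write-Host "Device tunnel '$Name' removed."
            return $true
        }
    }

    Write-Warning "Could not remove '$Name' after $MaxAttempts attempts."
    return $false
}

Remove-AovpnDeviceTunnel -Name $ProfileName
```

The verification after Remove-VpnConnection matters: the cmdlet can succeed on a profile that is then immediately re-created by policy, so the function only returns $true once Get-VpnConnection no longer finds the name.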

Additional Resources

Windows 10 Always On VPN Device Tunnel Step-by-Step Configuration using PowerShell

What’s The Difference Between DirectAccess and Always On VPN?

Windows 10 Always On VPN Recommendations for Windows Server 2016 Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN Hands-On Training


50 Comments

  1. Andy

     April 6, 2018

    rasphone -R "Device Tunnel" seems to work with one command

    • Thanks for the tip. I’ll have to give that a try! 🙂

    • FYI: On my Windows 10 build 1803 I had to use:
      rasphone -h "VPN-Tunnel-Name"

      • Phi

         March 19, 2019

        How do I remove a "LockDown" VPN DeviceTunnel? I cannot do it the same as a normal DeviceTunnel -> disconnect with rasdial and then delete in PowerShell, because even with psexec in a system context I get an error that I do not have enough permission. Has anyone ever had to delete a LockDown VPN connection?

      • I’ve never used or even tested that LockDown option for Windows 10 Always On VPN. However, someone who follows this blog sent me the following PowerShell code that should remove it.

        PsExec.exe -s C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe (do NOT use the -i switch!)

        $namespaceName = "root\cimv2\mdm\dmmap"
        $className = "MDM_VPNv2_01"

        $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
        Remove-CimInstance -CimInstance $obj

        Let me know how it goes!
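As an added example (not the script shared in the comment above, nor Richard's), here is a version of that MDM Bridge WMI removal that first lists the VPNv2 profiles the bridge exposes and then removes only the one whose InstanceID matches the profile name, instead of every instance of MDM_VPNv2_01. $ProfileName is a placeholder; the %20 escaping of spaces in InstanceID follows Microsoft's WMI bridge guidance. Like the original, it must run as SYSTEM, for example launched with PsExec.exe -s (without -i), because the bridge namespace is only reachable from the LocalSystem context.

```powershell
# Added example, not the commenter's script. Run as SYSTEM (e.g. PsExec.exe -s powershell.exe).
$ProfileName = 'AONVPN'   # placeholder: the VPNv2 profile (node) name to remove

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'

# In the MDM bridge, spaces in the profile name are stored %20-encoded in InstanceID
# (per Microsoft's WMI bridge guidance for VPNv2 profiles).
$escapedName = $ProfileName -replace ' ', '%20'

function Get-Vpnv2BridgeProfiles {
    # Every VPNv2 profile the bridge knows about. InstanceID is the profile name,
    # ParentID is the CSP node path (./Vendor/MSFT/VPNv2).
    return @(Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction Stop)
}

function Remove-Vpnv2BridgeProfile {
    param([Parameter(Mandatory)] [string] $InstanceId)

    $profiles = Get-Vpnv2BridgeProfiles
    $profiles | Select-Object InstanceID, ParentID | Format-Table -AutoSize | Out-Host

    # Filter rather than piping $profiles straight into Remove-CimInstance, which would
    # delete every MDM-managed VPN profile on the device, not just the one you mean.
    $target = $profiles | Where-Object { $_.InstanceID -eq $InstanceId }
    if (-not $target) {
        Write-Warning "No VPNv2 profile with InstanceID '$InstanceId' found in $className."
        return $false
    }

    Remove-CimInstance -InputObject $target -ErrorAction Stop

    # Verify the profile is gone before reporting success.
    $remaining = Get-Vpnv2BridgeProfiles | Where-Object { $_.InstanceID -eq $InstanceId }
    if ($remaining) {
        Write-Warning "Profile '$InstanceId' is still present after removal."
        return $false
    }
    Write-Host "Profile '$InstanceId' removed."
    return $true
}

Remove-Vpnv2BridgeProfile -InstanceId $escapedName
```

If Get-CimInstance itself fails with a general error (as in a later comment on this page), the usual cause is not running in the LocalSystem context; check that the PowerShell process really was started with PsExec.exe -s before looking further.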

      • phi

         March 20, 2019

        Hey Richard
        Thank you for the answer, it worked!
        Of course we need to edit this over the WMI/CSP bridge... I found a series of articles by Microsoft explaining the whole WMI bridge thing. Maybe it is of help for someone: https://blogs.technet.microsoft.com/tip_of_the_day/2016/10/06/tip-of-the-day-configure-vpn-profiles-using-the-sccmwmi-bridge-part-1/
        About the LockDown VPN, you did not miss out. We decided not to use it, the reason being: it does not support "TrustedNetworkDetection". So if you're inside your organisation and the VPN does not connect (which is OK), LockDown actually prevents you from accessing anything in the network. We just wanted to have that behaviour when the clients are outside the organisation. This way we would have to rebuild the whole network to have a kind of "zero trust" environment; maybe next time.
        Thanks again for the Help.

      • Great to hear! I agree, LockDown VPN sounds intriguing initially, but when you look at the list of challenges it poses (lack of trusted network detection being one of them!) then you start to realize it is a bit heavy-handed. And making matters worse, it is difficult to actually remove the connection once it is deployed (as you found out!). I'll have to do a write-up of this and perhaps save others some pain of going down the testing path only to learn this same thing. Look for that soon. 🙂

  2. Mike

     May 14, 2018

    If I run the command to disconnect the Device Tunnel, it says “No Connections”. Then if I try to remove it, it says it “cannot delete a connection while it is connected”. 1803.

    • Odd. Make sure that if your VPN connection name has spaces in it that you use quotes for it. Other than that, disconnecting with rasdial.exe should absolutely work. 🙂

      • Daniel Bolton

         November 8, 2018

        Hi, is there a way to close a device tunnel without running the command as administrator? I seem to be unable to close the tunnel unless I execute the command from an elevated command prompt. Thanks 🙂

      • I don't believe so. As the device tunnel runs in the context of the system account, you'll almost certainly require administrative rights to do anything with it.

  3. Daniel Bolton

     November 12, 2018

    Thanks Richard, that was my feeling also 🙂 Could I ask another question? We have managed to deploy both Device and User tunnels without any issues. My understanding from MS is that you can run a Device tunnel, then launch a User tunnel at the same time on the same machine; perhaps to allow additional access to internal systems based upon VPN IP address/subnet. The User tunnel launches fine, the Device tunnel drops... then the User tunnel drops and the Device tunnel connects again. We have logged this issue with MS and it is looking like a bug, but I wondered if you had seen this yourself and if you had any information or guidance? Thanks, Danny

  4. Petter

     April 16, 2019

    Hello Richard,

    It sometimes seems like the device tunnel reconnects right away when disconnecting with rasdial /disconnect. Is this expected?

    Also, is there any other way to disconnect from a device tunnel other than using that rasdial-command?

    Thanks!

    • Yes. I have the same experience. I'm not aware of any way to disconnect the device tunnel other than with rasdial.exe. If you're trying to delete it using Remove-VPNConnection, for example, you have to disconnect it and then immediately and quickly run the command to remove it before it reconnects. Alternatively you could use PowerShell and WMI to forcibly remove the connection even while it's connected, much as you would with a LockDown VPN connection.

  5. sccm2012site

     October 22, 2019

    I found this combination run together at the same time worked for me.

    rasdial /disconnect
    Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force

  6. Geir Helge Nygjerde

     November 30, 2019

    I have successfully configured Always on VPN Device Tunnel in my lab. Going from DirectAccess, where the connection showed connected or disconnected when switching between domain networks (trusted network) and external networks.
    With my AOVPN Device Tunnel, I can see that the vpn connection is connecting and is working as it should, but when I switch back to domain network (trusted network), the VPN connection stays connected and the traffic is still routed through my RRAS server. Is this the default behaviour, or have I done something wrong?

  7. sebus

     April 20, 2020

    Is there a way to DISABLE the machine tunnel from command line (but not remove it)?

  8. Ross Aveling

     May 5, 2020

    As others have noted, once disconnected the VPN could come up again very quickly before we have a chance to remove it. If those two commands are run a couple of times it usually works.

    I've now used a loop in PowerShell to ensure an existing Always On VPN is removed before re-adding it (ideal when you want to update the settings of the VPN):

    $ProfileName = "Device Tunnel" # name of the VPN profile to remove
    #Check to see if VPN already exists and remove
    Do
    {
        Write-Host "VPN profile $ProfileName already exists."
        Start-Process -FilePath rasdial.exe -ArgumentList "`"$ProfileName`"", '/disconnect' -Wait #Disconnect
        Remove-VpnConnection -Name $ProfileName -Force -AllUserConnection #Remove
    } While (Get-VpnConnection -Name $ProfileName -AllUserConnection -ErrorAction SilentlyContinue)

    • Ross Aveling

       May 5, 2020

      Actually, the existence of the VPN should be evaluated first, now changed to:

      $ProfileName = "Device Tunnel" # name of the VPN profile to remove
      While (Get-VpnConnection -Name $ProfileName -AllUserConnection -ErrorAction SilentlyContinue)
      {
          Write-Host "VPN profile $ProfileName already exists."
          Start-Process -FilePath rasdial.exe -ArgumentList "`"$ProfileName`"", '/disconnect' -Wait #Disconnect
          #Start-Process -FilePath rasphone.exe -ArgumentList '-r', "`"$ProfileName`"" -Wait #Remove using rasphone.exe
          Remove-VpnConnection -Name $ProfileName -Force -AllUserConnection #Remove using PowerShell
      }

  9. James Holder

     June 18, 2020

    Hi Richard, ever seen the issue whereby the Device Tunnel is disconnected, Windows Network view shows it as Disconnected and Get-VpnConnection shows the status as Disconnected, but when you do Remove-VpnConnection it says it is still connected so can’t be deleted…?!

    • I have not! Odd for sure. If you try to disconnect using rasdial.exe or rasphone.exe can you delete it then?

      • James Holder

         June 19, 2020

        Hey Richard, so yes, it was rasdial.exe doing the disconnect command in the WHILE loop (posted in an earlier comment) with the Remove-VpnConnection command straight after. It would appear rasdial.exe does disconnect the Device Tunnel, yet Remove-VpnConnection fails stating it is still connected. I thought it was odd as well… It’s happened to me a few times now. Yet other times, it works OK. Not to worry though, thanks. 🙂

      • Very strange, and quite frustrating for sure. Not sure if it will help, but you might want to try using rasphone.exe -h [VPN profile name] as I’ve had better luck getting it to reliably disconnect VPN sessions. 🙂

  10. Hi Richard, do you know if there's a way to prevent the users from removing the user tunnel? I've had a few support calls now where the user has managed to do that.

    • I've had a few people ask about this, and I think the best way to do this is to hide the VPN settings in the control panel. It might not be perfect, but it may help. I'll have to write something about this soon, but for now a Bing/Google search should yield some information on the specific policy settings required.

  11. Panos83

     July 24, 2020

    Hello, I face a weird problem when trying to delete the Always On VPN.
    Get-CimInstance : A general error occurred that is not covered by a more specific error code.
    At C:\Remove-LockDownVPN.ps1:136 char:16
    + … mInstance = Get-CimInstance -Namespace ‘root\cimv2\mdm\dmmap’ -ClassN …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
    Removing LockDown VPN Connection “AONVPN”…
    Remove-CimInstance : Cannot bind argument to parameter ‘InputObject’ because it is null.
    At C:\Remove-LockDownVPN.ps1:144 char:33
    + Remove-CimInstance -CimInstance $CimInstance
    + ~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Remove-CimInstance], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Management.Infrastructure.CimCm
    dlets.RemoveCimInstanceCommand

    Any suggestions?

    • Are you specifically trying to remove a lockdown VPN profile? Or just a regular user or device tunnel?

      • Panos83

         July 24, 2020

        Hello, a device tunnel, correct! On some workstations the script works!

      • Ok. That script is specifically for lockdown VPN profiles. Not sure if it will work for a regular device tunnel. I’m working on a script now that I haven’t published. I’m happy to share if you’d like to test. 🙂

      • Panos83

         July 24, 2020

        Sorry, I did not read your previous comment well. It is a LockDown device tunnel I would like to remove. On most workstations it works, but on 1-2 I cannot remove the tunnel.

      • Ok, that script should work. Not sure why it is failing in some cases.

  12. Panos83

     July 24, 2020

    Hello, thanks, your answers are really helpful.
    So is there any way to delete the aonvpn locked or any possible logs to check in order to delete it?
    Thank you!

    • If it is a lockdown VPN profile my script should work. Not sure why it isn't. I'd suggest deleting the entry in rasphone.pbk and rebooting to see if that does the trick.

  13. Erik Jansson

     October 1, 2020

    Hi, has anyone experienced issues with automatic reconnection after using: rasdial.exe [connection_name] /disconnect ?
    I was using it in a script and since then, users have to connect manually!? I have checked the autoconnect properties in rasphone.pbk and "AutoTriggerDisabledProfileList" in the registry but no changes. I can't figure out what rasdial is modifying when it simply should disconnect.

    Cheers!
    Erik

    • I’ve seen this before, but no idea why it happens to be honest. :/

    • Louis Paretti

       December 16, 2020

      Have you found a resolution for this? I am in the same boat. rasdial /disconnect disconnects the VPN and also unchecks the Connect automatically box. You need to manually re-check the box.

      What I did find is when you uncheck the Connect automatically box it adds the VPN name to the AutoTriggerDisabledProfileList and removes some other values here: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config

      When you re-check the box, it adds those values back and removes the VPN from the AutoTriggerDisabledProfileList.

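An added example, not code from the original post or its commenters, that turns the registry observation above into a check: it reads RasMan's AutoTriggerDisabledProfileList (a REG_MULTI_SZ under the key named in the comment), reports whether a given profile has been placed in it, which is the state that stops the profile from auto-connecting, and can take the profile back out. $ProfileName is a placeholder; run it elevated.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell window.
$ProfileName  = 'Device Tunnel'   # placeholder: the VPN profile name to check
$RasManConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config'
$ValueName    = 'AutoTriggerDisabledProfileList'

function Get-AutoTriggerDisabledProfiles {
    # REG_MULTI_SZ comes back as a string array; a missing value means an empty list.
    $item = Get-ItemProperty -Path $RasManConfig -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$ValueName)
}

function Test-AutoTriggerDisabled {
    param([Parameter(Mandatory)] [string] $Name)
    # $true when the profile is listed, i.e. Windows will not auto-trigger it.
    return ((Get-AutoTriggerDisabledProfiles) -contains $Name)
}

function Enable-AutoTrigger {
    param([Parameter(Mandatory)] [string] $Name)
    # Write the list back without this profile; an empty array clears the value.
    $list = @(Get-AutoTriggerDisabledProfiles | Where-Object { $_ -ne $Name })
    Set-ItemProperty -Path $RasManConfig -Name $ValueName -Value ([string[]]$list) -Type MultiString
    return (-not (Test-AutoTriggerDisabled -Name $Name))
}

if (Test-AutoTriggerDisabled -Name $ProfileName) {
    Write-Warning "'$ProfileName' is listed in $ValueName; auto-connect is disabled for it."
    if (Enable-AutoTrigger -Name $ProfileName) {
        Write-Host "Removed '$ProfileName' from $ValueName."
    }
} else {
    Write-Host "'$ProfileName' is not listed in $ValueName."
}
```

Removing the entry only reverses the part of the change the comment identifies by name; the comment also reports that unchecking the box removes other values under the same key, so after running this, confirm in the UI that Connect automatically is checked again rather than assuming the list alone restores it.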
  14. David White

     October 5, 2020

    Hi Richard.

    Did you complete the device tunnel removal script you were working on?

    We need to update the device tunnel but are getting somewhat mixed (mostly failure) results with rasphone -h and rasdial /disconnect (rasdial hangs the script when run in system context).

    Thanks.
    David

  1. Always On VPN RasMan Device Tunnel Failure | Richard M. Hicks Consulting, Inc.
  2. Always On VPN Device Tunnel Missing in Windows 10 UI | Richard M. Hicks Consulting, Inc.
  3. Always On VPN Device Tunnel Does Not Connect Automatically | Richard M. Hicks Consulting, Inc.
  4. Always On VPN Device Tunnel Configuration using Intune | Richard M. Hicks Consulting, Inc.
  5. Always On VPN Device Tunnel Operation and Best Practices | Richard M. Hicks Consulting, Inc.
  6. Always On VPN Device Tunnel Only Deployment Considerations | Richard M. Hicks Consulting, Inc.
