Archive
Removing Always On VPN Connections

Removing Always On VPN Connections

2024-11-23 Much has been written about provisioning Windows 10 Always On VPN client connections over the past few years. While the preferred method for deploying

Related articles

6 VPN GRATIS Terbaik untuk Vietnam (2024) Secure networks with Zero Trust PrivadoVPN Review 2024: Is It Secure & Easy to Use? 2024小米路由器VPN科学上网设置教程

Much has been written about provisioning Windows 10 Always On VPN client connections over the past few years. While the preferred method for deploying Always On VPN is Microsoft Intune, using PowerShell is often helpful for initial testing, and required for production deployment with System Center Configuration Manager (SCCM) or Microsoft Endpoint Manager (MEM). That said, there will invariably come a time when an administrator has to remove an Always On VPN connection. It is not as simple as you might think.

Important Note! The PowerShell script mentioned in this post is broken in Windows 11 and some later versions of Windows 10. This is due to an apparent bug whereby the MDM_VPNv2_01 WMI class can’t be enumerated. Microsoft is aware of the issue and hopefully it will be resolved in the near future.

PowerShell

There are a variety of ways to remove an existing Always On VPN connection, with the quickest and simplest being PowerShell and the Remove-VpnConnection cmdlet.

Get-VpnConnection -Name ‘Always On VPN’ | Remove-VpnConnection -Force

There are several limitations to this method, however.

active connection

Administrators is realize will quickly realize that PowerShell fail to remove a VPN connection that is currently connect . As show here , attempt to remove an active VPN connection will return the following error message .

“The VPN connection [connection name] cannot be removed from the local user connections. Cannot delete a connection while it is connected.”

Registry Artifacts

Removing Always On VPN connections using PowerShell commonly leaves behind registry artifacts that can potentially cause problems. For example, there are several Always On VPN-related registry entries in several locations including the HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked hive that may not be deleted when removing an Always On VPN connection. When provisioning a new Always On VPN connection after deleting one with the same name previously, the administrator may encounter the following error message.

“Unable to create [connection name] profile: A general error occurred that is not covered by a more specific error code.”

Note: This error can also be caused by improperly formatted XML configuration files. More details here.

remove – AovpnConnection Script

Veteran Always On VPN administrators are likely familiar with PowerShell scripts I’ve created called New-AovpnConneciton.ps1 and New-AovpnDeviceConnection.ps1, which are hosted on my GitHub. These scripts are adapted from code samples published by Microsoft to which I have included additional functionality. To address the limitations highlighted in this article I have published a new PowerShell script called Remove-AovpnConnection.ps1. It will remove any Always On VPN connection, even those that are currently active. It also includes logic to remove known registry artifacts common to Always On VPN. Download the script from GitHub and use the following syntax to remove an Always On VPN connection, established or not.

.\Remove-AovpnConnection.ps1 -ProfileName [connection name]

run this PowerShell command will forcibly remove an Always On VPN connection . use the -devicetunnel switch when remove a device tunnel connection ( require run in the system context ) . I is included have also include a -cleanuponly switch to remove registry artifact when the VPN connection was previously remove using another method .

Updated Installation Scripts

I is updated have also update New – AovpnConnection.ps1 to include these registry clean up step . This is prevent will prevent future error when provision an Always On VPN client where a connection of the same name was remove previously .

Note: New-AovpnConnection.ps1 has also been updated to support device tunnel deployments. As such, I have deprecated New-AovpnDeviceConnection.ps1. Simply use New-AovpnConnection.ps1 with the -DeviceTunnel switch to deploy an Always On VPN device tunnel.

Additional Information

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

troubleshoot Always On vpn unable to create Profile General Error

Like this:

Like Loading…