Forum Discussion

Peter Holland's avatar
Peter Holland
Iron Contributor
Apr 28, 2021
Solved

Prevent users from disconnecting AOVPN user tunnel

Hi,   Is there any client configuration I can apply, registry entries or other policies, to remove the 'disconnect' button from the AOVPN user tunnel?   It's not very 'always on' if users can dec...
  • Peter Holland's avatar
    Peter Holland
    Mar 06, 2023
    Microsoft have implemented the required change (just needs to filter into Windows 10 and the intune management profiles)
    https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenamedisabledisconnectbutton

    posted for anyone else seeking this info in the future
    also see the blog post by the incomparable Richard Hicks https://directaccess.richardhicks.com/2023/03/06/always-on-vpn-csp-updates/
Mousefluff's avatar
Mousefluff
Iron Contributor
Feb 24, 2023

Peter Holland Here's another example of a batch file that utilizes PowerShell, disables bypassing / inbound outbound firewall rules, and blocks all traffic in either directions. You can script it in almost the same way as you would on Windows Server, although I'm using this on a running operating system image. The only difference is probably a few cmdlets that don't exist on Windows 11 Home:

@ECHO OFF
SETLOCAL
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block -AllowUnicastResponseToMulticast False -NotifyOnListen True -EnableStealthModeForIPsec True}"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule}"
ENDLOCAL

Here's another one that automatically creates and enables a firewall rule for the Windows Time Service:

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'Windows Time Service' -Profile Any -Protocol UDP -LocalPort 123 -RemotePort 123 -Service W32Time}"

Windows Defender Firewall with Advanced Security Administration with Windows PowerShell -> https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell

 

Service overview and network port requirements for Windows -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

 

Configure network infrastructure to support the NLB ( Network Load Balancing ) operation mode -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-network-to-support-nlb-operation-mode

 

Windows Admin Center -> https://www.microsoft.com/en-us/windows-server/windows-admin-center

Resources