SOLVED

Prevent users from disconnecting AOVPN user tunnel

Iron Contributor

Hi,

 

Is there any client configuration I can apply, registry entries or other policies, to remove the 'disconnect' button from the AOVPN user tunnel?

 

It's not very 'always on' if users can decide to just drop and establish the connection, that's more just VPN.

 

I get that some organisations can be fine with users having the autonomy to drop and establish the user tunnel as they see fit, but this is surely potentially show stopping for a lot of organisations.

 

I have seen the unusable and pointless dumpster fire that is "lockdown VPN" and this really isn't the answer... unless the question is "how can I make it so that all client computer connectivity is completely useless even when connected to the internal LAN?"

 

There are registry settings that put the device tunnel in the networking flyout, are there others that I haven't found that remove the disconnect button?

 

worst case scenario can we hide the user tunnel and it's connect/disconnect as the device tunnel is, whilst retaining the user tunnel configuration?

 

Another thing is the option to prevent users from deselecting the 'automatically connect' checkbox. is there a control for that?

 

Usually we have admin control of a daft amount of things, how is there so little (at least at face value) in the way of options for something as potentially business critical as AOVPN?

 

mini-rant/questions over 🙂

 

Pete

18 Replies
I've created a feedback entry for making "Always On VPN" always ON
https://aka.ms/AAjrdy3

@Peter HollandMost in your situation would set up the router handle everything, and not the client, such as network service configuration, including the VPN login / tunneling, as well as DNS filtering ( which is necessary to block proxies / DoH / 3rd party resolvers from bypassing the endpoint filtering. )

@Peter Holland Routers allow you to create VLANs where you can partition each device on the network. Obviously if you're worried about a client not being able to see a LAN address, then of course you could enable that network service, but block all the rest, so the client is forced to tunnel through the VPN to get to a WAN address ( all incoming connections MUST be blocked. ) The most basic service configuration has Unicast DNS ( UDP 53, ) Multicast DNS / mDNS ( UDP 5353, ) HTTP ( TCP 80, ) HTTPS / SSL / TLS 1.3+ ( TCP 443, ) and maybe WireGuard ( UDP 51820. ) In a rare situation, it would be UDP 123 for NTS / NTP ( Network Time Security / Network Time Protocol. ) Often you can tunnel almost any other service, including NTP, over the VPN, other than using DNS to bootstrap a DNS Stub Resolver, which in turn feeds a DNS server. In actuality, you could block all outgoing connections that don't utilize WireGuard ( UDP port 51820, ) and it would still work, although it will fail if the timestamps are inaccurate, or the system clock is not up to date. This is for the router though, not the operating system's firewall. You could even use a 3rd-party service to update the system clock if you're REALLY worried about security. Don't try to offload EVERYTHING to a software firewall, unless you want really high latency, and high power usage. That is a really big mistake. Even if you have interrupt moderation enabled for the network adapter, tons of receive buffers, and a decent multi-core CPU, it won't be anywhere near as fast as the ASIC / ASSP ( in this case a form of applications processor that has hard-IP blocks specifically made for encryption ) that comes with the VPN Router. A CPU is a general purpose processor, and will always be slower and less efficient at this task ( networking 101. )


"I would still expect split tunnel to work, the point of most of our AOVPN deployments to be solely to ensure clients can reach internally hosted services."


Most commercial-grade entry-level SOHO routers have VPN support, and VPN passthrough, which is above and beyond the speed of any desktop computer you have. The method you have chosen ensures maximum lag for anyone on your network, if you were wondering. Nobody does that. You have to see the VPN is just an extra layer, a virtual one at that, in which packets / traffic are encapsulated over / through, and they traverse this one layer, to reach this specific endpoint. All you're doing is tunneling traffic from the router to the VPN server, which is treated much like an exit node. So while it still uses the service provider's network, the exit node in this sense will not be the router, but the VPN server. Split tunneling just removes that layer for one particular program or service. You could actually change the firewall rules to unblock certain services, and add an extra VLAN that has another DNS server and HTTPS port that bypasses the VPN, if you are that worried. You could even change the service configuration to assign it a fixed IP address based on the port, or a certain range, and assign that one particular range to another VLAN, which of course uses up memory to do this ( VLAN partitioning, a feature based on the concept of Software Defined Networking / Network Virtualization. ) The operating system settings could be bypassed, regardless of what you do, or if there is a BYOD policy, anyone can bypass it, so this is why the router is used to configure this and not the device itself. When you properly configure the VPN, the device is not even aware the traffic is being tunneled through the VPN, because the router handles it, and you can't change it no matter what you do. This is why people do this, and they don't do anything else. Any other solution doesn't work. People will use simple DNS workarounds to bypass it, and you will look like an amateur ( even a lot of teenagers know how to get around this. ) Most Public WiFi hotspots are set up like this btw, and they often have a captive portal as well. If you don't want to use a hardware router, you could use VyOS, or some other combination of software on Solaris 11,x, or another operating system ( lots of open source software routers / software appliances that can run in a container, docker image, or whatever it is you have in mind. )

 

"its just ensuring that the clients are always going to try to connect and users can't disconnect it."


NOTE: I would suggest looking at a certification like CompTIA's Network+, Security+, or even CCNP, MCSE, etc. Here are some more free resources to help: https://techcommunity.microsoft.com/t5/windows-deployment/educational-resources-for-systems-administ...

@Peter Holland Here is another obvious thing most people do with VPNs. You might not like this idea as it sounds strange, but I assign a VLAN to every SINGLE device, and disable multicast ( it's to sandbox / partition every device on my local area network. ) The router's MAC address is used instead of the one on the device. When I close the connection, and those resources are freed from memory, nothing is left, and the configuration is actually way more simple ( less of a focus on randomly generating MAC addresses for client devices on the network. Of course some VPNs have features to block LAN addresses entirely, or network probing / port scans from other devices, but that's not the same as this. I already hardened my network stack, so it does this from the very beginning. That's a separate concept. ) It's way more secure, but it uses up more memory if you have a lot of services going, almost 50MB per device, which is a lot for an older VPN router. It sounds like something straight out of the early 1990s, but I have so much filtering that all incoming ports are blocked, all outgoing ports are blocked except the most basic things needed for VPN / VPN Passthrough, which is practically ONE port, for the entire VLAN. When you have A LOT of sockets open, and ephemeral key encryption enabled, it slows down, almost overheats my router too. I don't notice any slowdowns, just because my router handles the service configuration ( not any of my devices. I have a very light software firewall setup going, just to schedule which types of programs I want to connect to the network, but that's it. ) Of course if you scale up to a branch router or a rackmount system with service-grade hardware, your power consumption goes way up ( not to mention the amount of heat that generates. That would be excessive for a very simplistic setup, like the one I have. ) You have to be very mindful of power draw, especially if you add a lot of devices to your network.

@Peter Holland I did already explain this, but I only gave really generic advice, because that's all you can give. If you're using WAN failover ( HSPA / 3G, 4G / LTE, 5G, ) or a portable router, the service configuration depends on the interface ( media access controller, not the software interface itself. ) For WAN Failover, you can't use a single port obviously, it needs NTP to synchronize the clock, or it won't connect. Most VPNs have a supposed "kill switch" feature, so you have to write firewall rules specifically for this, but you also have to have rules for when you set up the VPN for the first time, so it doesn't get blocked before it finishes the setup process. Everything has to be scripted around the VPN for your idea to work, but the negative side of it, is that if you stop using the VPN and / or the resolver, then of course you have to reset everything to default, or restore the old settings:
 
"the VPN clients are external on random connections, home broadband, mobile hotspot, coffee shop wifi etc, they are using the Microsoft Always On VPN to vonnect to Microsoft RRAS servers using split tunnel (or force tunnel occasionally)."
 
Windows is an operating system ( monolithic kernel,) it is not a client or a server. You can enable Windows 11 Home to work much like Windows Server by going into the services.mmc snap-in and turning on Server, and then modifying this setting: System Properties -> Performance -> Settings -> Advanced -> Processor Scheduling: Background Services
 
If you wanted to create this, you couldn't actually block someone from turning it off. Instead you would have to have consent, or the person would have to be willing to not change the settings on you. Even if you added a security template, with a unified write filter, you could still boot into WinPE, load the registry hives, apply a new DACL, if it was unencrypted, and it would be simple to reset. I already described methods you could use to isolate it. These rules you could in theory use for a software firewall, but even with a mobile access point, you could still partition the devices on your network, or even use WSL, docker, a VM, as I have said before, on top of the operating system, if you were THAT worried. In the most extreme case, you could use OpenVPN or something else to make your own client to hardcode the settings I'm sure, but like I said, you have to pay close attention to making sure NTP isn't blocked, or you have to disable your in-house "kill switch," just to synchronize the clock. The other way around it, is to synchronize the clock on startup, just as the network stack is initialized, and then block all traffic as soon as the VPN loads ( the VPN has to be registered as a network service though. ) So you have to create your own custom network service to achieve this, but it follows all the same rules as in the above post anyways, although I only briefly covered some basic things, just to give you a hint as far as how much work it really is. The reason why it's not as popular to vertically integrate something like this with Windows, is when it breaks ( and you have to reverse the changes or go to default settings. ) I already have a similar setup to the one you have, that's why I'm describing it to you, although mine is superior to yours. Nothing I have said is esoteric knowledge or secret in any way shape or form. It's all derived from open sources:

 

This thread is about the fact that the Windows client side interface allows users to selectively disconnect from the user tunnel vpn and in doing so it disables the auto-connect "always on" nature of "always on vpn".

@Peter Holland Here's another example of a batch file that utilizes PowerShell, disables bypassing / inbound outbound firewall rules, and blocks all traffic in either directions. You can script it in almost the same way as you would on Windows Server, although I'm using this on a running operating system image. The only difference is probably a few cmdlets that don't exist on Windows 11 Home:

@ECHO OFF
SETLOCAL
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block -AllowUnicastResponseToMulticast False -NotifyOnListen True -EnableStealthModeForIPsec True}"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule}"
ENDLOCAL

Here's another one that automatically creates and enables a firewall rule for the Windows Time Service:

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'Windows Time Service' -Profile Any -Protocol UDP -LocalPort 123 -RemotePort 123 -Service W32Time}"

Windows Defender Firewall with Advanced Security Administration with Windows PowerShell -> https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewa...

 

Service overview and network port requirements for Windows -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-networ...

 

Configure network infrastructure to support the NLB ( Network Load Balancing ) operation mode -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-network-to-suppor...

 

Windows Admin Center -> https://www.microsoft.com/en-us/windows-server/windows-admin-center

@Peter HollandIf you learn how a network stack works, how to harden operating system services, how network services work, how to use PowerShell, etc, various Systems Administration tasks as described in the above posts, it won't look like nonsense. The only problem is that you can't entirely lock it down as you imagine ( with a custom image, maybe, if it's company-owned. At that point, it's probably going to be a guest profile that is deleted after 12-72 hours or something else, or something that relies on STIG Viewer and OpenSCAP, both of which are publicly available. ) I did give you most examples, both hardware, and software configuration examples, albeit in a very generic cut-down fashion, given it's a platform-agnostic solution:

 

"this is entirely unrelated to the on-premises infrastructure and services. it is not related to any of the information you have posted in this thread. I am wondering if you are testing a techcommunity reply using chatgpt or something as it is also good at providing completely irrelevant nonsense."

@Peter HollandI know I'm providing support for someone who doesn't understand any of these topics. So I did actually give you replies, but for some reason they didn't show up lmao. I wrote some examples for you. I'm going to post them again, with PowerShell examples. I saved them, just in case nothing worked out. It's very generic, so read it at your own leisure:

 

Routers allow you to create VLANs where you can partition each device on the network. Obviously if you're worried about a client not being able to see a LAN address, then of course you could enable that network service, but block all the rest, so the client is forced to tunnel through the VPN to get to a WAN address ( all incoming connections MUST be blocked. ) The most basic service configuration has Unicast DNS ( UDP 53, ) Multicast DNS / mDNS ( UDP 5353, ) HTTP ( TCP 80, ) HTTPS / SSL / TLS 1.3+ ( TCP 443, ) and maybe WireGuard ( UDP 51820. ) In a rare situation, it would be UDP 123 for NTS / NTP ( Network Time Security / Network Time Protocol. ) Often you can tunnel almost any other service, including NTP, over the VPN, other than using DNS to bootstrap a DNS Stub Resolver, which in turn feeds a DNS server. In actuality, you could block all outgoing connections that don't utilize WireGuard ( UDP port 51820, ) and it would still work, although it will fail if the timestamps are inaccurate, or the system clock is not up to date. This is for the router though, not the operating system's firewall. You could even use a 3rd-party service to update the system clock if you're REALLY worried about security. Don't try to offload EVERYTHING to a software firewall, unless you want really high latency, and high power usage. That is a really big mistake. Even if you have interrupt moderation enabled for the network adapter, tons of receive buffers, and a decent multi-core CPU, it won't be anywhere near as fast as the ASIC / ASSP ( in this case a form of applications processor that has hard-IP blocks specifically made for encryption ) that comes with the VPN Router. A CPU is a general purpose processor, and will always be slower and less efficient at this task ( networking 101. )

 

Most commercial-grade entry-level SOHO routers have VPN support, and VPN passthrough, which is above and beyond the speed of any desktop computer you have. The method you have chosen ensures maximum lag for anyone on your network, if you were wondering. Nobody does that. You have to see the VPN is just an extra layer, a virtual one at that, in which packets / traffic are encapsulated over / through, and they traverse this one layer, to reach this specific endpoint. All you're doing is tunneling traffic from the router to the VPN server, which is treated much like an exit node. So while it still uses the service provider's network, the exit node in this sense will not be the router, but the VPN server. Split tunneling just removes that layer for one particular program or service. You could actually change the firewall rules to unblock certain services, and add an extra VLAN that has another DNS server and HTTPS port that bypasses the VPN, if you are that worried. You could even change the service configuration to assign it a fixed IP address based on the port, or a certain range, and assign that one particular range to another VLAN, which of course uses up memory to do this ( VLAN partitioning, a feature based on the concept of Software Defined Networking / Network Virtualization. ) The operating system settings could be bypassed, regardless of what you do, or if there is a BYOD policy, anyone can bypass it, so this is why the router is used to configure this and not the device itself. When you properly configure the VPN, the device is not even aware the traffic is being tunneled through the VPN, because the router handles it, and you can't change it no matter what you do. This is why people do this, and they don't do anything else. Any other solution doesn't work. People will use simple DNS workarounds to bypass it, and you will look like an amateur ( even a lot of teenagers know how to get around this. ) Most Public WiFi hotspots are set up like this btw, and they often have a captive portal as well. If you don't want to use a hardware router, you could use VyOS, or some other combination of software on Solaris 11,x, or another operating system ( lots of open source software routers / software appliances that can run in a container, docker image, or whatever it is you have in mind. )

 

NOTE: I would suggest looking at a certification like CompTIA's Network+, Security+, or even CCNP, MCSE, etc. Here are some more free resources to help: https://techcommunity.microsoft.com/t5/windows-deployment/educational-resources-for-systems-administ...

 

Here is another obvious thing most people do with VPNs. You might not like this idea as it sounds strange, but I assign a VLAN to every SINGLE device, and disable multicast ( it's to sandbox / partition every device on my local area network. ) The router's MAC address is used instead of the one on the device. When I close the connection, and those resources are freed from memory, nothing is left, and the configuration is actually way more simple ( less of a focus on randomly generating MAC addresses for client devices on the network. Of course some VPNs have features to block LAN addresses entirely, or network probing / port scans from other devices, but that's not the same as this. I already hardened my network stack, so it does this from the very beginning. That's a separate concept. ) It's way more secure, but it uses up more memory if you have a lot of services going, almost 50MB per device, which is a lot for an older VPN router. It sounds like something straight out of the early 1990s, but I have so much filtering that all incoming ports are blocked, all outgoing ports are blocked except the most basic things needed for VPN / VPN Passthrough, which is practically ONE port, for the entire VLAN. When you have A LOT of sockets open, and ephemeral key encryption enabled, it slows down, almost overheats my router too. I don't notice any slowdowns, just because my router handles the service configuration ( not any of my devices. I have a very light software firewall setup going, just to schedule which types of programs I want to connect to the network, but that's it. ) Of course if you scale up to a branch router or a rackmount system with service-grade hardware, your power consumption goes way up ( not to mention the amount of heat that generates. That would be excessive for a very simplistic setup, like the one I have. ) You have to be very mindful of power draw, especially if you add a lot of devices to your network.

 

Windows Defender Firewall with Advanced Security Administration with Windows PowerShell -> https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewa...

 

Service overview and network port requirements for Windows -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-networ...

 

Configure network infrastructure to support the NLB ( Network Load Balancing ) operation mode -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-network-to-suppor...

 

Windows Admin Center -> https://www.microsoft.com/en-us/windows-server/windows-admin-center

 

This script blocks all traffic, as described in some of the documentation ( I use things like this to deal with programs that try to automatically enable rules for no good reason. )

@ECHO OFF
SETLOCAL
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block -AllowUnicastResponseToMulticast False -NotifyOnListen True -EnableStealthModeForIPsec True}"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule}"
ENDLOCAL

Here's an example of a script that creates a firewall rule for the Windows Time Service:

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'Windows Time Service' -Profile Any -Protocol UDP -LocalPort 123 -RemotePort 123 -Service W32Time}"

 

Ok, it seems you really don't know AOVPN and how it works client side. the reason i posted this is because the standard approaches to overriding settings do not exist.

@Mousefluff 

From what I've read, the OP is referring to Enterprise Windows 10 deployments, specifically the use of Always On VPN (https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/always-on-vp...) which is commonly deployed via Intune.

 

This isn't about a single VPN that needs to be 'Always On' this is about the literal technology which Microsoft have called 'Always On VPN'. Specifically the OP seems to be referring to this:

Capture2.JPG

Which can be toggled by the user and has no method of policy control. That about right @Peter Holland ?

 

@MousefluffI'm going to rewrite this one as well, due to some sort of issue with posting replies about service configurations on a site designed solely for sharing technical information with other people ( someone either edited it, or it disappeared due to a glitch. ) Windows itself isn't a client. Windows is an operating system ( monolithic kernel. ) You can switch at the drop of a hat from workstation to server using the MMC snap-in ( services.msc, ) enabling the Server service, disabling the Workstation service, and then going into System Properties and changing this -> Advanced -> Performance -> Advanced -> Processor Scheduling: Background Services

 

Knowing that this is modular enough that you can script it in the same way as Windows Server, you can partition each adapter on the network, and isolate / sandbox each program, enough that you could create your own "kill-switch" functionality just using scripts ( to block all traffic in the event that you lose the connection. Of course my VPN has this, as well as split-tunneling, but it's a post-paid product. ) Most commercial-quality VPN routers have WAN failover for HSPA / 3G, 4G / LTE, 5G, etc, and WiFi support. The main difference between these and the software firewall implementation on a PC, is that you can't block the Network Time Service like you can on a PC, or tunnel it over the VPN. You'll never be able to connect, and you won't know why, but the obvious reason is the time stamp doesn't match. If you pull out the battery as well, with the "kill-switch" engaged, you can't reconnect, and you have to reinstall it, or disable the VPN to be able to use it ( this is why they bypass the VPN / Firewall sometimes to allow NTP, or they synchronize the clock on startup. It's really problematic with mobile devices, but nothing else. ) With VyOS, all you need is an adapter to create your own access point, or you could even use a HTPC board with two Ethernet MACs ( it's very flexible, and you can even run it in a container using WSL / docker, on top of the operating system image. ) You could also make your own fixed-login process by forking OpenVPN and hard-coding the login, so nobody could disconnect, along with a custom network stack and service configuration. It's still vastly inferior to a VPN router, but understanding the drawbacks is an important part of learning how it works. If you don't understand this, then you won't be able to learn from your mistakes, or you won't understand the limitations of what you've learned. This is how I think about things, not just what I would tell someone else:


"the VPN clients are external on random connections, home broadband, mobile hotspot, coffee shop wifi etc"

your previous replies dissapeared as i marked them as spam.

are you familiar with the actual Microsoft service named "Always On VPN"?
if you were, then you would realise that none of your responses are relevant.

@BestowOk so he already identified the problem, and I gave examples of how to deal with this issue, using a solution that I already use:

 

"Which can be toggled by the user and has no method of policy control. That about right"

@Peter HollandThat's unfortunate, given I wrote several workarounds for this problem, but you have to learn how to use PowerShell to bypass this ( I did give examples as well, similar to the ones I use. ) I don't think I was trying to write spam at all:

 

"your previous replies dissapeared as i marked them as spam."

your solutions have nothing to do with the question posed though.
the examples have nothing to do with configuring the "connect automatically" option on the client VPN connection.
you havent submitted anything related to the Microsoft service "Always on VPN"

you can't be using this solution to answer the raised issue as those have nothing to do with the client side AOVPN config

have you looked at the links myself and Tom posted? have you looked at the image he posted?

@Peter HollandYou asked Microsoft to rewrite the default interface to suit your needs, which is not going to happen, and then you mass reported my account and it was locked up for some period of time. You have 3 choices really: Make your own app ( learn how to code. ) Choice #2: Learn how to write scripts to bypass the limitations with the default UI Choice: #3: Use a 3rd-party solution ( this is all industry-standard, and I'm not going to say anything else. I already explained how the VPN works. )

@Mousefluff 

You asked Microsoft to rewrite the default interface to suit your needs, which is not going to happen

You are starting to understand the point of this post. IF there is not administrative way to control this element of the UI, as there is with many parts of the UI, then it does need an element of control. I am hearing this from many customers of all sizes. This is the beginning of the route to enacting positive change in the platform and how many things have been improved over the years. I was also hopeful that someone else who has also spent the time digging into this area might have found a specific ACL on a registry key or a hidden registry setting that controls access to this element such as a registry setting that doesn't exist but changes behaviour when created.

 

In the second post I put a link to a feedback hub item created asking to make this a manageable setting, as many others have one in the past with other items that need to be brought into the scope of management. This is exactly the way we, as users, administrators, and consultants, help Microsoft to improve things so they work better for more. To say otherwise is to speak for the whole of Microsoft and rebuke all features requests.

 

 then you mass reported my account and it was locked up for some period of time

As there was no way to prevent additional derailing of the thread and no apparent change in behaviour change when repeatedly informed that either the question had been misunderstood or that the input was not related to the question and the forum doesn't allow thread starters to remove unhelpful responses it seemed that option had the desired result in getting the thread back on track so others with helpful insight might be able to provide input.

 

You have 3 choices really: Make your own app ( learn how to code. ) Choice #2: Learn how to write scripts to bypass the limitations with the default UI Choice: #3: Use a 3rd-party solution

none of those answer the problem. The point of this thread is to identify any undocumented methods of controlling the 'connect automatically' option on the client VPN UI as I have already explored option 2. Option 1 doesn't apply as we are talking about a closed Microsoft solution "Always On VPN". Neither does options 3 as the entire point of this is the need to use AOVPN for many organisations due to dependencies with autopilot, integration with Intune management etc.

 

this is all industry-standard, and I'm not going to say anything else. I already explained how the VPN works.

you did largely talk about genuine topics around VPN infrastructure and a lot of that information was technically accurate. It was, however, the equivalent of giving a detailed description of how the internal combustion engine works when being asked about the seatbelt warning light controls.

 

Personally, when it seems evident i have misunderstood somethign i have been told I would re-examine any initial assumptions and the scope of what is being asked rather than doubling down and ignoring what is being asked.

best response confirmed by Peter Holland (Iron Contributor)
Solution
Microsoft have implemented the required change (just needs to filter into Windows 10 and the intune management profiles)
https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenamedisabledi...

posted for anyone else seeking this info in the future
also see the blog post by the incomparable Richard Hicks https://directaccess.richardhicks.com/2023/03/06/always-on-vpn-csp-updates/
1 best response

Accepted Solutions
best response confirmed by Peter Holland (Iron Contributor)
Solution
Microsoft have implemented the required change (just needs to filter into Windows 10 and the intune management profiles)
https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenamedisabledi...

posted for anyone else seeking this info in the future
also see the blog post by the incomparable Richard Hicks https://directaccess.richardhicks.com/2023/03/06/always-on-vpn-csp-updates/

View solution in original post