Prevent users from disconnecting AOVPN user tunnel

Peter Holland I did already explain this, but I only gave really generic advice, because that's all you can give. If you're using WAN failover ( HSPA / 3G, 4G / LTE, 5G, ) or a portable router, the service configuration depends on the interface ( media access controller, not the software interface itself. ) For WAN Failover, you can't use a single port obviously, it needs NTP to synchronize the clock, or it won't connect. Most VPNs have a supposed "kill switch" feature, so you have to write firewall rules specifically for this, but you also have to have rules for when you set up the VPN for the first time, so it doesn't get blocked before it finishes the setup process. Everything has to be scripted around the VPN for your idea to work, but the negative side of it, is that if you stop using the VPN and / or the resolver, then of course you have to reset everything to default, or restore the old settings:
 
"the VPN clients are external on random connections, home broadband, mobile hotspot, coffee shop wifi etc, they are using the Microsoft Always On VPN to vonnect to Microsoft RRAS servers using split tunnel (or force tunnel occasionally)."
 
Windows is an operating system ( monolithic kernel,) it is not a client or a server. You can enable Windows 11 Home to work much like Windows Server by going into the services.mmc snap-in and turning on Server, and then modifying this setting: System Properties -> Performance -> Settings -> Advanced -> Processor Scheduling: Background Services
 
If you wanted to create this, you couldn't actually block someone from turning it off. Instead you would have to have consent, or the person would have to be willing to not change the settings on you. Even if you added a security template, with a unified write filter, you could still boot into WinPE, load the registry hives, apply a new DACL, if it was unencrypted, and it would be simple to reset. I already described methods you could use to isolate it. These rules you could in theory use for a software firewall, but even with a mobile access point, you could still partition the devices on your network, or even use WSL, docker, a VM, as I have said before, on top of the operating system, if you were THAT worried. In the most extreme case, you could use OpenVPN or something else to make your own client to hardcode the settings I'm sure, but like I said, you have to pay close attention to making sure NTP isn't blocked, or you have to disable your in-house "kill switch," just to synchronize the clock. The other way around it, is to synchronize the clock on startup, just as the network stack is initialized, and then block all traffic as soon as the VPN loads ( the VPN has to be registered as a network service though. ) So you have to create your own custom network service to achieve this, but it follows all the same rules as in the above post anyways, although I only briefly covered some basic things, just to give you a hint as far as how much work it really is. The reason why it's not as popular to vertically integrate something like this with Windows, is when it breaks ( and you have to reverse the changes or go to default settings. ) I already have a similar setup to the one you have, that's why I'm describing it to you, although mine is superior to yours. Nothing I have said is esoteric knowledge or secret in any way shape or form. It's all derived from open sources:

This thread is about the fact that the Windows client side interface allows users to selectively disconnect from the user tunnel vpn and in doing so it disables the auto-connect "always on" nature of "always on vpn".