Tidy up Always on VPN Connections

We recently moved from a test to a live implementation of Always On VPN, moved our servers behind a load balancer, and rationalised our profiles down to a single user tunnel and a single device tunnel.
We found that deleting the old connections from Settings still left a bunch of stuff in the registry, so I came up with a script to tidy this up.
It will remove all the Always On VPN user and device profiles except for the ones you specify, and remove their entries from the registry.
Please be mindful: if you have other connections defined under Internet Explorer's Connections settings that you need to keep, you will need to add them as exclusions in the script (the if test on line 66, in the regcleanup region near the bottom of the script). As always, TEST FIRST!

Use at your own risk, I take no responsibility for any issues that may arise!

#######################################################
#         Script to tidy up old AOVPN Profiles.       #
#                                                     #
#              V1.0 16/07/2020 Jimmy White            #
#                 ji***@********eb.com                #
#######################################################
Clear-Host


#ok now define the active profiles we want to keep... change these to your named profiles!
$usertunnel = "PROFILENAME"
$devicetunnel = "PROFILENAME"
# first we need to parse through all entries in the registry and get a list of connections
$connections = Get-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" | Select-Object -Expand Property
#region usertunnels
#ok lets remove any additional user VPN connections...
# OMA URI information
$NodeCSPURI = './Vendor/MSFT/VPNv2'
$NamespaceName = 'root\cimv2\mdm\dmmap'
$ClassName = 'MDM_VPNv2_01'
try {
    $Username = Get-WmiObject -Class Win32_ComputerSystem | Select-Object username
    $User = New-Object System.Security.Principal.NTAccount($Username.Username)
    $Sid = $User.Translate([System.Security.Principal.SecurityIdentifier])
    $SidValue = $Sid.Value
    Write-Verbose "User SID is $SidValue."
    Write-Output "User SID is $SidValue." | Out-File C:\ProgramData\AlwaysONVPN\UserSID.txt
}
catch [Exception] {
    Write-Output "Unable to get user SID. User may be logged on over Remote Desktop: $_"
    # uncomment the exit below to abort here instead of continuing with an empty SID
    #exit
}
$Session = New-CimSession
$Options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$Options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$Options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', "$SidValue", $false)
# remove the user vpn profiles we dont want
$deleteInstances = $Session.EnumerateInstances($NamespaceName, $ClassName, $Options)
foreach ($deleteInstance in $deleteInstances)
{
    $InstanceId = $deleteInstance.InstanceID
    if ($InstanceId -ne $usertunnel)
    {
        # delete the profile in the user context set up above
        $Session.DeleteInstance($NamespaceName, $deleteInstance, $Options)
        Write-Host "Removed profile $InstanceId"
    }
}
#endregion usertunnels
#region devicetunnels
$tunnels = (get-vpnconnection -alluserconnection).name
foreach($tunnel in $tunnels)
{
    if($tunnel -ne $devicetunnel)
        {
            Remove-VpnConnection -Name $tunnel -AllUserConnection -Force -PassThru   # device tunnels live in the all-users phonebook, hence -AllUserConnection
        }
}
#endregion devicetunnels
#region regcleanup
#cycle through all the connections and remove any we dont want to keep

foreach($connection in $connections)
{
    if ($connection -ne $usertunnel -and $connection -ne $devicetunnel -and $connection -ne "DefaultConnectionSettings" -and $connection -ne "SavedLegacySettings")
    {
        Write-Host "Removing Item" $connection -ForegroundColor Red
        Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" -Name $connection
    }
}
#endregion regcleanup
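Since the advice above is to test first, here is a read-only preview to run before the clean-up. It is an added example, not part of the original script: it walks the same three places the script touches (the VPNv2 CSP user profiles via the MDM bridge, the all-users phonebook for device tunnels, and the HKCU Internet Settings\Connections values) and reports what would be kept and what would be removed, without deleting anything. The PROFILENAME values are placeholders, and $KeepConnections starts with the two built-in value names the script already excludes; add your own dial-up or proxy connection names there.

```powershell
# Added preview script (not the original post's code). Lists what the tidy-up
# script would remove so the result can be checked before anything is deleted.
[CmdletBinding()]
param(
    [string]$UserTunnel   = 'PROFILENAME',   # placeholder: your user tunnel profile name
    [string]$DeviceTunnel = 'PROFILENAME',   # placeholder: your device tunnel profile name
    # value names under Internet Settings\Connections that must never be touched;
    # extend this with any other connections you still need
    [string[]]$KeepConnections = @('DefaultConnectionSettings', 'SavedLegacySettings')
)

$report = [System.Collections.Generic.List[object]]::new()

# 1. Per-user AOVPN profiles stored through the VPNv2 CSP (same query the script uses)
$namespace = 'root\cimv2\mdm\dmmap'
$class     = 'MDM_VPNv2_01'
$session   = $null
try {
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    $sid = (New-Object System.Security.Principal.NTAccount($userName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $session = New-CimSession
    $options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
    $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
    $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $sid, $false)
    foreach ($inst in $session.EnumerateInstances($namespace, $class, $options)) {
        $report.Add([pscustomobject]@{
            Source = 'CSP user profile'
            Name   = $inst.InstanceID
            Action = if ($inst.InstanceID -eq $UserTunnel) { 'keep' } else { 'REMOVE' }
        })
    }
}
catch {
    # no interactive user (e.g. RDP or a service context) means no SID to query with
    Write-Warning "Could not enumerate CSP user profiles: $_"
}
finally {
    if ($session) { Remove-CimSession $session }
}

# 2. Machine-wide connections in the all-users phonebook (where device tunnels live)
foreach ($c in (Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)) {
    $report.Add([pscustomobject]@{
        Source = 'All-user VPN'
        Name   = $c.Name
        Action = if ($c.Name -eq $DeviceTunnel) { 'keep' } else { 'REMOVE' }
    })
}

# 3. Leftover value names under HKCU Internet Settings\Connections
$regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
foreach ($name in (Get-Item -Path $regPath).Property) {
    $keep = ($name -eq $UserTunnel) -or ($name -eq $DeviceTunnel) -or ($KeepConnections -contains $name)
    $report.Add([pscustomobject]@{
        Source = 'Registry value'
        Name   = $name
        Action = if ($keep) { 'keep' } else { 'REMOVE' }
    })
}

# Anything marked REMOVE is what the clean-up script would delete
$report | Sort-Object Source, Name | Format-Table -AutoSize
```

Run it in the same user session you intend to clean up, since the CSP profiles are enumerated in that user's context; if the report lists a connection you did not expect under REMOVE, add its name to $KeepConnections here and to the exclusion test on line 66 of the script before running the real thing.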
