VPN auto-triggered profile options

  • Article
  • 3 minutes to read

Applies to

  • Windows x
  • Windows xi

In Windows 10 and Windows 11, a number of features accept been added to auto-trigger VPN so users won't take to manually connect when VPN is needed to access necessary resources. At that place are three dissimilar types of auto-trigger rules:

  • App trigger
  • Proper noun-based trigger
  • E'er On

Note

Motorcar-triggered VPN connections will not work if Folder Redirection for AppData is enabled. Either Folder Redirection for AppData must exist disabled or the auto-triggered VPN profile must be deployed in arrangement context, which changes the path to where the rasphone.pbk file is stored.

App trigger

VPN profiles in Windows x or Windows 11 tin can be configured to connect automatically on the launch of a specified set of applications. Y'all can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connexion. You can also configure per-app VPN and specify traffic rules for each app. See Traffic filters for more than details.

The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family unit name.

Find a package family name (PFN) for per-app VPN configuration

Proper noun-based trigger

You lot tin configure a domain name-based rule so that a specific domain name triggers the VPN connexion.

Proper name-based motorcar-trigger can be configured using the VPNv2/ProfileName/DomainNameInformationList/dniRowId/AutoTrigger setting in the VPNv2 Configuration Service Provider (CSP).

There are iv types of name-based triggers:

  • Short name: for case, if HRweb is configured as a trigger and the stack sees a DNS resolution request for HRweb, the VPN will be triggered.
  • Fully-qualified domain name (FQDN): for example, if HRweb.corp.contoso.com is configured as a trigger and the stack sees a DNS resolution request for HRweb.corp.contoso.com, the VPN will be triggered.
  • Suffix: for example, if .corp.contoso.com is configured as a trigger and the stack sees a DNS resolution request with a matching suffix (such as HRweb.corp.contoso.com), the VPN volition be triggered. For whatsoever short proper name resolution, VPN volition exist triggered and the DNS server will be queried for the ShortName.corp.contoso.com.
  • All: if used, all DNS resolution should trigger VPN.

E'er On

Ever On is a feature in Windows 10 and Windows 11 which enables the active VPN profile to connect automatically on the post-obit triggers:

  • User sign-in
  • Network change
  • Device screen on

When the trigger occurs, VPN tries to connect. If an fault occurs or any user input is needed, the user is shown a toast notification for additional interaction.

When a device has multiple profiles with Ever On triggers, the user can specify the agile profile in Settings > Network & Internet > VPN > VPN contour by selecting the Let apps automatically use this VPN connection checkbox. By default, the kickoff MDM-configured profile is marked equally Active. Devices with multiple users accept the same brake: only i contour and therefore only one user will be able to use the Ever On triggers.

Preserving user Ever On preference

Windows has a feature to preserve a user'due south AlwaysOn preference. In the event that a user manually unchecks the "Connect automatically" checkbox, Windows will remember this user preference for this profile proper noun by adding the profile name to the value AutoTriggerDisabledProfilesList.

Should a management tool remove or add the same profile name back and set AlwaysOn to truthful, Windows will not check the box if the profile name exists in the following registry value in social club to preserve user preference.

Key: HKEY_LOCAL_MACHINE\Organisation\CurrentControlSet\Services\RasMan\Config
Value: AutoTriggerDisabledProfilesList
Type: REG_MULTI_SZ

Trusted network detection

This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffixes. The VPN stack volition look at the network name of the concrete interface connexion profile and if information technology matches any in the configured list and the network is private or provisioned past MDM, then VPN will not get triggered.

Trusted network detection tin be configured using the VPNv2/ProfileName/TrustedNetworkDetection setting in the VPNv2 CSP.

Configure app-triggered VPN

See VPN profile options and VPNv2 CSP for XML configuration.

The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.

Add an app for the VPN connection.

After yous add an associated app, if you select the Only these apps tin can utilise this VPN connectedness (per-app VPN) checkbox, the app becomes available in Corporate Boundaries, where yous tin configure rules for the app. Encounter Traffic filters for more details.

Configure rules for the app.

  • VPN technical guide
  • VPN connection types
  • VPN routing decisions
  • VPN authentication options
  • VPN and conditional access
  • VPN proper noun resolution
  • VPN security features
  • VPN profile options