Auto-Triggering VPNs in Windows 10

Dialing a VPN before remotely connecting to an intranet application is often a necessary evil and to that end, Microsoft has made it easier in Windows 8.1 and later versions of the OS to get users working without having to remember to dial up before launching business apps. In today’s Ask the Admin, I’ll show you how to set up VPN auto-triggering in Windows 10.

End users like applications to ‘just work’ and don’t want to be bothered with having to remember to perform one or more steps before starting programs. While it’s not that difficult to explain how to establish a VPN connection, users don’t always remember what to do, especially if it’s not something they need to do frequently, and moving from one OS to another, such as from Windows 7 to 10, requires some retraining because of changes to the GUI.

Starting in Windows 8.1, Microsoft added the ability to auto-trigger a VPN when a Windows Universal or desktop app is launched. Not only that, but it's also possible to have the VPN automatically disconnect after a given period of time once the application has been closed.

Add an auto-trigger application to a VPN profile

In this demo I’m going to use Windows 10, although the following procedure also works in Windows 8.1, with a few minor differences in where GUI elements are located. For more detailed instructions on how to set up auto-triggering in Windows 8.1, see Auto-Triggered VPN in Windows 8.1: Overview on the Petri IT Knowledgebase.

Log into Windows 10 with a user account that contains an existing VPN profile. My user account has a VPN already set up called My Private Network, and I’m going to configure an application called JRiver Media Center to automatically trigger this VPN.

  • Open a PowerShell console by typing powershell in the search box on the taskbar and then select Windows PowerShell from the search results.
  • In the PowerShell console, run the Add-VpnConnectionTriggerApplication cmdlet as shown below, replacing the value (My Private Network) of the $vpn variable with the name of your VPN, and the value of the $app variable (C:\Program Files (x86)\J River\Media Center 20\Media Center 20.exe) with the full path to the app that will trigger the VPN.
  • You will be prompted to confirm the operation, and notice in the screenshot below that split tunneling for the specified VPN is disabled. Type Y for YES anyway, and then press ENTER.


Add an auto-trigger app to a VPN profile (Image Credit: Russell Smith)

Now that Media Center is configured to auto-trigger the VPN, we need to enable split tunneling:

Split tunneling isn't enabled by default when you create a new VPN in Windows, so all network traffic is routed through the VPN while it is connected. Split tunneling lets the VPN client decide which traffic goes to the public Internet and which through the dialed VPN connection, which is a potential security risk, since traffic that bypasses the tunnel also bypasses the controls applied on the VPN path.

Let's also set the idle disconnection time so the VPN will automatically disconnect once the application has closed:

To confirm the new split tunnel and idle disconnect settings on the VPN connection, run the Get-VpnConnection cmdlet:
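The three steps above (register the trigger app, enable split tunneling with an idle timeout, then confirm) as one script. This is an added example, not the article's own listing; it assumes a VPN profile called My Private Network exists for the current user and that Media Center 20 is installed at the path the article uses.

```powershell
# Constructed example, not the article's own listing. Assumes a VPN profile named
# "My Private Network" exists for the current user and that the Media Center 20
# executable is installed at the path below; adjust both for your environment.
$vpn = 'My Private Network'
$app = 'C:\Program Files (x86)\J River\Media Center 20\Media Center 20.exe'

# Fail early if either the profile or the application is missing; the cmdlets
# would error anyway, but a clear message is easier to act on.
if (-not (Get-VpnConnection -Name $vpn -ErrorAction SilentlyContinue)) {
    throw "VPN profile '$vpn' not found for the current user."
}
if (-not (Test-Path -LiteralPath $app -PathType Leaf)) {
    throw "Trigger application '$app' not found."
}

# Register the application as a trigger. Without -Force you are prompted to
# confirm, and the prompt warns that split tunneling is disabled, as described
# above. Answer Y and continue; add -Force only for unattended scripting.
Add-VpnConnectionTriggerApplication -Name $vpn -ApplicationID $app

# Enable split tunneling and disconnect the tunnel five seconds after the
# triggering application closes.
Set-VpnConnection -Name $vpn -SplitTunneling $true -IdleDisconnectSeconds 5

# Confirm the profile-level settings that auto-triggering depends on.
Get-VpnConnection -Name $vpn |
    Select-Object Name, ServerAddress, SplitTunneling, IdleDisconnectSeconds
```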

Enable split tunneling and idle disconnection time (Image Credit: Russell Smith)

Now launch the application and you should see in the networking panel, which is accessible by clicking the network icon in the system tray, that a VPN connection has been established. Close the application, and after five seconds, or the time you specified in the -IdleDisconnectSeconds parameter, the VPN will be disconnected.

Remove auto-triggering

To remove auto-triggering configuration from a VPN connection, use the Remove-VpnConnectionTriggerApplication cmdlet as shown below:

Configure a trusted network

If you don't want auto-triggering to occur when the client is already connected to a specific network, such as the corporate intranet, you can configure a list of trusted networks for which auto-triggering is disabled. This works by matching a list of trusted DNS suffixes configured for the VPN connection against the DNS suffixes set on the device's physical network adapter. If a match is found on the physical NIC, the VPN will not be auto-triggered. Use the Add-VpnConnectionTriggerTrustedNetwork cmdlet as shown below, replacing contoso.com and acme.com with one or more DNS suffixes of trusted networks:

To remove the trusted networks, use the Remove-VpnConnectionTriggerTrustedNetwork cmdlet:
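An added example (not the article's own listing) that registers the trusted suffixes, reproduces the physical-adapter suffix comparison locally so you can predict whether auto-triggering will be suppressed, and then removes the trusted networks again. It assumes the My Private Network profile exists; the Test-TrustedNetworkMatch function and its case-insensitive exact-match comparison are my own approximation of the check Windows performs.

```powershell
# Constructed example, not the article's own listing. Assumes the VPN profile
# "My Private Network" exists; contoso.com and acme.com stand in for your own
# trusted DNS suffixes.
$vpn     = 'My Private Network'
$trusted = @('contoso.com', 'acme.com')

# Register the trusted suffixes. -Force skips the confirmation prompt.
Add-VpnConnectionTriggerTrustedNetwork -Name $vpn -DnsSuffix $trusted -Force

# Windows suppresses auto-triggering when a trusted suffix matches the DNS
# suffix of a physical adapter. This hypothetical helper reproduces that
# comparison locally; the case-insensitive exact match is an assumption about
# how Windows compares the suffixes.
function Test-TrustedNetworkMatch {
    param(
        [Parameter(Mandatory)][string[]]$TrustedSuffix
    )
    # Only physical adapters that are up count; the VPN's own virtual adapter
    # is excluded by -Physical.
    $physical = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
    foreach ($nic in $physical) {
        $suffix = (Get-DnsClient -InterfaceIndex $nic.ifIndex).ConnectionSpecificSuffix
        if ($suffix -and ($TrustedSuffix -contains $suffix)) {
            [pscustomobject]@{
                Adapter = $nic.Name
                Suffix  = $suffix
                Trusted = $true   # auto-trigger would be suppressed on this NIC
            }
        }
    }
}

$hits = Test-TrustedNetworkMatch -TrustedSuffix $trusted
if ($hits) {
    "On a trusted network; '$vpn' will not auto-trigger:"
    $hits | Format-Table -AutoSize
} else {
    "No physical adapter matches a trusted suffix; '$vpn' will auto-trigger."
}

# Remove the trusted networks again when they are no longer wanted.
Remove-VpnConnectionTriggerTrustedNetwork -Name $vpn -DnsSuffix $trusted -Force
```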

Notes from the field

If a user manually disconnects the VPN after it’s been auto-triggered, when the app is launched subsequently, a connection to the VPN will not be established. To re-enable auto-triggering, open the Network settings panel by clicking the network icon in the system tray, and then click the VPN connection in the panel. This will open the NETWORK & INTERNET page in the Settings app. Click the VPN connection in the Settings app and check Let apps automatically use this VPN connection. You should note that this option is only available if the VPN is configured for split tunneling.

Re-enable auto-triggering in the GUI (Image Credit: Russell Smith)

I haven't tested auto-triggering a VPN in Windows 8.1, but in Windows 10 RTM (build 10240), despite the warning messages, a split tunnel isn't necessary for auto-triggering, so you can set split tunneling on the VPN connection to $False:

This could be an undocumented feature in Windows 10 or a bug, but probably the former. There is an important caveat to disabling split tunneling: users won't be able to re-enable auto-triggering of the VPN if a connection is manually disconnected after having been auto-triggered by the application.

Confirming auto-trigger settings

If you need to confirm the auto-trigger settings on a VPN connection, run the Get-VpnConnectionTrigger cmdlet as shown here:
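An added example (not the article's own listing) that serves both the "Remove auto-triggering" section above and this one: it lists everything Get-VpnConnectionTrigger reports for the profile, then removes any desktop application trigger whose executable no longer exists on disk. It assumes the My Private Network profile exists, and it assumes the returned objects expose the application paths in an ApplicationID property; check the Format-List output on your own system before relying on that.

```powershell
# Constructed example, not the article's own listing. Assumes the VPN profile
# "My Private Network" exists. The ApplicationID property name on the objects
# Get-VpnConnectionTrigger returns is an assumption; check the actual output
# on your system first.
$vpn = 'My Private Network'

# Show everything configured for the profile: trigger apps, trusted networks
# and any DNS-based trigger settings.
Get-VpnConnectionTrigger -ConnectionName $vpn | Format-List

# Collect the desktop application triggers (values that look like file paths;
# Store app package names contain no backslash and are skipped).
$appTriggers = Get-VpnConnectionTrigger -ConnectionName $vpn |
    Where-Object { $_.PSObject.Properties['ApplicationID'] } |
    ForEach-Object { $_.ApplicationID } |
    Where-Object { $_ -like '*\*' }

# Remove triggers whose executable no longer exists, which would otherwise
# linger in the profile after the application is uninstalled.
foreach ($path in $appTriggers) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Host "Removing stale trigger: $path"
        Remove-VpnConnectionTriggerApplication -Name $vpn -ApplicationID $path -Force
    } else {
        Write-Host "Keeping trigger: $path"
    }
}

# To remove a specific, still-installed trigger instead, name it explicitly,
# using the same path that was passed to Add-VpnConnectionTriggerApplication:
# Remove-VpnConnectionTriggerApplication -Name $vpn -ApplicationID $app
```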

Add trusted networks to a VPN profile (Image Credit: Russell Smith)

Windows Universal Apps

Windows Store apps can also auto-trigger a VPN. All you need to do is specify the app's package name instead of a path in the -ApplicationID parameter. To get a list of installed Universal apps and their corresponding package names, run the Get-AppxPackage cmdlet, where you'll find the package names in the Name field.
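An added example (not the article's own listing) that lists the installed Universal apps with their identifiers, picks one by a placeholder name fragment, and registers it as a trigger. It assumes the My Private Network profile exists; the wildcard `*YourAppName*` is a placeholder for part of the app's name.

```powershell
# Constructed example, not the article's own listing. Assumes the VPN profile
# "My Private Network" exists and that the Store app you want is installed;
# '*YourAppName*' is a placeholder for part of its name.
$vpn = 'My Private Network'

# List installed Universal apps with the identifiers a trigger can be keyed on.
# The article uses the Name column; Get-AppxPackage also exposes
# PackageFamilyName, so both are shown side by side for comparison.
Get-AppxPackage | Select-Object Name, PackageFamilyName | Sort-Object Name

# Pick one package by a substring of its name and register it as a trigger.
$pkg = Get-AppxPackage -Name '*YourAppName*' | Select-Object -First 1
if (-not $pkg) { throw 'No matching Store app installed for the current user.' }

# Uses the Name field as the article does. If the cmdlet rejects that value on
# your build, try $pkg.PackageFamilyName instead; Microsoft's cmdlet reference
# describes the Store app identifier as a package family name.
Add-VpnConnectionTriggerApplication -Name $vpn -ApplicationID $pkg.Name -Force

# Verify what the profile now holds.
Get-VpnConnectionTrigger -ConnectionName $vpn
```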