Short story about Windows 10 Always On VPN, Trusted Network Detection and Network List Manager Policies.
When you deploy Windows 10 Always On VPN to your environment, there is a thing called “Trusted Network Detection”. This is a value defined in your VPN profile that tells the VPN client whether you are connected to your corporate network or not. If you are not connected to your corporate network (the Trusted Network), the VPN connection is established; if you are, it is not. This setting is available for both device and user tunnel profiles.
The way this setting works is that it will look for the “Connection specific DNS suffix” of your network connections. When left untouched, this suffix is usually populated with your internal domain FQDN. All the guides on how to deploy Windows 10 Always On VPN will tell you to match your internal domain FQDN and off you go!
If there is someone, somewhere, someday, who decided “corp.contoso.com” is not what he/she wanted his/her users to see when looking at the network connections in the Control Panel, this person could have decided to use Network List Manager Policies and deploy them using GPO. This allows them to substitute “corp.contoso.com” with something like “Contoso Corporate network”. The setting to look for: Computer Configuration | Windows Settings | Security Settings | Network List Manager Policies.
When deploying Windows 10 Always On VPN profiles, apparently this substitute name is taken into account when performing Trusted Network Detection. When using Network List Manager Policies, make sure to include that name in your Trusted Network Detection. If you forget to do this, you’ll spend some time troubleshooting this question: “Why the hell are my devices trying to connect to the VPN when they are inside the corporate network?! I defined the damn Trusted Network Detection!” 🙂
BTW, the Trusted Network Detection tag in the VPN XML profile allows multiple values, separated by a comma 😉
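As an added example (not code from the original post), here is a constructed ProfileXML fragment whose TrustedNetworkDetection lists both the DNS suffix and the NLM display name, followed by a check of what the local client actually sees on each active connection, so you can spot a mismatch before the devices start dialling the VPN from inside the office. The profile values and network names are sample data; only the cmdlets are real.

```powershell
# Constructed sample: a minimal ProfileXML with both names in Trusted Network Detection.
# In a real deployment the rest of the profile (servers, protocol, auth) sits alongside it.
[xml]$Profile = @'
<VPNProfile>
  <TrustedNetworkDetection>corp.contoso.com,Contoso Corporate network</TrustedNetworkDetection>
</VPNProfile>
'@

# Split the comma-separated list the same way the client consumes it: one value per entry.
$Trusted = $Profile.VPNProfile.TrustedNetworkDetection -split ',' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ }

# Walk every connected network profile and collect the two names that matter:
#  - the connection-specific DNS suffix (what the guides tell you to match)
#  - the Network List Manager profile name (what an NLM policy substitutes)
$Report = foreach ($Conn in Get-NetConnectionProfile) {
    $Suffix = (Get-DnsClient -InterfaceIndex $Conn.InterfaceIndex).ConnectionSpecificSuffix
    [pscustomobject]@{
        Interface    = $Conn.InterfaceAlias
        DnsSuffix    = $Suffix
        NlmName      = $Conn.Name
        SuffixInTND  = [bool]($Suffix -and ($Trusted -contains $Suffix))
        NlmNameInTND = [bool]($Trusted -contains $Conn.Name)
    }
}

# Connections where neither name is in the list will not be treated as trusted,
# which is exactly the "why is it connecting from inside the LAN" symptom.
$Report | Format-Table -AutoSize
$Report | Where-Object { -not ($_.SuffixInTND -or $_.NlmNameInTND) } |
    ForEach-Object { Write-Warning "No TND match on '$($_.Interface)': suffix='$($_.DnsSuffix)' nlm='$($_.NlmName)'" }
```

Run it on a domain-joined client while on the corporate LAN; if the NLM policy has renamed the network, the NlmName column shows the substitute and must appear in the TND list for detection to work.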
Have a nice one!