Always On VPN Part 3 – Task Scheduler

Always On VPN Part 3 – Task Scheduler

24 March 2023 Windows 0

In this section, I will describe the Scheduler Tasks that will be responsible for automatically establishing a VPN connection.

Each task is responsible for establishing a single tunnel. The recommended method for delivering these tasks is through Group Policy Preferences (GPP):

  1. GPO with settings in the device configuration section for the Device Tunnel.
  2. GPO with settings in the user configuration section for the User Tunnel.

The task responsible for establishing the Device Tunnel connection is run with the credentials of the System account. The task will run regardless of whether the user is logged in.

The following triggers are defined:

  • Event-based trigger:
    • Log: Microsoft-Windows-NetworkProfile/Operational
    • Source: NetworkProfile
    • Event ID: 10000

  • Time-based trigger:
    • Runs every day, with a repetition every 5 minutes. This trigger is used to monitor the connection status.

  • Startup trigger:
    • Establishes a connection at computer startup.

  • Wake-up trigger:
    • Establishes a connection after the computer wakes up from sleep mode.

Once the triggers are defined, we can add a task to be executed. For the Device Tunnel, the script described in the previous entry, Connect-DeviceTunnel.ps1, will be used.

Program: powershell.exe Arguments: -ExecutionPolicy Bypass -File “C:\Program Files\VPN\Connect-DeviceTunnel.ps1”

On the subsequent tabs, configure the ability to run the task on demand, run the task if it was skipped, set job stop options, and prevent multiple task instances from being triggered.

On the Conditions tab, you can specify that the task will only run when there is an active network connection.

The second task in the Task Scheduler is responsible for establishing the User Tunnel connection. The connection will be established only when the user is logged into the computer.

On the following tab, add the following triggers:

  • Logon trigger:
    • Runs after any user logs into the computer.
    • On workstation unlock.

  • Time-based trigger:
    • Monitors the connection status every 5 minutes.

  • System event triggers:
    • Network connection established:
      • Log: Microsoft-Windows-NetworkProfile/Operational
      • Source: NetworkProfile
      • Event ID: 10000
    • Network disconnection:
      • Log: Microsoft-Windows-NetworkProfile/Operational
      • Source: NetworkProfile
      • Event ID: 10001

If you want the Device Tunnel to start after the user logs out, you can add an additional trigger:

  • Log: Microsoft-Windows-User Profile Service/Operational
  • Source: Microsoft-Windows-User Profiles Services
  • Event ID: 3

On the Actions tab, specify:

Program: “C:\Program Files\VPN\Connect-UserTunnel.vbs” The specified VBS file launches Connect-UserTunnel.ps1 and hides the PowerShell window from users.

The configuration on the Conditions and Settings tabs is similar to the previously described task.

In the next post in this series, I will demonstrate how to build and deploy an installation package using the prepared files.

Below is the content of the VBS file:

command = "powershell.exe -nologo -command " & Chr(34) & "& 'C:\Program Files\VPN\Connect-UserTunnel.ps1'"  & Chr(34)
set shell = CreateObject("WScript.Shell")
shell.Run command,0


Leave a Reply

Your email address will not be published. Required fields are marked *