The Microsoft Always On VPN solution, pushed by Microsoft as the successor to DirectAccess, is a great tool for remote workers. Despite the name, user tunnel connections don't always auto-connect, even with "AlwaysOn" configured in the ProfileXML or the Intune configuration policy.
Some hacks include scheduling the "rasdial" command, but wouldn't you rather know why it stopped auto-connecting?
>> Why is it not auto-connecting?
This might happen because the user manually disconnected the user tunnel, or for unexplained reasons. When it does, the VPN connection gets added to a registry list called AUTOTRIGGERDISABLEDPROFILELIST, and it stops auto-connecting.
The AUTOTRIGGERDISABLEDPROFILELIST property is located at:
Deploying a fix via Intune makes sense, since Intune is the preferred distribution mechanism for Always On VPN profiles. Even though this seems like a bug, it's a feature, and as such it might never end up on the troubleshooting page.
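
The fix described above, as an added example that is not part of the original post: a PowerShell script that checks whether one profile is in the list and, when `$Remediate` is set, removes only that entry. The registry key path is a placeholder because the post does not give it, the profile name is hypothetical, and the multi-string value type is an assumption.

```powershell
# Added example, not from the original post. Intune passes no arguments to
# scripts, so the settings are constants at the top of the file.
$ConfigKeyPath = '<REGISTRY-KEY-PATH>'              # placeholder: the post does not give the key
$ValueName     = 'AUTOTRIGGERDISABLEDPROFILELIST'   # as spelled in the post; confirm on a test device
$ProfileName   = 'Contoso Always On VPN'            # hypothetical profile name
$Remediate     = $false                             # $false = detect only, $true = also fix

if ($ConfigKeyPath -like '<*>') {
    Write-Error 'Set $ConfigKeyPath before running.'
    exit 2
}

# A missing key or value means no profile has been disabled.
$item = Get-ItemProperty -Path $ConfigKeyPath -Name $ValueName -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Output "'$ValueName' not present; auto-trigger is not disabled."
    exit 0
}

# Assumption: the value is a multi-string (one profile name per entry).
# @() keeps a single entry as a one-element array; empty strings are dropped.
$current = @(@($item.$ValueName) | Where-Object { $_ })
$kept    = @($current | Where-Object { $_ -ne $ProfileName })   # -ne ignores case

if ($kept.Count -eq $current.Count) {
    Write-Output "'$ProfileName' is not in the list."
    exit 0
}

if (-not $Remediate) {
    # Non-zero exit marks the device as needing remediation.
    Write-Output "'$ProfileName' is in the list; auto-connect is disabled."
    exit 1
}

# Write back every other entry untouched so unrelated profiles keep their state.
Set-ItemProperty -Path $ConfigKeyPath -Name $ValueName -Value ([string[]]$kept) -Type MultiString
Write-Output "Removed '$ProfileName'; $($kept.Count) other entries kept."
exit 0
```

Deployed as an Intune remediation pair, the same file serves as the detection script with `$Remediate = $false` and as the remediation script with `$Remediate = $true`.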