I'm not sure if this would be of any use to people, but the question came up of how we deal with replacing profiles en masse if there needs to be a change made to them. Maybe there is a network that needs to be added or removed from routing, or a new traffic filter is applied, etc. You cannot just install a profile with the same name to replace the existing one, and you cannot replace it if it is connected either.
When deploying the user profiles with PowerShell via SCCM, the answer seems pretty simple.
Just add some additional code to the top of the user profile PowerShell script to disconnect the tunnel, remove the VPN profile, and install the new one.
This is a very basic example that can be improved upon, but it works just fine when placed at the top of the user profile PowerShell script:

$UserVPNProfile = Get-VpnConnection | Where-Object { $_.Name -eq "Name of User VPN Profile to be replaced" }
# Only act if the profile exists; otherwise rasdial and Remove-VpnConnection would be called with an empty name
if ($UserVPNProfile) {
    # Disconnect the tunnel first; a connected profile cannot be removed
    rasdial $UserVPNProfile.Name /DISCONNECT
    Remove-VpnConnection -Name $UserVPNProfile.Name -Force
    Write-Host "The existing Always On VPN user profile ""Name of User VPN Profile that was replaced"" has been disconnected and removed"
}

I am deploying the device tunnels in the same way as the user tunnels with SCCM, except I am targeting a device collection and set the program to run whether or not a user is logged on. Seems to work fine.
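The disconnect-then-remove step described above, written as a reusable function that confirms the tunnel is actually down before removing the profile. This is an added example, not the poster's script. The function name, its parameters, the `-DeviceTunnel` switch (which assumes device tunnels are handled through `-AllUserConnection`) and the exit-code handling are assumptions for illustration.

```powershell
# Added example: hypothetical helper, not part of the original post.
function Remove-ExistingVpnProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        [switch]$DeviceTunnel,        # assumption: device tunnels sit in the all-user phone book
        [int]$TimeoutSeconds = 30
    )

    # Splat -AllUserConnection only when targeting a device tunnel
    $scope = @{}
    if ($DeviceTunnel) { $scope.AllUserConnection = $true }

    $vpn = Get-VpnConnection -Name $ProfileName @scope -ErrorAction SilentlyContinue
    if (-not $vpn) {
        Write-Host "No existing profile ""$ProfileName"" found; nothing to remove"
        return $true
    }

    # A connected profile cannot be removed, so disconnect and poll until it is down
    if ($vpn.ConnectionStatus -ne 'Disconnected') {
        rasdial $ProfileName /DISCONNECT | Out-Null
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 1
            $vpn = Get-VpnConnection -Name $ProfileName @scope -ErrorAction SilentlyContinue
        } while ($vpn -and $vpn.ConnectionStatus -ne 'Disconnected' -and (Get-Date) -lt $deadline)
    }

    try {
        Remove-VpnConnection -Name $ProfileName @scope -Force -ErrorAction Stop
    } catch {
        Write-Warning "Could not remove ""$ProfileName"": $($_.Exception.Message)"
        return $false
    }

    Write-Host "The existing VPN profile ""$ProfileName"" has been disconnected and removed"
    return $true
}

# Placeholder profile name, as in the post
if (-not (Remove-ExistingVpnProfile -ProfileName 'Name of User VPN Profile to be replaced')) {
    # Stop with a non-zero exit code so the deployment is reported as failed
    # instead of attempting to install over a profile that is still present
    exit 1
}
# The existing profile-install portion of the script continues from here
```

For a device tunnel, call the function with `-DeviceTunnel` from the program that runs whether or not a user is logged on.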