Hi Andrew,
Try the following solution from a similar post (by Konstantinos Passadis):
Enabling the <AlwaysOn>true</AlwaysOn> parameter in the VPN profile is intended to maintain a persistent connection between the VPN client and the VPN server. However, this parameter does not prevent the user from disconnecting the VPN manually.

To prevent users from disconnecting the VPN manually, you can use the Always On VPN feature in Windows 10. Always On VPN is a Microsoft remote access technology that provides an always-on VPN connection that is automatically established when a user logs on to their device.

To enable Always On VPN, you can use the following steps:

1. Create a VPN profile using the VPNv2 CSP in Intune or another device management tool.
2. Configure the VPN profile with the following settings:
   - <AlwaysOn>true</AlwaysOn> to enable always-on VPN
   - <LockDown>true</LockDown> to prevent the user from disabling the VPN manually
   - <NativeProfile><DisableClassBasedDefaultRoutes>true</DisableClassBasedDefaultRoutes></NativeProfile> to prevent traffic from being routed through the VPN when it is not connected.
3. Assign the VPN profile to the appropriate device group in Intune or another device management tool.

With Always On VPN enabled, the VPN connection will be established automatically when the user logs on to their device and will remain connected even if the user logs off. Additionally, the user will not be able to disable the VPN manually, ensuring that the VPN connection is always on when the device is connected to the Internet.
If this is helpful, please accept the answer.
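A pre-deployment check for the three settings named in the steps above, added here as an example and not taken from the original answer or from Microsoft. It parses a ProfileXML string and reports any setting that is missing, not true, or nested under the wrong element; the expected parents are an assumption based on the ProfileXML schema, and the sample profiles and server name are constructed.

```python
import xml.etree.ElementTree as ET

# Parent element expected for each setting (editor's reading of the ProfileXML
# schema, an assumption): AlwaysOn and LockDown sit directly under VPNProfile,
# DisableClassBasedDefaultRoutes sits under NativeProfile.
EXPECTED_PARENT = {
    "AlwaysOn": "VPNProfile",
    "LockDown": "VPNProfile",
    "DisableClassBasedDefaultRoutes": "NativeProfile",
}

def audit_profile(xml_text):
    """Return findings for a ProfileXML string; an empty list means all three are set."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for name, want in EXPECTED_PARENT.items():
        nodes = list(root.iter(name))
        if not nodes:
            findings.append(f"{name}: missing")
        for node in nodes:
            got = parent_of[node].tag if node in parent_of else None
            value = (node.text or "").strip().lower()
            if got != want:
                findings.append(f"{name}: under <{got}>, expected <{want}>")
            elif value not in ("true", "1"):  # xs:boolean accepts both spellings
                findings.append(f"{name}: set to {value!r}, not true")
    return findings

# Constructed sample profiles (the server name is a placeholder).
GOOD = """<VPNProfile><AlwaysOn>true</AlwaysOn><LockDown>true</LockDown>
<NativeProfile><Servers>vpn.example.invalid</Servers>
<DisableClassBasedDefaultRoutes>true</DisableClassBasedDefaultRoutes>
</NativeProfile></VPNProfile>"""
ALWAYS_ON_ONLY = """<VPNProfile><AlwaysOn>true</AlwaysOn>
<NativeProfile><Servers>vpn.example.invalid</Servers></NativeProfile></VPNProfile>"""
MISPLACED = GOOD.replace("<LockDown>true</LockDown>", "").replace(
    "<NativeProfile>", "<NativeProfile><LockDown>true</LockDown>")

if __name__ == "__main__":
    for label, xml_text in [("good", GOOD), ("always-on only", ALWAYS_ON_ONLY),
                            ("misplaced LockDown", MISPLACED)]:
        print(label, "->", audit_profile(xml_text) or "ok")
```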