Hi,
You mentioned “I would assume that if the client decides that is on domain network, it will not dial AOVPN. But apparently this is not the case when on BO split VPN.” To my understanding, when deploying Windows 10 Always On VPN, Trusted Network Detection (TND) can be configured, which enables clients to detect when they are on the internal network. The VPN client evaluates the DNS suffix assigned to all physical adapters that are active. If one of them matches the trusted network setting, the client is determined to be on the internal network and the VPN connection will not connect. If the DNS suffix is not present on any of these adapters, the client is determined to be outside the internal network and the VPN connection will establish automatically.
In my opinion, you may check whether all the branch offices’ adapters have been assigned the DNS suffix.
The following link shows how to configure the DNS suffix presented on adapters, for your reference.
https://directaccess.richardhicks.com/2020/03/24/always-on-vpn-trusted-network-detection/
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Best Regards,
Mulder Zhang
--------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
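The check suggested in the answer above, as an added example that is not part of the original post or of Microsoft's documentation: run on a branch-office client, it lists every active physical adapter with its connection-specific DNS suffix and reports how TND would evaluate it. The trusted suffix list is assumed to be the value of the `<TrustedNetworkDetection>` element in the deployed VPN profile; `corp.example.com` is a placeholder.

```powershell
# Added example (not from the original post): replicate the Always On VPN
# Trusted Network Detection check on a Windows 10 client.
# $TrustedNetworkDetection is assumed to hold the <TrustedNetworkDetection>
# value from the VPN profile XML; "corp.example.com" is a placeholder.
param(
    [string]$TrustedNetworkDetection = "corp.example.com"
)

# The profile element accepts a comma-separated list of suffixes; normalise them.
$trusted = $TrustedNetworkDetection -split ',' |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object { $_ }

# TND only evaluates physical adapters that are Up. The VPN tunnel adapter is
# virtual and is therefore excluded, as are disconnected NICs.
$adapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }

$results = foreach ($nic in $adapters) {
    # ConnectionSpecificSuffix is what "ipconfig /all" shows as
    # "Connection-specific DNS Suffix" (typically pushed by DHCP option 015).
    $dns    = Get-DnsClient -InterfaceIndex $nic.ifIndex
    $suffix = ([string]$dns.ConnectionSpecificSuffix).Trim().ToLowerInvariant()

    [pscustomobject]@{
        Adapter        = $nic.Name
        InterfaceIndex = $nic.ifIndex
        DnsSuffix      = $suffix
        MatchesTrusted = ($suffix -ne '' -and $trusted -contains $suffix)
    }
}

$results | Format-Table -AutoSize

if ($results | Where-Object { $_.MatchesTrusted }) {
    Write-Host "At least one active physical adapter carries a trusted suffix:"
    Write-Host "TND treats this client as internal and Always On VPN will not connect."
} else {
    Write-Host "No active physical adapter carries a trusted suffix:"
    Write-Host "TND treats this client as external and Always On VPN will connect."
}
```

If the branch-office adapters come back with an empty `DnsSuffix`, the DHCP scope serving that office is usually the place to look, since the connection-specific suffix on a DHCP-configured adapter is normally supplied by the server rather than set locally.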