I use Cisco AnyConnect (4.2.05015) on Win10 Enterprise to handle my WiFi connections and VPN connections. Currently, whenever AnyConnect connects to WiFi it automatically attempts to connect to one of my VPN access points. I would like to disable this behavior. AnyConnect should only connect to VPN when I press the appropriate "Connect" button, but it should not attempt to connect to VPN automatically. How can I accomplish this?
Update
C:/ProgramData/Cisco/Cisco AnyConnect Secure Mobility Client/Profile/
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">true</LocalLanAccess>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="true">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="true">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
<AutomaticVPNPolicy>true
<TrustedDNSDomains>...</TrustedDNSDomains>
<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
<AlwaysOn>false
</AlwaysOn>
</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Disable
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<CertificateMatch>
<KeyUsage>
<MatchKey>Key_Encipherment</MatchKey>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
<DistinguishedName>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
<Name>ISSUER-CN</Name>
<Pattern>Seamless Access CA</Pattern>
</DistinguishedNameDefinition>
</DistinguishedName>
</CertificateMatch>
<EnableAutomaticServerSelection UserControllable="true">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
(TrustedDNSDomains has been removed for privacy reasons).
Best Answer
Trusted Network Detection(TND) is not a user controllable security feature. It is enforced by your VPN Access Point administrator through VPN profile.
When the client's DNS domain does not fall under the listed domains in the VPN profile, AnyConnect considers client is under untrusted domain and takes course of action based on the TND policy in the VPN profile. In your case, untrusted network policy is to establish VPN connection (which should be course of action for untrusted networks anyway). And yes, it is highly likely that AnyConnect is automatically initiating VPN connection when you are switching Wi-Fi networks because of TND feature.
Had if your admin configured AlwaysOn too for the AutomaticVPNPolicy, you will be locked from internet access unless VPN connection is established.
PS: User control is not relevant for TND feature and sorry for my misleading comments earlier.