I've done additional testing.
we have carbon black endpoint on our computers, which give command line access. Using that access if I remotely start the VPN, it will connect, and services across the VPN are accessible, expect services that need the route. The vpn route is NOT injected/loaded. This can be seen using the 'route print' command.
This can also be done with psexec. If you connect with the /s option to connect as the system account, then launch the VPN, it will NOT inject the routes. Just to be clear, to launch the VPN the command is: rasdial "<vpn name>" <username> <password>.
so - this is VERY reproducible. This is either an obvious bug (now that I'm looking at it), or by design.
And again, the sequence of events:
user launches vpn from logon screen and connects to vpn (and logs on) via the vpn screen - the user does not do a 'normal logon', they click on the netwrok/vpn icon on the lower righ
vpn connect, normal logon is processed - but the network drives, mapped via gpo preference, that are on servers that need to use the routes added to the VPN time out
after logon finishes and the profile is loaded the routes are available, resources that need that route are accessible, and a manually initiated "gpupdate" will ultimately cause the drives to be mapped