Static VPN Routes not applied via Windows login screen

TassieTrooper 16 Reputation points
2022-03-15T21:57:01.127+00:00

Hi,

Can someone confirm that this cmdlet works when using an '-AllUserConnection' VPN via the Windows 10 login screen?
<SNIPPET>
# Excerpt from the Meraki split-tunnel script: $ConnectionName (the all-user
# profile name) and $RouteList (an array of CIDR prefixes) are set earlier in it.
foreach ($Destination in $RouteList)
{
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -AllUserConnection -DestinationPrefix $Destination
}
*This is the Meraki VPN split tunnel script.

The routing works fine when VPN is connected during a current user's login session, and that is also true for any user that is currently logged in, yet the routes are not being applied when connected via the Remote Connections login from Windows Login screen.


15 answers

  1. Bruno Guerreiro 1 Reputation point
    2022-10-13T01:32:15.89+00:00

    Hello.
    I've just found this topic and can inform that I'm also having this issue. The VPN connection gets established but the routes aren't added. If I then disconnect and reconnect the VPN everything works as expected.
    This happens every time I do the login process by clicking the icon in the lower right corner.


  2. IT Trev 11 Reputation points
    2022-10-24T16:42:55.42+00:00

    I have a ticket open with Microsoft. It's proceeding, slowly. We'll see what happens.


  3. David McLees 1 Reputation point
    2022-11-08T16:37:46.91+00:00

    Hi,

    I've had the same issue, it won't work with a VPN profile that uses split tunnelling.

    The system account can't inject the route.

    I was wanting to use the VPN at the login screen to allow a user to sign in when using autopilot to do the first log on to enable hybrid AD join.

    I found two solutions:

    1. Use the full tunnel and disable split tunnelling.
    2. Use a PowerShell script to inject the route during the Autopilot process (maybe you can adapt this method if you really want to stick with split tunnels). I used the code below.

    # UNC path on the internal network; reachable only when the domain is in reach.
    $TestDomain = "\\yourdomain.local\Public"
    if (Test-Path $TestDomain) {
        Write-Host "Domain available, VPN not required!"
    }
    else {
        Write-Host "Domain not available"
        # Inject the internal subnet via the VPN next hop. This route is not
        # persistent (no -p), so it is gone after a reboot.
        route add 172.17.12.0 mask 255.255.255.0 172.20.0.1
    }

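The following is an added example, not code from this thread, from Meraki's script or from Microsoft. It combines the two approaches discussed above: it reads the routes declared on the all-user profile (the ones the question's Add-VpnConnectionRoute loop adds) and, once the tunnel interface exists, checks the live routing table and injects whatever is missing, which is what the route add workaround in the previous answer does by hand with a hardcoded subnet. The profile name 'Meraki VPN' and the 30-second wait are assumptions; it must run elevated (or as SYSTEM), because New-NetRoute needs administrator rights.

```powershell
# Added example: reconcile the routes on an -AllUserConnection VPN profile with
# the routing table after the tunnel is up. Run elevated or as SYSTEM.
[CmdletBinding()]
param(
    [string]$ConnectionName = 'Meraki VPN',   # assumption: name of the all-user profile
    [int]$WaitSeconds = 30                    # assumption: how long to wait for the tunnel
)

function Get-VpnInterfaceIndex {
    param([string]$Name)
    # A connected RAS/VPN connection appears as an IP interface whose alias is
    # the profile name; when disconnected there is no such interface.
    $if = Get-NetIPInterface -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if ($if) { return [int]$if.InterfaceIndex }
    return $null
}

function Repair-VpnConnectionRoutes {
    param([string]$Name, [int]$Wait)
    # The all-user profile carries the prefixes Add-VpnConnectionRoute registered.
    $vpn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction Stop
    if (-not $vpn.SplitTunneling) {
        Write-Verbose "Profile '$Name' is full-tunnel; default route goes over the VPN, nothing to reconcile."
        return @()
    }

    # The connection may finish a few seconds after this script starts, so poll
    # for the tunnel interface instead of failing immediately.
    $deadline = (Get-Date).AddSeconds($Wait)
    $ifIndex = $null
    do {
        $ifIndex = Get-VpnInterfaceIndex -Name $Name
        if ($ifIndex) { break }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)
    if (-not $ifIndex) { throw "VPN '$Name' is not connected (no interface after $Wait s)." }

    $added = @()
    foreach ($route in $vpn.Routes) {
        $prefix = $route.DestinationPrefix
        $existing = Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix $prefix -ErrorAction SilentlyContinue
        if ($existing) { continue }   # already in the table, nothing to do
        # On-link route over the point-to-point tunnel interface. ActiveStore only,
        # so the route disappears with the interface and never survives a reboot.
        New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $ifIndex -PolicyStore ActiveStore | Out-Null
        $added += $prefix
    }
    return $added
}

$result = Repair-VpnConnectionRoutes -Name $ConnectionName -Wait $WaitSeconds
if ($result) {
    Write-Host "Routes added on '$ConnectionName': $($result -join ', ')"
} else {
    Write-Host "All profile routes already present on '$ConnectionName'."
}
```

Because it needs elevation, this is better run from a scheduled task as SYSTEM (for example with an at-logon trigger, or as an Autopilot step) than from a user logon script, and it is idempotent, so running it on every logon costs nothing when the routes are already there. Checking Get-NetRoute on the tunnel's interface index rather than just Get-VpnConnection is the key point: the profile can list a prefix while the routing table never received it, which is exactly the symptom reported in this thread.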

  4. IT Trev 11 Reputation points
    2022-11-08T19:00:34.52+00:00

    I'll need to test that.

    You said you used this for 'autopilot'. That's not the issue here, though it is directly related.

    The issue here is the logon, more specifically group policy, and very specifically drive mappings.

    I don't remember the order of GPO implementation. If I implement that script as a logon script, the issue would be: does the 'logon script' get implemented before the drive mapping 'preferences'? Hmm ... of course having it as a separate GPO with a higher precedence (so that it runs first) should fix that, I guess.

    I have come to more or less hate, or at least distrust, logon scripts. But that would fix ANY issue related to needing the route, not just the issue I have TODAY of drive mapping.

    My ticket is still open with Microsoft. They initially pointed me to the issue back in January where they put out an update that broke VPNs, and then released an out of band update that fixed VPNs. I had to explain this is a separate issue, NOT fixed in that update (and also that update is applied with subsequent updates which proves it doesn't fix it).


  5. David McLees 1 Reputation point
    2022-11-09T14:18:33.457+00:00

    The other option Trev is to deploy a full tunnel instead of split then you won't have to script the route injection.
