question

GarethLittle-9887 asked JonMarnock commented

VPN on Logon Screen

Hi

I am trying to create a VPN connection that is available on the Windows 10 Pro logon screen. I've done much Googling and tried the Add-VpnConnection method in PowerShell, but whatever I try the connection is not available on login. Can anyone help?

Thanks,

Gareth.

windows-10-network

I know this is an old thread... but trying to see if any other progress has been made. I tried everything listed in the thread for a non-domain machine and still cannot get the VPN to show at the login screen.

JonMarnock (in reply to BrandonStadthagen-1231):

Can I ask why you need this on the logon screen for a non-domain joined machine? The whole point of the login screen thing is to bring up the VPN so the domain-authentication can work for login (normally you would not have direct access to your AD over the internet, hence the need for a VPN).

GloriaGu-MSFT answered BrandonStadthagen-1231 commented

@GarethLittle-9887 Hi,

Thank you for posting in Q&A!

Please try the following method to see if it works:

In Network and Sharing Center -> Set Up a New Connection or Network -> Connect to a Workplace -> [Configure as Needed] ->
Check the last box with the shield next to it (Allow other people to use this connection).


Hope you have a nice day : )
Gloria

This does not work on Win10 21h1 - 19043.1165

GarethLittle-9887 answered

Hi Gloria,

Thanks for your reply. I have tried this method but the VPN does not appear on the login screen. I am connected to Azure AD if relevant.

Gareth.

AravinthMathan-3183 answered

Hi @GarethLittle-9887 ,

Could you let us know what VPN you are trying to configure? Also, what is the authentication mechanism?

Also, can you share the PowerShell command/script you used to deploy the profile?

Regards
Aravinth

GarethLittle-9887 answered

Hi @AravinthMathan-3183

I am trying to create L2TP/IPSEC with pre-shared key

Authentication is username/password MS-CHAP v2

Command is

 Add-VpnConnection -Name TEST -ServerAddress xxx.xxx.xxx.xxx -AllUserConnection $true -SplitTunneling $true -AuthenticationMethod MSChapv2 -TunnelType L2tp -EncryptionLevel Required -PassThru


JonMarnock answered JonMarnock commented

We use the following, from an elevated (admin) PowerShell prompt:

Add-VpnConnection -Name 'VPN Name' -ServerAddress 'vpn.server.address' -TunnelType 'L2TP' -L2TPPSK 'redacted' -Force -DnsSuffix 'if.you.care' -AllUserConnection


While this adds a new VPN entry that cannot be modified via the GUI... there is nothing on the login screen. This does not work on Win10 21h1 - 19043.1165

JonMarnock (in reply to BrandonStadthagen-1231):

I am using the same version of Windows and it definitely shows up on the login screen - but the difference is it's an enterprise version of Windows 10, and joined to a domain.

Please also note that even though this "works", there's a bug and it doesn't actually allow you to log in with the domain creds as the VPN terminates due to an internal error in windows before it can fully auth and log in.

My advice is: don't try and do this, MS clearly doesn't care about it working, it's broken more often than not, and tbh it's not the most secure VPN anyway. Plus I honestly cannot see a point to bringing up the VPN before login on a non-domain joined machine anyway. Just open the VPN after you log in.

JonMarnock answered

Just be aware we've found a few bugs in recent Windows 10 builds where this will fail with an error message stating the username or password is incorrect (this is not correct - the VPN comes up just fine but SYSTEM terminates it less than 1 second after it's created).

GarethLittle-9887 answered

Hi @JonMarnock

Thanks for this. I tried using the exact string you posted and the connection was created; it did not, however, appear on the logon screen.

JonMarnock answered

I wonder if the issue is Azure-AD. Perhaps it's not considered domain joined in the same way and so doesn't trigger the availability?

GarethLittle-9887 answered JonMarnock commented

Is availability of VPN on login screen only possible on domain joined machines? (usually) If so I will try joining a traditional domain.


It's entirely possible, yes. The specific scenario I believe it's designed to address is logging into a domain account when you are offsite and the domain is only accessible via VPN.


That said, as noted, it is broken more often than it's fixed, and the UI keeps getting forgotten, so I suspect this is pretty low on MS's list of things they care about. Azure-AD is the way they want all this remote shenanigans to work, so if you're trying to use a more traditional approach it's probably just going to keep sucking like it currently does and then eventually go away officially.

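
Added example, not part of any post in this thread: a PowerShell check that collects the facts the thread keeps coming back to (is the profile in the all-user phonebook, which edition and build is running, is the machine AD domain joined or Azure AD joined) so that a working and a non-working machine can be compared side by side. The profile name TEST comes from the question; the function name and the MatchesWorkingReport field are made up for this example, and that field only compares against the one configuration reported working above (all-user profile on an AD domain-joined machine).

```powershell
# Added example: report the pre-logon VPN preconditions discussed in this thread.
# Get-PreLogonVpnReadiness is a hypothetical helper name, not a built-in cmdlet.
function Get-PreLogonVpnReadiness {
    param(
        [string]$Name = 'TEST'   # profile name used in the question
    )

    # All-user profiles are stored in the machine-wide phonebook,
    # not in the per-user one under %APPDATA%.
    $pbk = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

    # Returns nothing if the profile was created without -AllUserConnection.
    $vpn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # dsregcmd prints lines such as "AzureAdJoined : YES".
    $aadJoined = [bool]((dsregcmd.exe /status) -match 'AzureAdJoined\s*:\s*YES')

    $isAllUser = $null -ne $vpn

    [pscustomobject]@{
        Profile              = $Name
        InAllUserPhonebook   = $isAllUser
        PhonebookFileExists  = Test-Path -LiteralPath $pbk
        TunnelType           = $vpn.TunnelType
        AuthenticationMethod = $vpn.AuthenticationMethod -join ','
        L2tpIPsecAuth        = $vpn.L2tpIPsecAuth
        Edition              = $os.Caption
        Build                = $os.BuildNumber
        AdDomainJoined       = [bool]$cs.PartOfDomain
        AzureAdJoined        = $aadJoined
        # True only for the combination reported working in this thread.
        MatchesWorkingReport = $isAllUser -and [bool]$cs.PartOfDomain
    }
}

Get-PreLogonVpnReadiness -Name 'TEST' | Format-List
```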