Last year I did an article entitled “Connect to a Windows VPN at logon”. Rather than duplicate, please refer to that article for details, but It has been pointed out the method outlined is not available in Windows 8. Actually it is but Win 8 by default alters the standard domain logon that was present since Win NT of pressing “Ctrl+Alt+Del”. Restore that and you will again have the option to connect to a VPN prior to logon so you authenticate to the domain, and have group policy and logon scripts applied.
To re-enable “Ctrl+Alt+Del” either open the Local Security Policy under Control Panel, Administrative Tools, or open the local Group Policy editor by entering in the “Run” box gpedit.msc. The location of the policy is in pretty much the same location in both, and setting in one will update the other.
- In the Local Security Policy editor (control panel) it is located under; Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL
- In the local Group Policy editor (gpedit.msc) it is located under; Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL
The default state of the policy in Win 8 is “Not Defined” which on a domain joined computer effectively results in enabled. You need to set the policy to disabled which will force the use of “Ctrl+Alt+Del”. After doing so, I recommend running from an elevated command prompt gpupdate /force, though it should not be necessary when editing the local policy. On that note; you can enforce the use of “Ctrl+Alt+Del” domain wide by creating a GPO on your Domain Controller and editing the same policy.
Once you do so, and log off, you will see the familiar “Press Ctrl+Alt+Delete to sign in” message in the top left corner of the logon screen.
After pressing “Ctrl+Alt+Del” there will be a small network icon in the lower left corner
Click on the network icon and you will be presented with any VPN connection created on that computer. Note these VPN connections must have been created using the “Allow other people to use this connection” option. This discussion also applies only to domain joined computers.
Enter you domain credentials, the VPN will connect, authentication to the domain will be processed, and group polices and logon scripts, including your mapped drives, will be pushed to the client.
UPDATE: Should the PC not be domain joined and you wish to automate the VPN connection, please see: https://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/
LAN-Tech Network Management 
Comments on: "Windows 8 connect to VPN before logon" (35)
[…] Please see the more recent post to enable on a Win 8 PC […]
Is it possible to also choose a wireless network to connect to before log on?
So, choose a wireless network and then choose the VPN?
Though I have never tried it, it should be possible, but you would have to have a Wireless NIC that supports connections before logon. Some, such as Intel, offer this feature. I doubt you have the ability to choose which wireless connection but I think you can set a default wireless and if available it will connect at startup rather than after logon. The settings are located in the advanced adapter settings. Keep in mind that VPN’s tend to be less stable over a wireless connection, perhaps due to the dual encryption.
Hi there,
I am not amazingly computer savvy, but I have managed to follow your instructions for setting Ctrl+Alt+Delete to disabled so that it appears in logon, but I am a bit lost afterwards. i am running windows 8 on a home laptop with 2 seperater user accounts on the one pc. I have setup a VPN and connecting fine but want to sort so automatic. After acheiving the Ctrl+Alt+Delete section I have no network connection icon yet in logon screen?
Any help you can give would be greatly appreciated, as I know I’m not the only one. Thanks so much in advance. Glenn
Hi Glenn. Is the computer a member of a domain (corporate network)? The option is not available on non domain joined computers as it should not be necessary to use the feature. Thus it would not be present on Win 8 home edition. Let me know if that applies or it is a different issue.
If wanting to automate the connection after logon, that can be done with RASdial and a script. Let me know if you need details and I can provide those.
Hi again,
Thanks for getting back to me so quickly.
Sorry I should have been clearer, it is a home used computer and not on any domain or network.
Basically I have set up a VPN but have to start it manually everytime I connect to the internet, and was hoping to set it to automatically connect on log in or start up.
If you can help it would again be greatly appreciated!
Also, sometimes the VPN disconnects and switches to my normal wireless provider, I understand this is just a signal issue, but do you know of anyway to set an alert sound to advise me of when this happens?
Thanks so much for any help you could give.
Have a nice day.
Glenn
My apologies Glenn I am ‘on the road’ for a couple of days. I will provide a more detailed answer for you, but in short to automatically connect you need to create a batch file and add it to the start up menu. The batch file would simply contain
rasdial connectionname username password
such as
rasdial “Acme VPN” JDoe password
If the connection name has spaces you need to use the quotes as above.
Substituting * for the password will prompt for the password which is much more secure as the password is stored in the batch file in clear text.
One way you could monitor the network connection and have an alert is to use NetGong, formally known as IPmonitor. It will allow you to monitor multiple IP’s such as one at the other end of the VPN tunnel and alert you if disconnected. They have a 30 day trial:
http://netgong.tsarfin.com/
Hope that is of some help and I’ll provide specifics, possibly in a blog article as I am sure you are not alone, the first of the week.
Glen, as promised, the following link outlines using a batch file to automatically connect the VPN on a non-domain joined computer, after logon. https://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/
Thanks for this post, it was very helpful.
Unfortunately it doesn’t work when the VPN connection uses machine certificates for authentication, and I can’t seem to find a solution for that (besides not using machine certificates…).
I assume you are using L2TP with a server generated certificate? I am surprised that will not work, but I confess I have not tried it, good to know. Thanks.
That’s fantastic!
Thanks ever so much for all your kind help.
All the best!
Glenn
Hi
Is it possible to make the VPN login the default one that comes up in Windows 8 when the PC is started, rather than having to click the left arrow back button then the small network icon in the bottom left and then the relevant VPN connection before you can login? I have some users who work from home on PCs supplied by the firm so will only ever need to login on the VPN connection on them and its a bit of a long winded login each time at the moment.
Many thanks
Jo
I am afraid there is no way to do so as far as I am aware. I can appreciate why you would want to do so. XP made it a little easier with a little check box in the logon area.
This doesn’t seem to work on 8.1? I’ve re-created the VPN a dozen times and it never gives the option to connect at login.
I will admit I have never tried it on Win 8 until now but just did and it works well and exactly the same as on Win 8.
– This only works for a domain joined PC/laptop
– Please make sure you review the other details on the Win 7 related page https://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/
– When creating the VPN you must choose “Allow other people to use this connection”
– Make sure you can access the user icon page by pressing ctrl+alt+del or the back button. You may need to enable the ctrl+alt+delete option using the security policy
I’m struggling to get on the domain through PPTP vpn described. Running Win 8.1. vpn doesn’t stay up when “switching user”…and yes I’ve checked “Allow other people to use this connect” when creating vpn. Ideas?
Are you switching user accounts while connected to the VPN? If so that will not work as you are changing credentials. You will have to switch and manually reconnect the VPN or log out and back in with the VPN integrated login.
Hello… I followed these tips and successfully joined my virtual machine to an offsite domain (yay!) and got all the way to the VPN login prompt as described in this article. I’ve been looking at the Windows “Welcome” screen and it’s circling dots for over an hour… something’s got to be wrong. I’m running Win 8.1 on a parallels virtual machine, from a Mac. This is 1 of 2 virtuals I have set up, and I know the VPN opens because I was allowed to join the machine to the domain, and my credentials were accepted at login after reboot. Anyone have ideas? Thank you!
Do you have offline files enabled, with or without redirected folders? If so I have seen that take an hour or even a few hours while on the same LAN if the folders are large. If over a VPN at 1/100th the speed of the LAN it could take days for the first file sync to complete. It is usually best to configure group policy so that these features are not used by users with VPN connections.
[…] want to use the logon over vpn feature – in win8 you configure it as so: Windows 8 connect to VPN before logon | LAN-Tech Network Management That said, could you not put something in as an infrastructure vpn? the experience would likely […]
Ok, so, i’ve experimented with this quick a bit, and at least with some vpn connections, and especially with an azure vpn connection it does not work. I de-constructed the azure vpn (from the one you download) and set it up manually exactly as described. It is impossible to get that option before login. I requires the user to manually install the client certificate before it will connect to the vpn. If it’s a new user, then it won’t work. Even then, since it won’t accept putting the cert in the computer store then I never get the option to connect before login. Has anyone else experienced this or found a way around. I’m try to get scripts to work that install certs and rasdial, but there are still issues. If a new user wants to login you still have to login as another user first and connect to the vpn, then switch users and login as the new user. I’d love to find a way around this in windows 8.1 Pro.
I am afraid I have never tried this with Azure. As mentioned in the article though; it only works with the built-in Windows client, the PC from which you are connecting must be domain joined (to your Azure domain), it must me an established VPN connection, it will not work with first time connections and new users.
The article was primarily written after requests by different users wanting to connect to their internal server using a PPTP VPN such as those created by SBS and Essentials where certificates are not involved, though an L2TP VPN with certificates should work fine.
Hi Jonathan,
I am working exactly on same thing, trying to automate Azure VPN by script and wondering if you could help if you manage to sort it.
thanks
Hi! Thanks a lot for the article!
My VPN credentials differ from the domain ones so i failed to connect either to VPN or to domain. Any thoughts of workaround? Thanks!
Assuming the VPN is hosted by a domain server, you have to use domain credentials. Though you usually do not have to, try as a user name using: Domain\DomainUserName such as acme\JDoe with your domain password.
Hello there, You’ve done an incredible job. Very helpful. Thanks!
Great tutorial, but: Is it possible to establish a VPN Connection before logon without Domain credentials? Because the VPN Services are provided by our router, and the VPN user credentials are different from the logon credentíals.. Hope you understand what I mean! Would really appreciate an answer, because I really Need to use roaming profiles on the road..
No I am afraid not, unless you are using a 3rd party VPN client and router that supports connections before login such as some Cisco configurations. The option I discussed only applies to the built-in Windows VPN client and a domain joined computer.
Having said that, I have never done so, but it is possible if using the Windows VPN client to use the built in RASdial (VPN auto-dialer) and srvany to have a VPN connect as a service when the PC boots up. An explanation of these two commands can be found in the following links (The RASdial link references XP but it is present in all O/S’s):
https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/rasdial.mspx?mfr=true
https://support.microsoft.com/en-us/kb/137890
This has helped me out loads.
Great job.
Hi, just wanted to mention, I enjoyed this article.
Used this article before for windows 8.1. have you found a fix for windows 10??
THank you
Never do mind, I just had to recreate the VPN and choose allow for all users then it shows up in the bottom right of the logon screen after cntl alt delete
Thanks for updating Sean. I had assumed the same would work with Windows 10 but confess I had not tried it. I did notice on a win 8.1 => Win 10 upgrade the VPN connection option was still present. Good to know it still works. Thanks.
Hi, I have managed to connect to a VPN connection during the pre-logon and the disconnect button appears after a successful connection. I am intrigued to know why the disconnect button does not show when the user locks his session as the VPN Connection is still running. Is it something I have to enable from windows to get this “feature” or is it not possible and I have to disconnect the VPN Connection before I lock my windows session. Thanks
Hi David, are you expecting the disconnect button to appear on the lock screen or are you saying it is missing after you log back in? It is not supposed to appear on the lock screen or someone else could disconnect them, but it should be present when you log back in. I verified on 2 machines.