26 Comments

  • Rene Castro

    If you found your way here, you’re using Windows 11 and the Windows built-in VPN, this might work for you.

    Summary:

    You need to copy

    C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\PBK
    to
    C:\ProgramData\Microsoft\Network\Connections\PBK

    Thought I’d start with the summary for those who just want the red meat.

    Here’s what I did:

    I created a local admin user and set up an L2TP VPN connector with the Windows built-in VPN software to an EdgeRouter Lite. This works and I could ping my distant-end devices using FQDN, for example server.****.local. I then joined the domain and after reboot, logged back in as local admin, started the VPN and added the domain user. Next was to log in as the domain user and set up a VPN connector. Using the same or different VPN login credentials it fails, showing the error message: The system could not find the phone book entry for this connection.

    The solution: Once you join the domain it seems that Windows, in its infinite wisdom, changes the location of where PBK files lie, thus the VPN created by the domain user cannot find the PBK files. As the domain user, remove the VPN connector you’ve created. Next, log in as the local admin and find the PBK folder; mine was located at
    C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\ Next I copied the PBK directory into the following location,
    C:\Users\\AppData\Roaming\Microsoft\Network\Connections\ as there was none. Be warned this DID NOT work because at this time I did not know the correct location PBK should be in. But it was a good place to stash the PBK folder, which contained the PBK files like rasphone.pbk. So store the PBK folder in a higher-level folder accessible by all users, which is best as there may have been ownership issues I bypassed by copying files using the local admin account.

    The real location you want to copy the PBK folder to is C:\ProgramData\Microsoft\Network\Connections\

    Log in as the domain user, then copy the PBK folder from either the higher-level directory you used or, if you did what I did, from the \AppData location I used originally. As we all know, the domain user will have access to the other directories I’ve listed but possibly not the admin\AppData directory.

    Once the copy is complete, you should see the VPN connector is now listed in the VPN selection and it should work. That’s my 2 cents. I hope you find this helpful. Will this work in Windows 10? I don’t know. I tried this with a hope and a prayer and got lucky.

  • Silviu

    Hi Jon,
    The connection was successfully created. I have the VPN icon on the login page but cannot log in because I get the error “User or password incorrect”. If I log into Windows and start the connection from there the credentials work. Do you have any idea what the problem is?
    Thank you

  • Jon

    Hello,
    I have executed the command and a new VPN is added but after logoff I don’t see the possibility of connecting to the VPN before logging in.
    The icons in the corner do not show the VPN.
    My windows version is 21h1.
    Regards

      • Jon

        Hello,
        I have already solved it. I can see the VPNs before the logon.
        Of course, I have two laptops and I can only see them on the one that belongs to a domain.
        Both are Win10 version 21H1.
        Greetings.

  • Ian Salgado

    Hi,

    Quick question:

    Which part of the command forces the VPN connection to come up?

    Add-VpnConnection -Name VPN_NAME -ServerAddress VPN_SERVER_ADDRESS -AllUserConnection $true -SplitTunneling $true -AuthenticationMethod MSChapv2 -TunnelType Automatic -EncryptionLevel Required -PassThru

    I’m assuming it is “-PassThru”.

    cheers

    • Ian

      Hi Ian,

      This does not connect the VPN, just adds a connection that you can connect to before logging in.
      -PassThru outputs the connection details to the PowerShell screen so you can see the settings applied.

      Thanks

      Ian
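    An added example, not Ian’s script, that does what his answer describes as two separate steps: create the all-user entry (which is all Add-VpnConnection does, with -PassThru only returning the object), confirm it landed in the global phonebook that the sign-in screen reads, and then dial it explicitly with rasdial. The connection name, server address and domain account are placeholders, not values from the post, and the switches are passed bare rather than with $true.

```powershell
# Added example (not from the post). Run from an elevated PowerShell on Windows 10/11.
$Name   = 'Corp-VPN'          # assumed connection name
$Server = 'vpn.example.com'   # assumed RRAS server address

# Create the entry in the all-user phonebook. -PassThru only returns the created
# object; nothing is dialled here. -RememberCredential is deliberately not used:
# on an all-user entry the saved credential would be usable by anyone at the
# sign-in screen, which is the lost-laptop risk raised further down the thread.
$conn = Add-VpnConnection -Name $Name -ServerAddress $Server -AllUserConnection `
            -SplitTunneling -AuthenticationMethod MSChapv2 -TunnelType Automatic `
            -EncryptionLevel Required -Force -PassThru
$conn | Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus

# Winlogon shows only entries from the machine-wide rasphone.pbk, so check that file
# rather than trusting the cmdlet's return value.
$globalPbk = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$header    = '^\[' + [regex]::Escape($Name) + '\]'
if (-not (Select-String -Path $globalPbk -Pattern $header -Quiet)) {
    throw "'$Name' is not in $globalPbk, so it will not be offered before logon."
}

# Dialling is a separate step. The trailing * makes rasdial prompt for the password,
# so it never lands in the command line, transcript or a scheduled task definition.
rasdial $Name 'EXAMPLE\user' *          # assumed domain\user
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# Report the tunnel state from the same all-user scope the entry was created in.
(Get-VpnConnection -Name $Name -AllUserConnection).ConnectionStatus
```

    The Select-String check is the quickest way to tell a per-user entry from an all-user one: the file under %APPDATA% is only read after a user signs in, the one under %ProgramData% is what the network icon at the sign-in screen lists.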

  • John

    When you enter your AD credentials after selecting your VPN address, does it automatically pass through to Windows or are you forced to log in a second time using the same creds?

    • Ian

      Hi John,

      It automatically logs you in, as long as you’re using Microsoft RRAS for the VPN.

      Regards

      Ian

  • Garth

    Hey Ian. Thanks a lot for the PowerShell script. I am having no joy. The script executes fine, and DOES create the PPTP VPN entry, which works when I launch it through the GUI and/or the command line rasdial [entry].

    I expect I would see the two-computer icon in the lower right (I’ve seen it before), but it’s just not being added.

    Have you tried with the latest Windows? Just curious.

    Thank you again for sharing!

    Garth

    • Ian

      Hi Garth,
      Thanks for your comment. I have not had to use this script lately so can’t say definitively whether it will or will not work on the latest Windows 10 release.
      I can’t see why it wouldn’t work though.
      If I get a chance I’ll try it out and report back.
      Ian

  • Manu

    Hi,

    I followed all the steps and created the VPN access, but when I try to log in I get the message “we can’t access to your session because domain isn’t available”.

    My VPN connection works; even when I type my credentials I manage to connect, but when I get the error message it clearly disconnects from the router.

    any idea?
    Thank you.

    • Ian

      Hi Manu,

      This sounds like a DNS issue from the message you get. If you log in and then connect the VPN manually can you ping the domain controller?
      Also, you mention a router, this works when you are using Microsoft Windows Server RRAS for the VPN rather than a VPN to a router.

      Hope this helps

      Ian
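    An added diagnostic for the “domain isn’t available” case Ian is describing, not part of the original reply: after connecting the VPN manually and signing in, it checks the three things the logon path needs in order, DNS resolution of the domain’s DC SRV record through the servers the tunnel handed out, TCP reachability of Kerberos/LDAP/SMB on each advertised DC (the step split tunnelling most often breaks), and finally the DC locator itself via nltest. The domain name is an assumption.

```powershell
# Added example (not from the post). Run as a signed-in user with the VPN already connected.
$Domain = 'corp.example.com'   # assumed AD DNS domain name

# 1. Can the DNS servers currently in use find a DC for the domain?
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No DC SRV record for $Domain via the current DNS servers:"
    Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses
    return
}

# 2. Is each advertised DC reachable on the ports logon needs? A DC that resolves but
#    shows BLOCKED here is usually a route/split-tunnel problem rather than a DNS one.
$dcs = $srv | Where-Object NameTarget | Select-Object -ExpandProperty NameTarget -Unique
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-40} tcp/{1,-4} {2}' -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 3. Ask the DC locator the same question Winlogon asks, bypassing its cache.
nltest /dsgetdc:$Domain /force
```

    If step 1 fails, the VPN is not pushing the domain’s DNS servers (or the client prefers the local adapter’s servers); if step 1 passes and step 2 shows BLOCKED, the tunnel is up but the DC subnet is not routed through it.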

  • Brian Zellinger

    Thanks for the tutorial. Do you know if there is a way to auto log the user in using this method?

    • Ian

      Hi Brian,
      Thanks for your comment.
      I don’t think there should be a way to do this.
      This is too much of a security risk, to have the computer automatically log into a (business) network without a password as a minimum.
      I can’t think of a good reason to do this. If you would like to expand the scenario I may be able to help.
      If a computer is lost/stolen the whole network is vulnerable.
      Thanks
      Ian

  • Paolo

    Is there a way to add the additional network icon at the login screen for existing VPN connections? We use an IKEv2 certificate-based connection and the script provided above doesn’t work even if I want to create a second connection.
    Thank you!

    • Ian

      Hi Paolo,
      Thanks for leaving a question. You could try “Set-VpnConnection -Name EXISTING_VPN_NAME -AllUserConnection $true”, where EXISTING_VPN_NAME is your current VPN name. Please let me know how you get on.
      Thanks
      Ian

    • JohnD

      I’m wondering if that suggestion for Paolo worked, as I have the exact same situation and would help to find out if this is possible. We need to change Domain on remote laptops, and need the VPN to be up and running prior to login. Thanks!

      • Ian

        Hi John,
        Unfortunately, I’ve not heard back from Paolo. If you do any testing and find a solution please post back to let us all know.
        Thanks
        Ian

        • Jay

          Not Paolo, but I attempted this myself with Anyconnect VPN provider for Windows VPN client and receive the following:

          Set-VpnConnection : The configuration cannot be applied to the global user VPN connection [vpn connection name] : The system could not find the phone book entry for this connection.

          I recognize this is a bit different as I’m making use of the Anyconnect adapter found in the Microsoft Store, but hoping there’s a good way to make this work to allow mobile users to login using domain credentials over VPN.

          • Ian

            Hi Jay,

            I’m not sure how Anyconnect VPN works I’m afraid. The Set-VPNConnection modifies an entry in the rasphone.pbk.
            If Anyconnect does not add an entry in the rasphone.pbk, then the command won’t work. (You can open the file with notepad to check).

            The rasphone.pbk is found in C:\Users\username\AppData\Roaming\Microsoft\Network\Connections\Pbk for user VPNs and, as it’s per user, is obviously only available after login.
            The Global VPN rasphone.pbk is where the VPN is stored if it is available before login and can be found in C:\ProgramData\Microsoft\Network\Connections\Pbk.

            I’m not sure if this will help you but hope it explains a bit more.

            Ian
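    An added example, not from the post, that serves three of the threads above: Rene Castro’s manual copy of the PBK folder into C:\ProgramData, Paolo’s and JohnD’s question about moving an existing connection to the sign-in screen, and Jay’s “could not find the phone book entry” error. It parses the two rasphone.pbk files Ian names (they are plain INI files, one [Section] per entry) to report which scope an entry lives in, and then moves a per-user entry to the all-user phonebook by re-creating it through the supported cmdlets rather than copying the folder between profiles. The connection name is an assumption; it assumes a built-in Windows client entry, so a third-party provider that never writes rasphone.pbk will simply show up as absent from both files.

```powershell
# Added example (not from the post or from Microsoft). Run from an elevated PowerShell.

$PerUserPbk = Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$GlobalPbk  = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

# rasphone.pbk is an INI file; every VPN entry is a [Section]. Return the section names.
function Get-PbkEntryNames ([string]$Path) {
    if (-not (Test-Path $Path)) { return @() }
    Select-String -Path $Path -Pattern '^\[(.+)\]$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

# Per-user, all-user, both, or neither. "Neither" is what you get for a client that
# does not use the RAS phonebook at all, and why Set-VpnConnection cannot touch it.
function Get-VpnEntryScope ([string]$Name) {
    [pscustomobject]@{
        Name    = $Name
        PerUser = (Get-PbkEntryNames $PerUserPbk) -contains $Name
        AllUser = (Get-PbkEntryNames $GlobalPbk)  -contains $Name
    }
}

# Re-create a per-user entry in the all-user phonebook with the same core settings,
# then remove the per-user copy so there is one entry to maintain. EAP/certificate
# specific settings are not carried across here; inspect the new entry before relying on it.
function Move-VpnToAllUser ([string]$Name) {
    $scope = Get-VpnEntryScope $Name
    if (-not $scope.PerUser) { throw "'$Name' is not in the per-user phonebook ($PerUserPbk)" }
    if ($scope.AllUser)      { throw "'$Name' already exists in the all-user phonebook ($GlobalPbk)" }

    $src = Get-VpnConnection -Name $Name      # per-user scope by default
    $params = @{
        Name                 = $src.Name
        ServerAddress        = $src.ServerAddress
        TunnelType           = $src.TunnelType
        EncryptionLevel      = $src.EncryptionLevel
        AuthenticationMethod = $src.AuthenticationMethod
        SplitTunneling       = [bool]$src.SplitTunneling
        AllUserConnection    = $true
        Force                = $true
        PassThru             = $true
    }
    $new = Add-VpnConnection @params
    Remove-VpnConnection -Name $Name -Force
    return $new
}

# Usage: see where the entry lives, then move it.
Get-VpnEntryScope 'Corp-VPN'     # assumed connection name
# Move-VpnToAllUser 'Corp-VPN'
```

    Re-creating the entry instead of copying the Pbk folder avoids the ownership problem Rene hit: nothing from one profile is written into another, and the new entry is owned by the machine-wide phonebook from the start. Note that a connection created this way is dialable by anyone at the sign-in screen, so leave saved credentials off it.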

  • Roger Leemann

    Hi
    I came this far on my own, however the stumbling block for me is that in our environment we use different credentials for VPN and domain login. I haven’t found a way to first connect the VPN and then log in with different credentials to the domain. Is there any?
    Regards
    Roger

    • Ian

      Hi Roger,
      Thanks for your visit to my web site. I have just tested this from a non-domain PC (Windows 10 Pro) to a Windows domain, and the VPN connected but gave an error that it was unable to log on to the computer. I was able to go back and log into the PC with my PIN and the VPN was connected. However, I would not use this method for end users unfortunately as it’s not a clean process. Sorry, I’m not sure of a better way.
      Regards
      Ian

      • Roger Leemann

        Hi Ian

        Just a short follow-up. Thanks for the suggestion. Unfortunately in our case this doesn’t seem to work. The only way I found, is to login as another (local) user, turn on the vpn and then switch user. Not enduser friendly as they normally don’t know another login but at least I could get them started that way with a little help from my side via TeamViewer or some other remote support tool.
        Best regards
        Roger
