"VPN users" login time to windows too long

Hi all,

I’ve got the following situation:

Some users are working at home through the corporate VPN (Pulse Secure). When users log in, they wait between 1 and 15 minutes to see the system appear (taskbar, desktop icons, etc.).

Basically, DC is not reachable and therefore group policies are not applied (we’ve got folder redirection, mapping drives, etc…). And that’s normal behaviour here.

Checked in Event Viewer and found this:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/netlogon-event-id-5719-or-group-policy-event-1129

I tried some methods, but that’s not working.

The idea is to not apply GPOs until users connect through the VPN, so no GPOs will process and the login will go smoothly without any delay between the login screen and the Windows screen.

Any idea how I can manage that?

Thanks!

Move to an always-on VPN or one you do pre-login so they have connectivity.

And if there is no DC connectivity, no GPOs will process, so it doesn't matter.

The issue will be your mapped drives being connected to (and failing) and then folder redirection; as they are already set up, they will try to connect regardless of whether GPO is processing.

Not sure I understand you correctly.

The users having a delay on their local (domain joined) machine during the logon process WITHOUT the VPN being connected?

The idea is to not apply GPOs until users connect through the VPN, so no GPOs will process and the login will go smoothly without any delay between the login screen and the Windows screen.

Some GPOs will only apply at logon.

You need a connect before logon VPN for this to work properly.

“Always wait for the network at startup or logon.”

Disable it, use an always-on device tunnel for logons, or remove the drive map policies for remote users.

Pulse Secure has a completely seamless connect before logon feature that requires no extra steps or changes in the logon process for the user, as it is integrated with the credential providers of Windows. When a user enters their user/pass at the Windows login, it’s intercepted by Pulse Secure, and Pulse automatically makes a connection attempt and seamlessly authenticates with the credentials that were just entered. After the VPN connects, the credentials are passed on to Windows and the user is logged into Windows. If the VPN cannot establish for some reason, the logon process to Windows still occurs; it just gets delayed briefly for the connection attempt to time out (generally no more than 10 seconds if the device actually has internet connectivity, and just a second or two if the device has no internet connectivity).

I highly suggest you turn on the connect before logon feature. It’s found under Users / Pulse Secure Client / Connections. Edit the Connection, then scroll to the bottom under the “Connections” section and edit the connection configuration. In there, under the “Connection is established” section, is a box for “Enable pre-desktop login (Credential provider)”; check that box.

Correct. The ones only working from home (external network). The ones working in the office, they don’t have any issues.

You already got some good tips. You also might want to read this, just make sure it applies to your environment.

You basically want the VPN connection happening before the user logon. Or you avoid drive mappings/folder redirection for remote users because those happen during logon.