VPN
Sergei Sakharov, 2020-05-02 02:35:49

How to run bat file with admin rights BEFORE user login?

The computer must be in a domain. The domain is located remotely.
Accordingly, before logging on to the computer, you must establish a VPN connection to the domain.
The script does just that: the first command establishes a VPN connection, the second sets the route.

I tried to run the script through the scheduler - it does not start.
Through GPO and a pseudo-service it does not run either. Maybe someone can advise something worthwhile?

3 answer(s)
res2001, 2020-05-02
@Afranius

The most normal option is to run the VPN client as a service.
Another quite suitable option is to put the start of the batch file in the scheduler at the start of the computer.

Eugene, 2020-05-02
@yellowmew

You didn't specify your version of Windows and which VPN solution you're using.
In Windows 10 (and reportedly in previous versions of Windows as well), it is possible to make a VPN connection available on the login screen.
In the case of VPN connections created using Windows tools, they must be created with the "available to all users" flag.
On Windows 10, this is only possible using the PowerShell Add-VpnConnection cmdlet (or Set-VpnConnection if the connection has already been created). In previous versions of the OS, such a flag was available in the interface for creating a VPN connection.
After creating such a connection and rebooting, a dual monitor icon will appear on the login screen - this is the VPN connection.
I have now tested the following situation:
- The PC is entered into the domain but is located remotely and does not have access to the domain until the VPN connection is established (according to your description, you have the same)
- A domain user with reduced rights, the local user has administrative rights (both sets of credentials are available to me, in any case you will also need a user with administrative rights on the PC)
- PowerShell (version 7.0, to be more precise. Most likely it doesn't matter - Posh can handle it too) is running under a local user with administrator rights, but a user without rights is logged into the machine (domain). Only if it is run under local admin is it possible to create a connection for all users. Maybe you can just log in under the admin to perform this single operation
- Executed Posh VPN connection creation script (containing -AllUsersConnection flag). If you have never written scripts - see examples
- Reboot
- A double monitor icon appears on the login screen, when you click on it, you are prompted to enter the user's login password for this VPN
If you use an alternative client for VPN (OpenVPN, etc.), the task of bringing up such a VPN falls to the client itself - Windows will not handle this.
UPD: I did not answer the question, but suggested a solution to the problem that you described in the text. Additionally, I completely forgot to write that the route in Windows can be registered automatically when raising the connection using the Add-VpnConnectionRoute cmdlet
UPD2: Answer to the question in the title: To run a batch file with administrator rights, use the TaskScheduler task with LocalSystem or NetworkSystem rights. Read what they are and how they differ
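
The steps from this answer as one script. This is an added example, not code from any of the posts; the connection name, server address, subnet, task name and batch-file path are constructed placeholders. Note that the cmdlet parameter is spelled `-AllUserConnection`, and that a batch file started as SYSTEM must not be writable by ordinary users, so the script restricts its folder first.

```powershell
#Requires -RunAsAdministrator
# Constructed placeholder values (assumptions, replace with your own).
$VpnName    = 'CorpVPN'                                # hypothetical connection name
$VpnServer  = 'vpn.example.com'                        # hypothetical VPN gateway
$DomainNet  = '10.0.0.0/24'                            # hypothetical domain subnet
$ScriptPath = 'C:\ProgramData\VpnStartup\connect.bat'  # hypothetical batch file
$TaskName   = 'VpnBeforeLogon'                         # hypothetical task name

# 1. All-user VPN profile: only these are offered on the logon screen.
$existing = Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue
if (-not $existing) {
    # -SplitTunneling: only the routes added below go through the tunnel.
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer `
        -AllUserConnection -SplitTunneling
}

# 2. Route that Windows applies automatically each time the VPN connects.
Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $DomainNet `
    -AllUserConnection

# 3. Lock down the folder holding the batch file before SYSTEM runs it.
#    Anyone able to edit the file would otherwise get code execution as SYSTEM.
$dir = Split-Path -Path $ScriptPath
New-Item -ItemType Directory -Path $dir -Force | Out-Null
# Remove inherited ACEs, then grant full control to SYSTEM (S-1-5-18)
# and BUILTIN\Administrators (S-1-5-32-544) only.
icacls $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not restrict ACL on $dir" }

# 4. Startup task under LocalSystem: runs at boot, before any user logs on.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# 5. Show the resulting ACL so the restriction can be confirmed by eye.
(Get-Acl -Path $dir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```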

Sergei Sakharov, 2021-01-27
@Afranius

Thanks everyone! Done. Works! Details here:
https://zen.yandex.ru/media/id/5e1db2c98f011100ad2...
