VPNv2 CSP
The VPNv2 configuration service provider allows the Mobile Device Management (MDM) server to configure the VPN profile of the device.
Here are the requirements for this CSP:
- VPN configuration commands must be wrapped in an Atomic block in SyncML.
- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure Windows Information Protection policies.
- In certain conditions you can change some properties directly, but we don't recommend it. Instead, follow these steps to make any changes:
  - Send a Delete command for the ProfileName to delete the entire profile.
  - Send the entire profile again with new values wrapped in an Atomic block.
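The delete-then-resend sequence above, as an added Python example (not Microsoft's code) that builds the SyncML body and enforces the ProfileName rules stated further down this page (no forward slash, URL-encoded). Putting both Atomic blocks in one SyncBody, wrapping the Delete in its own Atomic, the CmdID numbering, and the sample profile name and values are assumptions of this example.

```python
import itertools
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

BASE = "./Device/Vendor/MSFT/VPNv2"
FORMATS = {"bool", "chr", "int"}  # leaf formats listed on this page


def profile_uri(profile_name):
    """LocURI of the profile node: no '/', everything else URL-encoded."""
    # The page's Allowed Values regex is ^[^/]*$; rejecting the empty
    # string is an extra check added for this example.
    if not profile_name or not re.fullmatch(r"[^/]*", profile_name):
        raise ValueError("profile name must be non-empty and contain no '/'")
    return f"{BASE}/{quote(profile_name, safe='')}"


def _command(parent, verb, cmd_id, uri, fmt=None, data=None):
    """Append one Add/Delete command with its Target and optional Data."""
    cmd = ET.SubElement(parent, verb)
    ET.SubElement(cmd, "CmdID").text = str(cmd_id)
    item = ET.SubElement(cmd, "Item")
    ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = uri
    if fmt is not None:
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", {"xmlns": "syncml:metinf"}).text = fmt
        # ElementTree escapes <, > and & in the value on serialization.
        ET.SubElement(item, "Data").text = data
    return cmd


def _atomic(body, ids):
    """Open an Atomic block; the block itself consumes one CmdID."""
    atomic = ET.SubElement(body, "Atomic")
    ET.SubElement(atomic, "CmdID").text = str(next(ids))
    return atomic


def build_replace_profile(profile_name, settings):
    """Return SyncML that deletes the profile, then re-adds every setting.

    settings: list of (node relative to the profile, format, value-as-string).
    The SyncHdr an MDM server also sends is omitted here.
    """
    uri = profile_uri(profile_name)
    for node, fmt, _ in settings:
        if fmt not in FORMATS:
            raise ValueError(f"{node}: unsupported format {fmt!r}")

    root = ET.Element("SyncML", {"xmlns": "SYNCML:SYNCML1.2"})
    body = ET.SubElement(root, "SyncBody")
    ids = itertools.count(1)

    # Step 1: delete the whole profile. It sits in its own Atomic block so a
    # failed Delete (profile not present yet) cannot roll back the Adds.
    _command(_atomic(body, ids), "Delete", next(ids), uri)

    # Step 2: send the entire profile again, all Adds inside one Atomic block
    # so the device ends up with the complete profile or none of it.
    add_block = _atomic(body, ids)
    for node, fmt, value in settings:
        _command(add_block, "Add", next(ids), f"{uri}/{node}", fmt, value)

    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: profile name and values are illustrative only.
    print(build_replace_profile(
        "Contoso VPN",
        [("AlwaysOn", "bool", "true"),
         ("DnsSuffix", "chr", "corp.contoso.example")],
    ))
```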
The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
C:\Windows\schemas\EAPHost
C:\Windows\schemas\EAPMethods
The following list shows the VPNv2 configuration service provider nodes:
- ./Device/Vendor/MSFT/VPNv2
  - {ProfileName}
    - AlwaysOn
    - AlwaysOnActive
    - APNBinding
    - AppTriggerList
    - ByPassForLocal
    - DataEncryption
    - DeviceCompliance
    - DeviceTunnel
    - DisableAdvancedOptionsEditButton
    - DisableDisconnectButton
    - DisableIKEv2Fragmentation
    - DnsSuffix
    - DomainNameInformationList
    - EdpModeId
    - IPv4InterfaceMetric
    - IPv6InterfaceMetric
    - NativeProfile
    - NetworkOutageTime
    - PluginProfile
    - PrivateNetwork
    - ProfileXML
    - Proxy
    - RegisterDNS
    - RememberCredentials
    - RouteList
    - TrafficFilterList
    - TrustedNetworkDetection
    - UseRasCredentials
- ./User/Vendor/MSFT/VPNv2
  - {ProfileName}
    - AlwaysOn
    - AlwaysOnActive
    - APNBinding
    - AppTriggerList
    - ByPassForLocal
    - DataEncryption
    - DeviceCompliance
    - DisableAdvancedOptionsEditButton
    - DisableDisconnectButton
    - DisableIKEv2Fragmentation
    - DnsSuffix
    - DomainNameInformationList
    - EdpModeId
    - IPv4InterfaceMetric
    - IPv6InterfaceMetric
    - NativeProfile
    - NetworkOutageTime
    - PluginProfile
    - PrivateNetwork
    - ProfileXML
    - Proxy
    - RegisterDNS
    - RememberCredentials
    - RequireVpnClientAppUI
    - RouteList
    - TrafficFilterList
    - TrustedNetworkDetection
    - UseRasCredentials
Device/{ProfileName}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}
Unique alphanumeric identifier for the profile. The profile name mustn't include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get, Replace |
Atomic Required | True |
Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
Allowed Values | Regular Expression: ^[^/]*$ |
Device/{ProfileName}/AlwaysOn
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOn
An optional flag to enable Always On mode. When enabled, the VPN connects automatically at sign-in and stays connected until the user manually disconnects.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Always On is turned off. |
true | Always On is turned on. |
Device/{ProfileName}/AlwaysOnActive
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOnActive
An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. This setting controls whether "Connect Automatically" is toggled on profile creation.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Allowed values:
Value | Description |
---|---|
0 | Always On is inactive. |
1 (Default) | Always On is activated on provisioning. |
Device/{ProfileName}/APNBinding
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/APNBinding/AccessPointName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AccessPointName
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/APNBinding/AuthenticationType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AuthenticationType
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/APNBinding/IsCompressionEnabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/IsCompressionEnabled
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/APNBinding/Password
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/Password
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/APNBinding/ProviderId
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/ProviderId
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/APNBinding/UserName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/UserName
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/AppTriggerList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList
List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/AppTriggerList/{appTriggerRowId}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}
A sequential integer identifier that lets you specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Dynamic Node Naming | UniqueName: A sequential integer identifier that lets you specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. |
Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App
App Node under the Row Id.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id
App Identity. Specified, based on the Type Field.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type
Returns the type of App/Id. This value can be either of the following:
- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application.
- FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
Device/{ProfileName}/ByPassForLocal
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/ByPassForLocal
False: Don't Bypass for Local traffic.
True: ByPass VPN Interface for Local Traffic.
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but the enterprise intends to allow the remote user to connect locally to a media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/DataEncryption
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DataEncryption
Determines the level of data encryption required for the connection.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Default Value | Require |
Allowed values:
Value | Description |
---|---|
None | No Data Encryption required. |
Require (Default) | Data Encryption required. |
Max | Maximum-strength Data Encryption required. |
Optional | Perform encryption if possible. |
Device/{ProfileName}/DeviceCompliance
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance
Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Get |
Device/{ProfileName}/DeviceCompliance/Enabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Enabled
Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Disabled. |
true | Enabled. |
Device/{ProfileName}/DeviceCompliance/Sso
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso
Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Get |
Device/{ProfileName}/DeviceCompliance/Sso/Eku
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Eku
Comma-separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/DeviceCompliance/Sso/Enabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Enabled
If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Disabled. |
true | Enabled. |
Device/{ProfileName}/DeviceCompliance/Sso/IssuerHash
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/IssuerHash
Comma-separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/DeviceTunnel
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceTunnel
If turned on, a device tunnel profile does four things.
First, it automatically becomes an always on profile.
Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect.
Third, no other Device Tunnel profile may be present on the same machine.
A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | This isn't a device tunnel profile. |
true | This is a device tunnel profile. |
Device/{ProfileName}/DisableAdvancedOptionsEditButton
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableAdvancedOptionsEditButton
Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Advanced Options Edit Button is available. |
true | Advanced Options Edit Button is unavailable. |
Device/{ProfileName}/DisableDisconnectButton
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableDisconnectButton
Optional. When this setting is True, the Disconnect button won't be visible for connected profiles.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Disconnect Button is visible. |
true | Disconnect Button isn't visible. |
Device/{ProfileName}/DisableIKEv2Fragmentation
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableIKEv2Fragmentation
Set to disable IKEv2 Fragmentation.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
true | IKEv2 Fragmentation won't be used. |
false (Default) | IKEv2 Fragmentation is used as normal. |
Device/{ProfileName}/DnsSuffix
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DnsSuffix
Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection-specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/DomainNameInformationList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList
NRPT (Name Resolution Policy Table) Rules for the VPN Profile.
Note
Only applications using the Windows DNS API can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of an application not using the Windows DNS API is nslookup, so always use the PowerShell cmdlet Resolve-DnsName to check the functionality of the NRPT.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/DomainNameInformationList/{dniRowId}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Dynamic Node Naming | UniqueName: A sequential integer identifier for the Domain Name information. Sequencing must start at 0. |
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger
Boolean to determine whether this domain name rule will trigger the VPN.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | This DomainName rule won't trigger the VPN. |
true | This DomainName rule will trigger the VPN. |
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers
Comma-separated list of IP addresses for the DNS Servers to use for the domain name.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName
Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:
- FQDN - Fully qualified domain name.
- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType
Returns the namespace type. This value can be one of the following:
- FQDN - If the DomainName wasn't prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host.
- Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent
A boolean value that specifies if the rule being added should persist even when the VPN isn't connected.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | This DomainName rule will only be applied when VPN is connected. |
true | This DomainName rule will always be present and applied. |
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers
Web Proxy Server IP address if you are redirecting traffic through your intranet.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/EdpModeId
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/EdpModeId
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/IPv4InterfaceMetric
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/IPv4InterfaceMetric
The metric for the IPv4 interface.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [1-9999] |
Device/{ProfileName}/IPv6InterfaceMetric
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/IPv6InterfaceMetric
The metric for the IPv6 interface.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [1-9999] |
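An added example (not part of the CSP documentation) that checks a profile's values against constraints stated in the sections above: the DataEncryption allowed values, the interface metric range, the row-ID sequencing rules for AppTriggerList and DomainNameInformationList, and the leading-dot rule that separates FQDN from Suffix entries. The flat dict input, the severity labels, the choice to warn on None/Optional encryption and on ByPassForLocal, and all sample values are assumptions of this example.

```python
import re

DATA_ENCRYPTION = {"None", "Require", "Max", "Optional"}  # allowed values table
METRIC_NODES = ("IPv4InterfaceMetric", "IPv6InterfaceMetric")
ROW = re.compile(r"^(AppTriggerList|DomainNameInformationList)/([^/]+)(?:/|$)")


def domain_name_type(domain_name):
    """FQDN or Suffix, decided by the leading '.' as DomainNameType describes."""
    return "Suffix" if domain_name.startswith(".") else "FQDN"


def audit_profile(settings):
    """Check {node path relative to the profile: string value} pairs.

    Returns a list of (severity, node, message) tuples; an empty list means
    no finding under the rules implemented here.
    """
    findings = []
    rows = {"AppTriggerList": set(), "DomainNameInformationList": set()}

    for node, value in settings.items():
        match = ROW.match(node)
        if match:
            list_name, row_id = match.groups()
            if re.fullmatch(r"[0-9]+", row_id):
                rows[list_name].add(int(row_id))
            else:
                findings.append(("error", node, "row id is not an integer"))

        if node == "DataEncryption":
            if value not in DATA_ENCRYPTION:
                findings.append(("error", node, f"{value!r} is not an allowed value"))
            elif value in ("None", "Optional"):
                # Per the table: no encryption required / only if possible.
                findings.append(("warn", node, f"{value}: encryption is not required"))
        elif node in METRIC_NODES:
            try:
                in_range = 1 <= int(value) <= 9999
            except ValueError:
                in_range = False
            if not in_range:
                findings.append(("error", node, "metric must be in range 1-9999"))
        elif node == "ByPassForLocal" and value.lower() == "true":
            findings.append(("warn", node, "local subnet traffic bypasses the VPN"))
        elif match and node.endswith("/DomainName"):
            kind = domain_name_type(value)
            findings.append(("info", node, f"{value!r} is a {kind} rule"))

    for list_name, ids in rows.items():
        if not ids:
            continue
        if min(ids) != 0:
            findings.append(("error", list_name, "row ids must start at 0"))
        elif list_name == "AppTriggerList" and sorted(ids) != list(range(len(ids))):
            # Only AppTriggerList is documented with "shouldn't skip numbers".
            findings.append(("error", list_name, "row ids skip numbers"))
    return findings


# Constructed sample, not taken from a real device.
SAMPLE = {
    "DataEncryption": "Optional",
    "ByPassForLocal": "true",
    "IPv4InterfaceMetric": "10000",
    "IPv6InterfaceMetric": "25",
    "AppTriggerList/0/App/Id": r"C:\Windows\System\Notepad.exe",
    "AppTriggerList/2/App/Id": "Contoso.SampleApp_constructed",
    "DomainNameInformationList/1/DomainName": ".corp.contoso.example",
}

if __name__ == "__main__":
    for severity, node, message in audit_profile(SAMPLE):
        print(f"{severity:5} {node}: {message}")
```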
Device/{ProfileName}/NativeProfile
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile
Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP).
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Get |
Device/{ProfileName}/NativeProfile/Authentication
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication
Required node for native profile. It contains authentication information for the native VPN profile.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/NativeProfile/Authentication/Certificate
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/NativeProfile/Authentication/Eap
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap
Required when the native profile specifies EAP authentication. EAP configuration XML.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/NativeProfile/Authentication/Eap/Configuration
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Configuration
HTML-encoded XML of the EAP configuration. For more information, see EAP configuration.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/NativeProfile/Authentication/Eap/Type
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Type
Required node for EAP profiles. This specifies the EAP Type ID: 13 = EAP-TLS, 26 = Ms-Chapv2, 27 = Peap.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/NativeProfile/Authentication/MachineMethod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/MachineMethod
This is only supported in IKEv2.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
Certificate | Certificate. |
Device/{ProfileName}/NativeProfile/Authentication/UserMethod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/UserMethod
Type of user authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
EAP | EAP. |
MSChapv2 | MSChapv2: This isn't supported for IKEv2. |
Device/{ProfileName}/NativeProfile/CryptographySuite
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite
Properties of IPSec tunnels.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants
Type of authentication transform constant.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
MD596 | MD596. |
SHA196 | SHA196. |
SHA256128 | SHA256128. |
GCMAES128 | GCMAES128. |
GCMAES192 | GCMAES192. |
GCMAES256 | GCMAES256. |
Device/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants
Type of Cipher transform constant.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
DES | DES. |
DES3 | DES3. |
AES128 | AES128. |
AES192 | AES192. |
AES256 | AES256. |
GCMAES128 | GCMAES128. |
GCMAES192 | GCMAES192. |
GCMAES256 | GCMAES256. |
Device/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
Group used for DH (Diffie-Hellman).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
None | None. |
Group1 | Group1. |
Group2 | Group2. |
Group14 | Group14. |
ECP256 | ECP256. |
ECP384 | ECP384. |
Group24 | Group24. |
Device/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
Type of encryption method.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
DES | DES. |
DES3 | DES3. |
AES128 | AES128. |
AES192 | AES192. |
AES256 | AES256. |
AES_GCM_128 | AES_GCM_128. |
AES_GCM_256 | AES_GCM_256. |
Device/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
Type of integrity check.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
MD5 | MD5. |
SHA196 | SHA196. |
SHA256 | SHA256. |
SHA384 | SHA384. |
Device/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
Group used for PFS (Perfect Forward Secrecy).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
None | None. |
PFS1 | PFS1. |
PFS2 | PFS2. |
PFS2048 | PFS2048. |
ECP256 | ECP256. |
ECP384 | ECP384. |
PFSMM | PFSMM. |
PFS24 | PFS24. |
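The six CryptographySuite nodes above accept both legacy and current algorithms, and the same algorithm is spelled differently in different nodes (GCMAES256 for CipherTransformConstants, AES_GCM_256 for EncryptionMethod). The following added example, which is not part of the original page, checks a ProfileXML string against the allowed-value tables and against a review policy. It assumes that the ProfileXML element names mirror the node names, that the profile may arrive HTML-escaped, and that the `WEAK` sets reflect your own policy; both sample profiles are constructed.

```python
import html
import xml.etree.ElementTree as ET

# Allowed values, copied from the CryptographySuite tables on this page.
ALLOWED = {
    "AuthenticationTransformConstants":
        {"MD596", "SHA196", "SHA256128", "GCMAES128", "GCMAES192", "GCMAES256"},
    "CipherTransformConstants":
        {"DES", "DES3", "AES128", "AES192", "AES256",
         "GCMAES128", "GCMAES192", "GCMAES256"},
    "DHGroup":
        {"None", "Group1", "Group2", "Group14", "ECP256", "ECP384", "Group24"},
    "EncryptionMethod":
        {"DES", "DES3", "AES128", "AES192", "AES256", "AES_GCM_128", "AES_GCM_256"},
    "IntegrityCheckMethod": {"MD5", "SHA196", "SHA256", "SHA384"},
    "PfsGroup":
        {"None", "PFS1", "PFS2", "PFS2048", "ECP256", "ECP384", "PFSMM", "PFS24"},
}

# Assumed review policy (not from the page): values treated as too weak to deploy.
WEAK = {
    "AuthenticationTransformConstants": {"MD596", "SHA196"},
    "CipherTransformConstants": {"DES", "DES3"},
    "DHGroup": {"None", "Group1", "Group2"},
    "EncryptionMethod": {"DES", "DES3"},
    "IntegrityCheckMethod": {"MD5", "SHA196"},
    "PfsGroup": {"None", "PFS1", "PFS2"},
}


def audit_profile(profile_xml):
    """Return (setting, value, problem) findings for one ProfileXML string.

    problem is "absent", "not-allowed" (value is not in the node's table)
    or "weak" (value is in the table but rejected by the WEAK policy).
    """
    text = profile_xml.strip()
    if text.startswith("&lt;"):          # HTML-escaped form (assumption)
        text = html.unescape(text)
    root = ET.fromstring(text)
    native = root.find("NativeProfile")
    if native is None:                    # e.g. a plug-in profile
        return [("NativeProfile", "", "absent")]
    suite = native.find("CryptographySuite")
    if suite is None:                     # the profile does not pin a suite
        return [("CryptographySuite", "", "absent")]
    findings = []
    for name in sorted(ALLOWED):
        value = (suite.findtext(name) or "").strip()
        if not value:
            findings.append((name, "", "absent"))
        elif value not in ALLOWED[name]:
            findings.append((name, value, "not-allowed"))
        elif value in WEAK[name]:
            findings.append((name, value, "weak"))
    return findings


# Constructed sample: legacy algorithms, a value borrowed from the wrong
# node's table (GCMAES256 under EncryptionMethod) and no PfsGroup.
WEAK_PROFILE = """
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <CryptographySuite>
      <AuthenticationTransformConstants>SHA196</AuthenticationTransformConstants>
      <CipherTransformConstants>DES3</CipherTransformConstants>
      <EncryptionMethod>GCMAES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group2</DHGroup>
    </CryptographySuite>
  </NativeProfile>
</VPNProfile>
"""

# Constructed sample: every node set to a value that passes the policy.
HARDENED_PROFILE = """
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <CryptographySuite>
      <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
      <CipherTransformConstants>AES256</CipherTransformConstants>
      <EncryptionMethod>AES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
</VPNProfile>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(profile))
```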
Device/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute
Specifies the class-based default routes. For example, if the interface IP begins with 10, it assumes a class A IP and pushes the route to 10.0.0.0/8.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Enabled. |
true | Disabled. |
Device/{ProfileName}/NativeProfile/L2tpPsk
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/L2tpPsk
The preshared key used for an L2TP connection.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/NativeProfile/NativeProtocolType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/NativeProtocolType
Required for native profiles. Type of tunneling protocol used.
Note
For a Device Tunnel, use IKEv2 only.
For a User Tunnel, any value is allowed.
Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
PPTP | PPTP. |
L2TP | L2TP. |
IKEv2 | IKEv2. |
Automatic | Automatic. |
SSTP | SSTP. |
ProtocolList | ProtocolList. |
Device/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes
True: Plumb traffic selectors as routes onto the VPN interface. False: Don't plumb traffic selectors as routes.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/NativeProfile/ProtocolList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20207] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20207] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
List of inbox VPN protocols in priority order.
Note
For a User Tunnel, up to 4 VPN protocols are supported.
A separate entry is needed for every VPN protocol. For a sample format, see Examples.
For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20207] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
Note
A separate entry is needed for every VPN protocol. For a sample format, see Examples.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20207] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
Type of inbox VPN protocol.
Note
A separate entry is needed for every VPN protocol. For a sample format, see Examples.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
Pptp | Pptp. |
L2tp | L2tp. |
Ikev2 | Ikev2. |
Sstp | Sstp. |
Device/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20207] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
Default 168, max 500000.
RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/NativeProfile/RoutingPolicyType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/RoutingPolicyType
Type of routing policy.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
SplitTunnel | Traffic can go over any interface as determined by the networking stack. |
ForceTunnel | All IP traffic must go over the VPN interface. |
Device/{ProfileName}/NativeProfile/Servers
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Servers
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples: 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semicolon. For example, server2.example.com;server2FriendlyName. When you get the value, the return includes both the server name and the friendly name; if no friendly name was supplied, it defaults to the server name. You can specify a list of servers by separating the server names (with optional friendly names) with commas. For example, server1.example.com,server2.example.com.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/NetworkOutageTime
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NetworkOutageTime
The amount of time in seconds the network is allowed to idle. 0 means no limit.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-4294967295] |
Device/{ProfileName}/PluginProfile
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile
Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Get |
Device/{ProfileName}/PluginProfile/CustomConfiguration
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/CustomConfiguration
Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that's deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/PluginProfile/PluginPackageFamilyName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/PluginPackageFamilyName
Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/PluginProfile/ServerUrlList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/ServerUrlList
Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/PrivateNetwork
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/PrivateNetwork
Determines whether the VPN connection is public or private.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | true |
Allowed values:
Value | Description |
---|---|
false | VPN connection is public. |
true (Default) | VPN connection is private. |
Device/{ProfileName}/ProfileXML
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML
The XML schema for provisioning all the fields of a VPN.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | See ProfileXML XSD Schema |
Device/{ProfileName}/Proxy
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy
A collection of configuration objects to enable post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/Proxy/AutoConfigUrl
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/AutoConfigUrl
Optional. Set a URL to automatically retrieve the proxy settings.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/Proxy/Manual
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual
Optional node containing the manual server settings.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/Proxy/Manual/Server
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual/Server
Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with the port appended after a colon. For example, proxy.constoso.com:80.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/RegisterDNS
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RegisterDNS
Allows registration of the connection's address in DNS.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Don't register the connection's address in DNS. |
true | Register the connection's addresses in DNS. |
Device/{ProfileName}/RememberCredentials
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RememberCredentials
Boolean value (true or false) for caching credentials.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Don't cache credentials. |
true | Credentials are cached whenever possible. |
Device/{ProfileName}/RouteList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList
List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/RouteList/{routeRowId}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}
A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Dynamic Node Naming | UniqueName: A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. |
Device/{ProfileName}/RouteList/{routeRowId}/Address
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Address
Subnet address in IPv4/v6 address format which, along with the prefix, will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | This route will direct traffic over the VPN. |
true | This route will direct traffic over the physical interface. |
Device/{ProfileName}/RouteList/{routeRowId}/Metric
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Metric
The route's metric.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/RouteList/{routeRowId}/PrefixSize
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/PrefixSize
The subnet prefix size part of the destination prefix for the route entry. This, along with the address, will be used to determine the destination prefix to route through the VPN Interface.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-4294967295] |
Device/{ProfileName}/TrafficFilterList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList
A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
Note
Once a TrafficFilterList is added, all traffic is blocked except traffic matching the rules.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}
A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Dynamic Node Naming | UniqueName: A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
Per-app VPN rule. Only the specified apps are allowed over the VPN interface.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
App identity for the app-based traffic filter. The value for this node can be one of the following:
- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
- FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
- SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against the local user token.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default.
Inbound - The traffic filter allows traffic coming from external locations matching this rule.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
A list of comma-separated values specifying local IP address ranges to allow.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
A comma-separated list of local port ranges. For example, 100-120,200,300-320.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Regular Expression: ^[\d]*$ |
Dependency [ProtocolDependency] | Dependency Type: DependsOn Dependency URI: Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol Dependency Allowed Value: [6,17] Dependency Allowed Value Type: Range |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
A number from 0 to 255 representing the IP protocol (TCP = 6, UDP = 17).
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-255] |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
A comma-separated list of remote IP address ranges to allow.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
A comma-separated list of remote port ranges to allow. For example, 100-120, 200, 300-320.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Regular Expression: ^[\d]*$ |
Dependency [ProtocolDependency] | Dependency Type: DependsOn Dependency URI: Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol Dependency Allowed Value: [6,17] Dependency Allowed Value Type: Range |
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
SplitTunnel | For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. |
ForceTunnel | For this traffic filter rule, all IP traffic must go through the VPN interface only. |
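The following pre-deployment check for a single TrafficFilterList row is an added example, not Microsoft's code. It parses the port-range syntax shown in the descriptions above (the listed regular expression ^[\d]*$ would admit only a bare run of digits) and checks the Protocol dependency. It assumes the dependency [6,17] means "TCP or UDP" and that ports top out at 65535; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from the node descriptions on this page.
DIRECTIONS = {"Outbound", "Inbound"}
ROUTING_POLICIES = {"SplitTunnel", "ForceTunnel"}
# Assumption: the ProtocolDependency [6,17] is read as "TCP (6) or UDP (17)".
PORT_PROTOCOLS = {6, 17}


@dataclass
class TrafficFilter:
    """One {trafficFilterId} row; None means the node is not sent."""
    protocol: Optional[int] = None
    direction: str = "Outbound"  # documented default
    local_port_ranges: Optional[str] = None
    remote_port_ranges: Optional[str] = None
    routing_policy_type: Optional[str] = None


def parse_port_ranges(text: str) -> List[Tuple[int, int]]:
    """Turn '100-120,200,300-320' into [(100, 120), (200, 200), (300, 320)].

    Raises ValueError for an empty entry, a non-numeric bound, a reversed
    range, or a bound above 65535 (assumed limit; the page states none).
    """
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port list")
        low_text, dash, high_text = (part.strip() for part in item.partition("-"))
        if not dash:
            high_text = low_text  # single port, e.g. "200"
        for bound in (low_text, high_text):
            if not (bound.isascii() and bound.isdigit()):
                raise ValueError(f"not a port or port range: {item!r}")
        low, high = int(low_text), int(high_text)
        if high > 65535:
            raise ValueError(f"port above 65535: {item!r}")
        if low > high:
            raise ValueError(f"range start exceeds end: {item!r}")
        ranges.append((low, high))
    return ranges


def lint_filter(rule: TrafficFilter) -> List[str]:
    """Return human-readable findings; an empty list means the row passes."""
    findings = []
    if rule.direction not in DIRECTIONS:
        findings.append(f"Direction: {rule.direction!r} is not Outbound or Inbound")
    if rule.protocol is not None and not 0 <= rule.protocol <= 255:
        findings.append(f"Protocol: {rule.protocol} is outside 0-255")
    for node, value in (("LocalPortRanges", rule.local_port_ranges),
                        ("RemotePortRanges", rule.remote_port_ranges)):
        if value is None:
            continue
        if rule.protocol not in PORT_PROTOCOLS:
            findings.append(f"{node}: set while Protocol is {rule.protocol!r}; "
                            "ports need Protocol 6 (TCP) or 17 (UDP)")
        try:
            parse_port_ranges(value)
        except ValueError as exc:
            findings.append(f"{node}: {exc}")
    if (rule.routing_policy_type is not None
            and rule.routing_policy_type not in ROUTING_POLICIES):
        findings.append(f"RoutingPolicyType: {rule.routing_policy_type!r} "
                        "is not SplitTunnel or ForceTunnel")
    return findings


if __name__ == "__main__":
    # Constructed sample rows, not taken from a real profile.
    samples = {
        "https-out": TrafficFilter(protocol=6, remote_port_ranges="443"),
        "icmp-with-ports": TrafficFilter(protocol=1, remote_port_ranges="443"),
        "reversed-range": TrafficFilter(protocol=17, local_port_ranges="120-100"),
    }
    for name, row in samples.items():
        print(name, lint_filter(row) or "ok")
```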
Device/{ProfileName}/TrustedNetworkDetection
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrustedNetworkDetection
Comma-separated string to identify the trusted network. The VPN won't connect automatically when the user is on their corporate wireless network, where protected resources are directly accessible to the device.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | , |
Device/{ProfileName}/UseRasCredentials
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/VPNv2/{ProfileName}/UseRasCredentials
Determines whether the credential manager saves RAS credentials after a connection.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | true |
Allowed values:
Value | Description |
---|---|
false | RAS credentials aren't saved. |
true (Default) | RAS credentials are saved. |
User/{ProfileName}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}
Unique alphanumeric identifier for the profile. The profile name mustn't include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get, Replace |
Atomic Required | True |
Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
Allowed Values | Regular Expression: ^[^/]*$ |
User/{ProfileName}/AlwaysOn
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOn
An optional flag to enable Always On mode. When enabled, the VPN connects automatically at sign-in and stays connected until the user manually disconnects.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Always On is turned off. |
true | Always On is turned on. |
User/{ProfileName}/AlwaysOnActive
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOnActive
An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. This setting controls whether "Connect Automatically" is toggled on profile creation.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Allowed values:
Value | Description |
---|---|
0 | Always On is inactive. |
1 (Default) | Always On is activated on provisioning. |
User/{ProfileName}/APNBinding
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/APNBinding/AccessPointName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AccessPointName
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/APNBinding/AuthenticationType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AuthenticationType
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/APNBinding/IsCompressionEnabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/IsCompressionEnabled
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/APNBinding/Password
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/Password
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/APNBinding/ProviderId
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/ProviderId
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/APNBinding/UserName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/UserName
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/AppTriggerList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList
List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/AppTriggerList/{appTriggerRowId}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}
A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Dynamic Node Naming | UniqueName: A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. |
User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App
App Node under the Row Id.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id
App identity, specified based on the Type field.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type
Returns the type of App/Id. This value can be either of the following:
- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application.
- FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
User/{ProfileName}/ByPassForLocal
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/ByPassForLocal
False: Don't Bypass for Local traffic.
True: ByPass VPN Interface for Local Traffic.
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy requires force tunnel for the VPN, but the enterprise intends to allow remote users to connect locally to a media center in their home, then this option should be set to True. The user can bypass the VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/DataEncryption
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DataEncryption
Determines the level of data encryption required for the connection.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Default Value | Require |
Allowed values:
Value | Description |
---|---|
None | No Data Encryption required. |
Require (Default) | Data Encryption required. |
Max | Maximum-strength Data Encryption required. |
Optional | Perform encryption if possible. |
User/{ProfileName}/DeviceCompliance
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance
Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Get |
User/{ProfileName}/DeviceCompliance/Enabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Enabled
Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Disabled. |
true | Enabled. |
User/{ProfileName}/DeviceCompliance/Sso
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso
Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Get |
User/{ProfileName}/DeviceCompliance/Sso/Eku
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Eku
Comma-separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/DeviceCompliance/Sso/Enabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Enabled
If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Disabled. |
true | Enabled. |
User/{ProfileName}/DeviceCompliance/Sso/IssuerHash
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/IssuerHash
Comma-separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/DisableAdvancedOptionsEditButton
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableAdvancedOptionsEditButton
Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Advanced Options Edit Button is available. |
true | Advanced Options Edit Button is unavailable. |
User/{ProfileName}/DisableDisconnectButton
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableDisconnectButton
Optional. When this setting is True, the Disconnect button won't be visible for connected profiles.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Disconnect Button is visible. |
true | Disconnect Button isn't visible. |
User/{ProfileName}/DisableIKEv2Fragmentation
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableIKEv2Fragmentation
Set to disable IKEv2 Fragmentation.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
true | IKEv2 Fragmentation won't be used. |
false (Default) | IKEv2 Fragmentation is used as normal. |
User/{ProfileName}/DnsSuffix
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DnsSuffix
Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection-specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/DomainNameInformationList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList
NRPT (Name Resolution Policy Table) Rules for the VPN Profile.
Note
Only applications using the Windows DNS API can make use of the NRPT, and therefore of the settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of an application not using the Windows DNS API is nslookup, so always use the PowerShell cmdlet Resolve-DnsName to check the functionality of the NRPT.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/DomainNameInformationList/{dniRowId}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Dynamic Node Naming | UniqueName: A sequential integer identifier for the Domain Name information. Sequencing must start at 0. |
User/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger
Boolean to determine whether this domain name rule will trigger the VPN.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | This DomainName rule won't trigger the VPN. |
true | This DomainName rule will trigger the VPN. |
User/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers
Comma-separated list of IP addresses for the DNS Servers to use for the domain name.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName
Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:
- FQDN - Fully qualified domain name.
- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a period (.) to the DNS suffix.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType
Returns the namespace type. This value can be one of the following:
- FQDN - If the DomainName wasn't prepended with a period (.) and applies only to the fully qualified domain name (FQDN) of a specified host.
- Suffix - If the DomainName was prepended with a period (.) and applies to the specified namespace, all records in that namespace, and all subdomains.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
User/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent
A boolean value that specifies if the rule being added should persist even when the VPN isn't connected.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | This DomainName rule will only be applied when VPN is connected. |
true | This DomainName rule will always be present and applied. |
User/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers
Web Proxy Server IP address if you are redirecting traffic through your intranet.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
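To see which names a set of DomainNameInformationList rows would actually cover, the sketch below applies the FQDN and Suffix semantics described above, including the label boundary that keeps a suffix rule from matching a look-alike domain. It is an added example, not Microsoft's code; the function names, the sample rules and the treatment of a bare "." as "every name" are assumptions, and it reports every matching row because this page does not state a precedence.

```python
import ipaddress
from typing import Dict, List

# Constructed sample rows; the list index plays the role of {dniRowId}.
RULES = [
    {"DomainName": ".corp.example.com", "DnsServers": "10.0.0.53,10.0.1.53"},
    {"DomainName": "hr.example.com", "DnsServers": "10.0.0.53"},
]
# Constructed query names to test against the rows.
QUERIES = [
    "fs01.corp.example.com",
    "corp.example.com",
    "notcorp.example.com",
    "hr.example.com",
    "www.hr.example.com",
]


def domain_name_type(domain_name: str) -> str:
    """DomainNameType as described above: leading '.' is Suffix, else FQDN."""
    return "Suffix" if domain_name.startswith(".") else "FQDN"


def rule_applies(domain_name: str, query: str) -> bool:
    """True if a row with this DomainName covers the queried name."""
    q = query.rstrip(".").lower()
    if domain_name_type(domain_name) == "FQDN":
        # FQDN rows apply only to that exact host name.
        return q == domain_name.rstrip(".").lower()
    namespace = domain_name[1:].rstrip(".").lower()
    if not namespace:
        # Assumption (not stated on this page): a bare "." covers every name.
        return True
    # Suffix rows cover the namespace itself and anything below it. The
    # leading dot in the comparison enforces a label boundary, so
    # "notcorp.example.com" is not covered by ".corp.example.com".
    return q == namespace or q.endswith("." + namespace)


def invalid_dns_servers(dns_servers: str) -> List[str]:
    """Return the DnsServers entries that are not IP addresses."""
    bad = []
    for entry in dns_servers.split(","):
        entry = entry.strip()
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            bad.append(entry)
    return bad


def nrpt_coverage(rules: List[Dict[str, str]],
                  queries: List[str]) -> Dict[str, List[int]]:
    """Map each query name to the row ids whose DomainName covers it."""
    return {
        query: [row_id for row_id, rule in enumerate(rules)
                if rule_applies(rule["DomainName"], query)]
        for query in queries
    }


if __name__ == "__main__":
    for row_id, rule in enumerate(RULES):
        print(row_id, rule["DomainName"], domain_name_type(rule["DomainName"]),
              "bad DNS entries:", invalid_dns_servers(rule["DnsServers"]))
    for name, rows in nrpt_coverage(RULES, QUERIES).items():
        print(f"{name}: {'rows ' + str(rows) if rows else 'no rule applies'}")
```

Names that come back with no matching row are resolved outside these rules, which is the case to review when the intent is to keep internal lookups on the VPN's DNS servers.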
User/{ProfileName}/EdpModeId
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/EdpModeId
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/IPv4InterfaceMetric
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/IPv4InterfaceMetric
The metric for the IPv4 interface.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [1-9999] |
User/{ProfileName}/IPv6InterfaceMetric
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/IPv6InterfaceMetric
The metric for the IPv6 interface.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [1-9999] |
User/{ProfileName}/NativeProfile
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile
Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP).
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Get |
User/{ProfileName}/NativeProfile/Authentication
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication
Required node for native profile. It contains authentication information for the native VPN profile.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/NativeProfile/Authentication/Certificate
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer
Reserved for future use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/NativeProfile/Authentication/Eap
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap
Required when the native profile specifies EAP authentication. EAP configuration XML.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/NativeProfile/Authentication/Eap/Configuration
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Configuration
HTML encoded XML of the EAP configuration. For more information, see EAP configuration.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/NativeProfile/Authentication/Eap/Type
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Type
Required node for EAP profiles. This specifies the EAP Type ID: 13 = EAP-TLS, 26 = Ms-Chapv2, 27 = Peap.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/NativeProfile/Authentication/MachineMethod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/MachineMethod
This is only supported in IKEv2.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
Certificate | Certificate. |
User/{ProfileName}/NativeProfile/Authentication/UserMethod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/UserMethod
This value can be one of the following: EAP or MSChapv2 (This isn't supported for IKEv2).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
EAP | EAP. |
MSChapv2 | MSChapv2: This isn't supported for IKEv2. |
User/{ProfileName}/NativeProfile/CryptographySuite
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite
Properties of IPSec tunnels.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants
Type of authentication transform constant.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
MD596 | MD596. |
SHA196 | SHA196. |
SHA256128 | SHA256128. |
GCMAES128 | GCMAES128. |
GCMAES192 | GCMAES192. |
GCMAES256 | GCMAES256. |
User/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants
Type of Cipher transform constant.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
DES | DES. |
DES3 | DES3. |
AES128 | AES128. |
AES192 | AES192. |
AES256 | AES256. |
GCMAES128 | GCMAES128. |
GCMAES192 | GCMAES192. |
GCMAES256 | GCMAES256. |
User/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
Group used for DH (Diffie-Hellman).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
None | None. |
Group1 | Group1. |
Group2 | Group2. |
Group14 | Group14. |
ECP256 | ECP256. |
ECP384 | ECP384. |
Group24 | Group24. |
User/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
Type of encryption method.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
DES | DES. |
DES3 | DES3. |
AES128 | AES128. |
AES192 | AES192. |
AES256 | AES256. |
AES_GCM_128 | AES_GCM_128. |
AES_GCM_256 | AES_GCM_256. |
User/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
Type of integrity check.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
MD5 | MD5. |
SHA196 | SHA196. |
SHA256 | SHA256. |
SHA384 | SHA384. |
User/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
Group used for PFS (Perfect Forward Secrecy).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
None | None. |
PFS1 | PFS1. |
PFS2 | PFS2. |
PFS2048 | PFS2048. |
ECP256 | ECP256. |
ECP384 | ECP384. |
PFSMM | PFSMM. |
PFS24 | PFS24. |
User/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute
Specifies the class-based default routes. For example, if the interface IP begins with 10, it assumes a Class A IP and pushes the route to 10.0.0.0/8.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Enabled. |
true | Disabled. |
User/{ProfileName}/NativeProfile/L2tpPsk
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/L2tpPsk
The preshared key used for an L2TP connection.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/NativeProfile/NativeProtocolType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/NativeProtocolType
Required for native profiles. Type of tunneling protocol used.
Note
For a Device Tunnel, use IKEv2 only.
For a User Tunnel, any value is allowed.
Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
PPTP | PPTP. |
L2TP | L2TP. |
IKEv2 | IKEv2. |
Automatic | Automatic. |
SSTP | SSTP. |
ProtocolList | ProtocolList. |
User/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes
True: Plumb traffic selectors as routes onto VPN interface, False: Don't plumb traffic selectors as routes.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/NativeProfile/ProtocolList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ [10.0.20207] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ [10.0.20207] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
List of inbox VPN protocols in priority order.
Note
For a User Tunnel up to 4 VPN protocols are supported.
A separate entry is needed for every VPN protocol. For a sample format, see Examples.
For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ [10.0.20207] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
Note
A separate entry is needed for every VPN protocol. For a sample format, see Examples.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ [10.0.20207] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
Inbox VPN protocols type.
Note
A separate entry is needed for every VPN protocol. For a sample format, see Examples.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
Pptp | Pptp. |
L2tp | L2tp. |
Ikev2 | Ikev2. |
Sstp | Sstp. |
User/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ [10.0.20207] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
Default 168, max 500000.
RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
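The allowed-value tables and cross-node rules above (Authentication, CryptographySuite, NativeProtocolType, ProtocolList) can be checked before a profile is pushed. The following is an added example, not Microsoft's code: it takes node values keyed by their path relative to {ProfileName}; the function name, the `device_tunnel` flag, the sample profiles and the `LEGACY` policy set are assumptions of this example.

```python
"""Added example: pre-deployment check of VPNv2 NativeProfile node values."""
NP = "NativeProfile/"
CS = NP + "CryptographySuite/"
PL = NP + "ProtocolList/"

# Allowed values, copied from the tables in this reference.
ALLOWED = {
    NP + "NativeProtocolType":
        {"PPTP", "L2TP", "IKEv2", "Automatic", "SSTP", "ProtocolList"},
    NP + "Authentication/UserMethod": {"EAP", "MSChapv2"},
    NP + "Authentication/MachineMethod": {"Certificate"},
    CS + "AuthenticationTransformConstants":
        {"MD596", "SHA196", "SHA256128", "GCMAES128", "GCMAES192", "GCMAES256"},
    CS + "CipherTransformConstants":
        {"DES", "DES3", "AES128", "AES192", "AES256",
         "GCMAES128", "GCMAES192", "GCMAES256"},
    CS + "DHGroup":
        {"None", "Group1", "Group2", "Group14", "ECP256", "ECP384", "Group24"},
    CS + "EncryptionMethod":
        {"DES", "DES3", "AES128", "AES192", "AES256", "AES_GCM_128", "AES_GCM_256"},
    CS + "IntegrityCheckMethod": {"MD5", "SHA196", "SHA256", "SHA384"},
    CS + "PfsGroup":
        {"None", "PFS1", "PFS2", "PFS2048", "ECP256", "ECP384", "PFSMM", "PFS24"},
}
ROW_TYPES = {"Pptp", "L2tp", "Ikev2", "Sstp"}  # NativeProtocolList/{id}/Type

# ASSUMPTION: this example's own audit policy, not part of the CSP reference.
LEGACY = {
    NP + "NativeProtocolType": {"PPTP"},
    CS + "AuthenticationTransformConstants": {"MD596"},
    CS + "CipherTransformConstants": {"DES", "DES3"},
    CS + "EncryptionMethod": {"DES", "DES3"},
    CS + "IntegrityCheckMethod": {"MD5"},
    CS + "DHGroup": {"Group1", "Group2"},
    CS + "PfsGroup": {"PFS1", "PFS2"},
}


def validate_native_profile(nodes, device_tunnel=False):
    """Return a list of findings for a {node path: value} mapping."""
    findings = []
    for path, value in nodes.items():
        if path in ALLOWED and value not in ALLOWED[path]:
            findings.append(f"INVALID {path}: {value!r} is not an allowed value")
        elif value in LEGACY.get(path, ()):
            findings.append(f"LEGACY {path}: {value}")

    proto = nodes.get(NP + "NativeProtocolType")
    user = nodes.get(NP + "Authentication/UserMethod")
    if device_tunnel and proto != "IKEv2":
        findings.append("RULE Device Tunnel must use IKEv2 in NativeProtocolType")
    # Flag only the explicit non-IKEv2 protocols; Automatic may still pick IKEv2.
    if NP + "Authentication/MachineMethod" in nodes and proto in {"PPTP", "L2TP", "SSTP"}:
        findings.append("RULE MachineMethod is only supported in IKEv2")
    if user == "MSChapv2" and proto == "IKEv2":
        findings.append("RULE UserMethod MSChapv2 isn't supported for IKEv2")
    if user == "EAP" and NP + "Authentication/Eap/Configuration" not in nodes:
        findings.append("RULE EAP authentication requires Authentication/Eap/Configuration")

    # One NativeProtocolList/{NativeProtocolRowId}/Type node per protocol.
    prefix = PL + "NativeProtocolList/"
    rows = {p: v for p, v in nodes.items()
            if p.startswith(prefix) and p.endswith("/Type")}
    for path, value in rows.items():
        if value not in ROW_TYPES:
            findings.append(f"INVALID {path}: {value!r} is not an allowed value")
    if proto == "ProtocolList" and not rows:
        findings.append("RULE NativeProtocolType=ProtocolList requires ProtocolList entries")
    if not device_tunnel and len(rows) > 4:
        findings.append("RULE User Tunnel supports up to 4 VPN protocols")
    retry = nodes.get(PL + "RetryTimeInHours")
    if retry is not None and not 0 <= retry <= 500000:
        findings.append("RULE RetryTimeInHours must be between 0 and 500000")
    return findings


# Constructed sample: a user-tunnel profile with several problems.
SAMPLE_BAD = {
    NP + "NativeProtocolType": "IKEv2",
    NP + "Authentication/UserMethod": "MSChapv2",
    CS + "EncryptionMethod": "DES3",
    CS + "IntegrityCheckMethod": "SHA1",  # not in the table (SHA196 is)
    CS + "DHGroup": "Group2",
    CS + "PfsGroup": "ECP384",
    PL + "RetryTimeInHours": 600000,
}
# Constructed sample: a profile that passes every check above.
SAMPLE_GOOD = {
    NP + "NativeProtocolType": "IKEv2",
    NP + "Authentication/UserMethod": "EAP",
    NP + "Authentication/Eap/Configuration": "<!-- constructed placeholder -->",
    CS + "AuthenticationTransformConstants": "SHA256128",
    CS + "CipherTransformConstants": "AES256",
    CS + "EncryptionMethod": "AES256",
    CS + "IntegrityCheckMethod": "SHA256",
    CS + "DHGroup": "Group14",
    CS + "PfsGroup": "PFS2048",
}

if __name__ == "__main__":
    for finding in validate_native_profile(SAMPLE_BAD):
        print(finding)
    print("good profile findings:", validate_native_profile(SAMPLE_GOOD))
```

Values are compared exactly as the tables spell them, so a casing difference is reported as INVALID.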
User/{ProfileName}/NativeProfile/RoutingPolicyType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/RoutingPolicyType
Type of routing policy.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
SplitTunnel | Traffic can go over any interface as determined by the networking stack. |
ForceTunnel | All IP traffic must go over the VPN interface. |
User/{ProfileName}/NativeProfile/Servers
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Servers
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples: 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semicolon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied, it will default to the server name. You can make a list of servers by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/NetworkOutageTime
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/NetworkOutageTime
The amount of time in seconds the network is allowed to idle. 0 means no limit.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-4294967295] |
User/{ProfileName}/PluginProfile
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile
Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Get |
User/{ProfileName}/PluginProfile/CustomConfiguration
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/CustomConfiguration
Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that's deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/PluginProfile/PluginPackageFamilyName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/PluginPackageFamilyName
Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/PluginProfile/ServerUrlList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/ServerUrlList
Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/PrivateNetwork
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/PrivateNetwork
Determines whether the VPN connection is public or private.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | true |
Allowed values:
Value | Description |
---|---|
false | VPN connection is public. |
true (Default) | VPN connection is private. |
User/{ProfileName}/ProfileXML
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML
The XML schema for provisioning all the fields of a VPN.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | See ProfileXML XSD Schema |
User/{ProfileName}/Proxy
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy
A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/Proxy/AutoConfigUrl
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/AutoConfigUrl
Optional. Set a URL to automatically retrieve the proxy settings.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/Proxy/Manual
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual
Optional node containing the manual server settings.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/Proxy/Manual/Server
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual/Server
Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with the port appended after a colon, for example, proxy.constoso.com:80.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/RegisterDNS
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/RegisterDNS
Allows registration of the connection's address in DNS.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Don't register the connection's address in DNS. |
true | Register the connection's addresses in DNS. |
User/{ProfileName}/RememberCredentials
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/RememberCredentials
Boolean value (true or false) for caching credentials.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Don't cache credentials. |
true | Credentials are cached whenever possible. |
User/{ProfileName}/RequireVpnClientAppUI
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ [10.0.19628] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/RequireVpnClientAppUI
Applicable only to AppContainer profiles.
False: Don't show profile in Settings UI.
True: Show profile in Settings UI.
Optional. This node is only relevant for AppContainer profiles (i.e. using the VpnManagementAgent::AddProfileFromXmlAsync method).
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/RouteList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList
List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/RouteList/{routeRowId}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}
A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Dynamic Node Naming | UniqueName: A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. |
User/{ProfileName}/RouteList/{routeRowId}/Address
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Address
Subnet address in IPv4/v6 address format which, along with the prefix, will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | This route will direct traffic over the VPN. |
true | This route will direct traffic over the physical interface. |
User/{ProfileName}/RouteList/{routeRowId}/Metric
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Metric
The route's metric.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/RouteList/{routeRowId}/PrefixSize
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/PrefixSize
The subnet prefix size part of the destination prefix for the route entry. This, along with the address, will be used to determine the destination prefix to route through the VPN Interface.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-4294967295] |
User/{ProfileName}/TrafficFilterList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList
A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
Note
Once a TrafficFilterList is added, all traffic is blocked other than the ones matching the rules.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}
A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Dynamic Node Naming | UniqueName: A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
Per-app VPN rule. Only the apps specified are allowed over the VPN Interface.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
App identity for the app-based traffic filter. The value for this node can be one of the following:
- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
- FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
- SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against the local user token.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default.
Inbound - The traffic filter allows traffic coming from external locations matching this rule.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
A list of comma separated values specifying local IP address ranges to allow.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
A comma-separated list of local port ranges to allow. For example, 100-120,200,300-320.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Regular Expression: ^[\d]*$ |
Dependency [ProtocolDependency] | Dependency Type: DependsOn Dependency URI: Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol Dependency Allowed Value: [6,17] Dependency Allowed Value Type: Range |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
A number from 0 to 255 representing the IP protocol (TCP = 6, UDP = 17).
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-255] |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
A list of comma separated values specifying remote IP address ranges to allow.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Regular Expression: ^[\d]*$ |
Dependency [ProtocolDependency] | Dependency Type: DependsOn Dependency URI: Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol Dependency Allowed Value: [6,17] Dependency Allowed Value Type: Range |
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
SplitTunnel | For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. |
ForceTunnel | For this traffic filter rule, all IP traffic must go through the VPN interface only. |
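The value formats of the TrafficFilterList nodes described above can be checked before a profile is pushed to devices. The following Python validator is an added example, not part of the original page or of Microsoft's code; the function names, the PackageFamilyName pattern, the reading of the `[6,17]` protocol dependency as "TCP or UDP", and the sample rules are assumptions made for illustration.

```python
import ipaddress
import re

PORT_PROTOCOLS = {6, 17}  # TCP and UDP; assumption: the [6,17] dependency means "6 or 17"
DIRECTIONS = {"Outbound", "Inbound"}
ROUTING_POLICIES = {"SplitTunnel", "ForceTunnel"}
# Assumed PackageFamilyName shape: <name>_<13-character publisher id>
PFN_RE = re.compile(r"[A-Za-z0-9.\-]+_[a-z0-9]{13}")


def parse_port_ranges(text):
    """'100-120,200,300-320' -> [(100, 120), (200, 200), (300, 320)]"""
    ranges = []
    for item in (part.strip() for part in text.split(",")):
        match = re.fullmatch(r"([0-9]+)(?:-([0-9]+))?", item)
        if not match:
            raise ValueError(f"malformed port range {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high or high > 65535:
            raise ValueError(f"port range {item!r} is reversed or above 65535")
        ranges.append((low, high))
    return ranges


def parse_address_ranges(text):
    """Accept the forms the page's examples use: CIDR, start-end, or one address."""
    ranges = []
    for item in (part.strip() for part in text.split(",")):
        if "/" in item:
            network = ipaddress.ip_network(item, strict=False)
            low, high = network[0], network[-1]
        elif "-" in item:
            start, end = item.split("-", 1)
            low = ipaddress.ip_address(start.strip())
            high = ipaddress.ip_address(end.strip())
        else:
            low = high = ipaddress.ip_address(item)
        if low.version != high.version or low > high:
            raise ValueError(f"address range {item!r} is reversed or mixes IP versions")
        ranges.append((low, high))
    return ranges


def classify_app_id(app_id):
    """Map an App/Id value to one of the three kinds the page lists (heuristic only)."""
    if app_id == "SYSTEM":
        return "SYSTEM"
    if PFN_RE.fullmatch(app_id):
        return "PackageFamilyName"
    if "\\" in app_id:
        return "FilePath"
    raise ValueError(f"App/Id {app_id!r} is not SYSTEM, a PackageFamilyName or a file path")


def validate_filter(rule):
    """Return the problems found in one traffic filter rule (dict: node name -> string)."""
    problems = []
    protocol = None
    if "Protocol" in rule:
        try:
            protocol = int(rule["Protocol"])
            if not 0 <= protocol <= 255:
                raise ValueError
        except ValueError:
            problems.append(f"Protocol {rule['Protocol']!r} is not a number in 0-255")
            protocol = None
    for node in ("LocalPortRanges", "RemotePortRanges"):
        if node in rule:
            if protocol not in PORT_PROTOCOLS:
                problems.append(f"{node} requires Protocol 6 (TCP) or 17 (UDP)")
            try:
                parse_port_ranges(rule[node])
            except ValueError as exc:
                problems.append(f"{node}: {exc}")
    for node in ("LocalAddressRanges", "RemoteAddressRanges"):
        if node in rule:
            try:
                parse_address_ranges(rule[node])
            except ValueError as exc:
                problems.append(f"{node}: {exc}")
    if rule.get("Direction", "Outbound") not in DIRECTIONS:
        problems.append(f"Direction {rule['Direction']!r} is not Outbound or Inbound")
    if "RoutingPolicyType" in rule:
        if rule["RoutingPolicyType"] not in ROUTING_POLICIES:
            problems.append("RoutingPolicyType must be SplitTunnel or ForceTunnel")
        elif "App" not in rule and "Claims" not in rule:
            problems.append("RoutingPolicyType applies only to App or Claims filters")
    if "App" in rule:
        try:
            classify_app_id(rule["App"])
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed sample rules, keyed by the TrafficFilterList node names.
    good = {"App": "SYSTEM", "Protocol": "6", "LocalPortRanges": "10,20-50,100-200",
            "RemoteAddressRanges": "30.30.0.0/16,10.10.10.10-20.20.20.20"}
    bad = {"Protocol": "1", "RemotePortRanges": "80-20", "Direction": "Both"}
    for rule in (good, bad):
        print(validate_filter(rule) or "OK")
```
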
User/{ProfileName}/TrustedNetworkDetection
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrustedNetworkDetection
Comma separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: `,`) |
User/{ProfileName}/UseRasCredentials
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/VPNv2/{ProfileName}/UseRasCredentials
Determines whether the credential manager saves RAS credentials after a connection.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | true |
Allowed values:
Value | Description |
---|---|
false | RAS credentials aren't saved. |
true (Default) | RAS credentials are saved. |
ProfileXML XSD Schema
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:import namespace="http://www.microsoft.com/provisioning/EapHostConfig" schemaLocation="EapHostConfig.xsd" />
<xs:element name="VPNProfile">
<xs:complexType>
<xs:sequence>
<xs:element name="ProfileName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="EdpModeId" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="RememberCredentials" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="AlwaysOn" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="DnsSuffix" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="TrustedNetworkDetection" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="DisableAdvancedOptionsEditButton" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="DisableDisconnectButton" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="LockDown" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="DeviceTunnel" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="RegisterDNS" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="ByPassForLocal" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="RequireVpnClientAppUI" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="Proxy" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="AutoConfigUrl" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Manual" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="Server" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="APNBinding" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="ProviderId" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="AccessPointName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Password" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="IsCompressionEnabled" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="AuthenticationType" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DeviceCompliance" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="Enabled" type="xs:boolean" minOccurs="1" maxOccurs="1" />
<xs:element name="Sso" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="Enabled" type="xs:boolean" minOccurs="1" maxOccurs="1" />
<xs:element name="Eku" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="IssuerHash" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="PluginProfile" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="ServerUrlList" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="CustomConfiguration" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PluginPackageFamilyName" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AppTrigger" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="App" minOccurs="1" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="Id" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DomainNameInformation" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="DomainName" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="DnsServers" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="WebProxyServers" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="AutoTrigger" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="Persistent" type="xs:boolean" minOccurs="0" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="TrafficFilter" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="App" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="Id" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Claims" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Protocol" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="LocalPortRanges" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="RemotePortRanges" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="LocalAddressRanges" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="RemoteAddressRanges" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="RoutingPolicyType" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Direction" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="NativeProfile" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="Servers" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="RoutingPolicyType" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="NativeProtocolType" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="L2tpPsk" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="DisableClassBasedDefaultRoute" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="PlumbIKEv2TSAsRoutes" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="CryptographySuite" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="AuthenticationTransformConstants" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="CipherTransformConstants" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PfsGroup" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="DHGroup" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="IntegrityCheckMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="EncryptionMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Authentication" minOccurs="1" maxOccurs="1">
<xs:complexType>
<xs:choice>
<xs:sequence>
<xs:element name="UserMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Eap" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="Configuration" minOccurs="1" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element xmlns:q1="http://www.microsoft.com/provisioning/EapHostConfig" ref="q1:EapHostConfig" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:element name="MachineMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:choice>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Route" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="Address" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="PrefixSize" type="xs:unsignedByte" minOccurs="1" maxOccurs="1" />
<xs:element name="ExclusionRoute" type="xs:boolean" minOccurs="0" maxOccurs="1" />
<xs:element name="Metric" type="xs:unsignedInt" minOccurs="0" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Examples
Profile example
<SyncML xmlns="SYNCML:SYNCML1.2" xmlns:A="syncml:metinf">
<SyncBody>
<Atomic>
<CmdID>10000</CmdID>
<!-- Configure VPN Server Name or Address (PhoneNumber=) [Comma Separated]-->
<Add>
<CmdID>10001</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPN_Demo/ProfileXML</LocURI>
</Target>
<Data><VPNProfile>
<ProfileName>VPN_Demo</ProfileName>
<NativeProfile>
<Servers>VPNServer.contoso.com</Servers>
<NativeProtocolType>ProtocolList</NativeProtocolType>
<ProtocolList>
<NativeProtocol>
<Type>Ikev2</Type>
</NativeProtocol>
<NativeProtocol>
<Type>Sstp</Type>
</NativeProtocol>
<RetryTimeInHours>168</RetryTimeInHours>
</ProtocolList>
<Authentication>
<UserMethod>Eap</UserMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <EapMethod> <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type> <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId> <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType> <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId> </EapMethod> <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>25</Type> <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <FastReconnect>true</FastReconnect> <InnerEapOptional>false</InnerEapOptional> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>13</Type> <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"> <CredentialsSource> <CertificateStore> <SimpleCertSelection>false</SimpleCertSelection> </CertificateStore> </CredentialsSource> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <DifferentUsername>false</DifferentUsername> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName> <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"> <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"> <EKUMapping> <EKUMap> <EKUName>Unknown Key Usage</EKUName> <EKUOID>1.3.6.1.4.1.311.87</EKUOID> </EKUMap> </EKUMapping> <ClientAuthEKUList Enabled="true"> 
<EKUMapInList> <EKUName>Unknown Key Usage</EKUName> </EKUMapInList> </ClientAuthEKUList> </FilteringInfo> </TLSExtensions> </EapType> </Eap> <EnableQuarantineChecks>false</EnableQuarantineChecks> <RequireCryptoBinding>false</RequireCryptoBinding> <PeapExtensions> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName> </PeapExtensions> </EapType> </Eap> </Config> </EapHostConfig>
</Configuration>
</Eap>
</Authentication>
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
</NativeProfile>
<DomainNameInformation>
<DomainName>.contoso.com</DomainName>
<DnsServers>10.5.5.5</DnsServers>
</DomainNameInformation>
<TrafficFilter>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
</TrafficFilter>
<Route>
<Address>10.0.0.0</Address>
<PrefixSize>8</PrefixSize>
</Route>
<Route>
<Address>25.0.0.0</Address>
<PrefixSize>8</PrefixSize>
</Route>
<RememberCredentials>true</RememberCredentials>
</VPNProfile></Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
AppTriggerList
<!-- Internet Explorer -->
<Add>
<CmdID>10013</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id</LocURI>
</Target>
<Data>%PROGRAMFILES%\Internet Explorer\iexplore.exe</Data>
</Item>
</Add>
<Add>
<CmdID>10014</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id</LocURI>
</Target>
<Data>%PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe</Data>
</Item>
</Add>
<!-- Edge -->
<Add>
<CmdID>10015</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id</LocURI>
</Target>
<Data>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Data>
</Item>
</Add>
RouteList and ExclusionRoute
<Add>
<CmdID>10008</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address</LocURI>
</Target>
<Data>192.168.0.0</Data>
</Item>
</Add>
<Add>
<CmdID>10009</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>24</Data>
</Item>
</Add>
<Add>
<CmdID>10010</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
DomainNameInformationList
<!-- Domain Name rule with Suffix Match with DNS Servers -->
<Add>
<CmdID>10013</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName</LocURI>
</Target>
<Data>.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>10014</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers</LocURI>
</Target>
<Data>192.168.0.11,192.168.0.12</Data>
</Item>
</Add>
<!-- Domain Name rule with Suffix Match with Web Proxy -->
<Add>
<CmdID>10013</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName</LocURI>
</Target>
<Data>.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>10015</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers</LocURI>
</Target>
<Data>192.168.0.100:8888</Data>
</Item>
</Add>
<!-- Domain Name rule with FQDN Match with DNS Servers -->
<Add>
<CmdID>10016</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName</LocURI>
</Target>
<Data>finance.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>10017</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers</LocURI>
</Target>
<Data>192.168.0.11,192.168.0.12</Data>
</Item>
</Add>
<!-- Domain Name rule with FQDN Match with Proxy Server -->
<Add>
<CmdID>10016</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName</LocURI>
</Target>
<Data>finance.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>10017</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers</LocURI>
</Target>
<Data>192.168.0.11:8080</Data>
</Item>
</Add>
<!-- Domain Name rule for all other (any) traffic through DNS Servers -->
<Add>
<CmdID>10016</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName</LocURI>
</Target>
<Data>.</Data>
</Item>
</Add>
<Add>
<CmdID>10017</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers</LocURI>
</Target>
<Data>192.168.0.11,192.168.0.12</Data>
</Item>
</Add>
<!-- Domain Name rule for all other (any) traffic through Proxy -->
<Add>
<CmdID>10016</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName</LocURI>
</Target>
<Data>.</Data>
</Item>
</Add>
<Add>
<CmdID>10017</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers</LocURI>
</Target>
<Data>192.168.0.11</Data>
</Item>
</Add>
AutoTrigger
<Add>
<CmdID>10010</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
Persistent
<Add>
<CmdID>10010</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
TrafficFilterList App
<!-- Desktop App -->
<Add>
<CmdID>10013</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/0/App/Id</LocURI>
</Target>
<Data>%ProgramFiles%\Internet Explorer\iexplore.exe</Data>
</Item>
</Add>
<!-- Store App -->
<Add>
<CmdID>10014</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/1/App/Id</LocURI>
</Target>
<Data>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Data>
</Item>
</Add>
<!-- SYSTEM -->
<Add>
<CmdID>10015</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/App/Id</LocURI>
</Target>
<Data>SYSTEM</Data>
</Item>
</Add>
Protocol, LocalPortRanges, RemotePortRanges, LocalAddressRanges, RemoteAddressRanges, RoutingPolicyType, EDPModeId, RememberCredentials, AlwaysOn, Lockdown, DnsSuffix, TrustedNetworkDetection
<!-- Protocol -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/Protocol</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>6</Data>
</Item>
</Add>
<!-- LocalPortRanges -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalPortRanges</LocURI>
</Target>
<Data>10,20-50,100-200</Data>
</Item>
</Add>
<!-- RemotePortRanges -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemotePortRanges</LocURI>
</Target>
<Data>20-50,100-200,300</Data>
</Item>
</Add>
<!-- LocalAddressRanges -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalAddressRanges</LocURI>
</Target>
<Data>3.3.3.3/32,1.1.1.1-2.2.2.2</Data>
</Item>
</Add>
<!-- RemoteAddressRanges -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemoteAddressRanges</LocURI>
</Target>
<Data>30.30.0.0/16,10.10.10.10-20.20.20.20</Data>
</Item>
</Add>
<!-- RoutingPolicyType -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/0/RoutingPolicyType</LocURI>
</Target>
<Data>ForceTunnel</Data>
</Item>
</Add>
<!-- EDPModeId -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID</LocURI>
</Target>
<Data>corp.contoso.com</Data>
</Item>
</Add>
<!-- RememberCredentials -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RememberCredentials</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
<!-- AlwaysOn -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AlwaysOn</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
<!-- Lockdown -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Lockdown</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
<!-- DnsSuffix -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DnsSuffix</LocURI>
</Target>
<Data>Adatum.com</Data>
</Item>
</Add>
<!-- TrustedNetworkDetection -->
<!-- Configure Trusted Networks (TrustedNetworks=) [Comma separated] -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrustedNetworkDetection</LocURI>
</Target>
<Data>Adatum.com</Data>
</Item>
</Add>
Proxy - Manual or AutoConfigUrl
<!-- Manual -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/Manual/Server</LocURI>
</Target>
<Data>192.168.0.100:8888</Data>
</Item>
</Add>
<!-- AutoConfigUrl -->
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/AutoConfigUrl</LocURI>
</Target>
<Data>HelloWorld.com</Data>
</Item>
</Add>
Device Compliance - Sso
<!-- Enabled -->
<Add>
<CmdID>10011</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
<!-- IssuerHash -->
<Add>
<CmdID>10011</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash</LocURI>
</Target>
<Data>ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee</Data>
</Item>
</Add>
<!-- Eku -->
<Add>
<CmdID>10011</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU</LocURI>
</Target>
<Data>1.3.6.1.5.5.7.3.2</Data>
</Item>
</Add>
PluginProfile
<!-- PluginPackageFamilyName -->
<!-- Configure VPN Server Name or Address (PhoneNumber=) [Comma Separated]-->
<Add>
<CmdID>10001</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/ServerUrlList</LocURI>
</Target>
<Data>selfhost.corp.contoso.com</Data>
</Item>
</Add>
<!-- Configure VPN Plugin AppX Package ID (ThirdPartyProfileInfo=) -->
<Add>
<CmdID>10002</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/PluginPackageFamilyName</LocURI>
</Target>
<Data>TestVpnPluginApp-SL_8wekyb3d8bbwe</Data>
</Item>
</Add>
<!-- Configure Microsoft's Custom XML (ThirdPartyProfileInfo=) -->
<Add>
<CmdID>10003</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/CustomConfiguration</LocURI>
</Target>
<Data><pluginschema><ipAddress>auto</ipAddress><port>443</port><networksettings><routes><includev4><route><address>172.10.10.0</address><prefix>24</prefix></route></includev4></routes><namespaces><namespace><space>.vpnbackend.com</space><dnsservers><server>172.10.10.11</server></dnsservers></namespace></namespaces></networksettings></pluginschema></Data>
</Item>
</Add>
NativeProfile
<!-- Servers -->
<Add>
<CmdID>10001</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Servers</LocURI>
</Target>
<Data>Selfhost.corp.contoso.com</Data>
</Item>
</Add>
<!-- RoutingPolicyType -->
<Add>
<CmdID>10007</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/RoutingPolicyType</LocURI>
</Target>
<Data>ForceTunnel</Data>
</Item>
</Add>
<!-- NativeProtocolType -->
<!-- Configure VPN Protocol Type (L2tp, Pptp, Ikev2) -->
<Add>
<CmdID>10002</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/NativeProtocolType</LocURI>
</Target>
<Data>Automatic</Data>
</Item>
</Add>
<!-- Authentication -->
<!-- UserMethod -->
<!-- Configure VPN User Method (Mschapv2, Eap) -->
<Add>
<CmdID>10003</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/UserMethod</LocURI>
</Target>
<Data>Eap</Data>
</Item>
</Add>
<!-- MachineMethod -->
<!-- Configure VPN Machine Method (Certificate, Eap, PresharedKey) -->
<Add>
<CmdID>10004</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/MachineMethod</LocURI>
</Target>
<Data>Eap</Data>
</Item>
</Add>
<!-- CryptographySuite -->
<Add>
<CmdID>10004</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/CryptographySuite/AuthenticationTransformConstants</LocURI>
</Target>
<Data>SHA196</Data>
</Item>
</Add>
<Add>
<CmdID>10004</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/CryptographySuite/CipherTransformConstants</LocURI>
</Target>
<Data>AES192</Data>
</Item>
</Add>
<Add>
<CmdID>10004</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/CryptographySuite/EncryptionMethod</LocURI>
</Target>
<Data>AES128</Data>
</Item>
</Add>
<Add>
<CmdID>10004</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/CryptographySuite/IntegrityCheckMethod</LocURI>
</Target>
<Data>SHA256</Data>
</Item>
</Add>
<Add>
<CmdID>10004</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/CryptographySuite/DHGroup</LocURI>
</Target>
<Data>Group2</Data>
</Item>
</Add>
<Add>
<CmdID>10004</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/CryptographySuite/PfsGroup</LocURI>
</Target>
<Data>PFS2048</Data>
</Item>
</Add>
<!-- DisableClassBasedDefaultRoute -->
<Add>
<CmdID>10011</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/DisableClassBasedDefaultRoute</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>