Redigera

Dela via


VPNv2 CSP

The VPNv2 configuration service provider allows the Mobile Device Management (MDM) server to configure the VPN profile of the device.

Here are the requirements for this CSP:

  • VPN configuration commands must be wrapped in an Atomic block in SyncML.

  • For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure Windows Information Protection policies.

  • In certain conditions you can change some properties directly, but we don't recommend it. Instead, follow these steps to make any changes:

    • Send a Delete command for the ProfileName to delete the entire profile.
    • Send the entire profile again with new values wrapped in an Atomic block.

The XSDs for all EAP methods are shipped in the box and can be found at the following locations:

  • C:\Windows\schemas\EAPHost
  • C:\Windows\schemas\EAPMethods

The following list shows the VPNv2 configuration service provider nodes:

Device/{ProfileName}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}

Unique alpha numeric identifier for the profile. The profile name mustn't include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get, Replace
Atomic Required True
Dynamic Node Naming ServerGeneratedUniqueIdentifier
Allowed Values Regular Expression: ^[^/]*$

Device/{ProfileName}/AlwaysOn

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOn

An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) Always On is turned off.
true Always On is turned on.

Device/{ProfileName}/AlwaysOnActive

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOnActive

An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Always On is inactive.
1 (Default) Always On is activated on provisioning.

Device/{ProfileName}/APNBinding

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding

Reserved for future use.

Description framework properties:

Property name Property value
Format node
Access Type Get

Device/{ProfileName}/APNBinding/AccessPointName

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AccessPointName

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/APNBinding/AuthenticationType

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AuthenticationType

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/APNBinding/IsCompressionEnabled

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/IsCompressionEnabled

Reserved for future use.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/APNBinding/Password

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/Password

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/APNBinding/ProviderId

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/ProviderId

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/APNBinding/UserName

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/UserName

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/AppTriggerList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList

List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect.

Description framework properties:

Property name Property value
Format node
Access Type Get

Device/{ProfileName}/AppTriggerList/{appTriggerRowId}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}

A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App

App Node under the Row Id.

Description framework properties:

Property name Property value
Format node
Access Type Get
Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id

App Identity. Specified, based on the Type Field.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type

Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Device/{ProfileName}/ByPassForLocal

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/ByPassForLocal

False: Don't Bypass for Local traffic.

True: ByPass VPN Interface for Local Traffic.

Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/DataEncryption

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DataEncryption

Determines the level of data encryption required for the connection.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Default Value Require

Allowed values:

Value Description
None No Data Encryption required.
Require (Default) Data Encryption required.
Max Maximum-strength Data Encryption required.
Optional Perform encryption if possible.

Device/{ProfileName}/DeviceCompliance

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance

Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.

Description framework properties:

Property name Property value
Format node
Access Type Add, Get

Device/{ProfileName}/DeviceCompliance/Enabled

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Enabled

Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
false Disabled.
true Enabled.

Device/{ProfileName}/DeviceCompliance/Sso

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso

Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.

Description framework properties:

Property name Property value
Format node
Access Type Add, Get
Device/{ProfileName}/DeviceCompliance/Sso/Eku
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Eku

Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/DeviceCompliance/Sso/Enabled
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Enabled

If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
false Disabled.
true Enabled.
Device/{ProfileName}/DeviceCompliance/Sso/IssuerHash
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/IssuerHash

Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/DeviceTunnel

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceTunnel

If turned on a device tunnel profile does four things.

First, it automatically becomes an always on profile.

Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect.

Third, no other Device Tunnel profile maybe be present on the same machine.

A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) This isn't a device tunnel profile.
true This is a device tunnel profile.

Device/{ProfileName}/DisableAdvancedOptionsEditButton

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableAdvancedOptionsEditButton

Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
false Advanced Options Edit Button is available.
true Advanced Options Edit Button is unavailable.

Device/{ProfileName}/DisableDisconnectButton

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableDisconnectButton

Optional. When this setting is True, the Disconnect button won't be visible for connected profiles.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
false Disconnect Button is visible.
true Disconnect Button isn't visible.

Device/{ProfileName}/DisableIKEv2Fragmentation

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableIKEv2Fragmentation

Set to disable IKEv2 Fragmentation.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
true IKEv2 Fragmentation won't be used.
false (Default) IKEv2 Fragmentation is used as normal.

Device/{ProfileName}/DnsSuffix

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DnsSuffix

Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/DomainNameInformationList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList

NRPT (Name Resolution Policy Table) Rules for the VPN Profile.

Note

Only applications using the Windows DNS API can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet Resolve-DNSName to check the functionality of the NRPT.

Description framework properties:

Property name Property value
Format node
Access Type Get

Device/{ProfileName}/DomainNameInformationList/{dniRowId}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}

A sequential integer identifier for the Domain Name information. Sequencing must start at 0.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger

Boolean to determine whether this domain name rule will trigger the VPN.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) This DomainName rule won't trigger the VPN.
true This DomainName rule will trigger the VPN.
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers

Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName

Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType

Returns the namespace type. This value can be one of the following: FQDN - If the DomainName wasn't prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent

A boolean value that specifies if the rule being added should persist even when the VPN isn't connected.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) This DomainName rule will only be applied when VPN is connected.
true This DomainName rule will always be present and applied.
Device/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers

Web Proxy Server IP address if you are redirecting traffic through your intranet.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/EdpModeId

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/EdpModeId

Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/IPv4InterfaceMetric

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/IPv4InterfaceMetric

The metric for the IPv4 interface.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [1-9999]

Device/{ProfileName}/IPv6InterfaceMetric

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/IPv6InterfaceMetric

The metric for the IPv6 interface.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [1-9999]

Device/{ProfileName}/NativeProfile

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile

Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP).

Description framework properties:

Property name Property value
Format node
Access Type Add, Get

Device/{ProfileName}/NativeProfile/Authentication

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication

Required node for native profile. It contains authentication information for the native VPN profile.

Description framework properties:

Property name Property value
Format node
Access Type Get
Device/{ProfileName}/NativeProfile/Authentication/Certificate
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate

Reserved for future use.

Description framework properties:

Property name Property value
Format node
Access Type Get
Device/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Eku

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/NativeProfile/Authentication/Eap
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap

Required when the native profile specifies EAP authentication. EAP configuration XML.

Description framework properties:

Property name Property value
Format node
Access Type Get
Device/{ProfileName}/NativeProfile/Authentication/Eap/Configuration
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Configuration

HTML encoded XML of the EAP configuration. For more information,see EAP configuration.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/NativeProfile/Authentication/Eap/Type
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Type

Required node for EAP profiles. This specifies the EAP Type ID 13 = EAP-TLS 26 = Ms-Chapv2 27 = Peap.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/NativeProfile/Authentication/MachineMethod
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/MachineMethod

This is only supported in IKEv2.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
Certificate Certificate.
Device/{ProfileName}/NativeProfile/Authentication/UserMethod
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/UserMethod

Type of user authentication.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
EAP EAP.
MSChapv2 MSChapv2: This isn't supported for IKEv2.

Device/{ProfileName}/NativeProfile/CryptographySuite

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite

Properties of IPSec tunnels.

Description framework properties:

Property name Property value
Format node
Access Type Get
Device/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants

Type of authentication transform constant.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
MD596 MD596.
SHA196 SHA196.
SHA256128 SHA256128.
GCMAES128 GCMAES128.
GCMAES192 GCMAES192.
GCMAES256 GCMAES256.
Device/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants

Type of Cipher transform constant.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
DES DES.
DES3 DES3.
AES128 AES128.
AES192 AES192.
AES256 AES256.
GCMAES128 GCMAES128.
GCMAES192 GCMAES192.
GCMAES256 GCMAES256.
Device/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/DHGroup

Group used for DH (Diffie-Hellman).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
None None.
Group1 Group1.
Group2 Group2.
Group14 Group14.
ECP256 ECP256.
ECP384 ECP384.
Group24 Group24.
Device/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod

Type of encryption method.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
DES DES.
DES3 DES3.
AES128 AES128.
AES192 AES192.
AES256 AES256.
AES_GCM_128 AES_GCM_128.
AES_GCM_256 AES_GCM_256.
Device/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod

Type of integrity check.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
MD5 MD5.
SHA196 SHA196.
SHA256 SHA256.
SHA384 SHA384.
Device/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup

Group used for PFS (Perfect Forward Secrecy).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
None None.
PFS1 PFS1.
PFS2 PFS2.
PFS2048 PFS2048.
ECP256 ECP256.
ECP384 ECP384.
PFSMM PFSMM.
PFS24 PFS24.

Device/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute

Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
false Enabled.
true Disabled.

Device/{ProfileName}/NativeProfile/L2tpPsk

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/L2tpPsk

The preshared key used for an L2TP connection.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/NativeProfile/NativeProtocolType

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/NativeProtocolType

Required for native profiles. Type of tunneling protocol used.

Note

For a Device Tunnel, use IKEv2 only.
For a User Tunnel, any value is allowed.
Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
PPTP PPTP.
L2TP L2TP.
IKEv2 IKEv2.
Automatic Automatic.
SSTP SSTP.
ProtocolList ProtocolList.

Device/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 [10.0.19041] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes

True: Plumb traffic selectors as routes onto VPN interface, False: Don't plumb traffic selectors as routes.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/NativeProfile/ProtocolList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20207] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList

Description framework properties:

Property name Property value
Format node
Access Type Get
Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20207] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList

List of inbox VPN protocols in priority order.

Note

For a User Tunnel up to 4 VPN protocols are supported.
A separate entry is needed for every VPN protocol. For a sample format, see Examples.
For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList.

Description framework properties:

Property name Property value
Format node
Access Type Get
Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20207] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}

Note

A separate entry is needed for every VPN protocol. For a sample format, see Examples.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20207] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type

Inbox VPN protocols type.

Note

A separate entry is needed for every VPN protocol. For a sample format, see Examples.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
Pptp Pptp.
L2tp L2tp.
Ikev2 Ikev2.
Sstp Sstp.
Device/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20207] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours

Default 168, max 500000.

RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/NativeProfile/RoutingPolicyType

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/RoutingPolicyType

Type of routing policy.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
SplitTunnel Traffic can go over any interface as determined by the networking stack.
ForceTunnel All IP traffic must go over the VPN interface.

Device/{ProfileName}/NativeProfile/Servers

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Servers

Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/NetworkOutageTime

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/NetworkOutageTime

The amount of time in seconds the network is allowed to idle. 0 means no limit.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-4294967295]

Device/{ProfileName}/PluginProfile

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile

Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.

Description framework properties:

Property name Property value
Format node
Access Type Add, Get

Device/{ProfileName}/PluginProfile/CustomConfiguration

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/CustomConfiguration

Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that's deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/PluginProfile/PluginPackageFamilyName

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/PluginPackageFamilyName

Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/PluginProfile/ServerUrlList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/ServerUrlList

Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/PrivateNetwork

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/PrivateNetwork

Determines whether the VPN connection is public or private.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value true

Allowed values:

Value Description
false VPN connection is public.
true (Default) VPN connection is private.

Device/{ProfileName}/ProfileXML

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML

The XML schema for provisioning all the fields of a VPN.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values See ProfileXML XSD Schema

Device/{ProfileName}/Proxy

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy

A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.

Description framework properties:

Property name Property value
Format node
Access Type Get

Device/{ProfileName}/Proxy/AutoConfigUrl

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/AutoConfigUrl

Optional. Set a URL to automatically retrieve the proxy settings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/Proxy/Manual

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual

Optional node containing the manual server settings.

Description framework properties:

Property name Property value
Format node
Access Type Get
Device/{ProfileName}/Proxy/Manual/Server
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual/Server

Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/{ProfileName}/RegisterDNS

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RegisterDNS

Allows registration of the connection's address in DNS.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) Don't register the connection's address in DNS.
true Register the connection's addresses in DNS.

Device/{ProfileName}/RememberCredentials

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RememberCredentials

Boolean value (true or false) for caching credentials.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) Don't cache credentials.
true Credentials are cached whenever possible.

Device/{ProfileName}/RouteList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList

List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface.

Description framework properties:

Property name Property value
Format node
Access Type Get

Device/{ProfileName}/RouteList/{routeRowId}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}

A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
Device/{ProfileName}/RouteList/{routeRowId}/Address
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Address

Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute

A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) This route will direct traffic over the VPN.
true This route will direct traffic over the physical interface.
Device/{ProfileName}/RouteList/{routeRowId}/Metric
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Metric

The route's metric.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/RouteList/{routeRowId}/PrefixSize
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/PrefixSize

The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-4294967295]

Device/{ProfileName}/TrafficFilterList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList

A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

Note

Once a TrafficFilterList is added, all traffic is blocked other than the ones matching the rules.

Description framework properties:

Property name Property value
Format node
Access Type Get

Device/{ProfileName}/TrafficFilterList/{trafficFilterId}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}

A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App

Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface.

Description framework properties:

Property name Property value
Format node
Access Type Get
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id

App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type

Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims

Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 [10.0.19041] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction

Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default.

Inbound - The traffic filter allows traffic coming from external locations matching this rule.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges

A list of comma separated values specifying local IP address ranges to allow.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges

Comma Separated list of ranges for eg. 100-120,200,300-320.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: ^[\d]*$
Dependency [ProtocolDependency] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol
Dependency Allowed Value: [6,17]
Dependency Allowed Value Type: Range
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol

0-255 number representing the ip protocol (TCP = 6, UDP = 17).

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-255]
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges

A list of comma separated values specifying remote IP address ranges to allow.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges

A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: ^[\d]*$
Dependency [ProtocolDependency] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol
Dependency Allowed Value: [6,17]
Dependency Allowed Value Type: Range
Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType

Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
SplitTunnel For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
ForceTunnel For this traffic rule all IP traffic must go through the VPN Interface only.

Device/{ProfileName}/TrustedNetworkDetection

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrustedNetworkDetection

Comma separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values ,

Device/{ProfileName}/UseRasCredentials

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/VPNv2/{ProfileName}/UseRasCredentials

Determines whether the credential manager will save ras credentials after a connection.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value true

Allowed values:

Value Description
false Ras Credentials aren't saved.
true (Default) Ras Credentials are saved.

User/{ProfileName}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}

Unique alpha numeric identifier for the profile. The profile name mustn't include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get, Replace
Atomic Required True
Dynamic Node Naming ServerGeneratedUniqueIdentifier
Allowed Values Regular Expression: ^[^/]*$

User/{ProfileName}/AlwaysOn

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOn

An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) Always On is turned off.
true Always On is turned on.

User/{ProfileName}/AlwaysOnActive

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOnActive

An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Always On is inactive.
1 (Default) Always On is activated on provisioning.

User/{ProfileName}/APNBinding

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding

Reserved for future use.

Description framework properties:

Property name Property value
Format node
Access Type Get

User/{ProfileName}/APNBinding/AccessPointName

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AccessPointName

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/APNBinding/AuthenticationType

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AuthenticationType

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/APNBinding/IsCompressionEnabled

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/IsCompressionEnabled

Reserved for future use.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

User/{ProfileName}/APNBinding/Password

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/Password

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/APNBinding/ProviderId

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/ProviderId

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/APNBinding/UserName

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/UserName

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/AppTriggerList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList

List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect.

Description framework properties:

Property name Property value
Format node
Access Type Get

User/{ProfileName}/AppTriggerList/{appTriggerRowId}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}

A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App

App Node under the Row Id.

Description framework properties:

Property name Property value
Format node
Access Type Get
User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id

App Identity. Specified, based on the Type Field.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type

Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

User/{ProfileName}/ByPassForLocal

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/ByPassForLocal

False: Don't Bypass for Local traffic.

True: ByPass VPN Interface for Local Traffic.

Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

User/{ProfileName}/DataEncryption

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DataEncryption

Determines the level of data encryption required for the connection.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Default Value Require

Allowed values:

Value Description
None No Data Encryption required.
Require (Default) Data Encryption required.
Max Maximum-strength Data Encryption required.
Optional Perform encryption if possible.

User/{ProfileName}/DeviceCompliance

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance

Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.

Description framework properties:

Property name Property value
Format node
Access Type Add, Get

User/{ProfileName}/DeviceCompliance/Enabled

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Enabled

Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
false Disabled.
true Enabled.

User/{ProfileName}/DeviceCompliance/Sso

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso

Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.

Description framework properties:

Property name Property value
Format node
Access Type Add, Get
User/{ProfileName}/DeviceCompliance/Sso/Eku
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Eku

Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/DeviceCompliance/Sso/Enabled
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Enabled

If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
false Disabled.
true Enabled.
User/{ProfileName}/DeviceCompliance/Sso/IssuerHash
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/IssuerHash

Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/DisableAdvancedOptionsEditButton

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableAdvancedOptionsEditButton

Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
false Advanced Options Edit Button is available.
true Advanced Options Edit Button is unavailable.

User/{ProfileName}/DisableDisconnectButton

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableDisconnectButton

Optional. When this setting is True, the Disconnect button won't be visible for connected profiles.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
false Disconnect Button is visible.
true Disconnect Button isn't visible.

User/{ProfileName}/DisableIKEv2Fragmentation

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableIKEv2Fragmentation

Set to disable IKEv2 Fragmentation.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
true IKEv2 Fragmentation won't be used.
false (Default) IKEv2 Fragmentation is used as normal.

User/{ProfileName}/DnsSuffix

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DnsSuffix

Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/DomainNameInformationList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList

NRPT (Name Resolution Policy Table) Rules for the VPN Profile.

Note

Only applications using the Windows DNS API can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet Resolve-DNSName to check the functionality of the NRPT.

Description framework properties:

Property name Property value
Format node
Access Type Get

User/{ProfileName}/DomainNameInformationList/{dniRowId}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}

A sequential integer identifier for the Domain Name information. Sequencing must start at 0.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
User/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger

Boolean to determine whether this domain name rule will trigger the VPN.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) This DomainName rule won't trigger the VPN.
true This DomainName rule will trigger the VPN.
User/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers

Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName

Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType

Returns the namespace type. This value can be one of the following: FQDN - If the DomainName wasn't prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get
User/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent

A boolean value that specifies if the rule being added should persist even when the VPN isn't connected.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) This DomainName rule will only be applied when VPN is connected.
true This DomainName rule will always be present and applied.
User/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers

Web Proxy Server IP address if you are redirecting traffic through your intranet.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/EdpModeId

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/EdpModeId

Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/IPv4InterfaceMetric

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/IPv4InterfaceMetric

The metric for the IPv4 interface.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [1-9999]

User/{ProfileName}/IPv6InterfaceMetric

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/IPv6InterfaceMetric

The metric for the IPv6 interface.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [1-9999]

User/{ProfileName}/NativeProfile

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile

InboxNodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP).

Description framework properties:

Property name Property value
Format node
Access Type Add, Get

User/{ProfileName}/NativeProfile/Authentication

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication

Required node for native profile. It contains authentication information for the native VPN profile.

Description framework properties:

Property name Property value
Format node
Access Type Get
User/{ProfileName}/NativeProfile/Authentication/Certificate
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate

Reserved for future use.

Description framework properties:

Property name Property value
Format node
Access Type Get
User/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Eku

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer

Reserved for future use.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/NativeProfile/Authentication/Eap
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap

Required when the native profile specifies EAP authentication. EAP configuration XML.

Description framework properties:

Property name Property value
Format node
Access Type Get
User/{ProfileName}/NativeProfile/Authentication/Eap/Configuration
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Configuration

HTML encoded XML of the EAP configuration. For more information,see EAP configuration.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/NativeProfile/Authentication/Eap/Type
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Type

Required node for EAP profiles. This specifies the EAP Type ID 13 = EAP-TLS 26 = Ms-Chapv2 27 = Peap.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
User/{ProfileName}/NativeProfile/Authentication/MachineMethod
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/MachineMethod

This is only supported in IKEv2.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
Certificate Certificate.
User/{ProfileName}/NativeProfile/Authentication/UserMethod
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/UserMethod

This value can be one of the following: EAP or MSChapv2 (This isn't supported for IKEv2).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
EAP EAP.
MSChapv2 MSChapv2: This isn't supported for IKEv2.

User/{ProfileName}/NativeProfile/CryptographySuite

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite

Properties of IPSec tunnels.

Description framework properties:

Property name Property value
Format node
Access Type Get
User/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants

Type of authentication transform constant.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
MD596 MD596.
SHA196 SHA196.
SHA256128 SHA256128.
GCMAES128 GCMAES128.
GCMAES192 GCMAES192.
GCMAES256 GCMAES256.
User/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants

Type of Cipher transform constant.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
DES DES.
DES3 DES3.
AES128 AES128.
AES192 AES192.
AES256 AES256.
GCMAES128 GCMAES128.
GCMAES192 GCMAES192.
GCMAES256 GCMAES256.
User/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/DHGroup

Group used for DH (Diffie-Hellman).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
None None.
Group1 Group1.
Group2 Group2.
Group14 Group14.
ECP256 ECP256.
ECP384 ECP384.
Group24 Group24.
User/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod

Type of encryption method.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
DES DES.
DES3 DES3.
AES128 AES128.
AES192 AES192.
AES256 AES256.
AES_GCM_128 AES_GCM_128.
AES_GCM_256 AES_GCM_256.
User/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod

Type of integrity check.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
MD5 MD5.
SHA196 SHA196.
SHA256 SHA256.
SHA384 SHA384.
User/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup

Group used for PFS (Perfect Forward Secrecy).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
None None.
PFS1 PFS1.
PFS2 PFS2.
PFS2048 PFS2048.
ECP256 ECP256.
ECP384 ECP384.
PFSMM PFSMM.
PFS24 PFS24.

User/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute

Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
false Enabled.
true Disabled.

User/{ProfileName}/NativeProfile/L2tpPsk

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/L2tpPsk

The preshared key used for an L2TP connection.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/NativeProfile/NativeProtocolType

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/NativeProtocolType

Required for native profiles. Type of tunneling protocol used.

Note

For a Device Tunnel, use IKEv2 only.
For a User Tunnel, any value is allowed.
Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
PPTP PPTP.
L2TP L2TP.
IKEv2 IKEv2.
Automatic Automatic.
SSTP SSTP.
ProtocolList ProtocolList.

User/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 [10.0.19041] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes

True: Plumb traffic selectors as routes onto VPN interface, False: Don't plumb traffic selectors as routes.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

User/{ProfileName}/NativeProfile/ProtocolList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20207] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList

Description framework properties:

Property name Property value
Format node
Access Type Get
User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20207] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList

List of inbox VPN protocols in priority order.

Note

For a User Tunnel up to 4 VPN protocols are supported.
A separate entry is needed for every VPN protocol. For a sample format, see Examples.
For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList.

Description framework properties:

Property name Property value
Format node
Access Type Get
User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20207] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}

Note

A separate entry is needed for every VPN protocol. For a sample format, see Examples.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20207] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type

Inbox VPN protocols type.

Note

A separate entry is needed for every VPN protocol. For a sample format, see Examples.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
Pptp Pptp.
L2tp L2tp.
Ikev2 Ikev2.
Sstp Sstp.
User/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20207] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours

Default 168, max 500000.

RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace

User/{ProfileName}/NativeProfile/RoutingPolicyType

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/RoutingPolicyType

Type of routing policy.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
SplitTunnel Traffic can go over any interface as determined by the networking stack.
ForceTunnel All IP traffic must go over the VPN interface.

User/{ProfileName}/NativeProfile/Servers

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Servers

Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/NetworkOutageTime

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/NetworkOutageTime

The amount of time in seconds the network is allowed to idle. 0 means no limit.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-4294967295]

User/{ProfileName}/PluginProfile

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile

Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.

Description framework properties:

Property name Property value
Format node
Access Type Add, Get

User/{ProfileName}/PluginProfile/CustomConfiguration

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/CustomConfiguration

Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that's deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/PluginProfile/PluginPackageFamilyName

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/PluginPackageFamilyName

Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/PluginProfile/ServerUrlList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/ServerUrlList

Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/PrivateNetwork

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/PrivateNetwork

Determines whether the VPN connection is public or private.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value true

Allowed values:

Value Description
false VPN connection is public.
true (Default) VPN connection is private.

User/{ProfileName}/ProfileXML

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML

The XML schema for provisioning all the fields of a VPN.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values See ProfileXML XSD Schema

User/{ProfileName}/Proxy

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy

A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.

Description framework properties:

Property name Property value
Format node
Access Type Get

User/{ProfileName}/Proxy/AutoConfigUrl

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/AutoConfigUrl

Optional. Set a URL to automatically retrieve the proxy settings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/Proxy/Manual

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual

Optional node containing the manual server settings.

Description framework properties:

Property name Property value
Format node
Access Type Get
User/{ProfileName}/Proxy/Manual/Server
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual/Server

Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

User/{ProfileName}/RegisterDNS

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/RegisterDNS

Allows registration of the connection's address in DNS.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) Don't register the connection's address in DNS.
true Register the connection's addresses in DNS.

User/{ProfileName}/RememberCredentials

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/RememberCredentials

Boolean value (true or false) for caching credentials.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) Don't cache credentials.
true Credentials are cached whenever possible.

User/{ProfileName}/RequireVpnClientAppUI

Scope Editions Applicable OS
❌ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.19628] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/RequireVpnClientAppUI

Applicable only to AppContainer profiles.

False: Don't show profile in Settings UI.

True: Show profile in Settings UI.

Optional. This node is only relevant for AppContainer profiles (i.e. using the VpnManagementAgent::AddProfileFromXmlAsync method).

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

User/{ProfileName}/RouteList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList

List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface.

Description framework properties:

Property name Property value
Format node
Access Type Get

User/{ProfileName}/RouteList/{routeRowId}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}

A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
User/{ProfileName}/RouteList/{routeRowId}/Address
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Address

Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute

A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) This route will direct traffic over the VPN.
true This route will direct traffic over the physical interface.
User/{ProfileName}/RouteList/{routeRowId}/Metric
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Metric

The route's metric.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
User/{ProfileName}/RouteList/{routeRowId}/PrefixSize
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/PrefixSize

The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-4294967295]

User/{ProfileName}/TrafficFilterList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList

A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

Note

Once a TrafficFilterList is added, all traffic is blocked other than the ones matching the rules.

Description framework properties:

Property name Property value
Format node
Access Type Get

User/{ProfileName}/TrafficFilterList/{trafficFilterId}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}

A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App

Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface.

Description framework properties:

Property name Property value
Format node
Access Type Get
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id

App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type

Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims

Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 [10.0.19041] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction

Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default.

Inbound - The traffic filter allows traffic coming from external locations matching this rule.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges

A list of comma separated values specifying local IP address ranges to allow.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges

Comma Separated list of ranges for eg. 100-120,200,300-320.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: ^[\d]*$
Dependency [ProtocolDependency] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol
Dependency Allowed Value: [6,17]
Dependency Allowed Value Type: Range
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol

0-255 number representing the ip protocol (TCP = 6, UDP = 17).

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-255]
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges

A list of comma separated values specifying remote IP address ranges to allow.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges

A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: ^[\d]*$
Dependency [ProtocolDependency] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol
Dependency Allowed Value: [6,17]
Dependency Allowed Value Type: Range
User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType

Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
SplitTunnel For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
ForceTunnel For this traffic rule all IP traffic must go through the VPN Interface only.

User/{ProfileName}/TrustedNetworkDetection

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/TrustedNetworkDetection

Comma separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values ,

User/{ProfileName}/UseRasCredentials

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/VPNv2/{ProfileName}/UseRasCredentials

Determines whether the credential manager will save ras credentials after a connection.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace
Default Value true

Allowed values:

Value Description
false Ras Credentials aren't saved.
true (Default) Ras Credentials are saved.

ProfileXML XSD Schema

<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:import namespace="http://www.microsoft.com/provisioning/EapHostConfig" schemaLocation="EapHostConfig.xsd" />
  <xs:element name="VPNProfile">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="ProfileName" type="xs:string" minOccurs="0" maxOccurs="1" />
        <xs:element name="EdpModeId" type="xs:string" minOccurs="0" maxOccurs="1" />
        <xs:element name="RememberCredentials" type="xs:boolean" minOccurs="0" maxOccurs="1" />
        <xs:element name="AlwaysOn" type="xs:boolean" minOccurs="0" maxOccurs="1" />
        <xs:element name="DnsSuffix" type="xs:string" minOccurs="0" maxOccurs="1" />
        <xs:element name="TrustedNetworkDetection" type="xs:string" minOccurs="0" maxOccurs="1" />
        <xs:element name="DisableAdvancedOptionsEditButton" type="xs:boolean" minOccurs="0" maxOccurs="1" />
        <xs:element name="DisableDisconnectButton" type="xs:boolean" minOccurs="0" maxOccurs="1" />
        <xs:element name="LockDown" type="xs:boolean" minOccurs="0" maxOccurs="1" />
        <xs:element name="DeviceTunnel" type="xs:boolean" minOccurs="0" maxOccurs="1" />
        <xs:element name="RegisterDNS" type="xs:boolean" minOccurs="0" maxOccurs="1" />
        <xs:element name="ByPassForLocal" type="xs:boolean" minOccurs="0" maxOccurs="1" />
        <xs:element name="RequireVpnClientAppUI" type="xs:boolean" minOccurs="0" maxOccurs="1" />
        <xs:element name="Proxy" minOccurs="0" maxOccurs="1">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="AutoConfigUrl" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="Manual" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="Server" type="xs:string" minOccurs="1" maxOccurs="1" />
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="APNBinding" minOccurs="0" maxOccurs="1">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="ProviderId" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="AccessPointName" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="Password" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="IsCompressionEnabled" type="xs:boolean" minOccurs="0" maxOccurs="1" />
              <xs:element name="AuthenticationType" type="xs:string" minOccurs="0" maxOccurs="1" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="DeviceCompliance" minOccurs="0" maxOccurs="1">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Enabled" type="xs:boolean" minOccurs="1" maxOccurs="1" />
              <xs:element name="Sso" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="Enabled" type="xs:boolean" minOccurs="1" maxOccurs="1" />
                    <xs:element name="Eku" type="xs:string" minOccurs="0" maxOccurs="1" />
                    <xs:element name="IssuerHash" type="xs:string" minOccurs="0" maxOccurs="1" />
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="PluginProfile" minOccurs="0" maxOccurs="1">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="ServerUrlList" type="xs:string" minOccurs="1" maxOccurs="1" />
              <xs:element name="CustomConfiguration" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="PluginPackageFamilyName" type="xs:string" minOccurs="1" maxOccurs="1" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="AppTrigger" minOccurs="0" maxOccurs="unbounded">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="App" minOccurs="1" maxOccurs="1">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="Id" type="xs:string" minOccurs="1" maxOccurs="1" />
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="DomainNameInformation" minOccurs="0" maxOccurs="unbounded">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="DomainName" type="xs:string" minOccurs="1" maxOccurs="1" />
              <xs:element name="DnsServers" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="WebProxyServers" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="AutoTrigger" type="xs:boolean" minOccurs="0" maxOccurs="1" />
              <xs:element name="Persistent" type="xs:boolean" minOccurs="0" maxOccurs="1" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="TrafficFilter" minOccurs="0" maxOccurs="unbounded">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="App" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="Id" type="xs:string" minOccurs="1" maxOccurs="1" />
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
              <xs:element name="Claims" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="Protocol" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="LocalPortRanges" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="RemotePortRanges" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="LocalAddressRanges" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="RemoteAddressRanges" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="RoutingPolicyType" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="Direction" type="xs:string" minOccurs="0" maxOccurs="1" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="NativeProfile" minOccurs="0" maxOccurs="1">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Servers" type="xs:string" minOccurs="1" maxOccurs="1" />
              <xs:element name="RoutingPolicyType" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="NativeProtocolType" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="L2tpPsk" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="DisableClassBasedDefaultRoute" type="xs:boolean" minOccurs="0" maxOccurs="1" />
              <xs:element name="PlumbIKEv2TSAsRoutes" type="xs:boolean" minOccurs="0" maxOccurs="1" />
              <xs:element name="CryptographySuite" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="AuthenticationTransformConstants" type="xs:string" minOccurs="0" maxOccurs="1" />
                    <xs:element name="CipherTransformConstants" type="xs:string" minOccurs="0" maxOccurs="1" />
                    <xs:element name="PfsGroup" type="xs:string" minOccurs="0" maxOccurs="1" />
                    <xs:element name="DHGroup" type="xs:string" minOccurs="0" maxOccurs="1" />
                    <xs:element name="IntegrityCheckMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
                    <xs:element name="EncryptionMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
              <xs:element name="Authentication" minOccurs="1" maxOccurs="1">
                <xs:complexType>
                  <xs:choice>
                    <xs:sequence>
                      <xs:element name="UserMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
                      <xs:element name="Eap" minOccurs="0" maxOccurs="1">
                        <xs:complexType>
                          <xs:sequence>
                            <xs:element name="Configuration" minOccurs="1" maxOccurs="1">
                              <xs:complexType>
                                <xs:sequence>
                                  <xs:element xmlns:q1="http://www.microsoft.com/provisioning/EapHostConfig" ref="q1:EapHostConfig" />
                                </xs:sequence>
                              </xs:complexType>
                            </xs:element>
                          </xs:sequence>
                        </xs:complexType>
                      </xs:element>
                    </xs:sequence>
                    <xs:element name="MachineMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
                  </xs:choice>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="Route" minOccurs="0" maxOccurs="unbounded">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Address" type="xs:string" minOccurs="1" maxOccurs="1" />
              <xs:element name="PrefixSize" type="xs:unsignedByte" minOccurs="1" maxOccurs="1" />
              <xs:element name="ExclusionRoute" type="xs:boolean" minOccurs="0" maxOccurs="1" />
              <xs:element name="Metric" type="xs:unsignedInt" minOccurs="0" maxOccurs="1" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>

Examples

Profile example

<SyncML xmlns="SYNCML:SYNCML1.2" xmlns:A="syncml:metinf">
  <SyncBody>
    <Atomic>
      <CmdID>10000</CmdID>

      <!-- Configure VPN Server Name or Address (PhoneNumber=) [Comma Separated]-->
      <Add>
        <CmdID>10001</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPN_Demo/ProfileXML</LocURI>
          </Target>
          <Data><VPNProfile>
  <ProfileName>VPN_Demo</ProfileName>
  <NativeProfile>
    <Servers>VPNServer.contoso.com</Servers>
    <NativeProtocolType>ProtocolList</NativeProtocolType>
      <ProtocolList>
        <NativeProtocol>
          <Type>Ikev2</Type>
        </NativeProtocol>
        <NativeProtocol>
          <Type>Sstp</Type>
        </NativeProtocol>
        <RetryTimeInHours>168</RetryTimeInHours>
      </ProtocolList>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <EapMethod> <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type> <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId> <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType> <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId> </EapMethod> <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>25</Type> <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <FastReconnect>true</FastReconnect> <InnerEapOptional>false</InnerEapOptional> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>13</Type> <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"> <CredentialsSource> <CertificateStore> <SimpleCertSelection>false</SimpleCertSelection> </CertificateStore> </CredentialsSource> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <DifferentUsername>false</DifferentUsername> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName> <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"> <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"> <EKUMapping> <EKUMap> <EKUName>Unknown Key Usage</EKUName> <EKUOID>1.3.6.1.4.1.311.87</EKUOID> </EKUMap> </EKUMapping> <ClientAuthEKUList Enabled="true"> <EKUMapInList> <EKUName>Unknown Key Usage</EKUName> </EKUMapInList> </ClientAuthEKUList> </FilteringInfo> </TLSExtensions> </EapType> </Eap> <EnableQuarantineChecks>false</EnableQuarantineChecks> <RequireCryptoBinding>false</RequireCryptoBinding> <PeapExtensions> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName> </PeapExtensions> </EapType> </Eap> </Config> </EapHostConfig>
    </Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <DomainNameInformationList>
    <DomainName>.contoso.com</DomainName>
    <DNSServers>10.5.5.5</DNSServers>
  </DomainNameInformationList>
 <TrafficFilter>
    <App>%ProgramFiles%\Internet Explorer\iexplore.exe</App>
  </TrafficFilter>
  <TrafficFilter>
    <App>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</App>
  </TrafficFilter>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <Route>
    <Address>25.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
    <RememberCredentials>true</RememberCredentials>
  </VPNProfile></Data>
        </Item>
      </Add>

    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>

AppTriggerList

<!-- Internet Explorer -->
<Add>
  <CmdID>10013</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id</LocURI>
    </Target>
    <Data>%PROGRAMFILES%\Internet Explorer\iexplore.exe</Data>
  </Item>
</Add>
<Add>
  <CmdID>10014</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id</LocURI>
    </Target>
    <Data>%PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe</Data>
  </Item>
</Add>
<!-- Edge -->
<Add>
  <CmdID>10015</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id</LocURI>
    </Target>
    <Data>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Data>
  </Item>
</Add>

RouteList and ExclusionRoute

<Add>
  <CmdID>10008</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address</LocURI>
    </Target>
    <Data>192.168.0.0</Data>
  </Item>
</Add>
<Add>
  <CmdID>10009</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>24</Data>
  </Item>
</Add>
<Add>
  <CmdID>10010</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">bool</Format>
    </Meta>
    <Data>true</Data>
  </Item>
</Add>

DomainNameInformationList

<!-- Domain Name rule with Suffix Match with DNS Servers -->
<Add>
  <CmdID>10013</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName</LocURI>
    </Target>
    <Data>.contoso.com</Data>
  </Item>
</Add>
<Add>
  <CmdID>10014</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers</LocURI>
    </Target>
    <Data>192.168.0.11,192.168.0.12</Data>
  </Item>
</Add>

<!-- Domain Name rule with Suffix Match with Web Proxy -->
<Add>
  <CmdID>10013</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName</LocURI>
    </Target>
    <Data>.contoso.com</Data>
  </Item>
</Add>

<Add>
  <CmdID>10015</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers</LocURI>
    </Target>
    <Data>192.168.0.100:8888</Data>
  </Item>
</Add>

<!-- Domain Name rule with FQDN Match with DNS Servers -->

<Add>
  <CmdID>10016</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName</LocURI>
    </Target>
    <Data>finance.contoso.com</Data>
  </Item>
</Add>
<Add>
  <CmdID>10017</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers</LocURI>
    </Target>
    <Data>192.168.0.11,192.168.0.12</Data>
  </Item>
</Add>

<!-- Domain Name rule with FQDN Match with Proxy Server -->

<Add>
  <CmdID>10016</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName</LocURI>
    </Target>
    <Data>finance.contoso.com</Data>
  </Item>
</Add>
<Add>
  <CmdID>10017</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers</LocURI>
    </Target>
    <Data>192.168.0.11:8080</Data>
  </Item>
</Add>

<!-- Domain Name rule for all other (any) traffic through DNS Servers -->
<Add>
  <CmdID>10016</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName</LocURI>
    </Target>
    <Data>.</Data>
  </Item>
</Add>
<Add>
  <CmdID>10017</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers</LocURI>
    </Target>
    <Data>192.168.0.11,192.168.0.12</Data>
  </Item>
</Add>

<!-- Domain Name rule for all other (any) traffic through Proxy -->

<Add>
  <CmdID>10016</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName</LocURI>
    </Target>
    <Data>.</Data>
  </Item>
</Add>
<Add>
  <CmdID>10017</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers</LocURI>
    </Target>
    <Data>192.168.0.11</Data>
  </Item>
</Add>

AutoTrigger

<Add>
  <CmdID>10010</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">bool</Format>
    </Meta>
    <Data>true</Data>
  </Item>
</Add>

Persistent

<Add>
  <CmdID>10010</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">bool</Format>
    </Meta>
    <Data>true</Data>
  </Item>
</Add>

TrafficFilterLIst App

    <!-- Desktop App -->
    <Add>
        <CmdID>10013</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/0/App/Id</LocURI>
          </Target>
          <Data>%ProgramFiles%\Internet Explorer\iexplore.exe</Data>
        </Item>
      </Add>
      <!-- Store App -->
      <Add>
        <CmdID>10014</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/1/App/Id</LocURI>
          </Target>
          <Data>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Data>
        </Item>
      </Add>
      <!-- SYSTEM -->
      <Add>
        <CmdID>10015</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/App/Id</LocURI>
          </Target>
          <Data>SYSTEM</Data>
        </Item>
      </Add>

Protocol, LocalPortRanges, RemotePortRanges, LocalAddressRanges, RemoteAddressRanges, RoutingPolicyType, EDPModeId, RememberCredentials, AlwaysOn, Lockdown, DnsSuffix, TrustedNetworkDetection

    <!-- Protocol -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/Protocol</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">int</Format>
          </Meta>
          <Data>6</Data>
        </Item>
      </Add>
      <!-- LocalPortRanges -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalPortRanges</LocURI>
          </Target>
          <Data>10,20-50,100-200</Data>
        </Item>
      </Add>
      <!-- RemotePortRanges -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemotePortRanges</LocURI>
          </Target>
          <Data>20-50,100-200,300</Data>
        </Item>
      </Add>
      <!-- LocalAddressRanges -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalAddressRanges/LocURI>
          </Target>
          <Data>3.3.3.3/32,1.1.1.1-2.2.2.2</Data>
        </Item>
      </Add>
      <!-- RemoteAddressRanges -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemoteAddressRanges</LocURI>
          </Target>
          <Data>30.30.0.0/16,10.10.10.10-20.20.20.20</Data>
        </Item>
      </Add>
      <!-- RoutingPolicyType -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/0/RoutingPolicyType</LocURI>
          </Target>
          <Data>ForceTunnel</Data>
        </Item>
      </Add>
      <!-- EDPModeId -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID</LocURI>
          </Target>
          <Data>corp.contoso.com</Data>
        </Item>
      </Add>
      <!-- RememberCredentials -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RememberCredentials</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>
      <!-- AlwaysOn -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AlwaysOn</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>
      <!-- Lockdown -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Lockdown</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>
      <!-- DnsSuffix -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DnsSuffix</LocURI>
          </Target>
          <Data>Adatum.com</Data>
        </Item>
      </Add>
      <!-- TrustedNetworkDetection -->
     <!-- Configure Trusted Networks (TrustedNetworks=) [Comma separated] -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrustedNetworkDetection</LocURI>
          </Target>
          <Data>Adatum.com</Data>
        </Item>
      </Add>

Proxy - Manual or AutoConfigUrl

      <!-- Manual -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/Manual/Server</LocURI>
          </Target>
          <Data>192.168.0.100:8888</Data>
        </Item>
      </Add>
      <!-- AutoConfigUrl -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/AutoConfigUrl</LocURI>
          </Target>
          <Data>HelloWorld.com</Data>
        </Item>
      </Add>

Device Compliance - Sso

    <!-- Enabled -->
    <Add>
      <CmdID>10011</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">bool</Format>
        </Meta>
        <Data>true</Data>
      </Item>
    </Add>

    <!-- IssuerHash -->
    <Add>
      <CmdID>10011</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash</LocURI>
        </Target>
        <Data>ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee</Data>
      </Item>
    </Add>

    <!-- Eku -->
    <Add>
      <CmdID>10011</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU</LocURI>
        </Target>
        <Data>1.3.6.1.5.5.7.3.2</Data>
      </Item>
    </Add>

PluginProfile

    <!-- PluginPackageFamilyName -->
      <!-- Configure VPN Server Name or Address (PhoneNumber=) [Comma Separated]-->
      <Add>
        <CmdID>10001</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/ServerUrlList</LocURI>
          </Target>
          <Data>selfhost.corp.contoso.com</Data>
        </Item>
      </Add>

      <!-- Configure VPN Plugin AppX Package ID (ThirdPartyProfileInfo=) -->
      <Add>
        <CmdID>10002</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/PluginPackageFamilyName</LocURI>
          </Target>
          <Data>TestVpnPluginApp-SL_8wekyb3d8bbwe</Data>
        </Item>
      </Add>

      <!-- Configure Microsoft's Custom XML (ThirdPartyProfileInfo=) -->
      <Add>
        <CmdID>10003</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/CustomConfiguration</LocURI>
          </Target>
          <Data><pluginschema><ipAddress>auto</ipAddress><port>443</port><networksettings><routes><includev4><route><address>172.10.10.0</address><prefix>24</prefix></route></includev4></routes><namespaces><namespace><space>.vpnbackend.com</space><dnsservers><server>172.10.10.11</server></dnsservers></namespace></namespaces></networksettings></pluginschema></Data>
        </Item>
      </Add>

NativeProfile

      <!-- Servers -->
      <Add>
        <CmdID>10001</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Servers</LocURI>
          </Target>
          <Data>Selfhost.corp.contoso.com</Data>
        </Item>
      </Add>

      <!-- RoutingPolicyType -->
      <Add>
        <CmdID>10007</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/RoutingPolicyType</LocURI>
          </Target>
          <Data>ForceTunnel</Data>
        </Item>
      </Add>

    <!-- NativeProtocolType -->
    <!-- Configure VPN Protocol Type (L2tp, Pptp, Ikev2) -->
      <Add>
        <CmdID>10002</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/NativeProtocolType</LocURI>
          </Target>
          <Data>Automatic</Data>
        </Item>
      </Add>

  <!-- Authentication -->
      <!-- UserMethod -->
      <!-- Configure VPN User Method (Mschapv2, Eap) -->
      <Add>
        <CmdID>10003</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/UserMethod</LocURI>
          </Target>
          <Data>Eap</Data>
        </Item>
      </Add>

      <!-- MachineMethod -->
      <!-- Configure VPN Machine Method (Certificate, Eap, PresharedKey) -->
      <Add>
        <CmdID>10004</CmdID>
        <Item>
         <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/MachineMethod</LocURI>
          </Target>
          <Data>Eap</Data>
        </Item>
      </Add>

  <!-- CryptographySuite -->
        <Add>
        <CmdID>10004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/AuthenticationTransformConstants</LocURI>
          </Target>
          <Data>SHA196</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/CipherTransformConstants</LocURI>
          </Target>
          <Data>AES192</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/EncryptionMethod</LocURI>
          </Target>
          <Data>AES128</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/IntegrityCheckMethod</LocURI>
          </Target>
          <Data>SHA256</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>Group14</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/DHGroup</LocURI>
          </Target>
          <Data>Group2</Data>
        </Item>
     </Add>
      <Add>
        <CmdID>10004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/PfsGroup</LocURI>
          </Target>
          <Data>PFS2048</Data>
        </Item>
      </Add>

      <!-- DisableClassBasedDefaultRoute -->
        <CmdID>10011</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/DisableClassBasedDefaultRoute</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>

Configuration service provider reference