Tip of the Day: Configure VPN Profiles using the SCCM/WMI Bridge - Part 1
Today’s Tip…
There are a number of ways to create a VPN profile on Windows 10 Anniversary v1607. In this week’s tips we discuss what you need to know to deploy connection profiles using PowerShell, WMI, and the SCCM/WMI (aka WMI-to-CSP) Bridge.
The VPNv2CSP sits on top of what is known as the MDM stack. The CSP defines a set of nodes specified by URIs that represent different configurations. All VPN URIs have one of the following forms, which specifies the node hierarchy, which nodes can be edited, what type the node has, and what value is associated with the node.
./Vendor/MSFT/VPNv2/<ProfileName>/<Configuration>
./User/Vendor/MSFT/VPNv2/<ProfileName>/<Configuration>
The WMI/SCCM (aka WMI-to-CSP) Bridge
The SCCM/WMI Bridge provides an alternate to configuring VPNv2 CSP settings using MDM by exposing a WMI layer written on top of the native CSP. Using the bridge, WMI configuration scripts (whether executed locally or deployed via SCCM) are able to leverage the same code path used by MDM provisioning documents, with only the entry point being different. The distinction between these MDM and WMI configuration interfaces is as follows:
- VPN connection profiles deployed using Microsoft Intune or other MDM provider take an entry path through the platform MDM Client, delivering XML-based configurations directly to the VPNv2 CSP.
- WMI scripts use the SCCM/WMI Bridge as a configuration entry point, leveraging a set of MDM Bridge WMI Providers object classes whose properties map directly to VPNv2 CSP settings.
The graphic below illustrates the client configuration architecture on Windows 10, showing both the MDM client and the SCCM/WMI Bridge interfaces. NOTE - The provisioning engine and the EAS client interfaces are shown merely for the sake of completion.
Tomorrow’s Tip: VPNv2CSP MDM Bridge WMI Providers
In tomorrow’s tip, we will discuss the MDM Bridge WMI Provider classes and their member properties.