From 505a828354f711a47e24fbabf71cbe5c7d2aa73f Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Mon, 27 Feb 2023 13:20:51 -0500
Subject: [PATCH] VPNv2 CSP
---
.openpublishing.redirection.json | 5 +
windows/client-management/mdm/toc.yml | 2 -
windows/client-management/mdm/vpnv2-csp.md | 9794 ++++++++++++--
.../client-management/mdm/vpnv2-ddf-file.md | 10837 +++++++++-------
.../mdm/vpnv2-profile-xsd.md | 447 -
5 files changed, 15330 insertions(+), 5755 deletions(-)
delete mode 100644 windows/client-management/mdm/vpnv2-profile-xsd.md
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 155536f5e6..72f7b416ce 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20525,6 +20525,11 @@
"redirect_url": "/windows/client-management/mdm/applocker-csp#policy-xsd-schema",
"redirect_document_id": true
},
+ {
+ "source_path": "windows/client-management/mdm/vpnv2-profile-xsd.md",
+ "redirect_url": "/windows/client-management/mdm/vpnv2-csp#profilexml-xsd-schema",
+ "redirect_document_id": true
+ },
{
"source_path": "education/windows/education-scenarios-store-for-business.md",
"redirect_url": "/windows/resources",
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index a83a0d85fa..5f76856695 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -917,8 +917,6 @@ items:
items:
- name: VPNv2 DDF file
href: vpnv2-ddf-file.md
- - name: ProfileXML XSD
- href: vpnv2-profile-xsd.md
- name: EAP configuration
href: eap-configuration.md
- name: w4 APPLICATION
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index ea73b10265..916d89e45c 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -1,899 +1,8982 @@
---
title: VPNv2 CSP
-description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
-ms.reviewer: pesmith
+description: Learn more about the VPNv2 CSP.
+author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 02/27/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/21/2021
+ms.topic: reference
---
+
+
+
# VPNv2 CSP
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
+
+
The VPNv2 configuration service provider allows the Mobile Device Management (MDM) server to configure the VPN profile of the device.
Here are the requirements for this CSP:
- VPN configuration commands must be wrapped in an Atomic block in SyncML.
- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure Windows Information Protection policies.
-- Instead of changing individual properties, follow these steps to make any changes:
+- In certain conditions you can change some properties directly, but we don't recommend it. Instead, follow these steps to make any changes:
- Send a Delete command for the ProfileName to delete the entire profile.
- Send the entire profile again with new values wrapped in an Atomic block.
- In certain conditions you can change some properties directly, but we don't recommend it.
-
The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
- `C:\Windows\schemas\EAPHost`
- `C:\Windows\schemas\EAPMethods`
+
+
The following example shows the VPNv2 configuration service provider in tree format.
+```text
+./Device/Vendor/MSFT/VPNv2
+--- {ProfileName}
+------ AlwaysOn
+------ AlwaysOnActive
+------ APNBinding
+--------- AccessPointName
+--------- AuthenticationType
+--------- IsCompressionEnabled
+--------- Password
+--------- ProviderId
+--------- UserName
+------ AppTriggerList
+--------- {appTriggerRowId}
+------------ App
+--------------- Id
+--------------- Type
+------ ByPassForLocal
+------ DataEncryption
+------ DeviceCompliance
+--------- Enabled
+--------- Sso
+------------ Eku
+------------ Enabled
+------------ IssuerHash
+------ DeviceTunnel
+------ DisableAdvancedOptionsEditButton
+------ DisableDisconnectButton
+------ DisableIKEv2Fragmentation
+------ DnsSuffix
+------ DomainNameInformationList
+--------- {dniRowId}
+------------ AutoTrigger
+------------ DnsServers
+------------ DomainName
+------------ DomainNameType
+------------ Persistent
+------------ WebProxyServers
+------ EdpModeId
+------ IPv4InterfaceMetric
+------ IPv6InterfaceMetric
+------ NativeProfile
+--------- Authentication
+------------ Certificate
+--------------- Eku
+--------------- Issuer
+------------ Eap
+--------------- Configuration
+--------------- Type
+------------ MachineMethod
+------------ UserMethod
+--------- CryptographySuite
+------------ AuthenticationTransformConstants
+------------ CipherTransformConstants
+------------ DHGroup
+------------ EncryptionMethod
+------------ IntegrityCheckMethod
+------------ PfsGroup
+--------- DisableClassBasedDefaultRoute
+--------- L2tpPsk
+--------- NativeProtocolType
+--------- PlumbIKEv2TSAsRoutes
+--------- ProtocolList
+------------ NativeProtocolList
+--------------- {NativeProtocolRowId}
+------------------ Type
+------------ RetryTimeInHours
+--------- RoutingPolicyType
+--------- Servers
+------ NetworkOutageTime
+------ PluginProfile
+--------- CustomConfiguration
+--------- PluginPackageFamilyName
+--------- ServerUrlList
+------ PrivateNetwork
+------ ProfileXML
+------ Proxy
+--------- AutoConfigUrl
+--------- Manual
+------------ Server
+------ RegisterDNS
+------ RememberCredentials
+------ RouteList
+--------- {routeRowId}
+------------ Address
+------------ ExclusionRoute
+------------ Metric
+------------ PrefixSize
+------ TrafficFilterList
+--------- {trafficFilterId}
+------------ App
+--------------- Id
+--------------- Type
+------------ Claims
+------------ Direction
+------------ LocalAddressRanges
+------------ LocalPortRanges
+------------ Protocol
+------------ RemoteAddressRanges
+------------ RemotePortRanges
+------------ RoutingPolicyType
+------ TrustedNetworkDetection
+------ UseRasCredentials
+./User/Vendor/MSFT/VPNv2
+--- {ProfileName}
+------ AlwaysOn
+------ AlwaysOnActive
+------ APNBinding
+--------- AccessPointName
+--------- AuthenticationType
+--------- IsCompressionEnabled
+--------- Password
+--------- ProviderId
+--------- UserName
+------ AppTriggerList
+--------- {appTriggerRowId}
+------------ App
+--------------- Id
+--------------- Type
+------ ByPassForLocal
+------ DataEncryption
+------ DeviceCompliance
+--------- Enabled
+--------- Sso
+------------ Eku
+------------ Enabled
+------------ IssuerHash
+------ DisableAdvancedOptionsEditButton
+------ DisableDisconnectButton
+------ DisableIKEv2Fragmentation
+------ DnsSuffix
+------ DomainNameInformationList
+--------- {dniRowId}
+------------ AutoTrigger
+------------ DnsServers
+------------ DomainName
+------------ DomainNameType
+------------ Persistent
+------------ WebProxyServers
+------ EdpModeId
+------ IPv4InterfaceMetric
+------ IPv6InterfaceMetric
+------ NativeProfile
+--------- Authentication
+------------ Certificate
+--------------- Eku
+--------------- Issuer
+------------ Eap
+--------------- Configuration
+--------------- Type
+------------ MachineMethod
+------------ UserMethod
+--------- CryptographySuite
+------------ AuthenticationTransformConstants
+------------ CipherTransformConstants
+------------ DHGroup
+------------ EncryptionMethod
+------------ IntegrityCheckMethod
+------------ PfsGroup
+--------- DisableClassBasedDefaultRoute
+--------- L2tpPsk
+--------- NativeProtocolType
+--------- PlumbIKEv2TSAsRoutes
+--------- ProtocolList
+------------ NativeProtocolList
+--------------- {NativeProtocolRowId}
+------------------ Type
+------------ RetryTimeInHours
+--------- RoutingPolicyType
+--------- Servers
+------ NetworkOutageTime
+------ PluginProfile
+--------- CustomConfiguration
+--------- PluginPackageFamilyName
+--------- ServerUrlList
+------ PrivateNetwork
+------ ProfileXML
+------ Proxy
+--------- AutoConfigUrl
+--------- Manual
+------------ Server
+------ RegisterDNS
+------ RememberCredentials
+------ RequireVpnClientAppUI
+------ RouteList
+--------- {routeRowId}
+------------ Address
+------------ ExclusionRoute
+------------ Metric
+------------ PrefixSize
+------ TrafficFilterList
+--------- {trafficFilterId}
+------------ App
+--------------- Id
+--------------- Type
+------------ Claims
+------------ Direction
+------------ LocalAddressRanges
+------------ LocalPortRanges
+------------ Protocol
+------------ RemoteAddressRanges
+------------ RemotePortRanges
+------------ RoutingPolicyType
+------ TrustedNetworkDetection
+------ UseRasCredentials
```
-./Vendor/MSFT
-VPNv2
-----ProfileName
---------AppTriggerList
-------------appTriggerRowId
-----------------App
---------------------Id
---------------------Type
---------RouteList
-------------routeRowId
-----------------Address
-----------------PrefixSize
-----------------Metric
-----------------ExclusionRoute
---------DomainNameInformationList
-------------dniRowId
-----------------DomainName
-----------------DomainNameType
-----------------DnsServers
-----------------WebProxyServers
-----------------AutoTrigger
-----------------Persistent
---------TrafficFilterList
-------------trafficFilterId
-----------------App
---------------------Id
---------------------Type
-----------------Claims
-----------------Protocol
-----------------LocalPortRanges
-----------------RemotePortRanges
-----------------LocalAddressRanges
-----------------RemoteAddressRanges
-----------------RoutingPolicyType
-----------------Direction
---------EdpModeId
---------RememberCredentials
---------AlwaysOn
---------LockDown
---------DeviceTunnel
---------RegisterDNS
---------DnsSuffix
---------ByPassForLocal
---------TrustedNetworkDetection
---------ProfileXML
---------Proxy
-------------Manual
-----------------Server
-------------AutoConfigUrl
---------APNBinding
-------------ProviderId
-------------AccessPointName
-------------UserName
-------------Password
-------------IsCompressionEnabled
-------------AuthenticationType
---------DeviceCompliance
-------------Enabled
-------------Sso
-----------------Enabled
-----------------IssuerHash
-----------------Eku
---------PluginProfile
-------------ServerUrlList
-------------CustomConfiguration
-------------PluginPackageFamilyName
-------------CustomStoreUrl
-------------WebAuth
-----------------Enabled
-----------------ClientId
---------NativeProfile
-------------Servers
-------------RoutingPolicyType
-------------NativeProtocolType
-------------Authentication
-----------------UserMethod
-----------------MachineMethod
-----------------Eap
---------------------Configuration
---------------------Type
-----------------Certificate
---------------------Issuer
---------------------Eku
-------------CryptographySuite
-----------------AuthenticationTransformConstants
-----------------CipherTransformConstants
-----------------EncryptionMethod
-----------------IntegrityCheckMethod
-----------------DHGroup
-----------------PfsGroup
-------------L2tpPsk
-------------DisableClassBasedDefaultRoute
-------------PlumbIKEv2TSAsRoutes
+
+
+## Device/{ProfileName}
-./User/Vendor/MSFT
-VPNv2
-----ProfileName
---------AppTriggerList
-------------appTriggerRowId
-----------------App
---------------------Id
---------------------Type
---------RouteList
-------------routeRowId
-----------------Address
-----------------PrefixSize
-----------------Metric
-----------------ExclusionRoute
---------DomainNameInformationList
-------------dniRowId
-----------------DomainName
-----------------DomainNameType
-----------------DnsServers
-----------------WebProxyServers
-----------------AutoTrigger
-----------------Persistent
---------TrafficFilterList
-------------trafficFilterId
-----------------App
---------------------Id
---------------------Type
-----------------Claims
-----------------Protocol
-----------------LocalPortRanges
-----------------RemotePortRanges
-----------------LocalAddressRanges
-----------------RemoteAddressRanges
-----------------RoutingPolicyType
---------EdpModeId
---------RememberCredentials
---------AlwaysOn
---------DnsSuffix
---------ByPassForLocal
---------TrustedNetworkDetection
---------ProfileXML
---------Proxy
-------------Manual
-----------------Server
-------------AutoConfigUrl
---------APNBinding
-------------ProviderId
-------------AccessPointName
-------------UserName
-------------Password
-------------IsCompressionEnabled
-------------AuthenticationType
---------DeviceCompliance
-------------Enabled
-------------Sso
-----------------Enabled
-----------------IssuerHash
-----------------Eku
---------PluginProfile
-------------ServerUrlList
-------------CustomConfiguration
-------------PluginPackageFamilyName
-------------CustomStoreUrl
-------------WebAuth
-----------------Enabled
-----------------ClientId
---------NativeProfile
-------------Servers
-------------RoutingPolicyType
-------------NativeProtocolType
-------------Authentication
-----------------UserMethod
-----------------MachineMethod
-----------------Eap
---------------------Configuration
---------------------Type
-----------------Certificate
---------------------Issuer
---------------------Eku
-------------CryptographySuite
-----------------AuthenticationTransformConstants
-----------------CipherTransformConstants
-----------------EncryptionMethod
-----------------IntegrityCheckMethod
-----------------DHGroup
-----------------PfsGroup
-------------L2tpPsk
-------------DisableClassBasedDefaultRoute
-------------PlumbIKEv2TSAsRoutes
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-
-./Vendor/MSFT
-./User/Vendor/MSFT
-VPNv2
-----ProfileName
---------AppTriggerList
-------------appTriggerRowId
-----------------App
---------------------Id
---------------------Type
---------RouteList
-------------routeRowId
-----------------Address
-----------------PrefixSize
-----------------Metric
-----------------ExclusionRoute
---------DomainNameInformationList
-------------dniRowId
-----------------DomainName
-----------------DomainNameType
-----------------DnsServers
-----------------WebProxyServers
-----------------AutoTrigger
-----------------Persistent
---------TrafficFilterList
-------------trafficFilterId
-----------------App
---------------------Id
---------------------Type
-----------------Claims
-----------------Protocol
-----------------LocalPortRanges
-----------------RemotePortRanges
-----------------LocalAddressRanges
-----------------RemoteAddressRanges
-----------------RoutingPolicyType
-----------------Direction
---------EdpModeId
---------RememberCredentials
---------AlwaysOn
---------LockDown
---------DeviceTunnel
---------RegisterDNS
---------DnsSuffix
---------ByPassForLocal
---------TrustedNetworkDetection
---------ProfileXML
---------Proxy
-------------Manual
-----------------Server
-------------AutoConfigUrl
---------APNBinding
-------------ProviderId
-------------AccessPointName
-------------UserName
-------------Password
-------------IsCompressionEnabled
-------------AuthenticationType
---------DeviceCompliance
-------------Enabled
-------------Sso
-----------------Enabled
-----------------IssuerHash
-----------------Eku
---------PluginProfile
-------------ServerUrlList
-------------CustomConfiguration
-------------PluginPackageFamilyName
-------------CustomStoreUrl
-------------WebAuth
-----------------Enabled
-----------------ClientId
---------NativeProfile
-------------Servers
-------------RoutingPolicyType
-------------NativeProtocolType
-------------Authentication
-----------------UserMethod
-----------------MachineMethod
-----------------Eap
---------------------Configuration
---------------------Type
-----------------Certificate
---------------------Issuer
---------------------Eku
-------------CryptographySuite
-----------------AuthenticationTransformConstants
-----------------CipherTransformConstants
-----------------EncryptionMethod
-----------------IntegrityCheckMethod
-----------------DHGroup
-----------------PfsGroup
-------------L2tpPsk
-------------DisableClassBasedDefaultRoute
-------------PlumbIKEv2TSAsRoutes
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}
```
-**Device or User profile**
-For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path.
+
-**VPNv2/**ProfileName
-Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/).
+
+
+Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
+
-Supported operations include Get, Add, and Delete.
+
+
+
-> [!NOTE]
-> If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
+
+**Description framework properties**:
-**VPNv2/**ProfileName**/AppTriggerList**
-Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Atomic Required | True |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `^[^/]*$` |
+
-**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId
-A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers.
+
+
+
-Supported operations include Get, Add, Replace, and Delete.
+
-**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App**
-App Node under the Row ID.
+
+### Device/{ProfileName}/AlwaysOn
-**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Id**
-App identity, which is either an app’s package family name or file path. The type is inferred by the ID, and therefore can't be specified in the get only App/Type field
-**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Type**
-Returns the type of **App/Id**. This value can be either of the following values:
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-- PackageFamilyName - When this value is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application.
-- FilePath - When this value is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOn
+```
+
-Value type is chr. Supported operation is Get.
+
+
+An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.
+
-**VPNv2/**ProfileName**/RouteList/**
-Optional node. List of routes to be added to the routing table for the VPN interface. This information is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface.
+
+
+
-Every computer that runs TCP/IP makes routing decisions. These decisions are controlled by the IP routing table. Adding values under this node updates the routing table with routes for the VPN interface post connection. The values under this node represent the destination prefix of IP routes. A destination prefix consists of an IP address prefix and a prefix length.
+
+**Description framework properties**:
-Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and don't need this information in the VPN Profile. Check with your VPN server administrator to determine whether you need this information in the VPN profile.
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
-**VPNv2/**ProfileName**/RouteList/**routeRowId
+
+**Allowed values**:
-A sequential integer identifier for the RouteList. This value is required if you're adding routes. Sequencing must start at 0.
+| Value | Description |
+|:--|:--|
+| false (Default) | Always On is turned off. |
+| true | Always On is turned on. |
+
-Supported operations include Get, Add, Replace, and Delete.
+
+
+
-**VPNv2/**ProfileName**/RouteList/**routeRowId**/Address**
-Subnet address in IPv4/v6 address format which, along with the prefix, will be used to determine the destination prefix to send via the VPN Interface. This subnet address is the IP address part of the destination prefix.
+
-Supported operations include Get, Add, Replace, and Delete. Value type is chr. Example, `192.168.0.0`
+
+### Device/{ProfileName}/AlwaysOnActive
-**VPNv2/**ProfileName**/RouteList/**routeRowId**/PrefixSize**
-The subnet prefix size part of the destination prefix for the route entry. This subnet prefix, along with the address, will be used to determine the destination prefix to route through the VPN Interface.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-Value type is int. Supported operations include Get, Add, Replace, and Delete.
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOnActive
+```
+
-**VPNv2/**ProfileName**/RouteList/**routeRowId**/Metric**
-Added in Windows 10, version 1607. The route's metric.
+
+
+An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation.
+
-Value type is int. Supported operations include Get, Add, Replace, and Delete.
+
+
+
-**VPNv2/**ProfileName**/RouteList/**routeRowId**/ExclusionRoute**
-Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values:
+
+**Description framework properties**:
-- False (default) - This route will direct traffic over the VPN
-- True - This route will direct traffic over the physical interface.
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-Supported operations include Get, Add, Replace, and Delete.
+
+**Allowed values**:
-**VPNv2/**ProfileName**/DomainNameInformationList**
-Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.
+| Value | Description |
+|:--|:--|
+| 0 | Always On is inactive. |
+| 1 (Default) | Always On is activated on provisioning. |
+
-The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before name resolution queries are issued, the DNS client consults the NRPT to determine if any extra flags must be set in the query. After the response is received, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
+
+
+
+
+
+
+### Device/{ProfileName}/APNBinding
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/APNBinding/AccessPointName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AccessPointName
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/APNBinding/AuthenticationType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AuthenticationType
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/APNBinding/IsCompressionEnabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/IsCompressionEnabled
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/APNBinding/Password
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/Password
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/APNBinding/ProviderId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/ProviderId
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/APNBinding/UserName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/UserName
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/AppTriggerList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList
+```
+
+
+
+
+List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/AppTriggerList/{appTriggerRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}
+```
+
+
+
+
+A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App
+```
+
+
+
+
+App Node under the Row Id.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id
+```
+
+
+
+
+App Identity. Specified, based on the Type Field.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type
+```
+
+
+
+
+Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/ByPassForLocal
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/ByPassForLocal
+```
+
+
+
+
+False : Do not Bypass for Local traffic
+True : ByPass VPN Interface for Local Traffic
+
+Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/DataEncryption
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DataEncryption
+```
+
+
+
+
+Determines the level of data encryption required for the connection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | Require |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| None | No Data Encryption required. |
+| Require (Default) | Data Encryption required. |
+| Max | Maximum-strength Data Encryption required. |
+| Optional | Perform encryption if possible. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/DeviceCompliance
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance
+```
+
+
+
+
+Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/DeviceCompliance/Enabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Enabled
+```
+
+
+
+
+Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/DeviceCompliance/Sso
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso
+```
+
+
+
+
+Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/DeviceCompliance/Sso/Eku
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Eku
+```
+
+
+
+
+Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/DeviceCompliance/Sso/Enabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Enabled
+```
+
+
+
+
+If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/DeviceCompliance/Sso/IssuerHash
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/IssuerHash
+```
+
+
+
+
+Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/DeviceTunnel
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceTunnel
+```
+
+
+
+
+If turned on a device tunnel profile does four things.
+First, it automatically becomes an always on profile.
+Second, it does not require the presence or logging in of any user to the machine in order for it to connect.
+Third, no other Device Tunnel profile maybe be present on the same machine.
+A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | This is not a device tunnel profile. |
+| true | This is a device tunnel profile. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/DisableAdvancedOptionsEditButton
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableAdvancedOptionsEditButton
+```
+
+
+
+
+Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Advanced Options Edit Button is available. |
+| true | Advanced Options Edit Button is unavailable. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/DisableDisconnectButton
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableDisconnectButton
+```
+
+
+
+
+Optional. When this setting is True, the Disconnect button will not be visible for connected profiles.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Disconnect Button is visible. |
+| true | Disconnect Button is not visible. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/DisableIKEv2Fragmentation
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableIKEv2Fragmentation
+```
+
+
+
+
+Set to disable IKEv2 Fragmentation.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| true | IKEv2 Fragmentation will not be used. |
+| false (Default) | IKEv2 Fragmentation is used as normal. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/DnsSuffix
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DnsSuffix
+```
+
+
+
+
+Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/DomainNameInformationList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList
+```
+
+
+
+
+NRPT ([Name Resolution Policy Table](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593632(v=ws.11))) Rules for the VPN Profile.
+
+
+
+
> [!NOTE]
> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
+
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/DomainNameInformationList/{dniRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}
+```
+
+
+
+
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
-
-Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainName**
-Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:
-
-- FQDN - Fully qualified domain name
-- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend .**.** to the DNS suffix.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType**
-Returns the namespace type. This value can be one of the following values:
-
-- FQDN - If the DomainName wasn't prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host.
-- Suffix - If the DomainName was prepended with a**.** and applies to the specified namespace, all records in that namespace, and all subdomains.
-
-Value type is chr. Supported operation is Get.
-
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DnsServers**
-List of comma-separated DNS Server IP addresses to use for the namespace.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers**
-Optional. Web Proxy Server IP address if you're redirecting traffic through your intranet.
-
-> [!NOTE]
-> Currently only one web proxy server is supported.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/AutoTrigger**
-Added in Windows 10, version 1607. Optional. Boolean to determine whether this domain name rule will trigger the VPN.
-
-If set to False, this DomainName rule won't trigger the VPN.
-
-If set to True, this DomainName rule will trigger the VPN
-
-By default, this value is false.
-
-Value type is bool.
-
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/Persistent**
-Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN isn't connected. Value values:
-
-- False (default) - This DomainName rule will only be applied when VPN is connected.
-- True - This DomainName rule will always be present and applied.
-
-Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/TrafficFilterList**
-An optional node that specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface.
-
-> [!NOTE]
-> Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules.
-
-When multiple rules are being added, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId
-A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App**
-Per app VPN rule. This property will allow only the apps specified to be allowed over the VPN interface. Value type is chr.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Id**
-App identity for the app-based traffic filter.
-
-The value for this node can be one of the following values:
-
-- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
-- FilePath - This App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
-- SYSTEM – This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Type**
-Returns the type of ID of the **App/Id**.
-
-Value type is chr. Supported operation is Get.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Claims**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Protocol**
-Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.
-
-Value type is int. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalPortRanges**
-A list of comma-separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`.
-
-> [!NOTE]
-> Ports are only valid when the protocol is set to TCP=6 or UDP=17.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemotePortRanges**
-A list of comma-separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`.
-
-> [!NOTE]
-> Ports are only valid when the protocol is set to TCP=6 or UDP=17.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalAddressRanges**
-A list of comma-separated values specifying local IP address ranges to allow.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemoteAddressRanges**
-A list of comma-separated values specifying remote IP address ranges to allow.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RoutingPolicyType**
-Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following values:
-
-- SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
-- ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only.
-
-This property is only applicable for App ID-based Traffic Filter rules.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Direction**
-Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following values:
-
-- Outbound - The rule applies to all outbound traffic
-- Inbound - The rule applies to all inbound traffic
-
-If no inbound filter is provided, then by default all unsolicited inbound traffic will be blocked.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/EdpModeId**
-Enterprise ID, which is required for connecting this VPN profile with a Windows Information Protection policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
-
-Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the Windows Information Protection policies and App lists automatically takes effect.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/RememberCredentials**
-Boolean value (true or false) for caching credentials. Default is false, which means don't cache credentials. If set to true, credentials are cached whenever possible.
-
-Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/AlwaysOn**
-An optional flag to enable Always On mode. This flag will automatically connect the VPN at sign in and will stay connected until the user manually disconnects.
-
-> [!NOTE]
-> Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active.
-
-Preserving user Always On preference
-
-Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
-Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference.
-Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config`
-Value: AutoTriggerDisabledProfilesList
-Type: REG_MULTI_SZ
-
-
-Valid values:
-
-- False (default) - Always On is turned off.
-- True - Always On is turned on.
-
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DeviceTunnel** (./Device only profile)
-Device tunnel profile.
-
-Valid values:
-
-- False (default) - this profile isn't a device tunnel profile.
-- True - this profile is a device tunnel profile.
-
-When the DeviceTunnel profile is turned on, it does the following things:
-
-- First, it automatically becomes an "always on" profile.
-- Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect.
-- Third, no other device tunnel profile maybe is present on the same machine.-
-
-A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
-
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/RegisterDNS**
-Allows registration of the connection's address in DNS.
-
-Valid values:
-
-- False = Don't register the connection's address in DNS (default).
-- True = Register the connection's addresses in DNS.
-
-**VPNv2/**ProfileName**/DnsSuffix**
-Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/ByPassForLocal**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/TrustedNetworkDetection**
-Optional. Comma-separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/ProfileXML**
-Added in Windows 10, version 1607. The XML schema for provisioning all the fields of a VPN. For the XSD, see [ProfileXML XSD](vpnv2-profile-xsd.md).
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/Proxy**
-A collection of configuration objects to enable a post-connect proxy support for VPN Force Tunnel connections. The proxy defined for this profile is applied when this profile is active and connected.
-
-> [!NOTE]
-> VPN proxy settings are used only on Force Tunnel connections. On Split Tunnel connections, the general proxy settings are used.
-
-**VPNv2/**ProfileName**/Proxy/Manual**
-Optional node containing the manual server settings.
-
-**VPNv2/**ProfileName**/Proxy/Manual/Server**
-Optional. Proxy server address as a fully qualified hostname or an IP address. You should set this element together with Port. Example, proxy.contoso.com.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/Proxy/AutoConfigUrl**
-Optional. URL to automatically retrieve the proxy settings.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/APNBinding**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/APNBinding/ProviderId**
-Reserved for future use. Optional node.
-
-**VPNv2/**ProfileName**/APNBinding/AccessPointName**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/APNBinding/UserName**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/APNBinding/Password**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/APNBinding/IsCompressionEnabled**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/APNBinding/AuthenticationType**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/DeviceCompliance**
-Added in Windows 10, version 1607. Nodes under DeviceCompliance can be used to enable Azure Active Directory-based Conditional Access for VPN.
-
-**VPNv2/**ProfileName**/DeviceCompliance/Enabled**
-Added in Windows 10, version 1607. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory (AAD).
-
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DeviceCompliance/Sso**
-Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication if there's Device Compliance.
-
-**VPNv2/**ProfileName**/DeviceCompliance/Sso/Enabled**
-Added in Windows 10, version 1607. If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication.
-
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DeviceCompliance/Sso/IssuerHash**
-Added in Windows 10, version 1607. Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DeviceCompliance/Sso/Eku**
-Added in Windows 10, version 1607. Comma-Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/PluginProfile**
-Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
-
-**VPNv2/**ProfileName**/PluginProfile/ServerUrlList**
-Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/PluginProfile/CustomConfiguration**
-Optional. This property is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations and defaults.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/PluginProfile/PluginPackageFamilyName**
-Required for plug-in profiles. Package family name for the SSL-VPN plug-in.
-
-Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/PluginProfile/CustomStoreUrl**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/NativeProfile**
-Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP).
-
-**VPNv2/**ProfileName**/NativeProfile/Servers**
-Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.
-
-The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name.
-
-You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/NativeProfile/RoutingPolicyType**
-Optional for native profiles. Type of routing policy. This value can be one of the following values:
-
-- SplitTunnel - Traffic can go over any interface as determined by the networking stack.
-- ForceTunnel - All IP traffic must go over the VPN interface.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/NativeProfile/NativeProtocolType**
-Required for native profiles. Type of tunneling protocol used. This value can be one of the following values:
-
-- PPTP
-- L2TP
-- IKEv2
-- Automatic
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-> [!NOTE]
-> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order isn't customizable.
-
-**VPNv2/**ProfileName**/NativeProfile/Authentication**
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Domain Name information. Sequencing must start at 0. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger
+```
+
+
+
+
+Boolean to determine whether this domain name rule will trigger the VPN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | This DomainName rule will not trigger the VPN. |
+| true | This DomainName rule will trigger the VPN. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers
+```
+
+
+
+
+Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName
+```
+
+
+
+
+Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType
+```
+
+
+
+
+Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent
+```
+
+
+
+
+A boolean value that specifies if the rule being added should persist even when the VPN is not connected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | This DomainName rule will only be applied when VPN is connected. |
+| true | This DomainName rule will always be present and applied. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers
+```
+
+
+
+
+Web Proxy Server IP address if you are redirecting traffic through your intranet.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/EdpModeId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/EdpModeId
+```
+
+
+
+
+Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/IPv4InterfaceMetric
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/IPv4InterfaceMetric
+```
+
+
+
+
+The metric for the IPv4 interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-9999]` |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/IPv6InterfaceMetric
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/IPv6InterfaceMetric
+```
+
+
+
+
+The metric for the IPv6 interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-9999]` |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/NativeProfile
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile
+```
+
+
+
+
+Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/Authentication
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication
+```
+
+
+
+
Required node for native profile. It contains authentication information for the native VPN profile.
+
-**VPNv2/**ProfileName**/NativeProfile/Authentication/UserMethod**
-This value can be one of the following:
+
+
+
-- EAP
-- MSChapv2 (This method isn't supported for IKEv2)
+
+**Description framework properties**:
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-**VPNv2/**ProfileName**/NativeProfile/Authentication/MachineMethod**
-This is only supported in IKEv2.
+
+
+
-This value can be one of the following values:
+
-- Certificate
+
+##### Device/{ProfileName}/NativeProfile/Authentication/Certificate
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap**
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/Authentication/Eap
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap
+```
+
+
+
+
Required when the native profile specifies EAP authentication. EAP configuration XML.
+
-Supported operations include Get, Add, Replace, and Delete.
+
+
+
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Configuration**
-HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see [EAP configuration](eap-configuration.md).
+
+**Description framework properties**:
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Type**
+
+
+
+
+
+
+
+###### Device/{ProfileName}/NativeProfile/Authentication/Eap/Configuration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Configuration
+```
+
+
+
+
+HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see .
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/NativeProfile/Authentication/Eap/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Type
+```
+
+
+
+
+Required node for EAP profiles. This specifies the EAP Type ID
+13 = EAP-TLS
+26 = Ms-Chapv2
+27 = Peap.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/Authentication/MachineMethod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/MachineMethod
+```
+
+
+
+
+This is only supported in IKEv2.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| Certificate | Certificate. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/Authentication/UserMethod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/UserMethod
+```
+
+
+
+
+Type of user authentication.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| EAP | EAP. |
+| MSChapv2 | MSChapv2: This is not supported for IKEv2. |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/CryptographySuite
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite
+```
+
+
+
+
+Properties of IPSec tunnels.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants
+```
+
+
+
+
+Type of authentication transform constant.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| MD596 | MD596. |
+| SHA196 | SHA196. |
+| SHA256128 | SHA256128. |
+| GCMAES128 | GCMAES128. |
+| GCMAES192 | GCMAES192. |
+| GCMAES256 | GCMAES256. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants
+```
+
+
+
+
+Type of Cipher transform constant.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| DES | DES. |
+| DES3 | DES3. |
+| AES128 | AES128. |
+| AES192 | AES192. |
+| AES256 | AES256. |
+| GCMAES128 | GCMAES128. |
+| GCMAES192 | GCMAES192. |
+| GCMAES256 | GCMAES256. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
+```
+
+
+
+
+Group used for DH (Diffie-Hellman).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| None | None. |
+| Group1 | Group1. |
+| Group2 | Group2. |
+| Group14 | Group14. |
+| ECP256 | ECP256. |
+| ECP384 | ECP384. |
+| Group24 | Group24. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
+```
+
+
+
+
+Type of encryption method.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| DES | DES. |
+| DES3 | DES3. |
+| AES128 | AES128. |
+| AES192 | AES192. |
+| AES256 | AES256. |
+| AES_GCM_128 | AES_GCM_128. |
+| AES_GCM_256 | AES_GCM_256. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
+```
+
+
+
+
+Type of integrity check.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| MD5 | MD5. |
+| SHA196 | SHA196. |
+| SHA256 | SHA256. |
+| SHA384 | SHA384. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
+```
+
+
+
+
+Group used for PFS (Perfect Forward Secrecy).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| None | None. |
+| PFS1 | PFS1. |
+| PFS2 | PFS2. |
+| PFS2048 | PFS2048. |
+| ECP256 | ECP256. |
+| ECP384 | ECP384. |
+| PFSMM | PFSMM. |
+| PFS24 | PFS24. |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute
+```
+
+
+
+
+Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Enabled. |
+| true | Disabled. |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/L2tpPsk
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/L2tpPsk
+```
+
+
+
+
+The preshared key used for an L2TP connection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/NativeProtocolType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/NativeProtocolType
+```
+
+
+
+
+Required for native profiles. Type of tunneling protocol used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| PPTP | PPTP. |
+| L2TP | L2TP. |
+| IKEv2 | IKEv2. |
+| Automatic | Automatic. |
+| SSTP | SSTP. |
+| ProtocolList | ProtocolList. |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes
+```
+
+
+
+
+True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/ProtocolList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
+```
+
+
+
+
+List of inbox VPN protocols in priority order.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
+```
+
+
+
+
+Inbox VPN protocols type.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| Pptp | Pptp. |
+| L2tp | L2tp. |
+| Ikev2 | Ikev2. |
+| Sstp | Sstp. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
+```
+
+
+
+
+Default 168, max 500000.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/RoutingPolicyType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/RoutingPolicyType
+```
+
+
+
+
+Type of routing policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| SplitTunnel | Traffic can go over any interface as determined by the networking stack. |
+| ForceTunnel | All IP traffic must go over the VPN interface. |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/Servers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Servers
+```
+
+
+
+
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/NetworkOutageTime
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NetworkOutageTime
+```
+
+
+
+
+The amount of time in seconds the network is allowed to idle. 0 means no limit.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/PluginProfile
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile
+```
+
+
+
+
+Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/PluginProfile/CustomConfiguration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/CustomConfiguration
+```
+
+
+
+
+Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/PluginProfile/PluginPackageFamilyName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/PluginPackageFamilyName
+```
+
+
+
+
+Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/PluginProfile/ServerUrlList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/ServerUrlList
+```
+
+
+
+
+Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/PrivateNetwork
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/PrivateNetwork
+```
+
+
+
+
+Determines whether the VPN connection is public or private.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | VPN connection is public. |
+| true (Default) | VPN connection is private. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/ProfileXML
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML
+```
+
+
+
+
+The XML schema for provisioning all the fields of a VPN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | See [ProfileXML XSD Schema](#profilexml-xsd-schema) |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/Proxy
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy
+```
+
+
+
+
+A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/Proxy/AutoConfigUrl
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/AutoConfigUrl
+```
+
+
+
+
+Optional. Set a URL to automatically retrieve the proxy settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/Proxy/Manual
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual
+```
+
+
+
+
+Optional node containing the manual server settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/Proxy/Manual/Server
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual/Server
+```
+
+
+
+
+Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/RegisterDNS
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RegisterDNS
+```
+
+
+
+
+Allows registration of the connection's address in DNS.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not register the connection's address in DNS. |
+| true | Register the connection's addresses in DNS. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/RememberCredentials
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RememberCredentials
+```
+
+
+
+
+Boolean value (true or false) for caching credentials.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not cache credentials. |
+| true | Credentials are cached whenever possible. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/RouteList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList
+```
+
+
+
+
+List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/RouteList/{routeRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}
+```
+
+
+
+
+A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/RouteList/{routeRowId}/Address
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Address
+```
+
+
+
+
+Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
+```
+
+
+
+
+A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | This route will direct traffic over the VPN. |
+| true | This route will direct traffic over the physical interface. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/RouteList/{routeRowId}/Metric
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Metric
+```
+
+
+
+
+The route's metric.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/RouteList/{routeRowId}/PrefixSize
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/PrefixSize
+```
+
+
+
+
+The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/TrafficFilterList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList
+```
+
+
+
+
+A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+
+
+
+
+> [!NOTE]
+> Once a TrafficFilterList is added, all traffic is blocked other than the ones matching the rules.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}
+```
+
+
+
+
+A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
+```
+
+
+
+
+Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
+```
+
+
+
+
+App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
+```
+
+
+
+
+Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
+```
+
+
+
+
+Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
+```
+
+
+
+
+Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default.
+Inbound - The traffic filter allows traffic coming from external locations matching this rule.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
+```
+
+
+
+
+A list of comma separated values specifying local IP address ranges to allow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
+```
+
+
+
+
+Comma Separated list of ranges for eg. 100-120,200,300-320.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^[\d]*$` |
+| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
Dependency Allowed Value: `[6,17]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
+```
+
+
+
+
+0-255 number representing the ip protocol (TCP = 6, UDP = 17).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-255]` |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
+```
+
+
+
+
+A list of comma separated values specifying remote IP address ranges to allow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
+```
+
+
+
+
+A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^[\d]*$` |
+| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
Dependency Allowed Value: `[6,17]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
+```
+
+
+
+
+Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| SplitTunnel | For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. |
+| ForceTunnel | For this traffic rule all IP traffic must go through the VPN Interface only. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/TrustedNetworkDetection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrustedNetworkDetection
+```
+
+
+
+
+Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | `,` |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/UseRasCredentials
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/UseRasCredentials
+```
+
+
+
+
+Determines whether the credential manager will save ras credentials after a connection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Ras Credentials are not saved. |
+| true (Default) | Ras Credentials are saved. |
+
+
+
+
+
+
+
+
+
+## User/{ProfileName}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}
+```
+
+
+
+
+Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Atomic Required | True |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `^[^/]*$` |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/AlwaysOn
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOn
+```
+
+
+
+
+An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Always On is turned off. |
+| true | Always On is turned on. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/AlwaysOnActive
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOnActive
+```
+
+
+
+
+An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Always On is inactive. |
+| 1 (Default) | Always On is activated on provisioning. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/APNBinding
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding
+```
+
+
+
+
Reserved for future use.
+
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate**
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/APNBinding/AccessPointName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AccessPointName
+```
+
+
+
+
Reserved for future use.
+
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Issuer**
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/APNBinding/AuthenticationType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AuthenticationType
+```
+
+
+
+
Reserved for future use.
+
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Eku**
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/APNBinding/IsCompressionEnabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/IsCompressionEnabled
+```
+
+
+
+
Reserved for future use.
+
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite**
-Added in Windows 10, version 1607. Properties of IPSec tunnels.
+
+
+
-[!NOTE] If you specify any of the properties under CryptographySuite, you must specify all of them. It's not valid to specify just some of the properties.
+
+**Description framework properties**:
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/AuthenticationTransformConstants**
-Added in Windows 10, version 1607.
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
-The following list contains the valid values:
+
+
+
-- MD596
-- SHA196
-- SHA256128
-- GCMAES128
-- GCMAES192
-- GCMAES256
+
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+#### User/{ProfileName}/APNBinding/Password
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/CipherTransformConstants**
-Added in Windows 10, version 1607.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-The following list contains the valid values:
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/Password
+```
+
-- DES
-- DES3
-- AES128
-- AES192
-- AES256
-- GCMAES128
-- GCMAES192
-- GCMAES256
+
+
+Reserved for future use.
+
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+
+
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/EncryptionMethod**
-Added in Windows 10, version 1607.
+
+**Description framework properties**:
-The following list contains the valid values:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-- DES
-- DES3
-- AES128
-- AES192
-- AES256
-- AES\_GCM_128
-- AES\_GCM_256
+
+
+
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/IntegrityCheckMethod**
-Added in Windows 10, version 1607.
+
+#### User/{ProfileName}/APNBinding/ProviderId
-The following list contains the valid values:
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-- MD5
-- SHA196
-- SHA256
-- SHA384
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/ProviderId
+```
+
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+
+Reserved for future use.
+
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/DHGroup**
-Added in Windows 10, version 1607.
+
+
+
-The following list contains the valid values:
+
+**Description framework properties**:
-- Group1
-- Group2
-- Group14
-- ECP256
-- ECP384
-- Group24
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+
+
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/PfsGroup**
-Added in Windows 10, version 1607.
+
-The following list contains the valid values:
+
+#### User/{ProfileName}/APNBinding/UserName
-- PFS1
-- PFS2
-- PFS2048
-- ECP256
-- ECP384
-- PFSMM
-- PFS24
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/UserName
+```
+
-**VPNv2/**ProfileName**/NativeProfile/L2tpPsk**
-Added in Windows 10, version 1607. The preshared key used for an L2TP connection.
+
+
+Reserved for future use.
+
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+
+
-**VPNv2/**ProfileName**/NativeProfile/DisableClassBasedDefaultRoute**
-Added in Windows 10, version 1607. Specifies the class-based default routes. For example, if the interface IP begins with 10, it assumes a class an IP and pushes the route to 10.0.0.0/8
+
+**Description framework properties**:
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-**VPNv2/**ProfileName**/NativeProfile/PlumbIKEv2TSAsRoutes**
-Determines whether plumbing IPSec traffic selectors as routes onto VPN interface is enabled.
+
+
+
-If set to False, plumbing traffic selectors as routes is disabled.
+
-If set to True, plumbing traffic selectors as routes is enabled.
+
+### User/{ProfileName}/AppTriggerList
-By default, this value is set to False.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList
+```
+
+
+
+
+List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/AppTriggerList/{appTriggerRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}
+```
+
+
+
+
+A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App
+```
+
+
+
+
+App Node under the Row Id.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id
+```
+
+
+
+
+App Identity. Specified, based on the Type Field.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type
+```
+
+
+
+
+Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/ByPassForLocal
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/ByPassForLocal
+```
+
+
+
+
+False : Do not Bypass for Local traffic
+True : ByPass VPN Interface for Local Traffic
+
+Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/DataEncryption
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DataEncryption
+```
+
+
+
+
+Determines the level of data encryption required for the connection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | Require |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| None | No Data Encryption required. |
+| Require (Default) | Data Encryption required. |
+| Max | Maximum-strength Data Encryption required. |
+| Optional | Perform encryption if possible. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/DeviceCompliance
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance
+```
+
+
+
+
+Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/DeviceCompliance/Enabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Enabled
+```
+
+
+
+
+Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/DeviceCompliance/Sso
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso
+```
+
+
+
+
+Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/DeviceCompliance/Sso/Eku
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Eku
+```
+
+
+
+
+Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/DeviceCompliance/Sso/Enabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Enabled
+```
+
+
+
+
+If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/DeviceCompliance/Sso/IssuerHash
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/IssuerHash
+```
+
+
+
+
+Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/DisableAdvancedOptionsEditButton
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableAdvancedOptionsEditButton
+```
+
+
+
+
+Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Advanced Options Edit Button is available. |
+| true | Advanced Options Edit Button is unavailable. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/DisableDisconnectButton
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableDisconnectButton
+```
+
+
+
+
+Optional. When this setting is True, the Disconnect button will not be visible for connected profiles.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Disconnect Button is visible. |
+| true | Disconnect Button is not visible. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/DisableIKEv2Fragmentation
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableIKEv2Fragmentation
+```
+
+
+
+
+Set to disable IKEv2 Fragmentation.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| true | IKEv2 Fragmentation will not be used. |
+| false (Default) | IKEv2 Fragmentation is used as normal. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/DnsSuffix
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DnsSuffix
+```
+
+
+
+
+Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/DomainNameInformationList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList
+```
+
+
+
+
+NRPT ([Name Resolution Policy Table](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593632(v=ws.11))) Rules for the VPN Profile.
+
+
+
+
+> [!NOTE]
+> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/DomainNameInformationList/{dniRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}
+```
+
+
+
+
+A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Domain Name information. Sequencing must start at 0. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger
+```
+
+
+
+
+Boolean to determine whether this domain name rule will trigger the VPN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | This DomainName rule will not trigger the VPN. |
+| true | This DomainName rule will trigger the VPN. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers
+```
+
+
+
+
+Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName
+```
+
+
+
+
+Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType
+```
+
+
+
+
+Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent
+```
+
+
+
+
+A boolean value that specifies if the rule being added should persist even when the VPN is not connected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | This DomainName rule will only be applied when VPN is connected. |
+| true | This DomainName rule will always be present and applied. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers
+```
+
+
+
+
+Web Proxy Server IP address if you are redirecting traffic through your intranet.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/EdpModeId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/EdpModeId
+```
+
+
+
+
+Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/IPv4InterfaceMetric
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/IPv4InterfaceMetric
+```
+
+
+
+
+The metric for the IPv4 interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-9999]` |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/IPv6InterfaceMetric
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/IPv6InterfaceMetric
+```
+
+
+
+
+The metric for the IPv6 interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-9999]` |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/NativeProfile
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile
+```
+
+
+
+
+InboxNodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/Authentication
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication
+```
+
+
+
+
+Required node for native profile. It contains authentication information for the native VPN profile.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/Authentication/Certificate
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer
+```
+
+
+
+
+Reserved for future use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/Authentication/Eap
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap
+```
+
+
+
+
+Required when the native profile specifies EAP authentication. EAP configuration XML.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/NativeProfile/Authentication/Eap/Configuration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Configuration
+```
+
+
+
+
+HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see .
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/NativeProfile/Authentication/Eap/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Type
+```
+
+
+
+
+Required node for EAP profiles. This specifies the EAP Type ID
+13 = EAP-TLS
+26 = Ms-Chapv2
+27 = Peap.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/Authentication/MachineMethod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/MachineMethod
+```
+
+
+
+
+This is only supported in IKEv2.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| Certificate | Certificate. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/Authentication/UserMethod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/UserMethod
+```
+
+
+
+
+This value can be one of the following: EAP or MSChapv2 (This is not supported for IKEv2).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| EAP | EAP. |
+| MSChapv2 | MSChapv2: This is not supported for IKEv2. |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/CryptographySuite
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite
+```
+
+
+
+
+Properties of IPSec tunnels.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants
+```
+
+
+
+
+Type of authentication transform constant.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| MD596 | MD596. |
+| SHA196 | SHA196. |
+| SHA256128 | SHA256128. |
+| GCMAES128 | GCMAES128. |
+| GCMAES192 | GCMAES192. |
+| GCMAES256 | GCMAES256. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants
+```
+
+
+
+
+Type of Cipher transform constant.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| DES | DES. |
+| DES3 | DES3. |
+| AES128 | AES128. |
+| AES192 | AES192. |
+| AES256 | AES256. |
+| GCMAES128 | GCMAES128. |
+| GCMAES192 | GCMAES192. |
+| GCMAES256 | GCMAES256. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
+```
+
+
+
+
+Group used for DH (Diffie-Hellman).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| None | None. |
+| Group1 | Group1. |
+| Group2 | Group2. |
+| Group14 | Group14. |
+| ECP256 | ECP256. |
+| ECP384 | ECP384. |
+| Group24 | Group24. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
+```
+
+
+
+
+Type of encryption method.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| DES | DES. |
+| DES3 | DES3. |
+| AES128 | AES128. |
+| AES192 | AES192. |
+| AES256 | AES256. |
+| AES_GCM_128 | AES_GCM_128. |
+| AES_GCM_256 | AES_GCM_256. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
+```
+
+
+
+
+Type of integrity check.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| MD5 | MD5. |
+| SHA196 | SHA196. |
+| SHA256 | SHA256. |
+| SHA384 | SHA384. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
+```
+
+
+
+
+Group used for PFS (Perfect Forward Secrecy).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| None | None. |
+| PFS1 | PFS1. |
+| PFS2 | PFS2. |
+| PFS2048 | PFS2048. |
+| ECP256 | ECP256. |
+| ECP384 | ECP384. |
+| PFSMM | PFSMM. |
+| PFS24 | PFS24. |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute
+```
+
+
+
+
+Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Enabled. |
+| true | Disabled. |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/L2tpPsk
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/L2tpPsk
+```
+
+
+
+
+The preshared key used for an L2TP connection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/NativeProtocolType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/NativeProtocolType
+```
+
+
+
+
+Required for native profiles. Type of tunneling protocol used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| PPTP | PPTP. |
+| L2TP | L2TP. |
+| IKEv2 | IKEv2. |
+| Automatic | Automatic. |
+| SSTP | SSTP. |
+| ProtocolList | ProtocolList. |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes
+```
+
+
+
+
+True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/ProtocolList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
+```
+
+
+
+
+List of inbox VPN protocols in priority order.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
+```
+
+
+
+
+Inbox VPN protocols type.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| Pptp | Pptp. |
+| L2tp | L2tp. |
+| Ikev2 | Ikev2. |
+| Sstp | Sstp. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
+```
+
+
+
+
+Default 168, max 500000.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/RoutingPolicyType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/RoutingPolicyType
+```
+
+
+
+
+Type of routing policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| SplitTunnel | Traffic can go over any interface as determined by the networking stack. |
+| ForceTunnel | All IP traffic must go over the VPN interface. |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/Servers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Servers
+```
+
+
+
+
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/NetworkOutageTime
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NetworkOutageTime
+```
+
+
+
+
+The amount of time in seconds the network is allowed to idle. 0 means no limit.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/PluginProfile
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile
+```
+
+
+
+
+Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/PluginProfile/CustomConfiguration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/CustomConfiguration
+```
+
+
+
+
+Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/PluginProfile/PluginPackageFamilyName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/PluginPackageFamilyName
+```
+
+
+
+
+Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/PluginProfile/ServerUrlList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/ServerUrlList
+```
+
+
+
+
+Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/PrivateNetwork
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/PrivateNetwork
+```
+
+
+
+
+Determines whether the VPN connection is public or private.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | VPN connection is public. |
+| true (Default) | VPN connection is private. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/ProfileXML
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML
+```
+
+
+
+
+The XML schema for provisioning all the fields of a VPN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | See [ProfileXML XSD Schema](#profilexml-xsd-schema) |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/Proxy
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy
+```
+
+
+
+
+A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/Proxy/AutoConfigUrl
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/AutoConfigUrl
+```
+
+
+
+
+Optional. Set a URL to automatically retrieve the proxy settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/Proxy/Manual
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual
+```
+
+
+
+
+Optional node containing the manual server settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/Proxy/Manual/Server
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual/Server
+```
+
+
+
+
+Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/RegisterDNS
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RegisterDNS
+```
+
+
+
+
+Allows registration of the connection's address in DNS.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not register the connection's address in DNS. |
+| true | Register the connection's addresses in DNS. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/RememberCredentials
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RememberCredentials
+```
+
+
+
+
+Boolean value (true or false) for caching credentials.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not cache credentials. |
+| true | Credentials are cached whenever possible. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/RequireVpnClientAppUI
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.19628] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RequireVpnClientAppUI
+```
+
+
+
+
+Applicable only to AppContainer profiles.
+
+False : Do not show profile in Settings UI.
+True : Show profile in Settings UI.
+
+Optional. This node is only relevant for AppContainer profiles (i.e. using the VpnManagementAgent::AddProfileFromXmlAsync method).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/RouteList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList
+```
+
+
+
+
+List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/RouteList/{routeRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}
+```
+
+
+
+
+A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/RouteList/{routeRowId}/Address
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Address
+```
+
+
+
+
+Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
+```
+
+
+
+
+A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | This route will direct traffic over the VPN. |
+| true | This route will direct traffic over the physical interface. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/RouteList/{routeRowId}/Metric
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Metric
+```
+
+
+
+
+The route's metric.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/RouteList/{routeRowId}/PrefixSize
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/PrefixSize
+```
+
+
+
+
+The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/TrafficFilterList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList
+```
+
+
+
+
+A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+
+
+
+
+> [!NOTE]
+> Once a TrafficFilterList is added, all traffic is blocked other than the ones matching the rules.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/TrafficFilterList/{trafficFilterId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}
+```
+
+
+
+
+A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
+```
+
+
+
+
+Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
+```
+
+
+
+
+App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
+```
+
+
+
+
+Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
+```
+
+
+
+
+Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
+```
+
+
+
+
+Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default.
+Inbound - The traffic filter allows traffic coming from external locations matching this rule.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
+```
+
+
+
+
+A list of comma separated values specifying local IP address ranges to allow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
+```
+
+
+
+
+Comma Separated list of ranges for eg. 100-120,200,300-320.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^[\d]*$` |
+| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
Dependency Allowed Value: `[6,17]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
+```
+
+
+
+
+0-255 number representing the ip protocol (TCP = 6, UDP = 17).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-255]` |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
+```
+
+
+
+
+A list of comma separated values specifying remote IP address ranges to allow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
+```
+
+
+
+
+A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^[\d]*$` |
+| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
Dependency Allowed Value: `[6,17]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
+```
+
+
+
+
+Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| SplitTunnel | For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. |
+| ForceTunnel | For this traffic rule all IP traffic must go through the VPN Interface only. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/TrustedNetworkDetection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrustedNetworkDetection
+```
+
+
+
+
+Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | `,` |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/UseRasCredentials
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/UseRasCredentials
+```
+
+
+
+
+Determines whether the credential manager will save ras credentials after a connection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Ras Credentials are not saved. |
+| true (Default) | Ras Credentials are saved. |
+
+
+
+
+
+
+
+
+
+
+# ProfileXML XSD Schema
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
## Examples
-
Profile example
```xml
@@ -1190,7 +9273,7 @@ Persistent
TrafficFilterLIst App
```xml
- Desktop App
+
10013
-
@@ -1200,7 +9283,7 @@ TrafficFilterLIst App
%ProgramFiles%\Internet Explorer\iexplore.exe
- Store App
+
10014
-
@@ -1210,7 +9293,7 @@ TrafficFilterLIst App
Microsoft.MicrosoftEdge_8wekyb3d8bbwe
- SYSTEM
+
10015
-
@@ -1225,7 +9308,7 @@ TrafficFilterLIst App
Protocol, LocalPortRanges, RemotePortRanges, LocalAddressRanges, RemoteAddressRanges, RoutingPolicyType, EDPModeId, RememberCredentials, AlwaysOn, Lockdown, DnsSuffix, TrustedNetworkDetection
```xml
-Protocol
+
$CmdID$
-
@@ -1238,7 +9321,7 @@ Protocol
6
- LocalPortRanges
+
$CmdID$
-
@@ -1248,8 +9331,7 @@ Protocol
10,20-50,100-200
-
- RemotePortRanges
+
$CmdID$
-
@@ -1259,8 +9341,7 @@ Protocol
20-50,100-200,300
-
- LocalAddressRanges
+
$CmdID$
-
@@ -1270,8 +9351,7 @@ Protocol
3.3.3.3/32,1.1.1.1-2.2.2.2
-
- RemoteAddressRanges
+
$CmdID$
-
@@ -1281,9 +9361,8 @@ Protocol
30.30.0.0/16,10.10.10.10-20.20.20.20
-
- RoutingPolicyType
-
+
+
$CmdID$
-
@@ -1292,20 +9371,18 @@ Protocol
ForceTunnel
-
- EDPModeId
-
- $CmdID$
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID
-
- corp.contoso.com
-
-
-
- RememberCredentials
-
+
+
+ $CmdID$
+ -
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID
+
+ corp.contoso.com
+
+
+
+
$CmdID$
-
@@ -1317,8 +9394,7 @@ Protocol
true
-
- AlwaysOn
+
$CmdID$
-
@@ -1331,9 +9407,8 @@ Protocol
true
-
- Lockdown
-
+
+
$CmdID$
-
@@ -1345,8 +9420,7 @@ Protocol
true
-
- DnsSuffix
+
$CmdID$
-
@@ -1356,8 +9430,7 @@ Protocol
Adatum.com
-
- TrustedNetworkDetection
+
$CmdID$
@@ -1373,7 +9446,7 @@ Protocol
Proxy - Manual or AutoConfigUrl
```xml
-Manual
+
$CmdID$
-
@@ -1383,8 +9456,7 @@ Manual
192.168.0.100:8888
-
- AutoConfigUrl
+
$CmdID$
-
@@ -1399,47 +9471,47 @@ Manual
Device Compliance - Sso
```xml
- Enabled
-
- 10011
-
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled
-
-
- bool
-
- true
-
-
+
+
+ 10011
+ -
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled
+
+
+ bool
+
+ true
+
+
- IssuerHash
-
- 10011
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash
-
- ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee
-
-
+
+
+ 10011
+ -
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash
+
+ ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee
+
+
- Eku
-
- 10011
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU
-
- 1.3.6.1.5.5.7.3.2
-
-
+
+
+ 10011
+ -
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU
+
+ 1.3.6.1.5.5.7.3.2
+
+
```
PluginProfile
```xml
-PluginPackageFamilyName
+
10001
@@ -1477,8 +9549,8 @@ PluginPackageFamilyName
NativeProfile
```xml
-Servers
-
+
+
10001
-
@@ -1488,7 +9560,7 @@ Servers
- RoutingPolicyType
+
10007
-
@@ -1499,7 +9571,7 @@ Servers
- NativeProtocolType
+
10002
@@ -1511,8 +9583,8 @@ Servers
- Authentication
- UserMethod
+
+
10003
@@ -1524,7 +9596,7 @@ Servers
- MachineMethod
+
10004
@@ -1536,7 +9608,7 @@ Servers
- CryptographySuite
+
10004
-
@@ -1592,7 +9664,7 @@ Servers
- DisableClassBasedDefaultRoute
+
10011
-
@@ -1605,12 +9677,10 @@ Servers
```
+
-## See also
-
-[Configuration service provider reference](index.yml)
-
-
-
+
+## Related articles
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index 66de42bf56..294b7c1f32 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -1,4465 +1,2259 @@
---
title: VPNv2 DDF file
-description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider.
-ms.reviewer: pesmith
+description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
+author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 02/27/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 10/30/2020
+ms.topic: reference
---
+
+
# VPNv2 DDF file
-
-This topic shows the OMA DM device description framework (DDF) for the **VPNv2** configuration service provider.
-
-Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md).
-
-The XML below is for Windows 10, version 2004.
+The following XML file contains the device description framework (DDF) for the VPNv2 configuration service provider.
```xml
-
-]>
+]>
- 1.2
+ 1.2
+
+
+
+ VPNv2
+ ./User/Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.10586
+ 1.0
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;
+
+
- VPNv2
- ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+ Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
+
+
+
+
+
+
+
+
+
+ ProfileName
+
+
+
+
+
+
+
+ ^[^/]*$
+
+
+
+
+ AppTriggerList
-
-
-
-
-
-
-
-
-
-
-
-
-
- com.microsoft/1.3/MDM/VPNv2
-
+
+
+
+ List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect.
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+ A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
+
+
+
+
+
+
+
+
+
+ appTriggerRowId
+
+
+
+
+ A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
+
+
+
+ App
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ProfileName
-
-
-
+
+
+
+ App Node under the Row Id.
+
+
+
+
+
+
+
+
+
+
+
+
- AppTriggerList
-
-
-
-
- List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- appTriggerRowId
-
-
-
-
-
- App
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Id
-
-
-
-
-
-
-
- App Identity. Specified, based on the Type Field..
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Type
-
-
-
-
-
- PackageFamilyName
- FQBN
- FilePath
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
+ Id
+
+
+
+
+
+
+
+ App Identity. Specified, based on the Type Field.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
- RouteList
-
-
-
-
- List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- routeRowId
-
-
-
-
-
- Address
-
-
-
-
-
-
-
- Subnet address
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PrefixSize
-
-
-
-
-
-
-
- Subnet Prefix
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Metric
-
-
-
-
-
-
-
- The route's metric.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExclusionRoute
-
-
-
-
-
-
-
-
- False = This Route will direct traffic over the VPN
- True = This Route will direct traffic over the physical interface
- By default, this value is false.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
+ Type
+
+
+
+
+ Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RouteList
+
+
+
+
+ List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
+
+
+
+
+
+
+
+
+
+ routeRowId
+
+
+
+
+ A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
+
+
+
+ Address
+
+
+
+
+
+
+
+ Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PrefixSize
+
+
+
+
+
+
+
+ The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [0-4294967295]
+
+
+
+
+ Metric
+
+
+
+
+
+
+
+ The route's metric.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+
+
+
+ ExclusionRoute
+
+
+
+
+
+
+
+ false
+ A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+ false
+ This route will direct traffic over the VPN.
+
+
+ true
+ This route will direct traffic over the physical interface.
+
+
+
+
+
+
+
+ DomainNameInformationList
+
+
+
+
+ NRPT (Name Resolution Policy Table) Rules for the VPN Profile.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
+
+
+
+
+
+
+
+
+
+ dniRowId
+
+
+
+
+ A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
+
+
+
+ DomainName
+
+
+
+
+
+
+
+ Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DomainNameType
+
+
+
+
+ Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DnsServers
+
+
+
+
+
+
+
+ Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ WebProxyServers
+
+
+
+
+
+
+
+ Web Proxy Server IP address if you are redirecting traffic through your intranet.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AutoTrigger
+
+
+
+
+
+
+
+ false
+ Boolean to determine whether this domain name rule will trigger the VPN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+ false
+ This DomainName rule will not trigger the VPN.
+
+
+ true
+ This DomainName rule will trigger the VPN.
+
+
+
+
+
+ Persistent
+
+
+
+
+
+
+
+ false
+ A boolean value that specifies if the rule being added should persist even when the VPN is not connected.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+ false
+ This DomainName rule will only be applied when VPN is connected.
+
+
+ true
+ This DomainName rule will always be present and applied.
+
+
+
+
+
+
+
+ TrafficFilterList
+
+
+
+
+ A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
+
+
+
+
+
+
+
+
+
+ trafficFilterId
+
+
+
+
+ A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
+
+
+
+ App
+
+
+
+
+ Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Id
+
+
+
+
+
+
+
+ App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
- DomainNameInformationList
-
-
-
-
- NRPT (Name Resolution Policy Table) Rules for the VPN Profile
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- dniRowId
-
-
-
-
-
- DomainName
-
-
-
-
-
-
-
- Value based on the DomainNameType field
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DomainNameType
-
-
-
-
-
- a. FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain.
-
- b. Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains.
-
- c. Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here.
-
- d. Any: Use this if the policy applies to all.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DnsServers
-
-
-
-
-
-
-
- Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- WebProxyServers
-
-
-
-
-
-
-
- [Optional] If you are redirecting traffic through your intranet Web proxy servers, add the webproxyserver (Singular)
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AutoTrigger
-
-
-
-
-
-
-
-
- False = This DomainName Rule will not trigger the VPN
- True = This DomainName Rule will trigger the VPN
- By default, this value is false.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Persistent
-
-
-
-
-
-
-
-
- False = This DomainName Rule will only be plumbed when the VPN is connected
- True = This DomainName Rule will always be plumbed.
- By default, this value is false.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
+ Type
+
+
+
+
+ Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System.
+
+
+
+
+
+
+
+
+
+
+
+
+
-
- TrafficFilterList
-
-
-
-
-
- A list of rules allowing traffic over the VPN Interface.
-
- Each Rule ID is ORed.
- Within each rule ID each Filter type is AND'ed
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- trafficFilterId
-
-
-
-
-
- App
-
-
-
-
- Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Id
-
-
-
-
-
-
-
- App Identity. Specified, based on the Type Field..
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Type
-
-
-
-
-
- PackageFamilyName
- FQBN
- FilePath
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Claims
-
-
-
-
-
-
-
- Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Protocol
-
-
-
-
-
-
-
-
- 0-255 number representing the ip protocol (TCP = 6, UDP = 17)
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LocalPortRanges
-
-
-
-
-
-
-
-
- Comma Separated list of ranges for eg.
- 100-120,200,300-320
-
-
-
-
-
-
-
-
-
-
- LocalPortRanges
-
- text/plain
-
-
-
-
- RemotePortRanges
-
-
-
-
-
-
-
-
- Comma Separated list of ranges for eg.
- 100-120,200,300-320
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LocalAddressRanges
-
-
-
-
-
-
-
- Comma Separated list of IP ranges
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RemoteAddressRanges
-
-
-
-
-
-
-
- Comma Separated list of IP ranges
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RoutingPolicyType
-
-
-
-
-
-
-
-
- SplitTunnel - For this Rule, you are allowed to go over the VPN as well as the Internet. Other traffic may not go over the VPN Interface.
- ForceTunnel - All Traffic matching this rule must go over only the VPN Interface.
-
- Only Applicable for App and Claims type.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Direction
-
-
-
-
-
-
-
-
+
+
+ Claims
+
+
+
+
+
+
+
+ Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Protocol
+
+
+
+
+
+
+
+ 0-255 number representing the ip protocol (TCP = 6, UDP = 17).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [0-255]
+
+
+
+
+ LocalPortRanges
+
+
+
+
+
+
+
+ Comma Separated list of ranges for eg. 100-120,200,300-320.
+
+
+
+
+
+
+
+
+
+ LocalPortRanges
+
+
+
+
+ ^[\d]*$
+
+
+
+
+ Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol
+
+ [6,17]
+
+
+
+
+
+
+
+ RemotePortRanges
+
+
+
+
+
+
+
+ A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ^[\d]*$
+
+
+
+
+ Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol
+
+ [6,17]
+
+
+
+
+
+
+
+ LocalAddressRanges
+
+
+
+
+
+
+
+ A list of comma separated values specifying local IP address ranges to allow.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RemoteAddressRanges
+
+
+
+
+
+
+
+ A list of comma separated values specifying remote IP address ranges to allow.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RoutingPolicyType
+
+
+
+
+
+
+
+ Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SplitTunnel
+ For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
+
+
+ ForceTunnel
+ For this traffic rule all IP traffic must go through the VPN Interface only.
+
+
+
+
+
+ Direction
+
+
+
+
+
+
+
+
Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default.
Inbound - The traffic filter allows traffic coming from external locations matching this rule.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- EdpModeId
-
-
-
-
-
-
-
-
- Enterprise ID for the EDP Policy that this VPN Profile is supposed to interace with.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RememberCredentials
-
-
-
-
-
-
-
-
- False = Remember credentials is turned off
- True = Remember credentials is turned on
- If True, Credentials will be cached wherever applicable.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AlwaysOn
-
-
-
-
-
-
-
-
- False = Always on in not turned On
- True = Always is on is turned on
-
- Note: Always On will work only for the active profile.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LockDown
-
-
-
-
-
-
-
-
- False = This is not a LockDown profile.
- True = This is a LockDown profile.
-
- If turned on a lockdown profile does four things.
- First, it automatically becomes an always on profile.
- Second, it can never be disconnected.
- Third, if the profile is not connected, then the user
- has no network connectivity.
- Fourth, no other profiles may be connected or modified.
-
- A lockdown profile must be deleted before any other
- profiles can be added, removed, or connected.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DeviceTunnel
-
-
-
-
-
-
-
-
- False = This is not a Device Tunnel profile and it is the default value.
- True = This is a Device Tunnel profile.
-
- If turned on a device tunnel profile does four things.
- First, it automatically becomes an always on profile.
- Second, it does not require the presence or logging in
- of any user to the machine in order for it to connect.
- Third, no other Device Tunnel profile maybe be present on the
- Same machine.
-
- A device tunnel profile must be deleted before another device tunnel
- profile can be added, removed, or connected.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RegisterDNS
-
-
-
-
-
-
-
-
- False = Do not register the connection's address in DNS (default).
- True = Register the connection's addresses in DNS.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DnsSuffix
-
-
-
-
-
-
-
- Connection Specific DNS Suffix. for eg. corp.contoso.com
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ByPassForLocal
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.19041
+ 1.3
+
+
+
+
+
+
+ EdpModeId
+
+
+
+
+
+
+
+ Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RememberCredentials
+
+
+
+
+
+
+
+ false
+ Boolean value (true or false) for caching credentials.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Do not cache credentials.
+
+
+ true
+ Credentials are cached whenever possible.
+
+
+
+
+
+ AlwaysOn
+
+
+
+
+
+
+
+ false
+ An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Always On is turned off.
+
+
+ true
+ Always On is turned on.
+
+
+
+
+
+ AlwaysOnActive
+
+
+
+
+
+
+
+ 1
+ An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Always On is inactive.
+
+
+ 1
+ Always On is activated on provisioning.
+
+
+
+
+
+ RegisterDNS
+
+
+
+
+
+
+
+ false
+ Allows registration of the connection's address in DNS.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.16299
+ 1.3
+
+
+
+ false
+ Do not register the connection's address in DNS.
+
+
+ true
+ Register the connection's addresses in DNS.
+
+
+
+
+
+ DnsSuffix
+
+
+
+
+
+
+
+ Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ByPassForLocal
+
+
+
+
+
+
+
+
False : Do not Bypass for Local traffic
True : ByPass VPN Interface for Local Traffic
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- TrustedNetworkDetection
-
-
-
-
-
-
-
-
- String
- Optional.String to identify the trusted network. VPN will not connect when the user is on their corporate wireless network where protected resources are directly accessible to the device.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ProfileXML
-
-
-
-
-
-
-
-
- Xml schema for provisioning all the fields of a VPN
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Proxy
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Manual
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Server
-
-
-
-
-
-
-
- Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- AutoConfigUrl
-
-
-
-
-
-
-
- Optional. Set a URL to automatically retrieve the proxy settings.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- APNBinding
-
-
-
-
- Reserved for Future Use
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ProviderId
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AccessPointName
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- UserName
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Password
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IsCompressionEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AuthenticationType
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- DeviceCompliance
-
-
-
-
-
- Nodes under DeviceCompliance can be used to enable Azure Active Directory based Conditional Access for VPN
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Enabled
-
-
-
-
-
-
-
- Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Sso
-
-
-
-
-
- Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
- Enabled
-
-
-
-
-
-
-
- If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IssuerHash
-
-
-
-
-
-
-
- Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Eku
-
-
-
-
-
-
-
- Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- PluginProfile
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ServerUrlList
-
-
-
-
-
-
-
- Required. URL for VPN Server
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CustomConfiguration
-
-
-
-
-
-
-
- Optional. This is an XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PluginPackageFamilyName
-
-
-
-
-
-
-
- Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CustomStoreUrl
-
-
-
-
-
-
-
- TO be Deleted
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- WebAuth
-
-
-
-
-
- Nodes under WebAuth can be used to enable WebToken based authentication for 3rd Party Plugin VPN Profiles.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Enabled
-
-
-
-
-
-
-
- Enables the WebToken based authentication flow.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ClientId
-
-
-
-
-
-
-
- The client ID to specify when communicating with the Web Account provider in retrieving the token.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- NativeProfile
-
-
-
-
-
- Inbox VPN Profile
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Servers
-
-
-
-
-
-
-
-
- Server
-
-
- Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm
- Some examples are 208.23.45.130 or vpn.contoso.com.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RoutingPolicyType
-
-
-
-
-
-
-
-
- SplitTunnel - For this Connection, Traffic can go over any interface as determined by the networking stack.
-
- ForceTunnel - All IP Traffic must go over only the VPN Interface.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NativeProtocolType
-
-
-
-
-
-
-
-
- Supported Values :
-
- Pptp
- L2tp
- Ikev2
- Automatic
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Authentication
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- UserMethod
-
-
-
-
-
-
-
-
- Supported Values
-
- Mschapv2
- Eap
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- MachineMethod
-
-
-
-
-
-
-
-
- Supported Values
-
- Eap
- Certificate
- PresharedKey
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Eap
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Configuration
-
-
-
-
-
-
-
- XML Configuration for EAP Method
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Type
-
-
-
-
-
-
-
-
- Required node for EAP profiles. This specifies the EAP Type ID
- 13 = EAP-TLS
- 26 = Ms-Chapv2
- 27 = Peap
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Certificate
-
-
-
-
- Reserved for future Use
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Issuer
-
-
-
-
-
-
-
- Reserved for future Use
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Eku
-
-
-
-
-
-
-
- Reserved for future Use
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- CryptographySuite
-
-
-
-
- Properties of IPSec tunnels.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- AuthenticationTransformConstants
-
-
-
-
-
-
-
-
- Choices are:
- -- MD596
- -- SHA196
- -- SHA256128
- -- GCMAES128
- -- GCMAES192
- -- GCMAES256
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CipherTransformConstants
-
-
-
-
-
-
-
-
- Choices Are:
- -- DES
- -- DES3
- -- AES128
- -- AES192
- -- AES256
- -- GCMAES128
- -- GCMAES192
- -- GCMAES256
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EncryptionMethod
-
-
-
-
-
-
-
-
- Choices are:
- -- DES
- -- DES3
- -- AES128
- -- AES192
- -- AES256
- -- AES_GCM_128
- -- AES_GCM_256
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IntegrityCheckMethod
-
-
-
-
-
-
-
-
- Choices are:
- -- MD5
- -- SHA196
- -- SHA256
- -- SHA384
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DHGroup
-
-
-
-
-
-
-
-
- Choices are:
- -- Group1
- -- Group2
- -- Group14
- -- ECP256
- -- ECP384
- -- Group24
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PfsGroup
-
-
-
-
-
-
-
-
- Choices are:
- -- PFS1
- -- PFS2
- -- PFS2048
- -- ECP256
- -- ECP384
- -- PFSMM
- -- PFS24
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- L2tpPsk
-
-
-
-
-
-
-
- The preshared key used for an L2TP connection
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DisableClassBasedDefaultRoute
-
-
-
-
-
-
-
-
- When false this VPN connection will plumb class based default routes.
- i.e.
- If the interface IP begins with 10, it assumes a class a IP
- and pushes the route 10.0.0.0/8
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PlumbIKEv2TSAsRoutes
-
-
-
-
-
-
-
-
- True: Plumb traffic selectors as routes onto VPN interface
- False: Do not plumb traffic selectors as routes
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
-
- VPNv2
- ./User/Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TrustedNetworkDetection
-
-
-
-
-
-
-
-
-
-
-
-
-
- com.microsoft/1.3/MDM/VPNv2
-
+
+
+
+
+
+
+ Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ,
+
+
+
+
+ DisableAdvancedOptionsEditButton
+
+
+
+
+
+
+
+ Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.5
+
+
+
+ false
+ Advanced Options Edit Button is available.
+
+
+ true
+ Advanced Options Edit Button is unavailable.
+
+
+
+
+
+ DisableDisconnectButton
+
+
+
+
+
+
+
+ Optional. When this setting is True, the Disconnect button will not be visible for connected profiles.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.5
+
+
+
+ false
+ Disconnect Button is visible.
+
+
+ true
+ Disconnect Button is not visible.
+
+
+
+
+
+ RequireVpnClientAppUI
+
+
+
+
+
+
+
+
+ Applicable only to AppContainer profiles.
+
+ False : Do not show profile in Settings UI.
+ True : Show profile in Settings UI.
+
+ Optional. This node is only relevant for AppContainer profiles (i.e. using the VpnManagementAgent::AddProfileFromXmlAsync method).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.19628
+ 1.4
+
+
+
+
+ ProfileXML
+
+
+
+
+
+
+
+ The XML schema for provisioning all the fields of a VPN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+]]>
+
+
+
+
+ Proxy
+
+
+
+
+ A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
+
+
+
+
+
+
+
+
+
+
+
+
-
+ Manual
+
+
+
+
+ Optional node containing the manual server settings.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Server
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ProfileName
-
-
-
+
+
+
+
+
+
+ Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AutoConfigUrl
+
+
+
+
+
+
+
+ Optional. Set a URL to automatically retrieve the proxy settings.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ APNBinding
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ProviderId
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AccessPointName
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ UserName
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Password
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IsCompressionEnabled
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AuthenticationType
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DeviceCompliance
+
+
+
+
+
+ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.1
+
+
+
+ Enabled
+
+
+
+
+
+
+
+ Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ Sso
+
+
+
+
+
+ Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Enabled
+
+
+
+
+
+
+
+ If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ IssuerHash
+
+
+
+
+
+
+
+ Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Eku
+
+
+
+
+
+
+
+ Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PluginProfile
+
+
+
+
+
+ Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ServerUrlList
+
+
+
+
+
+
+
+ Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ CustomConfiguration
+
+
+
+
+
+
+
+ Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PluginPackageFamilyName
+
+
+
+
+
+
+
+ Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ NativeProfile
+
+
+
+
+
+ InboxNodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Servers
+
+
+
+
+
+
+
+ Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RoutingPolicyType
+
+
+
+
+
+
+
+ Type of routing policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SplitTunnel
+ Traffic can go over any interface as determined by the networking stack.
+
+
+ ForceTunnel
+ All IP traffic must go over the VPN interface.
+
+
+
+
+
+ NativeProtocolType
+
+
+
+
+
+
+
+ Required for native profiles. Type of tunneling protocol used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PPTP
+ PPTP
+
+
+ L2TP
+ L2TP
+
+
+ IKEv2
+ IKEv2
+
+
+ Automatic
+ Automatic
+
+
+ SSTP
+ SSTP
+
+
+ ProtocolList
+ ProtocolList
+
+
+
+
+
+ ProtocolList
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.20207
+ 1.4
+
+
+
+ NativeProtocolList
+
+
+
+
+ List of inbox VPN protocols in priority order.
+
+
+
+
+
+
+
+
+
+
+
+
- AppTriggerList
-
-
-
-
- List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- appTriggerRowId
-
-
-
-
-
- App
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Id
-
-
-
-
-
-
-
- App Identity. Specified, based on the Type Field..
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Type
-
-
-
-
-
- PackageFamilyName
- FQBN
- FilePath
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
-
- RouteList
-
-
-
-
- List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- routeRowId
-
-
-
-
-
- Address
-
-
-
-
-
-
-
- Subnet address
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PrefixSize
-
-
-
-
-
-
-
- Subnet Prefix
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Metric
-
-
-
-
-
-
-
- The route's metric.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExclusionRoute
-
-
-
-
-
-
-
- Is this a route to never go over the VPN
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- DomainNameInformationList
-
-
-
-
- NRPT (Name Resolution Policy Table) Rules for the VPN Profile
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- dniRowId
-
-
-
-
-
- DomainName
-
-
-
-
-
-
-
- Value based on the DomainNameType field
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DomainNameType
-
-
-
-
-
- a. FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain.
-
- b. Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains.
-
- c. Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here.
-
- d. Any: Use this if the policy applies to all.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DnsServers
-
-
-
-
-
-
-
- Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- WebProxyServers
-
-
-
-
-
-
-
- [Optional] If you are redirecting traffic through your intranet Web proxy servers, add the webproxyserver (Singular)
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AutoTrigger
-
-
-
-
-
-
-
-
- False = This DomainName Rule will not trigger the VPN
- True = This DomainName Rule will trigger the VPN
- By default, this value is false.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Persistent
-
-
-
-
-
-
-
-
- False = This DomainName Rule will only be plumbed when the VPN is connected
- True = This DomainName Rule will always be plumbed.
- By default, this value is false.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- TrafficFilterList
-
-
-
-
-
- A list of rules allowing traffic over the VPN Interface.
-
- Each Rule ID is ORed.
- Within each rule ID each Filter type is AND'ed
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- trafficFilterId
-
-
-
-
-
- App
-
-
-
-
- Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Id
-
-
-
-
-
-
-
- App Identity. Specified, based on the Type Field..
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Type
-
-
-
-
-
- PackageFamilyName
- FQBN
- FilePath
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Claims
-
-
-
-
-
-
-
- Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Protocol
-
-
-
-
-
-
-
-
- 0-255 number representing the ip protocol (TCP = 6, UDP = 17)
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LocalPortRanges
-
-
-
-
-
-
-
-
- Comma Separated list of ranges for eg.
- 100-120,200,300-320
-
-
-
-
-
-
-
-
-
-
- LocalPortRanges
-
- text/plain
-
-
-
-
- RemotePortRanges
-
-
-
-
-
-
-
-
- Comma Separated list of ranges for eg.
- 100-120,200,300-320
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LocalAddressRanges
-
-
-
-
-
-
-
- Comma Separated list of IP ranges
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RemoteAddressRanges
-
-
-
-
-
-
-
- Comma Separated list of IP ranges
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RoutingPolicyType
-
-
-
-
-
-
-
-
- SplitTunnel - For this Rule, you are allowed to go over the VPN as well as the Internet. Other traffic may not go over the VPN Interface.
- ForceTunnel - All Traffic matching this rule must go over only the VPN Interface.
-
- Only Applicable for App and Claims type.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- EdpModeId
-
-
-
-
-
-
-
-
- Enterprise ID for the EDP Policy that this VPN Profile is supposed to interace with.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RememberCredentials
-
-
-
-
-
-
-
-
- False = Remember credentials is turned off
- True = Remember credentials is turned on
- If True, Credentials will be cached wherever applicable.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AlwaysOn
-
-
-
-
-
-
-
-
- False = Always on in not turned On
- True = Always is on is turned on
-
- Note: Always On will work only for the active profile.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DnsSuffix
-
-
-
-
-
-
-
- Connection Specific DNS Suffix. for eg. corp.contoso.com
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ByPassForLocal
-
-
-
-
-
-
-
-
- False : Do not Bypass for Local traffic
- True : ByPass VPN Interface for Local Traffic
-
- Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- TrustedNetworkDetection
-
-
-
-
-
-
-
-
- String
- Optional.String to identify the trusted network. VPN will not connect when the user is on their corporate wireless network where protected resources are directly accessible to the device.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ProfileXML
+
+
-
-
- Xml schema for provisioning all the fields of a VPN
-
-
+
-
+
+ NativeProtocolRowId
- text/plain
+
-
-
- Proxy
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Manual
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Server
-
-
-
-
-
-
-
- Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- AutoConfigUrl
-
-
-
-
-
-
-
- Optional. Set a URL to automatically retrieve the proxy settings.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- APNBinding
-
-
-
-
- Reserved for Future Use
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ProviderId
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AccessPointName
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- UserName
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Password
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IsCompressionEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AuthenticationType
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- DeviceCompliance
-
-
-
-
-
- Nodes under DeviceCompliance can be used to enable Azure Active Directory based Conditional Access for VPN
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Enabled
-
-
-
-
-
-
-
- Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Sso
-
-
-
-
-
- Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
- Enabled
-
-
-
-
-
-
-
- If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IssuerHash
-
-
-
-
-
-
-
- Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Eku
-
-
-
-
-
-
-
- Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- PluginProfile
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ServerUrlList
-
-
-
-
-
-
-
- Required. URL for VPN Server
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CustomConfiguration
-
-
-
-
-
-
-
- Optional. This is an XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PluginPackageFamilyName
-
-
-
-
-
-
-
- Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CustomStoreUrl
-
-
-
-
-
-
-
- TO be Deleted
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- WebAuth
-
-
-
-
-
- Nodes under WebAuth can be used to enable WebToken based authentication for 3rd Party Plugin VPN Profiles.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Enabled
-
-
-
-
-
-
-
- Enables the WebToken based authentication flow.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ClientId
-
-
-
-
-
-
-
- The client ID to specify when communicating with the Web Account provider in retrieving the token.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- NativeProfile
-
-
-
-
-
- Inbox VPN Profile
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Servers
-
-
-
-
-
-
-
-
- Server
-
-
- Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm
- Some examples are 208.23.45.130 or vpn.contoso.com.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RoutingPolicyType
-
-
-
-
-
-
-
-
- SplitTunnel - For this Connection, Traffic can go over any interface as determined by the networking stack.
-
- ForceTunnel - All IP Traffic must go over only the VPN Interface.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NativeProtocolType
-
-
-
-
-
-
-
-
- Supported Values :
-
- Pptp
- L2tp
- Ikev2
- Automatic
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Authentication
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- UserMethod
-
-
-
-
-
-
-
-
- Supported Values
-
- Mschapv2
- Eap
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- MachineMethod
-
-
-
-
-
-
-
-
- Supported Values
-
- Eap
- Certificate
- PresharedKey
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Eap
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Configuration
-
-
-
-
-
-
-
- XML Configuration for EAP Method
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Type
-
-
-
-
-
-
-
-
- Required node for EAP profiles. This specifies the EAP Type ID
- 13 = EAP-TLS
- 26 = Ms-Chapv2
- 27 = Peap
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Certificate
-
-
-
-
- Reserved for future Use
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Issuer
-
-
-
-
-
-
-
- Reserved for future Use
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Eku
-
-
-
-
-
-
-
- Reserved for future Use
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- CryptographySuite
-
-
-
-
- Properties of IPSec tunnels.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- AuthenticationTransformConstants
-
-
-
-
-
-
-
-
- Choices are:
- -- MD596
- -- SHA196
- -- SHA256128
- -- GCMAES128
- -- GCMAES192
- -- GCMAES256
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CipherTransformConstants
-
-
-
-
-
-
-
-
- Choices Are:
- -- DES
- -- DES3
- -- AES128
- -- AES192
- -- AES256
- -- GCMAES128
- -- GCMAES192
- -- GCMAES256
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EncryptionMethod
-
-
-
-
-
-
-
-
- Choices are:
- -- DES
- -- DES3
- -- AES128
- -- AES192
- -- AES256
- -- AES_GCM_128
- -- AES_GCM_256
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IntegrityCheckMethod
-
-
-
-
-
-
-
-
- Choices are:
- -- MD5
- -- SHA196
- -- SHA256
- -- SHA384
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DHGroup
-
-
-
-
-
-
-
-
- Choices are:
- -- Group1
- -- Group2
- -- Group14
- -- ECP256
- -- ECP384
- -- Group24
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PfsGroup
-
-
-
-
-
-
-
-
- Choices are:
- -- PFS1
- -- PFS2
- -- PFS2048
- -- ECP256
- -- ECP384
- -- PFSMM
- -- PFS24
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- L2tpPsk
+ Type
@@ -4467,7 +2261,7 @@ The XML below is for Windows 10, version 2004.
- The preshared key used for an L2TP connection
+ Inbox VPN protocols type.
@@ -4478,12 +2272,3224 @@ The XML below is for Windows 10, version 2004.
- text/plain
+
+
+
+ Pptp
+ Pptp
+
+
+ L2tp
+ L2tp
+
+
+ Ikev2
+ Ikev2
+
+
+ Sstp
+ Sstp
+
+
+
+
+
+ RetryTimeInHours
+
+
+
+
+
+
+
+ Default 168, max 500000.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Authentication
+
+
+
+
+ Required node for native profile. It contains authentication information for the native VPN profile.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ UserMethod
+
+
+
+
+
+
+
+ This value can be one of the following: EAP or MSChapv2 (This is not supported for IKEv2).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EAP
+ EAP
+
+
+ MSChapv2
+ MSChapv2: This is not supported for IKEv2
+
+
+
+
+
+ MachineMethod
+
+
+
+
+
+
+
+ This is only supported in IKEv2.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Certificate
+ Certificate
+
+
+
+
+
+ Eap
+
+
+
+
+ Required when the native profile specifies EAP authentication. EAP configuration XML.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Configuration
+
+
+
+
+
+
+
+ HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Type
+
+
+
+
+
+
+
+
+ Required node for EAP profiles. This specifies the EAP Type ID
+ 13 = EAP-TLS
+ 26 = Ms-Chapv2
+ 27 = Peap
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Certificate
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Issuer
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Eku
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ CryptographySuite
+
+
+
+
+ Properties of IPSec tunnels.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+ AuthenticationTransformConstants
+
+
+
+
+
+
+
+ Type of authentication transform constant.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MD596
+ MD596
+
+
+ SHA196
+ SHA196
+
+
+ SHA256128
+ SHA256128
+
+
+ GCMAES128
+ GCMAES128
+
+
+ GCMAES192
+ GCMAES192
+
+
+ GCMAES256
+ GCMAES256
+
+
+
+
+
+ CipherTransformConstants
+
+
+
+
+
+
+
+ Type of Cipher transform constant.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DES
+ DES
+
+
+ DES3
+ DES3
+
+
+ AES128
+ AES128
+
+
+ AES192
+ AES192
+
+
+ AES256
+ AES256
+
+
+ GCMAES128
+ GCMAES128
+
+
+ GCMAES192
+ GCMAES192
+
+
+ GCMAES256
+ GCMAES256
+
+
+
+
+
+ EncryptionMethod
+
+
+
+
+
+
+
+ Type of encryption method.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DES
+ DES
+
+
+ DES3
+ DES3
+
+
+ AES128
+ AES128
+
+
+ AES192
+ AES192
+
+
+ AES256
+ AES256
+
+
+ AES_GCM_128
+ AES_GCM_128
+
+
+ AES_GCM_256
+ AES_GCM_256
+
+
+
+
+
+ IntegrityCheckMethod
+
+
+
+
+
+
+
+ Type of integrity check.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MD5
+ MD5
+
+
+ SHA196
+ SHA196
+
+
+ SHA256
+ SHA256
+
+
+ SHA384
+ SHA384
+
+
+
+
+
+ DHGroup
+
+
+
+
+
+
+
+ Group used for DH (Diffie-Hellman).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ None
+ None
+
+
+ Group1
+ Group1
+
+
+ Group2
+ Group2
+
+
+ Group14
+ Group14
+
+
+ ECP256
+ ECP256
+
+
+ ECP384
+ ECP384
+
+
+ Group24
+ Group24
+
+
+
+
+
+ PfsGroup
+
+
+
+
+
+
+
+ Group used for PFS (Perfect Forward Secrecy).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ None
+ None
+
+
+ PFS1
+ PFS1
+
+
+ PFS2
+ PFS2
+
+
+ PFS2048
+ PFS2048
+
+
+ ECP256
+ ECP256
+
+
+ ECP384
+ ECP384
+
+
+ PFSMM
+ PFSMM
+
+
+ PFS24
+ PFS24
+
+
+
+
+
+
+ L2tpPsk
+
+
+
+
+
+
+
+ The preshared key used for an L2TP connection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+
+
+
+ DisableClassBasedDefaultRoute
+
+
+
+
+
+
+
+ Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+ false
+ Enabled
+
+
+ true
+ Disabled
+
+
+
+
+
+ PlumbIKEv2TSAsRoutes
+
+
+
+
+
+
+
+ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.19041
+ 1.3
+
+
+
+
+
+ NetworkOutageTime
+
+
+
+
+
+
+
+ The amount of time in seconds the network is allowed to idle. 0 means no limit.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+ [0-4294967295]
+
+
+
+
+ IPv4InterfaceMetric
+
+
+
+
+
+
+
+ The metric for the IPv4 interface.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+ [1-9999]
+
+
+
+
+ IPv6InterfaceMetric
+
+
+
+
+
+
+
+ The metric for the IPv6 interface.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+ [1-9999]
+
+
+
+
+ UseRasCredentials
+
+
+
+
+
+
+
+ true
+ Determines whether the credential manager will save ras credentials after a connection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+
+ false
+ Ras Credentials are not saved.
+
+
+ true
+ Ras Credentials are saved.
+
+
+
+
+
+ DataEncryption
+
+
+
+
+
+
+
+ Require
+ Determines the level of data encryption required for the connection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+
+ None
+ No Data Encryption required.
+
+
+ Require
+ Data Encryption required.
+
+
+ Max
+ Maximum-strength Data Encryption required.
+
+
+ Optional
+ Perform encryption if possible.
+
+
+
+
+
+ PrivateNetwork
+
+
+
+
+
+
+
+ true
+ Determines whether the VPN connection is public or private.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+
+ false
+ VPN connection is public.
+
+
+ true
+ VPN connection is private.
+
+
+
+
+
+ DisableIKEv2Fragmentation
+
+
+
+
+
+
+
+ false
+ Set to disable IKEv2 Fragmentation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+
+ true
+ IKEv2 Fragmentation will not be used.
+
+
+ false
+ IKEv2 Fragmentation is used as normal.
+
+
+
+
+
+
+
+ VPNv2
+ ./Device/Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.10586
+ 1.0
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;
+
+
+
+
+
+
+
+
+
+
+
+
+ Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
+
+
+
+
+
+
+
+
+
+ ProfileName
+
+
+
+
+
+
+
+ ^[^/]*$
+
+
+
+
+ AppTriggerList
+
+
+
+
+ List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
+
+
+
+
+
+
+
+
+
+ appTriggerRowId
+
+
+
+
+ A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
+
+
+
+ App
+
+
+
+
+ App Node under the Row Id.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Id
+
+
+
+
+
+
+
+ App Identity. Specified, based on the Type Field.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Type
+
+
+
+
+ Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RouteList
+
+
+
+
+ List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
+
+
+
+
+
+
+
+
+
+ routeRowId
+
+
+
+
+ A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
+
+
+
+ Address
+
+
+
+
+
+
+
+ Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PrefixSize
+
+
+
+
+
+
+
+ The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [0-4294967295]
+
+
+
+
+ Metric
+
+
+
+
+
+
+
+ The route's metric.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+
+
+
+ ExclusionRoute
+
+
+
+
+
+
+
+ false
+ A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+ false
+ This route will direct traffic over the VPN.
+
+
+ true
+ This route will direct traffic over the physical interface.
+
+
+
+
+
+
+
+ DomainNameInformationList
+
+
+
+
+ NRPT (Name Resolution Policy Table) Rules for the VPN Profile.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
+
+
+
+
+
+
+
+
+
+ dniRowId
+
+
+
+
+ A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
+
+
+
+ DomainName
+
+
+
+
+
+
+
+ Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DomainNameType
+
+
+
+
+ Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DnsServers
+
+
+
+
+
+
+
+ Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ WebProxyServers
+
+
+
+
+
+
+
+ Web Proxy Server IP address if you are redirecting traffic through your intranet.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AutoTrigger
+
+
+
+
+
+
+
+ false
+ Boolean to determine whether this domain name rule will trigger the VPN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+ false
+ This DomainName rule will not trigger the VPN.
+
+
+ true
+ This DomainName rule will trigger the VPN.
+
+
+
+
+
+ Persistent
+
+
+
+
+
+
+
+ false
+ A boolean value that specifies if the rule being added should persist even when the VPN is not connected.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+ false
+ This DomainName rule will only be applied when VPN is connected.
+
+
+ true
+ This DomainName rule will always be present and applied.
+
+
+
+
+
+
+
+ TrafficFilterList
+
+
+
+
+ A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
+
+
+
+
+
+
+
+
+
+ trafficFilterId
+
+
+
+
+ A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
+
+
+
+ App
+
+
+
+
+ Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Id
+
+
+
+
+
+
+
+ App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Type
+
+
+
+
+ Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Claims
+
+
+
+
+
+
+
+ Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Protocol
+
+
+
+
+
+
+
+ 0-255 number representing the ip protocol (TCP = 6, UDP = 17).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [0-255]
+
+
+
+
+ LocalPortRanges
+
+
+
+
+
+
+
+ Comma Separated list of ranges for eg. 100-120,200,300-320.
+
+
+
+
+
+
+
+
+
+ LocalPortRanges
+
+
+
+
+ ^[\d]*$
+
+
+
+
+ Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol
+
+ [6,17]
+
+
+
+
+
+
+
+ RemotePortRanges
+
+
+
+
+
+
+
+ A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ^[\d]*$
+
+
+
+
+ Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol
+
+ [6,17]
+
+
+
+
+
+
+
+ LocalAddressRanges
+
+
+
+
+
+
+
+ A list of comma separated values specifying local IP address ranges to allow.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RemoteAddressRanges
+
+
+
+
+
+
+
+ A list of comma separated values specifying remote IP address ranges to allow.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RoutingPolicyType
+
+
+
+
+
+
+
+ Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SplitTunnel
+ For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
+
+
+ ForceTunnel
+ For this traffic rule all IP traffic must go through the VPN Interface only.
+
+
+
+
+
+ Direction
+
+
+
+
+
+
+
+
+ Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default.
+ Inbound - The traffic filter allows traffic coming from external locations matching this rule.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.19041
+ 1.3
+
+
+
+
+
+
+ EdpModeId
+
+
+
+
+
+
+
+ Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RememberCredentials
+
+
+
+
+
+
+
+ false
+ Boolean value (true or false) for caching credentials.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Do not cache credentials.
+
+
+ true
+ Credentials are cached whenever possible.
+
+
+
+
+
+ AlwaysOn
+
+
+
+
+
+
+
+ false
+ An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Always On is turned off.
+
+
+ true
+ Always On is turned on.
+
+
+
+
+
+ AlwaysOnActive
+
+
+
+
+
+
+
+ 1
+ An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Always On is inactive.
+
+
+ 1
+ Always On is activated on provisioning.
+
+
+
+
+
+ DeviceTunnel
+
+
+
+
+
+
+
+ false
+ If turned on a device tunnel profile does four things.
+ First, it automatically becomes an always on profile.
+ Second, it does not require the presence or logging in of any user to the machine in order for it to connect.
+ Third, no other Device Tunnel profile maybe be present on the same machine.
+A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.16299
+ 1.3
+
+
+
+ false
+ This is not a device tunnel profile.
+
+
+ true
+ This is a device tunnel profile.
+
+
+
+
+
+ RegisterDNS
+
+
+
+
+
+
+
+ false
+ Allows registration of the connection's address in DNS.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.16299
+ 1.3
+
+
+
+ false
+ Do not register the connection's address in DNS.
+
+
+ true
+ Register the connection's addresses in DNS.
+
+
+
+
+
+ DnsSuffix
+
+
+
+
+
+
+
+ Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ByPassForLocal
+
+
+
+
+
+
+
+
+ False : Do not Bypass for Local traffic
+ True : ByPass VPN Interface for Local Traffic
+
+ Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TrustedNetworkDetection
+
+
+
+
+
+
+
+ Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ,
+
+
+
+
+ DisableAdvancedOptionsEditButton
+
+
+
+
+
+
+
+
+ Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.5
+
+
+
+ false
+ Advanced Options Edit Button is available.
+
+
+ true
+ Advanced Options Edit Button is unavailable.
+
+
+
+
+
+ DisableDisconnectButton
+
+
+
+
+
+
+
+
+ Optional. When this setting is True, the Disconnect button will not be visible for connected profiles.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.5
+
+
+
+ false
+ Disconnect Button is visible.
+
+
+ true
+ Disconnect Button is not visible.
+
+
+
+
+
+ ProfileXML
+
+
+
+
+
+
+
+ The XML schema for provisioning all the fields of a VPN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+]]>
+
+
+
+
+ Proxy
+
+
+
+
+ A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Manual
+
+
+
+
+ Optional node containing the manual server settings.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Server
+
+
+
+
+
+
+
+ Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AutoConfigUrl
+
+
+
+
+
+
+
+ Optional. Set a URL to automatically retrieve the proxy settings.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ APNBinding
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ProviderId
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AccessPointName
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ UserName
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Password
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IsCompressionEnabled
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AuthenticationType
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DeviceCompliance
+
+
+
+
+
+ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.1
+
+
+
+ Enabled
+
+
+
+
+
+
+
+ Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ Sso
+
+
+
+
+
+ Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Enabled
+
+
+
+
+
+
+
+ If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ IssuerHash
+
+
+
+
+
+
+
+ Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Eku
+
+
+
+
+
+
+
+ Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PluginProfile
+
+
+
+
+
+ Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ServerUrlList
+
+
+
+
+
+
+
+ Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ CustomConfiguration
+
+
+
+
+
+
+
+ Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PluginPackageFamilyName
+
+
+
+
+
+
+
+ Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ NativeProfile
+
+
+
+
+
+ Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Servers
+
+
+
+
+
+
+
+ Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RoutingPolicyType
+
+
+
+
+
+
+
+ Type of routing policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SplitTunnel
+ Traffic can go over any interface as determined by the networking stack.
+
+
+ ForceTunnel
+ All IP traffic must go over the VPN interface.
+
+
+
+
+
+ NativeProtocolType
+
+
+
+
+
+
+
+ Required for native profiles. Type of tunneling protocol used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PPTP
+ PPTP
+
+
+ L2TP
+ L2TP
+
+
+ IKEv2
+ IKEv2
+
+
+ Automatic
+ Automatic
+
+
+ SSTP
+ SSTP
+
+
+ ProtocolList
+ ProtocolList
+
+
+
+
+
+ ProtocolList
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.20207
+ 1.4
+
+
+
+ NativeProtocolList
+
+
+
+
+ List of inbox VPN protocols in priority order.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ NativeProtocolRowId
+
+
+
+
- DisableClassBasedDefaultRoute
+ Type
@@ -4491,55 +5497,998 @@ The XML below is for Windows 10, version 2004.
-
- When false this VPN connection will plumb class based default routes.
- i.e.
- If the interface IP begins with 10, it assumes a class a IP
- and pushes the route 10.0.0.0/8
-
+ Inbox VPN protocols type.
-
+
-
+
- text/plain
+
+
+
+ Pptp
+ Pptp
+
+
+ L2tp
+ L2tp
+
+
+ Ikev2
+ Ikev2
+
+
+ Sstp
+ Sstp
+
+
-
- PlumbIKEv2TSAsRoutes
-
-
-
-
-
-
-
-
- True: Plumb traffic selectors as routes onto VPN interface
- False: Do not plumb traffic selectors as routes
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+
+
+ RetryTimeInHours
+
+
+
+
+
+
+
+ Default 168, max 500000.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Authentication
+
+
+
+
+ Required node for native profile. It contains authentication information for the native VPN profile.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ UserMethod
+
+
+
+
+
+
+
+ Type of user authentication.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EAP
+ EAP
+
+
+ MSChapv2
+ MSChapv2: This is not supported for IKEv2
+
+
+
+
+
+ MachineMethod
+
+
+
+
+
+
+
+ This is only supported in IKEv2.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Certificate
+ Certificate
+
+
+
+
+
+ Eap
+
+
+
+
+ Required when the native profile specifies EAP authentication. EAP configuration XML.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Configuration
+
+
+
+
+
+
+
+ HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Type
+
+
+
+
+
+
+
+
+ Required node for EAP profiles. This specifies the EAP Type ID
+ 13 = EAP-TLS
+ 26 = Ms-Chapv2
+ 27 = Peap
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Certificate
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Issuer
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Eku
+
+
+
+
+
+
+
+ Reserved for future use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ CryptographySuite
+
+
+
+
+ Properties of IPSec tunnels.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+ AuthenticationTransformConstants
+
+
+
+
+
+
+
+ Type of authentication transform constant.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MD596
+ MD596
+
+
+ SHA196
+ SHA196
+
+
+ SHA256128
+ SHA256128
+
+
+ GCMAES128
+ GCMAES128
+
+
+ GCMAES192
+ GCMAES192
+
+
+ GCMAES256
+ GCMAES256
+
+
+
+
+
+ CipherTransformConstants
+
+
+
+
+
+
+
+ Type of Cipher transform constant.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DES
+ DES
+
+
+ DES3
+ DES3
+
+
+ AES128
+ AES128
+
+
+ AES192
+ AES192
+
+
+ AES256
+ AES256
+
+
+ GCMAES128
+ GCMAES128
+
+
+ GCMAES192
+ GCMAES192
+
+
+ GCMAES256
+ GCMAES256
+
+
+
+
+
+ EncryptionMethod
+
+
+
+
+
+
+
+ Type of encryption method.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DES
+ DES
+
+
+ DES3
+ DES3
+
+
+ AES128
+ AES128
+
+
+ AES192
+ AES192
+
+
+ AES256
+ AES256
+
+
+ AES_GCM_128
+ AES_GCM_128
+
+
+ AES_GCM_256
+ AES_GCM_256
+
+
+
+
+
+ IntegrityCheckMethod
+
+
+
+
+
+
+
+ Type of integrity check.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MD5
+ MD5
+
+
+ SHA196
+ SHA196
+
+
+ SHA256
+ SHA256
+
+
+ SHA384
+ SHA384
+
+
+
+
+
+ DHGroup
+
+
+
+
+
+
+
+ Group used for DH (Diffie-Hellman).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ None
+ None
+
+
+ Group1
+ Group1
+
+
+ Group2
+ Group2
+
+
+ Group14
+ Group14
+
+
+ ECP256
+ ECP256
+
+
+ ECP384
+ ECP384
+
+
+ Group24
+ Group24
+
+
+
+
+
+ PfsGroup
+
+
+
+
+
+
+
+ Group used for PFS (Perfect Forward Secrecy).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ None
+ None
+
+
+ PFS1
+ PFS1
+
+
+ PFS2
+ PFS2
+
+
+ PFS2048
+ PFS2048
+
+
+ ECP256
+ ECP256
+
+
+ ECP384
+ ECP384
+
+
+ PFSMM
+ PFSMM
+
+
+ PFS24
+ PFS24
+
+
+
+
+
+
+ L2tpPsk
+
+
+
+
+
+
+
+ The preshared key used for an L2TP connection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+
+
+
+ DisableClassBasedDefaultRoute
+
+
+
+
+
+
+
+ Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+ false
+ Enabled
+
+
+ true
+ Disabled
+
+
+
+
+
+ PlumbIKEv2TSAsRoutes
+
+
+
+
+
+
+
+ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.19041
+ 1.3
+
+
+
+
+
+ NetworkOutageTime
+
+
+
+
+
+
+
+ The amount of time in seconds the network is allowed to idle. 0 means no limit.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+ [0-4294967295]
+
+
+
+
+ IPv4InterfaceMetric
+
+
+
+
+
+
+
+ The metric for the IPv4 interface.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+ [1-9999]
+
+
+
+
+ IPv6InterfaceMetric
+
+
+
+
+
+
+
+ The metric for the IPv6 interface.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+ [1-9999]
+
+
+
+
+ UseRasCredentials
+
+
+
+
+
+
+
+ true
+ Determines whether the credential manager will save ras credentials after a connection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+
+ false
+ Ras Credentials are not saved.
+
+
+ true
+ Ras Credentials are saved.
+
+
+
+
+
+ DataEncryption
+
+
+
+
+
+
+
+ Require
+ Determines the level of data encryption required for the connection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+
+ None
+ No Data Encryption required.
+
+
+ Require
+ Data Encryption required.
+
+
+ Max
+ Maximum-strength Data Encryption required.
+
+
+ Optional
+ Perform encryption if possible.
+
+
+
+
+
+ PrivateNetwork
+
+
+
+
+
+
+
+ true
+ Determines whether the VPN connection is public or private.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+
+ false
+ VPN connection is public.
+
+
+ true
+ VPN connection is private.
+
+
+
+
+
+ DisableIKEv2Fragmentation
+
+
+
+
+
+
+
+ false
+ Set to disable IKEv2 Fragmentation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+
+ true
+ IKEv2 Fragmentation will not be used.
+
+
+ false
+ IKEv2 Fragmentation is used as normal.
+
+
+
+
+
```
+
+## Related articles
+
+[VPNv2 configuration service provider reference](vpnv2-csp.md)
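Review bot: The rewritten DisableClassBasedDefaultRoute entry near the end of this hunk no longer says which value does what. The removed description read "When false this VPN connection will plumb class based default routes", while the replacement says only "Specifies the class based default routes" and labels the allowed values `false` = "Enabled" and `true` = "Disabled". On a Disable* flag those labels can be read either way, and the setting decides whether a classful route such as 10.0.0.0/8 goes over the VPN interface, so a misreading changes which traffic the tunnel carries. I would restore the "When false …" sentence in the description and make the value labels explicit, for example `false: class based default routes are added` and `true: class based default routes are not added`.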
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
deleted file mode 100644
index bfca5ab7aa..0000000000
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ /dev/null
@@ -1,447 +0,0 @@
----
-title: ProfileXML XSD
-description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 07/14/2020
----
-
-# ProfileXML XSD
-
-Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent::AddProfileFromXmlAsync for Windows 10 and some profile examples.
-
-## XSD for the VPN profile
-
-```xml
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-## Native profile example
-
-```xml
-
- corp.contoso.com
- true
- false
- corp.contoso.com
- contoso.com
-
-
- Helloworld.Com
-
- HelloServer
-
-
-
-
- true
-
- true
- This is my Eku
- This is my issuer hash
-
-
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
-
-
-
- C:\windows\system32\ping.exe
-
-
-
-
- hrsite.corporate.contoso.com
- 1.2.3.4,5.6.7.8
- 5.5.5.5
- true
-
-
- .corp.contoso.com
- 10.10.10.10,20.20.20.20
- 100.100.100.100
-
-
-
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
- 6
- 10,20-50,100-200
- 20-50,100-200,300
- 30.30.0.0/16,10.10.10.10-20.20.20.20
- ForceTunnel
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
- 3.3.3.3/32,1.1.1.1-2.2.2.2
-
-
-
- testServer.VPN.com
- SplitTunnel
- IKEv2
- true
-
- Eap
-
-
-
-
- 25
- 0
- 0
- 0
-
-
-
- 25
-
-
- true
-
- d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2
- d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74
-
- true
- false
-
- 13
-
-
-
- true
-
-
-
- true
-
- d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2
- d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74
-
- false
- true
- false
-
-
-
-
- AAD Conditional Access
- 1.3.6.1.4.1.311.87
-
-
-
-
- AAD Conditional Access
-
-
-
-
-
-
- false
- true
-
- true
- false
-
-
-
-
-
-
-
-
-
-
-
- 192.168.0.0
- 24
-
-
- 10.10.0.0
- 16
-
-
-```
-
-## Plug-in profile example
-
-```xml
-
-
- true
- false
- corp.contoso.com
- contoso.com,test.corp.contoso.com
- false
- false
-
-
- Helloworld.Com
-
- HelloServer
-
-
-
-
-
-
-
-
-
- true
-
-
-
-
- testserver1.contoso.com;testserver2.contoso..com
- true
- JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy
-
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
-
-
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
-
-
-
- corp.contoso.com
- 1.2.3.4,5.6.7.8
- 5.5.5.5
- false
-
-
- corp.contoso.com
- 10.10.10.10,20.20.20.20
- 100.100.100.100
-
-
-
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
- 6
- 10,20-50,100-200
- 20-50,100-200,300
- 30.30.0.0/16,10.10.10.10-20.20.20.20
-
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
- 3.3.3.3/32,1.1.1.1-2.2.2.2
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
- O:SYG:SYD:(A;;CC;;;AU)
-
-
-
-
- 192.168.0.0
- 24
-
-
- 10.10.0.0
- 16
-
-
-```
-
-## Related topics
-
-[Configuration service provider reference](index.yml)
\ No newline at end of file