---
title: VPN profile options (Windows 10)
description: Windows 10 adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
ms.reviewer:
manager: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: dulcemontemayor
ms.author: dansimp
ms.localizationpriority: medium
ms.date: 05/17/2018
---
# VPN profile options
**Applies to**
- Windows 10
- Windows 10 Mobile
Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
>[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first.
The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**.
| Profile setting | Can be configured in Intune and Configuration Manager |
| --- | --- |
| Connection type | yes |
| Routing: split-tunnel routes | yes, except exclusion routes |
| Routing: forced-tunnel | yes |
| Authentication (EAP) | yes, if connection type is built-in |
| Conditional access | yes |
| Proxy settings | yes, by PAC/WPAD file or server and port |
| Name resolution: NRPT | yes |
| Name resolution: DNS suffix | no |
| Name resolution: persistent | no |
| Auto-trigger: app trigger | yes |
| Auto-trigger: name trigger | yes |
| Auto-trigger: Always On | yes |
| Auto-trigger: trusted network detection | no |
| LockDown | no |
| Windows Information Protection (WIP) | yes |
| Traffic filters | yes |
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
## Sample Native VPN profile
The following is a sample Native VPN profile. This blob would fall under the ProfileXML node.
```
TestVpnProfile
testServer.VPN.com
IKEv2
Eap
Eap
25
0
0
0
25
true
d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2
d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74
true
false
13
true
true
d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2
d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74
false
true
false
AAD Conditional Access
1.3.6.1.4.1.311.87
AAD Conditional Access
false
true
true
false
SplitTunnel
true
192.168.0.0
24
10.10.0.0
16
Microsoft.MicrosoftEdge_8wekyb3d8bbwe
C:\windows\system32\ping.exe
%ProgramFiles%\Internet Explorer\iexplore.exe
6
10,20-50,100-200
20-50,100-200,300
30.30.0.0/16,10.10.10.10-20.20.20.20
ForceTunnel
Microsoft.MicrosoftEdge_8wekyb3d8bbwe
3.3.3.3/32,1.1.1.1-2.2.2.2
hrsite.corporate.contoso.com
1.2.3.4,5.6.7.8
5.5.5.5
true
.corp.contoso.com
10.10.10.10,20.20.20.20
100.100.100.100
corp.contoso.com
true
false
corp.contoso.com
contoso.com
HelloServer
Helloworld.Com
true
true
This is my Eku
This is my issuer hash
```
## Sample plug-in VPN profile
The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
```
TestVpnProfile
testserver1.contoso.com;testserver2.contoso..com
JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy
<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>
192.168.0.0
24
10.10.0.0
16
Microsoft.MicrosoftEdge_8wekyb3d8bbwe
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles%\Internet Explorer\iexplore.exe
6
10,20-50,100-200
20-50,100-200,300
30.30.0.0/16,10.10.10.10-20.20.20.20
Microsoft.MicrosoftEdge_8wekyb3d8bbwe
3.3.3.3/32,1.1.1.1-2.2.2.2
Microsoft.MicrosoftEdge_8wekyb3d8bbwe
O:SYG:SYD:(A;;CC;;;AU)
corp.contoso.com
1.2.3.4,5.6.7.8
5.5.5.5
false
corp.contoso.com
10.10.10.10,20.20.20.20
100.100.100.100
true
false
corp.contoso.com
contoso.com,test.corp.contoso.com
HelloServer
Helloworld.Com
```
## Apply ProfileXML using Intune
After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
1. Sign into the [Azure portal](https://portal.azure.com).
2. Go to **Intune** > **Device Configuration** > **Profiles**.
3. Click **Create Profile**.
4. Enter a name and (optionally) a description.
5. Choose **Windows 10 and later** as the platform.
6. Choose **Custom** as the profile type and click **Add**.
8. Enter a name and (optionally) a description.
9. Enter the OMA-URI **./user/vendor/MSFT/VPNv2/_VPN profile name_/ProfileXML**.
10. Set Data type to **String (XML file)**.
11. Upload the profile XML file.
12. Click **OK**.
13. Click **OK**, then **Create**.
14. Assign the profile.
## Learn more
- [Learn how to configure VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
- [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588)
- [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)