Table of contents
TOC
Collapse the table of content
Expand the table of content

VPNv2 CSP

Last Updated: 11/10/2016

The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.

Here are the requirements for this CSP:

  • VPN configuration commands must be wrapped in an Atomic block in SyncML.
  • For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you are using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
  • Instead of changing individual properties, follow these steps to make any changes:

    • Send a Delete command for the ProfileName to delete the entire profile.
    • Send the entire profile again with new values wrapped in an Atomic block.

    In certain conditions you can change some properties directly, but we do not recommend it.

The XSDs for all EAP methods are shipped in the box and can be found at the following locations:

  • C:\Windows\schemas\EAPHost
  • C:\Windows\schemas\EAPMethods

The following diagram shows the VPNv2 configuration service provider in tree format.

vpnv2 csp diagram

Device or User profile
For user profile, use ./User/Vendor/MSFT path and for device profile, use ./Device/Vendor/MSFT path.

VPNv2/ProfileName
Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/).

Supported operations include Get, Add, and Delete.

Note If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

VPNv2/ProfileName/AppTriggerList
Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect.

VPNv2/ProfileName/AppTriggerList/appTriggerRowId
A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.

Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/AppTriggerList/appTriggerRowId/App
App Node under the Row Id.

VPNv2/ProfileName/AppTriggerList/appTriggerRowId/App/Id
App identity, which is either an app’s package family name or file path. The type is inferred by the Id, and therefore cannot be specified in the get only App/Type field

VPNv2/ProfileName/AppTriggerList/appTriggerRowId/App/Type
Returns the type of App/Id. This value can be either of the following:

  • PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Windows Store application.
  • FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

Value type is chr. Supported operation is Get.

VPNv2/ProfileName/RouteList/
Optional node. List of routes to be added to the routing table for the VPN interface. This is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface.

Every computer that runs TCP/IP makes routing decisions. These decisions are controlled by the IP routing table. Adding values under this node updates the routing table with routes for the VPN interface post connection. The values under this node represent the destination prefix of IP routes. A destination prefix consists of an IP address prefix and a prefix length.

Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and do not need this information in the VPN Profile. Please check with your VPN server administrator to determine whether you need this information in the VPN profile.

VPNv2/ProfileName/RouteList/routeRowId
A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.

Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/RouteList/routeRowId/Address
Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.

Supported operations include Get, Add, Replace, and Delete. Value type is chr. Example, 192.168.0.0

VPNv2/ProfileName/RouteList/routeRowId/PrefixSize
The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.

Value type is int. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/RouteList/routeRowId/ExclusionRoute
Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values:

  • False (default) - This route will direct traffic over the VPN
  • True - This route will direct traffic over the physical interface.

Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/DomainNameInformationList
Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.

The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.

VPNv2/ProfileName/DomainNameInformationList/dniRowId
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.

Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/DomainNameInformationList/dniRowId/DomainName
Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:

  • FQDN - Fully qualified domain name
  • Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/DomainNameInformationList/dniRowId/DomainNameType
Returns the namespace type. This value can be one of the following:

  • FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host.
  • Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains.

Value type is chr. Supported operation is Get.

VPNv2/ProfileName/DomainNameInformationList/dniRowId/DnsServers
List of comma separated DNS Server IP addresses to use for the namespace.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/DomainNameInformationList/dniRowId/WebProxyServers
Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet.

Note Currently only one web proxy server is supported.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/DomainNameInformationList/dniRowId/AutoTrigger
Added in Windows 10, version 1607. Optional. Boolean to determine whether this domain name rule will trigger the VPN.

If set to False, this DomainName rule will not trigger the VPN.

If set to True, this DomainName rule will trigger the VPN

By default, this value is false.

Value type is bool. Persistent

VPNv2/ProfileName/DomainNameInformationList/dniRowId/Persistent
Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN is not connected. Value values:

  • False (default) - This DomainName rule will only be applied when VPN is connected.
  • True - This DomainName rule will always be present and applied.

Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/TrafficFilterList
An optional node that specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface.

Note Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules.

When adding multiple rules, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId
A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId/App
Per app VPN rule. This will allow only the apps specified to be allowed over the VPN interface. Value type is chr.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId/App/Id
App identity for the app-based traffic filter.

The value for this node can be one of the following:

  • PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.
  • FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
  • SYSTEM – This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId/App/Type
Returns the type of ID of the App/Id.

Value type is chr. Supported operation is Get.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId/Claims
Reserved for future use.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId/Protocol
Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.

Value type is int. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId/LocalPortRanges
A list of comma separated values specifying local port ranges to allow. For example, 100-120, 200, 300-320.

Note Ports are only valid when the protocol is set to TCP=6 or UDP=17.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId/RemotePortRanges
A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320.

Note Ports are only valid when the protocol is set to TCP=6 or UDP=17.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId/LocalAddressRanges
A list of comma separated values specifying local IP address ranges to allow.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId/RemoteAddressRanges
A list of comma separated values specifying remote IP address ranges to allow.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/TrafficFilterList/trafficFilterId/RoutingPolicyType
Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following:

  • SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
  • ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only.

This is only applicable for App ID based Traffic Filter rules.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/EdpModeId
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.

Additionally when connecting with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/RememberCredentials
Boolean value (true or false) for caching credentials. Default is false, which means do not cache credentials. If set to true, credentials are cached whenever possible.

Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/AlwaysOn
An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.

Note Always On only works for the active profile. Always On cannot be set with force tunnel. The first profile provisioned that can be auto triggered will automatically be set as active.

Valid values:

  • False (default) - Always On is turned off.
  • True - Always On is turned on.

Value type is bool. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/LockDown
Lockdown profile.

Valid values:

  • False (default) - this is not a LockDown profile.
  • True - this is a LockDown profile.

When the LockDown profile is turned on, it does the following things:

  • First, it automatically becomes an "always on" profile.
  • Second, it can never be disconnected.
  • Third, if the profile is not connected, then the user has no network.
  • Fourth, no other profiles may be connected or modified.

A Lockdown profile must be deleted before you can add, remove, or connect other profiles.

Value type is bool. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/DnsSuffix
Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/ByPassForLocal
Reserved for future use.

VPNv2/ProfileName/TrustedNetworkDetection
Optional. Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/ProfileXML
Added in Windows 10, version 1607. The XML schema for provisioning all the fields of a VPN. For the XSD, see ProfileXML XSD.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/Proxy
A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.

VPNv2/ProfileName/Proxy/Manual
Optional node containing the manual server settings.

VPNv2/ProfileName/Proxy/Manual/Server
Optional. Proxy server address as a fully qualified hostname or an IP address. You should set this element together with Port. Example, proxy.contoso.com.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/Proxy/AutoConfigUrl
Optional. URL to automatically retrieve the proxy settings.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/APNBinding
Reserved for future use.

VPNv2/ProfileName/APNBinding/ProviderId
Reserved for future use. Optional node.

VPNv2/ProfileName/APNBinding/AccessPointName
Reserved for future use.

VPNv2/ProfileName/APNBinding/UserName
Reserved for future use.

VPNv2/ProfileName/APNBinding/Password
Reserved for future use.

VPNv2/ProfileName/APNBinding/IsCompressionEnabled
Reserved for future use.

VPNv2/ProfileName/APNBinding/AuthenticationType
Reserved for future use.

VPNv2/ProfileName/DeviceCompliance
Added in Windows 10, version 1607. Nodes under DeviceCompliance can be used to enable AAD-based Conditional Access for VPN.

VPNv2/ProfileName/DeviceCompliance/Enabled
Added in Windows 10, version 1607. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.

Value type is bool. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/DeviceCompliance/Sso
Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.

VPNv2/ProfileName/DeviceCompliance/Sso/Enabled
Added in Windows 10, version 1607. If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication.

Value type is bool. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/DeviceCompliance/Sso/IssuerHash
Added in Windows 10, version 1607. Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/DeviceCompliance/Sso/Eku
Added in Windows 10, version 1607. Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/PluginProfile
Nodes under the PluginProfile are required when using a Windows Store based VPN plugin.

VPNv2/ProfileName/PluginProfile/ServerUrlList
Required for plug-in profiles. Comma separated list of servers in URL, hostname, or IP format.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/PluginProfile/CustomConfiguration
Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/PluginProfile/PluginPackageFamilyName
Required for plug-in profiles. Package family name for the SSL-VPN plug-in.

Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/PluginProfile/CustomStoreUrl
Reserved for future use.

VPNv2/ProfileName/NativeProfile
Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP).

VPNv2/ProfileName/NativeProfile/Servers
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/RoutingPolicyType
Optional for native profiles. Type of routing policy. This value can be one of the following:

  • SplitTunnel - Traffic can go over any interface as determined by the networking stack.
  • ForceTunnel - All IP traffic must go over the VPN interface.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/NativeProtocolType
Required for native profiles. Type of tunneling protocol used. This value can be one of the following:

  • PPTP
  • L2TP
  • IKEv2
  • Automatic

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/Authentication
Required node for native profile. It contains authentication information for the native VPN profile.

VPNv2/ProfileName/NativeProfile/Authentication/UserMethod
This value can be one of the following:

  • EAP
  • MSChapv2 (This is not supported for IKEv2)

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/Authentication/MachineMethod
This is only supported in IKEv2.

This value can be one of the following:

  • Certificate

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/Authentication/Eap
Required when the native profile specifies EAP authentication. EAP configuration XML.

Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/Authentication/Eap/Configuration
HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see EAP configuration.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/Authentication/Eap/Type
Reserved for future use.

VPNv2/ProfileName/NativeProfile/Authentication/Certificate
Reserved for future use.

VPNv2/ProfileName/NativeProfile/Authentication/Certificate/Issuer
Reserved for future use.

VPNv2/ProfileName/NativeProfile/Authentication/Certificate/Eku
Reserved for future use.

VPNv2/ProfileName/NativeProfile/CryptographySuite
Added in Windows 10, version 1607. Properties of IPSec tunnels.

VPNv2/ProfileName/NativeProfile/CryptographySuite/AuthenticationTransformConstants
Added in Windows 10, version 1607.

The following list contains the valid values:

  • MD596
  • SHA196
  • SHA256128
  • GCMAES128
  • GCMAES192
  • GCMAES256

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/CryptographySuite/CipherTransformConstants
Added in Windows 10, version 1607.

The following list contains the valid values:

  • DES
  • DES3
  • AES128
  • AES192
  • AES256
  • GCMAES128
  • GCMAES192
  • GCMAES256

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/CryptographySuite/EncryptionMethod
Added in Windows 10, version 1607.

The following list contains the valid values:

  • DES
  • DES3
  • AES128
  • AES192
  • AES256

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/CryptographySuite/IntegrityCheckMethod
Added in Windows 10, version 1607.

The following list contains the valid values:

  • MD5
  • SHA196
  • SHA256
  • SHA384

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/CryptographySuite/DHGroup
Added in Windows 10, version 1607.

The following list contains the valid values:

  • Group1
  • Group2
  • Group14
  • ECP256
  • ECP384
  • Group24

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/CryptographySuite/PfsGroup
Added in Windows 10, version 1607.

The following list contains the valid values:

  • PFS1
  • PFS2
  • PFS2048
  • ECP256
  • ECP384
  • PFSMM
  • PFS24

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

VPNv2/ProfileName/NativeProfile/L2tpPsk
Added in Windows 10, version 1607. The preshared key used for an L2TP connection.

Value type is chr. Supported operations include Get, Add, Replace, and Delete.

Examples

Profile example

<SyncML xmlns="SYNCML:SYNCML1.2" xmlns:A="syncml:metinf">
  <SyncBody>
    <Atomic>
      <CmdID>10000</CmdID>

      <!-- Configure VPN Server Name or Address (PhoneNumber=) [Comma Separated]-->
      <Add>
        <CmdID>10001</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPN_Demo/ProfileXML</LocURI>
          </Target>
          <Data>&lt;VPNProfile&gt;
  &lt;ProfileName&gt;VPN_Demo&lt;/ProfileName&gt;
  &lt;NativeProfile&gt;
    &lt;Servers&gt;VPNServer.contoso.com&lt;/Servers&gt;
    &lt;NativeProtocolType&gt;Automatic&lt;/NativeProtocolType&gt;
    &lt;Authentication&gt;
      &lt;UserMethod&gt;Eap&lt;/UserMethod&gt;
      &lt;Eap&gt;
        &lt;Configuration&gt;
&lt;EapHostConfig xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt; &lt;EapMethod&gt; &lt;Type xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;25&lt;/Type&gt; &lt;VendorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorId&gt; &lt;VendorType xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorType&gt; &lt;AuthorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/AuthorId&gt; &lt;/EapMethod&gt; &lt;Config xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt; &lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt; &lt;Type&gt;25&lt;/Type&gt; &lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1&quot;&gt; &lt;ServerValidation&gt; &lt;DisableUserPromptForServerValidation&gt;false&lt;/DisableUserPromptForServerValidation&gt; &lt;ServerNames&gt;&lt;/ServerNames&gt; &lt;/ServerValidation&gt; &lt;FastReconnect&gt;true&lt;/FastReconnect&gt; &lt;InnerEapOptional&gt;false&lt;/InnerEapOptional&gt; &lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt; &lt;Type&gt;13&lt;/Type&gt; &lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1&quot;&gt; &lt;CredentialsSource&gt; &lt;CertificateStore&gt; &lt;SimpleCertSelection&gt;false&lt;/SimpleCertSelection&gt; &lt;/CertificateStore&gt; &lt;/CredentialsSource&gt; &lt;ServerValidation&gt; &lt;DisableUserPromptForServerValidation&gt;false&lt;/DisableUserPromptForServerValidation&gt; &lt;ServerNames&gt;&lt;/ServerNames&gt; &lt;/ServerValidation&gt; &lt;DifferentUsername&gt;false&lt;/DifferentUsername&gt; &lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt;false&lt;/PerformServerValidation&gt; &lt;AcceptServerName xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt; &lt;TLSExtensions xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt; &lt;FilteringInfo xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3&quot;&gt; &lt;EKUMapping&gt; &lt;EKUMap&gt; &lt;EKUName&gt;Unknown Key Usage&lt;/EKUName&gt; &lt;EKUOID&gt;1.3.6.1.4.1.311.87&lt;/EKUOID&gt; &lt;/EKUMap&gt; &lt;/EKUMapping&gt; &lt;ClientAuthEKUList Enabled=&quot;true&quot;&gt; &lt;EKUMapInList&gt; &lt;EKUName&gt;Unknown Key Usage&lt;/EKUName&gt; &lt;/EKUMapInList&gt; &lt;/ClientAuthEKUList&gt; &lt;/FilteringInfo&gt; &lt;/TLSExtensions&gt; &lt;/EapType&gt; &lt;/Eap&gt; &lt;EnableQuarantineChecks&gt;false&lt;/EnableQuarantineChecks&gt; &lt;RequireCryptoBinding&gt;false&lt;/RequireCryptoBinding&gt; &lt;PeapExtensions&gt; &lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/PerformServerValidation&gt; &lt;AcceptServerName xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt; &lt;/PeapExtensions&gt; &lt;/EapType&gt; &lt;/Eap&gt; &lt;/Config&gt; &lt;/EapHostConfig&gt;
    &lt;/Configuration&gt;
      &lt;/Eap&gt;
    &lt;/Authentication&gt;
    &lt;RoutingPolicyType&gt;SplitTunnel&lt;/RoutingPolicyType&gt;
  &lt;/NativeProfile&gt;
  &lt;DomainNameInformation&gt;
    &lt;DomainName&gt;.contoso.com&lt;/DomainName&gt;
    &lt;DNSServers&gt;10.5.5.5&lt;/DNSServers&gt;
  &lt;/DomainNameInformation&gt;
 &lt;TrafficFilter&gt;  
    &lt;App&gt;%ProgramFiles%\Internet Explorer\iexplore.exe&lt;/App&gt; 
  &lt;/TrafficFilter&gt; 
  &lt;TrafficFilter&gt;  
    &lt;App&gt;Microsoft.MicrosoftEdge_8wekyb3d8bbwe&lt;/App&gt;  
  &lt;/TrafficFilter&gt;
  &lt;Route&gt;
    &lt;Address&gt;10.0.0.0&lt;/Address&gt;
    &lt;PrefixSize&gt;8&lt;/PrefixSize&gt;
  &lt;/Route&gt;
  &lt;Route&gt;
    &lt;Address&gt;25.0.0.0&lt;/Address&gt;
    &lt;PrefixSize&gt;8&lt;/PrefixSize&gt;
  &lt;/Route&gt;
    &lt;RememberCredentials&gt;true&lt;/RememberCredentials&gt;
  &lt;/VPNProfile&gt;</Data>
        </Item>
      </Add>

    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>

AppTriggerList

<!-- Internet Explorer -->
      <Add>
        <CmdID>10013</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id</LocURI>
          </Target>
          <Data>%PROGRAMFILES%\Internet Explorer\iexplore.exe</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10014</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id</LocURI>
          </Target>
          <Data>%PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe</Data>
        </Item>
      </Add>
      <!-- Edge -->
      <Add>
        <CmdID>10015</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id</LocURI>
          </Target>
          <Data>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Data>
        </Item>
      </Add>

RouteList and ExclusionRoute


     <Add>
        <CmdID>10008</CmdID>
        <Item>
          <Target>
           <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address</LocURI>
          </Target>
          <Data>192.168.0.0</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10009</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">int</Format>
          </Meta>
          <Data>24</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10010</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>

DomainNameInformationList


      <!-- Domain Name rule with Suffix Match with DNS Servers -->
      <Add>
        <CmdID>10013</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName</LocURI>  
          </Target>
          <Data>.contoso.com</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10014</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers</LocURI>  
          </Target>
          <Data>192.168.0.11,192.168.0.12</Data>
        </Item>
      </Add>

<!-- Domain Name rule with Suffix Match with Web Proxy -->
      <Add>
        <CmdID>10013</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName</LocURI>  
          </Target>
          <Data>.contoso.com</Data>
        </Item>
      </Add>

      <Add>
        <CmdID>10015</CmdID>
        <Item>
          <Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers</LocURI>  
          </Target>
          <Data>192.168.0.100:8888</Data>
        </Item>
      </Add>

<!-- Domain Name rule with FQDN Match with DNS Servers -->

      <Add>
        <CmdID>10016</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName</LocURI>  
          </Target>
          <Data>finance.contoso.com</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10017</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers</LocURI>  
          </Target>
          <Data>192.168.0.11,192.168.0.12</Data>
        </Item>
      </Add>

<!-- Domain Name rule with FQDN Match with Proxy Server -->

      <Add>
        <CmdID>10016</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName</LocURI>  
          </Target>
          <Data>finance.contoso.com</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10017</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers</LocURI>  
          </Target>
          <Data>192.168.0.11:8080</Data>
        </Item>
      </Add>

<!-- Domain Name rule for all other (any) traffic through DNS Servers -->
      <Add>
        <CmdID>10016</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName</LocURI>  
          </Target>
          <Data>.</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10017</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers</LocURI>  
          </Target>
          <Data>192.168.0.11,192.168.0.12</Data>
        </Item>
      </Add>

<!-- Domain Name rule for all other (any) traffic through Proxy -->

      <Add>
        <CmdID>10016</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName</LocURI>  
          </Target>
          <Data>.</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10017</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers</LocURI>  
          </Target>
          <Data>192.168.0.11</Data>
        </Item>
      </Add>

AutoTrigger

<Add>
        <CmdID>10010</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>

Persistent

<Add>
        <CmdID>10010</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>

TrafficFilterLIst App

  Desktop App
    <Add>
        <CmdID>10013</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/0/App/Id</LocURI>
          </Target>
          <Data>%ProgramFiles%\Internet Explorer\iexplore.exe</Data>
        </Item>
      </Add>
  Store App
      <Add>
        <CmdID>10014</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/1/App/Id</LocURI>  
          </Target>
          <Data>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Data>
        </Item>
      </Add>
  SYSTEM
      <Add>
        <CmdID>10015</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/App/Id</LocURI>  
          </Target>
          <Data>SYSTEM</Data>
        </Item>
      </Add>

Protocol, LocalPortRanges, RemotePortRanges, LocalAddressRanges, RemoteAddressRanges, RoutingPolicyType, EDPModeId, RememberCredentials, AlwaysOn, Lockdown, DnsSuffix, TrustedNetworkDetection

Protocol
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/Protocol</LocURI>  
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">int</Format>
          </Meta>
          <Data>6</Data>
        </Item>
      </Add>
  LocalPortRanges
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalPortRanges</LocURI>  
          </Target>
          <Data>10,20-50,100-200</Data>
        </Item>
      </Add>

  RemotePortRanges
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemotePortRanges</LocURI>  
          </Target>
          <Data>20-50,100-200,300</Data>
        </Item>
      </Add>

  LocalAddressRanges
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalAddressRanges/LocURI>  
          </Target>
          <Data>3.3.3.3/32,1.1.1.1-2.2.2.2</Data>
        </Item>
      </Add>

  RemoteAddressRanges
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemoteAddressRanges</LocURI>  
          </Target>
          <Data>30.30.0.0/16,10.10.10.10-20.20.20.20</Data>
        </Item>
      </Add>

  RoutingPolicyType
<Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/0/RoutingPolicyType</LocURI>
          </Target>
          <Data>ForceTunnel</Data>
        </Item>
      </Add>

  EDPModeId
    <Add>
      <CmdID>$CmdID$</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID</LocURI>
        </Target>
        <Data>corp.contoso.com</Data>
      </Item>
    </Add>

  RememberCredentials
<Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RememberCredentials</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>

  AlwaysOn
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AlwaysOn</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>

  Lockdown
<Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Lockdown</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>

  DnsSuffix
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DnsSuffix</LocURI>
          </Target>
          <Data>Adatum.com</Data>
        </Item>
      </Add>

  TrustedNetworkDetection
     <!-- Configure Trusted Networks (TrustedNetworks=) [Comma separated] -->
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrustedNetworkDetection</LocURI>
          </Target>
          <Data>Adatum.com</Data>
        </Item>
      </Add>

Proxy - Manual or AutoConfigUrl

Manual
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/Manual/Server</LocURI>
          </Target>
          <Data>192.168.0.100:8888</Data>
        </Item>
      </Add>

  AutoConfigUrl
      <Add>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/AutoConfigUrl</LocURI>
          </Target>
          <Data>HelloWorld.com</Data>
        </Item>
      </Add>

Device Compliance - Sso

  Enabled
<Add>
        <CmdID>10011</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>

  IssuerHash
<Add>
        <CmdID>10011</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash</LocURI>
          </Target>
          <Data>ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee</Data>
        </Item>
      </Add>

  Eku
<Add>
        <CmdID>10011</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU</LocURI>
          </Target>
          <Data>1.3.6.1.5.5.7.3.2</Data>
        </Item>
      </Add>

PluginProfile

PluginPackageFamilyName
      <!-- Configure VPN Server Name or Address (PhoneNumber=) [Comma Separated]-->
      <Add>
        <CmdID>10001</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/ServerUrlList</LocURI>
          </Target>
          <Data>selfhost.corp.contoso.com</Data>
        </Item>
      </Add>

      <!-- Configure VPN Plugin AppX Package ID (ThirdPartyProfileInfo=) -->
      <Add>
        <CmdID>10002</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/PluginPackageFamilyName</LocURI>
          </Target>
          <Data>TestVpnPluginApp-SL_8wekyb3d8bbwe</Data>
        </Item>
      </Add>

      <!-- Configure Microsoft's Custom XML (ThirdPartyProfileInfo=) -->
      <Add>
        <CmdID>10003</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/CustomConfiguration</LocURI>
          </Target>
          <Data>&lt;pluginschema&gt;&lt;ipAddress&gt;auto&lt;/ipAddress&gt;&lt;port&gt;443&lt;/port&gt;&lt;networksettings&gt;&lt;routes&gt;&lt;includev4&gt;&lt;route&gt;&lt;address&gt;172.10.10.0&lt;/address&gt;&lt;prefix&gt;24&lt;/prefix&gt;&lt;/route&gt;&lt;/includev4&gt;&lt;/routes&gt;&lt;namespaces&gt;&lt;namespace&gt;&lt;space&gt;.vpnbackend.com&lt;/space&gt;&lt;dnsservers&gt;&lt;server&gt;172.10.10.11&lt;/server&gt;&lt;/dnsservers&gt;&lt;/namespace&gt;&lt;/namespaces&gt;&lt;/networksettings&gt;&lt;/pluginschema&gt;</Data>
        </Item>
      </Add>

NativeProfile

Servers
<Add>
        <CmdID>10001</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Servers</LocURI>
          </Target>
          <Data>Selfhost.corp.contoso.com</Data>
        </Item>
      </Add>

  RoutingPolicyType
      <Add>
        <CmdID>10007</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/RoutingPolicyType</LocURI>
          </Target>
          <Data>ForceTunnel</Data>
        </Item>
      </Add>

  NativeProtocolType
    <!-- Configure VPN Protocol Type (L2tp, Pptp, Ikev2) -->
      <Add>
        <CmdID>10002</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/NativeProtocolType</LocURI>
          </Target>
          <Data>Automatic</Data>
        </Item>
      </Add>

  Authentication
  UserMethod
      <!-- Configure VPN User Method (Mschapv2, Eap) -->
      <Add>
        <CmdID>10003</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/UserMethod</LocURI>
          </Target>
          <Data>Eap</Data>
        </Item>
      </Add>

  MachineMethod
      <!-- Configure VPN Machine Method (Certificate, Eap, PresharedKey) -->
      <Add>
        <CmdID>10004</CmdID>
        <Item>
         <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/MachineMethod</LocURI>
          </Target>
          <Data>Eap</Data>
        </Item>
      </Add>

  CryptographySuite
        <Add>
        <CmdID>10004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/AuthenticationTransformConstants</LocURI>
          </Target>
          <Data>SHA196</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/CipherTransformConstants</LocURI>
          </Target>
          <Data>AES192</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/EncryptionMethod</LocURI>
          </Target>
          <Data>PFS2048</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>10004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/IntegrityCheckMethod</LocURI>
          </Target>
          <Data>Eap</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>Group14</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/DHGroup</LocURI>
          </Target>
          <Data>SHA256</Data>
        </Item>
     </Add>
      <Add>
        <CmdID>10004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/PfsGroup</LocURI>
          </Target>
          <Data>AES128</Data>
        </Item>
      </Add>

  DisableClassBasedDefaultRoute 
        <CmdID>10011</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/DisableClassBasedDefaultRoute</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">bool</Format>
          </Meta>
          <Data>true</Data>
        </Item>
      </Add>

Configuration service provider reference

© 2017 Microsoft