This week’s exciting tip series examines what you need to know to successfully configure Windows 10 VPN client settings using PowerShell scripts. Before proceeding, let’s take a moment to reflect.
- Tip #1 looked at Windows 10’s device configuration architecture, the foundation of which is provided by the ‘MDM stack’
- MDM configuration service providers, such as the VPNv2CSP sit on top of the MDM stack
- Entry points for the delivery of MDM CSP settings include
- The MDM Client, which is used by Microsoft Intune to configure device settings using XML Provisioning documents, the native format for MDM configuration service providers
- The WMI/SCCM Bridge, which more or less provides a wrapper around the CSP, exposing CSP nodes as WMI objects
- Today’s tip discusses how those WMI objects can be addressed via WMI Bridge Provider class definitions
- Remaining tips in this series will cover a few more ‘things you need to know’ and pull everything together into a working PowerShell script that can be used to configure VPNv2CSP configuration node
Note: Some concepts and terms referenced in today’s tip assume familiarity a few previously tipped topics. If you need a refresher or additional context, view previous tips on the Tip-of-the-Day Blog.
MDM Bridge WMI Providers
MDM Bridge WMI Provider classes include member properties that map directly to CSP URI nodes and allow admins to use PowerShell or SCCM to manage VPN profiles. A few of the WMI classes for the VPNv2CSP are listed below.
For a complete list see the MSDN MDM Bridge WMI Provider reference at
Each WMI Bridge Provider includes properties that expose a subset of the total number of VPNv2CSP URI nodes. A couple of examples include the MDM_VPNv2_01 and MDM_VPNv2_NativeProfile02 providers, whose properties are reflected by the following class definitions.
Class properties can be accessed using PowerShell commands such as Set-WmiInstance and GetWmiObject. The following example is used to retrieve all VPN profiles on the computer.
Executing the command returns the following output.
Let’s take a closer look at a few of the class properties in the above figure:
- Class – The name of the object class, ‘MDM_VPNv2_01’
- Namespace – The parent for MDM WMI Bridge providers, which is ‘root\cimv2\mdm\dmmap’. The parent namespace is used to invoke the full path to the object class, as indicated by __PATH.
- InstanceID – This is the name given to the object instance when it is created. It is also used to provide the ProfileName for the VPN connection.
- ParentID – When prepended along with the InstanceID to other class member properties (e.g. Always On, DnsSuffix, LockDown, etc.) at runtime, the ParentID value fulfills the requirement of providing the full URI path to the targeted CSP node. For example:
- URI Setting Node: AlwaysOn
- Full URI Path: ./Vendor/MSFT/VPNv2/ProfileName/AlwaysOn
Creating an Object Instance
The ContosoVPN profile instance in the figure above was created using the Set-WmiInstance PowerShell command.
This command will be discussed in greater detail in a subsequent tip, but for now take a look at the first half of the command
With the values for the –Namespace and -Class properties set, an instance of the MDM_VPNv2_01 class can be created at runtime. Factor in the value passed by the InstanceID property and this is essentially the connection profile you will see in the VPN Settings UI and the network control panel applet.
Now, the second half of the command
The –Argument switch is where VPNv2CSP configuration properties are passed. The options you can pass for a given class include only those included in its definition. See the figure above for the MDM_VPNv2_01 class definition.
At this point you might be saying to yourself,
‘Whoa, there are not a whole lot of VPN properties included in the MDM_VPNv2_01 definition. And they certainly aren’t all reflected in that screenshot! What are you trying to pull here!?’
And with the exception of any assertions regarding mischievous behavior, those observations would be correct.
As noted above, each of the (17) MDM_VPNv2 classes contain only a subset of all configurable fields of a VPN profile. There are numerous approaches to logic that can be added to make things simpler, but at the end of the day you would still have to create a class object for each provider containing VPNv2CSP fields you want to set.
The ProfileXML Tag
That’s where the new ProfileXML URI added to the VPNv2CSP in the Windows 10 v1607 Anniversary update comes in handy. ProfileXML, a property of the MDM_VPNv2_01 class, allows the configuration of all VPN fields by passing escaped-formatted XML. You’ll not that this property is used in the above example.
The ProfileXML property is the subject of Tip #3. Once that is covered, we will be able to pull everything together into a working script.