Tip of the Day: Configure VPN Profiles using the SCCM/WMI Bridge - Part 3

Today’s Tip…

Today’s tip continues the series on deploying VPN Connection Profiles using PowerShell with a look at the new ProfileXML URI node (./Vendor/MSFT/VPNv2/ProfileName/ProfileXML) added to the VPNv2CSP in the Windows 10 v1607 Anniversary update. This node allows all fields of a connection profile to be configured in a single operation by marking an XML configuration string with the ProfileXML tag, as shown in the following figure.


Figure: Connection Profile Settings Marked by ProfileXML

ProfileXML Tag / ProfileXML Schema

When deploying VPN policy from MDM, connection elements are delivered using an OMA-DM SyncML provisioning file, with each setting broken down to its own individual node and configured using its own data type (Boolean, String, Int).

When using the ProfileXML tag, configuration elements are passed as a character string value using just one node:

  • The ProfileXML character string must be created following the ProfileXML XSD XML schema definition
  • The string must also be in escaped XML format, meaning that any “, ‘, <, >, or & instances must be replaced by their respective escape characters

The ProfileXML schema matches the node map of the CSP almost exactly. Some terms are different, for example list items such as RouteList drop "List" from the name, but otherwise there should be a one-to-one mapping between the ProfileXML schema and the CSP nodes.

The ProfileXML WMI Object

When used in a script, the value for ProfileXML is passed using its name-value pair in the arguments of the Set-WmiInstance command, as shown here:

[Image: Set-WmiInstance command with the ProfileXML name-value pair in its arguments]

The first task is to prepare the XML character string to be passed to the ProfileXML object. A simple way to accomplish this is to define a variable to hold the configuration string as its value.

[Image: script sample that assigns the XML configuration string to the $profileXML variable]

In the above example:

  • On line 6, the $profileXML variable is created and its value set to the XML string on lines 7 through 18.
  • Notice the opening and closing apostrophes around the VPNProfile tag. Their purpose is obvious but they are worth pointing out as a reminder not to forget them.
  • Notice how clean the XML formatting looks. It’s pretty easy to distinguish the setting being configured, and the ordering and tabbing of tags mirrors the VPNv2CSP tree diagram allowing it to be used as a reference when creating or modifying the configuration (adding/removing nodes, modifying values, etc.). 

While the sample looks nice and clean, it does come with a cost. There are a number of problems that need to be fixed before it can be used:

  1. The full URI path to the CSP configuration nodes needs to be added, including the profile name
  2. It is not in the escaped XML format required by the ProfileXML node

Tomorrow’s tip will address these issues as well as the final logic necessary to pull everything discussed thus far into a functional VPN configuration script.
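The escaped-XML requirement described above can be checked before anything is handed to the ProfileXML node. The following is an added example, not code from the original post or from this series: it confirms the string is well-formed XML rooted at VPNProfile, escapes the five reserved characters, and verifies that none remain. The function name, server name and route values are constructed for illustration.

```powershell
Set-StrictMode -Version Latest

# Hypothetical helper (not part of the series): validate, then escape, a ProfileXML string.
function ConvertTo-EscapedProfileXml {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ProfileXml)

    # 1. Reject input that is not well-formed XML before it goes any further.
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($ProfileXml) }
    catch { throw "ProfileXML is not well-formed: $($_.Exception.Message)" }

    # 2. The configuration string is expected to be wrapped in the VPNProfile tag.
    if ($doc.DocumentElement.Name -ne 'VPNProfile') {
        throw "Root element is '$($doc.DocumentElement.Name)', expected 'VPNProfile'."
    }

    # 3. Replace ", ', <, > and & with their XML escape sequences.
    $escaped = [System.Security.SecurityElement]::Escape($ProfileXml)

    # 4. Fail if a raw reserved character, or an & that does not start one of
    #    the five escape sequences, is still present.
    if ($escaped -match '[<>"'']|&(?!(?:lt|gt|quot|apos|amp);)') {
        throw 'Escaped ProfileXML still contains an unescaped character.'
    }
    return $escaped
}

# Constructed sample profile; the single-quoted here-string keeps the XML readable.
# Note that the schema uses Route where the CSP node map uses RouteList.
$profileXML = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
</VPNProfile>
'@

$escapedXML = ConvertTo-EscapedProfileXml -ProfileXml $profileXML
$escapedXML
```

The readable XML stays in the script as the editable source, and only the escaped copy is used as the ProfileXML value.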