You can customize the installation of Cisco AnyConnect with various modules and features on Windows. AnyConnect installation packages support a number of MSI properties that you can change during installation, including lockdown and disabling the display of the VPN module in the client's graphical user interface (GUI).
This guide describes how to deploy AnyConnect with the virtual private network (VPN), Umbrella Roaming Security, and DART (for diagnostics) modules. By default, AnyConnect deploys with the VPN module.
- Windows 8.1 or newer
- The Roaming Security Module requires .NET Framework 4.6.2 or newer
- Windows 10/11 on ARM-64 is not supported by the Umbrella Roaming Security module
- Cisco AnyConnect 4.8 MR2 or newer
- Administrative permissions on the Windows device
- Download OrgInfo.json from Umbrella.
- Download the AnyConnect Package (Windows) from https://software.cisco.com/download/home.
You can deploy AnyConnect for Windows with several options including:
- Hide the VPN module in the AnyConnect client GUI.
- Hide the AnyConnect installation from the Add/Remove Windows Programs list.
- Enable the Lockdown option.
Lockdown prevents the service from being disabled manually.
- Run the Windows installer to deploy the AnyConnect VPN package and set the option that hides the VPN module in the AnyConnect client's GUI. This option does not disable the VPN module. Set the MSI property to
Note: If the VPN module is hidden in the client GUI, you can manage the VPN module through the AnyConnect command-line interface.
The following command disables the VPN functionality by copying the VPNDisable_ServiceProfile.xml file embedded in the MSI to the directory specified for profiles for VPN functionality.
msiexec /package anyconnect-win-<version>-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* output_1.log
- Run the Windows installer to deploy the AnyConnect Umbrella Roaming Security package.
msiexec /package anyconnect-win-<version>-umbrella-predeploy.msi /norestart /passive /lvx* output_2.log
To enable lockdown, add LOCKDOWN=1 in the command-line installer.
msiexec /package anyconnect-win-<version>-umbrella-predeploy-k9.msi /passive LOCKDOWN=1 /lvx* output_3.log
- Run the Windows installer to deploy the AnyConnect DART (diagnostics and troubleshooting) package.
msiexec /package anyconnect-win-<version>-dart-predeploy-k9.msi /norestart /passive /lvx* output_4.log
You can hide the installed AnyConnect modules from users that have permissions to view the Windows Add/Remove Programs list.
- Run the Windows installer for an AnyConnect package using
This provided module does not appear in the Windows Add/Remove Programs list. Apply this to all modules at the time of deployment.
msiexec /package anyconnect-win-<version>-umbrella-predeploy-k9.msi /passive ARPSYSTEMCOMPONENT=1 /lvx* output_5.log
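The installer steps above, combined into one PowerShell script that stops on a failed install and then checks that each module is hidden from Add/Remove Programs. This is an added example, not Cisco's script; the -Version and -PackageDir parameters, the log file names and the 'Cisco AnyConnect*' display-name filter are assumptions.

```powershell
# Added example: scripted form of the msiexec commands on this page.
# -Version and -PackageDir are assumptions; package file names follow the page's "-k9" pattern.
param(
    [Parameter(Mandatory)] [string]$Version,
    [string]$PackageDir = $PSScriptRoot
)

# Install order and per-module MSI properties as given on the page.
$modules = @(
    @{ Name = 'core-vpn'; Props = @('PRE_DEPLOY_DISABLE_VPN=1') },  # disables VPN functionality
    @{ Name = 'umbrella'; Props = @('LOCKDOWN=1') },                # lockdown
    @{ Name = 'dart';     Props = @() }                             # diagnostics
)

foreach ($m in $modules) {
    $msi = Join-Path $PackageDir "anyconnect-win-${Version}-$($m.Name)-predeploy-k9.msi"
    if (-not (Test-Path -LiteralPath $msi)) { throw "Package not found: $msi" }

    # Log file name is an assumption; /lvx* writes a verbose installer log.
    $log = Join-Path $env:TEMP "anyconnect-$($m.Name)-install.log"

    # ARPSYSTEMCOMPONENT=1 is applied to every module, as the page instructs.
    $msiArgs = @('/package', "`"$msi`"", '/norestart', '/passive') + $m.Props +
               @('ARPSYSTEMCOMPONENT=1', '/lvx*', "`"$log`"")

    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success with a reboot required; anything else stops the run.
    if ($p.ExitCode -notin 0, 3010) {
        throw "msiexec failed for $($m.Name) with exit code $($p.ExitCode); see $log"
    }
    Write-Output "Installed $($m.Name) (exit code $($p.ExitCode)), log: $log"
}

# Post-install check: Windows Installer records ARPSYSTEMCOMPONENT=1 as SystemComponent=1
# under the product's Uninstall key, which is what hides it from Add/Remove Programs.
# The DisplayName filter is an assumption about how the products are named.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Cisco AnyConnect*' } |
    Select-Object DisplayName, DisplayVersion,
        @{ Name = 'HiddenFromARP'; Expression = { $_.SystemComponent -eq 1 } }
```

Run it from an elevated PowerShell session; a module that shows HiddenFromARP as False was installed without ARPSYSTEMCOMPONENT=1.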
When deploying the AnyConnect Roaming Security module, you can add and configure various parameters to the Umbrella OrgInfo.json profile file. These parameters, unlike LOCKDOWN, are applied to the OrgInfo.json profile directly rather than at the time of installation with an msiexec parameter. The following does not apply if run at install time.
|Parameter|Description|
|---|---|
|noAutoSuffix|Does not add domains contained in the DNS Suffixes settings in network adapters and networking properties to the Internal Domains list. This feature exists so that the Umbrella roaming module is more aware of local resources and domains on foreign networks.|
|customUSResolvers|Enables special DNS resolver Anycast addresses that limit DNS queries to only US-based Umbrella servers. Does not affect block pages or proxy.|
|noNXDOMAIN|Automatically re-queries public NXDOMAINS at the local resolvers. This feature allows roaming users to resolve internal domains on networks beyond their own without interruption or internal domains list management.|
Note: DNS search suffixes are automatically sent to local resolvers, unless this functionality is disabled.