
Customize Windows Installation of AnyConnect

You can customize the installation of Cisco AnyConnect with various modules and features on Windows. AnyConnect installation packages support a number of MSI properties that you can change during installation, including lockdown and disabling the display of the VPN module in the client's graphical user interface (GUI).

This guide describes how to deploy AnyConnect with the virtual private network (VPN), Umbrella Roaming Security, and DART (for diagnostics) modules. By default, AnyConnect deploys with the VPN module.

Requirements

  • Windows 8.1 or newer
    • The Roaming Security Module requires .NET Framework 4.6.2 or newer
    • Windows 10/11 on ARM-64 is not supported by the Umbrella Roaming Security module
  • Cisco AnyConnect 4.8 MR2 or newer
  • Administrative permissions on the Windows device

Prerequisites

Procedure

You can deploy AnyConnect for Windows with several options including:

  • Hide the VPN module in the AnyConnect client GUI.
  • Hide the AnyConnect installation from the Add/Remove Windows Programs list.
  • Enable the Lockdown option.

These options are set through MSI properties that you pass to the installer. Lockdown prevents the service from being disabled manually.

Deploy the AnyConnect VPN Module

  1. Run the Windows installer to deploy the AnyConnect VPN package and set the option that hides the VPN module in the AnyConnect client's GUI. This option does not disable the VPN module. Set the MSI property PRE_DEPLOY_DISABLE_VPN=1.

Note: If the VPN module is hidden in the client GUI, you can manage the VPN module through the AnyConnect command-line interface.

The following command disables the VPN functionality by copying the VPNDisable_ServiceProfile.xml file embedded in the MSI to the directory specified for profiles for VPN functionality.

For example:

msiexec /package anyconnect-win-<version>-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* output_1.log

Deploy the AnyConnect Umbrella Roaming Security Module

  1. Run the Windows installer to deploy the AnyConnect Umbrella Roaming Security package.

msiexec /package anyconnect-win-<version>-umbrella-predeploy.msi /norestart /passive /lvx* output_2.log

To enable lockdown, add LOCKDOWN=1 in the command-line installer.

msiexec /package anyconnect-win-<version>-umbrella-predeploy-k9.msi /passive LOCKDOWN=1 /lvx* output_3.log

(Optional) Deploy the AnyConnect DART Module

  1. Run the Windows installer to deploy the AnyConnect DART (diagnostics and troubleshooting) package.

msiexec /package anyconnect-win-<version>-dart-predeploy-k9.msi /norestart /passive /lvx* output_4.log

Hide AnyConnect from Add/Remove Programs List

You can hide the installed AnyConnect modules from users that have permissions to view the Windows Add/Remove Programs list.

  1. Run the Windows installer for an AnyConnect package using ARPSYSTEMCOMPONENT=1.
    The module installed this way does not appear in the Windows Add/Remove Programs list. Apply this to all modules at the time of deployment.

For example:

msiexec /package anyconnect-win-<version>-umbrella-predeploy-k9.msi /passive ARPSYSTEMCOMPONENT=1 /lvx* output_5.log
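
The deployment steps above combined into one script, as an added example that is not Cisco's own code: it installs the VPN, Umbrella and DART packages with the properties from this guide, stops on a failing msiexec exit code, and then lists the AnyConnect entries so that packages hidden from Add/Remove Programs are still inventoried. The -Version, -PackageDir, -LogDir and -HideFromArp parameters, the log file names and the DisplayName filter are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Cisco's code. -Version and -PackageDir are placeholders
# for the <version> string and the folder that holds the predeploy MSIs.
param(
    [Parameter(Mandatory)][string]$Version,
    [string]$PackageDir = '.',
    [string]$LogDir = $env:TEMP,
    [switch]$HideFromArp
)

# File-name fragments and MSI properties as they appear in the guide's commands.
$modules = @(
    @{ Name = 'core-vpn-predeploy-k9'; Props = @('PRE_DEPLOY_DISABLE_VPN=1') }
    @{ Name = 'umbrella-predeploy-k9'; Props = @('LOCKDOWN=1') }
    @{ Name = 'dart-predeploy-k9';     Props = @() }
)

function Install-AnyConnectMsi([string]$Msi, [string[]]$Props, [string]$Log) {
    if (-not (Test-Path -LiteralPath $Msi)) { throw "Package not found: $Msi" }
    $argLine = "/package `"$Msi`" /norestart /passive $($Props -join ' ') /lvx* `"$Log`""
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $argLine -Wait -PassThru
    # 0 = success; 3010 and 1641 = success with a reboot pending or started.
    if ($p.ExitCode -notin 0, 3010, 1641) {
        throw "msiexec exit code $($p.ExitCode) for $Msi (see $Log)"
    }
    $p.ExitCode
}

foreach ($m in $modules) {
    $props = @($m.Props)
    if ($HideFromArp) { $props += 'ARPSYSTEMCOMPONENT=1' }   # apply to every module
    $msi = Join-Path $PackageDir "anyconnect-win-${Version}-$($m.Name).msi"
    $log = Join-Path $LogDir "anyconnect-$($m.Name).log"
    $code = Install-AnyConnectMsi -Msi $msi -Props $props -Log $log
    Write-Output "$($m.Name): exit code $code"
}

# Hidden packages still need inventory. Windows Installer records
# ARPSYSTEMCOMPONENT as SystemComponent=1 under the Uninstall key.
# The DisplayName filter is an assumption about how the product registers.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*AnyConnect*' } |
    Select-Object DisplayName, DisplayVersion, SystemComponent
```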

Optional OrgInfo.json Configurations

When deploying the AnyConnect Roaming Security module, you can add and configure various parameters in the Umbrella OrgInfo.json profile file. These parameters, unlike LOCKDOWN, are applied to the OrgInfo.json profile directly rather than at the time of installation with an msiexec parameter. The following parameters do not apply if supplied at install time.

| Parameter | Values | Description |
|---|---|---|
| noAutoSuffix | 0 - Add the domains (default); 1 - Do not add domains | Does not add domains contained in the DNS Suffixes settings in network adapters and networking properties to the Internal Domains list. This feature exists so that the Umbrella roaming module is more aware of local resources and domains on foreign networks. |
| customUSResolvers | ["208.67.221.76", "208.67.223.76"] - Sets primary and secondary US-based Anycast addresses | Enables special DNS resolver Anycast addresses that limit DNS queries to only US-based Umbrella servers. Does not affect block pages or proxy. |
| noNXDOMAIN | 0 - Do re-query (default); 1 - Do not re-query | Automatically re-query public NXDOMAINS at the local resolvers. This feature allows roaming users to resolve internal domains on networks beyond their own without interruption or internal domains list management. Note: DNS search suffixes are automatically sent to local resolvers, unless this functionality is disabled. |
