Merge branch 'master' into v-mathavale-5324320-16-to-30

2025-05-12 13:27:23 +00:00 · 2021-09-28 14:18:13 +05:30 · 2021-09-28 14:18:13 +05:30 · 0257bc2601
commit 0257bc2601
parent 0efafa2077 5e09c3b27d
17 changed files with 183 additions and 97 deletions
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@ -281,7 +281,7 @@ To find device identification strings using Device Manager
 ### Getting device identifiers using PnPUtil

 ```console
-pnputil /enum-devices /deviceids
+pnputil /enum-devices /ids
 ```

 Here is an example of an output for a single device on a machine:
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@ -71,7 +71,7 @@ sections:

      - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked?
        answer: |
-          Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).
+          Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).

      - question: Why does authentication fail immediately after provisioning hybrid key trust?
        answer: |
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@ -33,6 +33,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes
 > Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.

 Steps you will perform include:
+
 - [Prepare Azure AD Connect](#prepare-azure-ad-connect)
 - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
 - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
@ -42,12 +43,14 @@ Steps you will perform include:
 - [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile)

 ## Requirements
+
 You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on.

 - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
 - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role

 ### High Availability
+
 The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority.  Certificate registration servers enroll certificates on behalf of the user.  Users request certificates from the NDES service rather than directly from the issuing certificate authority.

 The architecture of the NDES server prevents it from being clustered or load balanced for high availability.  To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion).
@ -61,9 +64,11 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u
 If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers.  Alternatively, consider consolidating certificate templates to reduce the number of certificate templates.

 ### Network Requirements
+
 All communication occurs securely over port 443.

 ## Prepare Azure AD Connect
+
 Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain.  The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.

 Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller.  Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller.
@ -71,6 +76,7 @@ Most environments change the user principal name suffix to match the organizatio
 To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute.  Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.

 ### Verify AAD Connect version
+
 Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.

 1. Open **Synchronization Services** from the **Azure AD Connect** folder.
@ -78,6 +84,7 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad
 3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version.

 ### Verify the onPremisesDistinguishedName attribute is synchronized
+
 The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer.

 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/
@ -89,6 +96,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni
 ## Prepare the Network Device Enrollment Services (NDES) Service Account

 ### Create the NDES Servers global security group
+
 The deployment uses the **NDES Servers** security group to assign the NDES service the proper user right assignments.

 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
@ -100,6 +108,7 @@ Sign-in to a domain controller or management workstation with access equivalent
 5. Click **OK**.

 ### Add the NDES server to the NDES Servers global security group
+
 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.

 1. Open **Active Directory Users and Computers**.
@ -111,6 +120,7 @@ Sign-in to a domain controller or management workstation with access equivalent
 > For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests.  You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.

 ### Create the NDES Service Account
+
 The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA).  While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration.  The deployment uses a normal services account.

 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
@ -124,6 +134,7 @@ Sign-in to a domain controller or management workstation with access equivalent
 > Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk.  Normal service account passwords should expire in accordance with the organizations user password expiration policy.  Create a reminder to change the service account's password two weeks before it will expire.  Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires.

 ### Create the NDES Service User Rights Group Policy object
+
 The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group.  As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy.

 Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
@ -141,6 +152,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
 11. Close the **Group Policy Management Editor**.

 ### Configure security for the NDES Service User Rights Group Policy object
+
 The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group.

 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
@ -153,6 +165,7 @@ Sign-in to a domain controller or management workstation with access equivalent
 6. In the **Group or User names** list, select **Authenticated Users**.  In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.

 ### Deploy the NDES Service User Rights Group Policy object
+
 The application of the **NDES Service User Rights** Group Policy object uses security group filtering.  This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all computers. However, the security group filtering ensures only computers included in the **NDES Servers** global security group receive and apply the Group Policy object, which results in providing the **NDESSvc** service account with the proper user rights.

 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
@ -165,6 +178,7 @@ Sign-in to a domain controller or management workstation with access equivalent
 > Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object.

 ## Prepare Active Directory Certificate Authority
+
 You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role.  In this task, you will

 - Configure the certificate authority to let Intune provide validity periods
@ -173,6 +187,7 @@ You must prepare the public key infrastructure and the issuing certificate autho
 - Publish certificate templates

 ### Configure the certificate authority to let Intune provide validity periods
+
 When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template.  If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue.

 > [!NOTE]
@ -181,12 +196,15 @@ When deploying certificates using Microsoft Intune, you have the option of provi
 Sign-in to the issuing certificate authority with access equivalent to _local administrator_.

 1. Open an elevated command prompt and type the following command:
+
   ```
   certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
   ```
-2. Restart the **Active Directory Certificate Services** service.
+
+1. Restart the **Active Directory Certificate Services** service.

 ### Create an NDES-Intune authentication certificate template
+
 NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client.  The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point.

 Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials.
@ -207,6 +225,7 @@ Sign-in to the issuing certificate authority or management workstations with _Do
 10. Click on the **Apply** to save changes and close the console.

 ### Create an Azure AD joined Windows Hello for Business authentication certificate template
+
 During Windows Hello for Business provisioning,  Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user.  This task configures the Windows Hello for Business authentication certificate template.  You use the name of the certificate template when configuring the NDES Server.

 Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
@ -225,10 +244,11 @@ Sign in a certificate authority or management workstations with _Domain Admin eq
 8. On the **Subject** tab, select **Supply in the request**.
 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list.  Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
-12. Select  **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
-13. Close the console.
+11. Select  **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
+12. Close the console.

 ### Publish certificate templates
+
 The certificate authority may only issue certificates for certificate templates that are published to that certificate authority.  If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.

 > [!Important]
@ -244,16 +264,19 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 6. Close the console.

 ## Install and Configure the NDES Role
+
 This section includes the following topics:
-* Install the Network Device Enrollment Service Role
-* Configure the NDES service account
-* Configure the NDES role and Certificate Templates
-* Create a Web Application Proxy for the Internal NDES URL.
-* Enroll for an NDES-Intune Authentication Certificate
-* Configure the Web Server Certificate for NDES
-* Verify the configuration
+
+- Install the Network Device Enrollment Service Role
+- Configure the NDES service account
+- Configure the NDES role and Certificate Templates
+- Create a Web Application Proxy for the Internal NDES URL.
+- Enroll for an NDES-Intune Authentication Certificate
+- Configure the Web Server Certificate for NDES
+- Verify the configuration

 ### Install the Network Device Enrollment Services Role
+
 Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority.

 Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
@ -272,11 +295,13 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
   ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
 7. Click **Next** on the **Web Server Role (IIS)** page.
 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
-   * **Web Server > Security > Request Filtering**
-   * **Web Server > Application Development > ASP.NET 3.5**.
-   * **Web Server > Application Development > ASP.NET 4.5**.   .
-   * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
-   * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
+
+   - **Web Server > Security > Request Filtering**
+   - **Web Server > Application Development > ASP.NET 3.5**.
+   - **Web Server > Application Development > ASP.NET 4.5**.   .
+   - **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
+   - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
+
   ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png)
 9. Click **Install**. When the installation completes, continue with the next procedure.  **Do not click Close**.
   > [!IMPORTANT]
@ -284,9 +309,11 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
   ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png)

 ### Configure the NDES service account
+
 This task adds the NDES service account to the local IIS_USRS group.  The task also configures the NDES service account for Kerberos authentication and delegation

 #### Add the NDES service account to the IIS_USRS group
+
 Sign-in the NDES server with access equivalent to _local administrator_.

 1. Start the **Local Users and Groups** management console (`lusrmgr.msc`).
@ -295,10 +322,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 4. Close the management console.

 #### Register a Service Principal Name on the NDES Service account
+
 Sign-in the NDES server with access equivalent to _Domain Admins_.

 1. Open an elevated command prompt.
 2. Type the following command to register the service principal name
+
   ```
   setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]
   ```
@ -313,6 +342,7 @@ Sign-in the NDES server with access equivalent to _Domain Admins_.
 ![Set SPN command prompt.](images/aadjcert/setspn-commandprompt.png)

 #### Configure the NDES Service account for delegation
+
 The NDES service enrolls certificates on behalf of users.  Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation.

 Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
@ -332,9 +362,11 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
 10. Click **OK**.  Close **Active Directory Users and Computers**.

 ### Configure the NDES Role and Certificate Templates
+
 This task configures the NDES role and the certificate templates the NDES server issues.

 #### Configure the NDES Role
+
 Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.

 > [!NOTE]
@ -355,13 +387,15 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 7. On the **Cryptography for NDES** page, click **Next**.
 8. Review the **Confirmation** page.  Click **Configure**.
   ![NDES Confirmation.](images/aadjcert/ndesconfig05.png)
-8. Click **Close** after the configuration completes.
+9. Click **Close** after the configuration completes.

 #### Configure Certificate Templates on NDES
+
 A single NDES server can request a maximum of three certificate templates.  The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile.  The Microsoft Intune SCEP certificate profile has three values.
-* Digital Signature
-* Key Encipherment
-* Key Encipherment, Digital Signature
+
+- Digital Signature
+- Key Encipherment
+- Key Encipherment, Digital Signature

 Each value maps to a registry value name in the NDES server.  The NDES server translates an incoming SCEP provided value into the corresponding certificate template.  The table below shows the SCEP profile values of the NDES certificate template registry value names.

@ -380,6 +414,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
 1. Open an elevated command prompt.
 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
 3. Type the following command:
+
   ```
   reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
   ```
@ -387,6 +422,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
   ```
   reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
   ```
+
 4. Type **Y** when the command asks for permission to overwrite the existing value.
 5. Close the command prompt.

@ -394,6 +430,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
 > Use the **name** of the certificate template; not the **display name**.  The certificate template name does not include spaces.  You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`).

 ### Create a Web Application Proxy for the internal NDES URL.
+
 Certificate enrollment for Azure AD joined devices occurs over the Internet.  As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy.  Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.

 Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs.  This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests).  Microsoft Intune sends these requests to Azure AD Application Proxies.
@ -403,6 +440,7 @@ Azure AD Application proxies are serviced by lightweight Application Proxy Conne
 Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group.  This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests.  Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.

 #### Download and Install the Application Proxy Connector Agent
+
 Sign-in a workstation with access equivalent to a _domain user_.

 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
@ -424,6 +462,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.

 #### Create a Connector Group
+
 Sign-in a workstation with access equivalent to a _domain user_.

 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
@ -436,6 +475,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 6. Click **Save**.

 #### Create the Azure Application Proxy
+
 Sign-in a workstation with access equivalent to a _domain user_.

 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
@ -456,6 +496,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
    > Write down the internal and external URLs.  You will need this information when you enroll the NDES-Intune Authentication certificate.

 ### Enroll the NDES-Intune Authentication certificate
+
 This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server.

 Sign-in the NDES server with access equivalent to _local administrators_.
@ -470,10 +511,11 @@ Sign-in the NDES server with access equivalent to _local administrators_.
   ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
 8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
 9. Under **Alternative name**, select **DNS** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**).  Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
-9. Click **Enroll**
-10. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices.
+10. Click **Enroll**
+11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices.

 ### Configure the Web Server Role
+
 This task configures the Web Server role on the NDES server to use the server authentication certificate.

 Sign-in the NDES server with access equivalent to _local administrator_.
@ -491,19 +533,23 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 8. Close **Internet Information Services (IIS) Manager**.

 ### Verify the configuration
+
 This task confirms the TLS configuration for the NDES server.

 Sign-in the NDES server with access equivalent to _local administrator_.

 #### Disable Internet Explorer Enhanced Security Configuration
+
 1. Open **Server Manager**. Click **Local Server** from the navigation pane.
 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section.
 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**.  Click **OK**.
 4. Close **Server Manager**.

 #### Test the NDES web server
+
 1. Open **Internet Explorer**.
 2. In the navigation bar, type
+
   ```
   https://[fqdnHostName]/certsrv/mscep/mscep.dll
   ```
@ -516,16 +562,18 @@ A web page similar to the following should appear in your web browser.  If you d
 Confirm the web site uses the server authentication certificate.
 ![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png)

-
 ## Configure Network Device Enrollment Services to work with Microsoft Intune
+
 You have successfully configured the Network Device Enrollment Services.  You must now modify the configuration to work with the Intune Certificate Connector.  In this task, you will enable the NDES server and http.sys to handle long URLs.

 - Configure NDES to support long URLs

 ### Configure NDES and HTTP to support long URLs
+
 Sign-in the NDES server with access equivalent to _local administrator_.

 #### Configure the Default Web Site
+
 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
 2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
 3. In the content pane, double-click **Request Filtering**.  Click **Edit Feature Settings...** in the action pane.
@ -539,18 +587,23 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 10. Click **OK**.  Close **Internet Information Services (IIS) Manager**.

 #### Configure Parameters for HTTP.SYS
+
 1. Open an elevated command prompt.
 2. Run the following commands:
+
   ```
   reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534
   reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534
   ```
+
 3. Restart the NDES server.

 ## Download, Install and Configure the Intune Certificate Connector
+
 The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune.

 ### Download Intune Certificate Connector
+
 Sign-in a workstation with access equivalent to a _domain user_.

 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
@ -561,6 +614,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 5. Sign-out of the Microsoft Endpoint Manager admin center.

 ### Install the Intune Certificate Connector
+
 Sign-in the NDES server with access equivalent to _domain administrator_.

 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
@ -588,6 +642,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
    ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png)

 ### Configure the Intune Certificate Connector
+
 Sign-in the NDES server with access equivalent to _domain administrator_.

 1. The **NDES Connector** user interface should be open from the last task.
@ -608,9 +663,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_.


 ### Configure the NDES Connector for certificate revocation (**Optional**)
+
 Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted).

 #### Enabling the NDES Service account for revocation
+
 Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_.

 1. Start the **Certification Authority** management console.
@ -620,6 +677,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival
 4. Close the **Certification Authority**

 #### Enable the NDES Connector for certificate revocation
+
 Sign-in the NDES server with access equivalent to _domain administrator_.

 1. Open the **NDES Connector** user interface (**\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**).
@ -628,19 +686,24 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.

 ### Test the NDES Connector
+
 Sign-in the NDES server with access equivalent to _domain admin_.

 1. Open a command prompt.
 2. Type the following command to confirm the NDES Connector's last connection time is current.
+
   ```
   reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus
   ```
+
 3. Close the command prompt.
 4. Open **Internet Explorer**.
 5. In the navigation bar, type:
+
   ```
   https://[fqdnHostName]/certsrv/mscep/mscep.dll
   ```
+
   where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
   A web page showing a 403 error (similar to the following) should appear in your web browser.  If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
   ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
@ -649,6 +712,7 @@ Sign-in the NDES server with access equivalent to _domain admin_.
 ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile

 ### Create an AADJ WHFB Certificate Users Group
+
 Sign-in a workstation with access equivalent to a _domain user_.

 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
@ -663,6 +727,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 9. Click **Create**.

 ### Create a SCEP Certificate Profile
+
 Sign-in a workstation with access equivalent to a _domain user_.

 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
@ -697,6 +762,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.

 ### Assign Group to the WHFB Certificate Enrollment Certificate Profile
+
 Sign-in a workstation with access equivalent to a _domain user_.

 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
@ -710,13 +776,17 @@ Sign-in a workstation with access equivalent to a _domain user_.

 You have successfully completed the configuration.  Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group.  This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.

+> [!NOTE]
+> The Passport for Work configuration service provider (CSP) which is used to manage Windows Hello for Business with Mobile Device Management (MDM) contains a policy called UseCertificateForOnPremAuth. This policy is not needed when deploying certificates to Windows Hello for Business users through the instructions outlined in this document and should not be configured. Devices managed with MDM where UseCertificateForOnPremAuth is enabled will fail a prerequisite check for Windows Hello for Business provisioning. This failure will block users from setting up Windows Hello for Business if they don't already have it configured.
+
 ## Section Review
+
 > [!div class="checklist"]
-> * Requirements
-> * Prepare Azure AD Connect
-> * Prepare the Network Device Enrollment Services (NDES) Service Account
-> * Prepare Active Directory Certificate Authority
-> * Install and Configure the NDES Role
-> * Configure Network Device Enrollment Services to work with Microsoft Intune
-> * Download, Install, and Configure the Intune Certificate Connector
-> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
+> - Requirements
+> - Prepare Azure AD Connect
+> - Prepare the Network Device Enrollment Services (NDES) Service Account
+> - Prepare Active Directory Certificate Authority
+> - Install and Configure the NDES Role
+> - Configure Network Device Enrollment Services to work with Microsoft Intune
+> - Download, Install, and Configure the Intune Certificate Connector
+> - Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@ -45,7 +45,7 @@ For the most efficient deployment, configure these technologies in order beginni
 <hr>

 ## Follow the Windows Hello for Business hybrid key trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
+1. [Overview](hello-hybrid-key-trust.md)
 2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
 3. [New Installation Baseline](hello-hybrid-key-new-install.md)
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@ -1,5 +1,5 @@
 ---
-title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10)
+title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11)
 description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -8,16 +8,17 @@ ms.pagetype: security, networking
 author: dansimp
 ms.author: dansimp
 ms.localizationpriority: medium
-ms.date: 02/08/2018
+ms.date: 09/23/2021
 ms.reviewer: 
 manager: dansimp
 ---

 # How to configure Diffie Hellman protocol over IKEv2 VPN connections

->Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10
+>Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10, Windows 11

 In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
+
 To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.

 ## VPN server
@ -28,7 +29,7 @@ For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-V
 Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
 ```

-On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server.
+On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server.

 ```powershell
 Set-VpnServerIPsecConfiguration -CustomPolicy
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@ -1,12 +1,12 @@
 ---
-title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10)
+title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11)
 description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/23/2021
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@ -1,5 +1,5 @@
 ---
-title: VPN authentication options (Windows 10)
+title: VPN authentication options (Windows 10 and Windows 11)
 description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 09/23/2021
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@ -17,7 +17,7 @@ ms.author: dansimp

 **Applies to**
 -   Windows 10
-   Windows 10 Mobile
+-   Windows 11

 In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).

@ -27,7 +27,7 @@ Windows supports a number of EAP authentication methods.
 <thead><tr><th>Method</th><th>Details</th></thead>
 <tbody>
 <tr><td>EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)</td><td><ul><li>User name and password authentication</li><li>Winlogon credentials - can specify authentication with computer sign-in credentials</li></ul></td></tr>
-<tr><td>EAP-Transport Layer Security (EAP-TLS) </td><td><ul><li>Supports the following types of certificate authentication<ul><li>Certificate with keys in the software Key Storage Provider (KSP)</li><li>Certificate with keys in Trusted Platform Module (TPM) KSP</li><li>Smart card certficates</li><li>Windows Hello for Business certificate</li></ul></li><li>Certificate filtering<ul><li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with</li><li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based</li></ul></li><li>Server validation - with TLS, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li></ul></td></tr>
+<tr><td>EAP-Transport Layer Security (EAP-TLS) </td><td><ul><li>Supports the following types of certificate authentication<ul><li>Certificate with keys in the software Key Storage Provider (KSP)</li><li>Certificate with keys in Trusted Platform Module (TPM) KSP</li><li>Smart card certificates</li><li>Windows Hello for Business certificate</li></ul></li><li>Certificate filtering<ul><li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with</li><li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based</li></ul></li><li>Server validation - with TLS, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li></ul></td></tr>
 <tr><td><a href="/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754179(v=ws.11)">Protected Extensible Authentication Protocol (PEAP)</a></td><td><ul><li>Server validation - with PEAP, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li><li>Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication<ul><li>EAP-MSCHAPv2</li><li>EAP-TLS</li></ul><li>Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.<li><a href="/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937">Cryptobinding</a>: By deriving and exchanging values from the PEAP phase 1 key material (<b>Tunnel Key</b>) and from the PEAP phase 2 inner EAP method key material (<b>Inner Session Key</b>), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.</li></li></ul></td></tr>
 <tr><td>Tunneled Transport Layer Security (TTLS)</td><td><ul><li>Inner method<ul><li>Non-EAP<ul><li>Password Authentication Protocol (PAP)</li><li>CHAP</li><li>MSCHAP</li><li>MSCHAPv2</li></ul></li><li>EAP<ul><li>MSCHAPv2</li><li>TLS</li></ul></li></ul></li><li>Server validation: in TTLS, the server must be validated. The following can be configured:<ul><li>Server name</li><li>Trusted root certificate for server certificate</li><li>Whether there should be a server validation notification</li></ul></li></ul></td></tr></tbody>
 </table>
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@ -1,13 +1,13 @@
 ---
-title: VPN auto-triggered profile options (Windows 10)
-description: Learn about the types of auto-trigger rules for VPNs in Windows 10, which start a VPN when it is needed to access a resource.
+title: VPN auto-triggered profile options (Windows 10 and Windows 11)
+description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 09/23/2021
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@ -17,9 +17,9 @@ ms.author: dansimp

 **Applies to**
 -   Windows 10
-   Windows 10 Mobile
+-   Windows 11

-In Windows 10, a number of features were added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: 
+In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: 

 - App trigger
 - Name-based trigger
@ -31,7 +31,7 @@ In Windows 10, a number of features were added to auto-trigger VPN so users won

 ## App trigger

-VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
+VPN profiles in Windows 10 or Windows 11 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.

 The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.

@ -54,7 +54,7 @@ There are four types of name-based triggers:

 ## Always On

-Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers: 
+Always On is a feature in Windows 10 and Windows 11 which enables the active VPN profile to connect automatically on the following triggers: 

 - User sign-in 
 - Network change 
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@ -1,5 +1,5 @@
 ---
-title: VPN and conditional access (Windows 10)
+title: VPN and conditional access (Windows 10 and Windows 11)
 description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -10,12 +10,12 @@ ms.author: dansimp
 manager: dansimp
 ms.reviewer: 
 ms.localizationpriority: medium
-ms.date: 03/21/2019
+ms.date: 09/23/2021
 ---

 # VPN and conditional access

->Applies to: Windows 10 and Windows 10 Mobile
+>Applies to: Windows 10 and Windows 11

 The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.  

@ -91,7 +91,7 @@ The VPN client side connection flow works as follows:
 
 When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:

-1.	 The VPN client calls into Windows 10’s Azure AD Token Broker, identifying itself as a VPN client.
+1.	 The VPN client calls into Windows 10’s or Windows 11’s Azure AD Token Broker, identifying itself as a VPN client.

 2.	 The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.

@ -110,6 +110,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 - [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview)
 - [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
 - [Control the health of Windows 10-based devices](../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
+- Control the health of Windows 11-based devices
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@ -1,5 +1,5 @@
 ---
-title: VPN connection types (Windows 10)
+title: VPN connection types (Windows 10 and Windows 11)
 description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 11/13/2020
+ms.date: 08/23/2021
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@ -17,11 +17,11 @@ ms.author: dansimp

 **Applies to**
 -   Windows 10
-   Windows 10 Mobile
+-   Windows 11

 Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.

-There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. 
+There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. 

 ![VPN connection types.](images/vpn-connection.png)

@ -56,7 +56,7 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
 
 ## Universal Windows Platform VPN plug-in

-The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.  
+The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.  

 There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.

--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@ -1,25 +1,26 @@
 ---
-title: Windows 10 VPN technical guide (Windows 10)
-description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment.
+title: Windows VPN technical guide (Windows 10 and Windows 11)
+description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 11/13/2020
+ms.date: 09/09/2021
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
 ---

-# Windows 10 VPN technical guide
+# Windows VPN technical guide


 **Applies to**

 - Windows 10
+- Windows 11

-This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
+This guide will walk you through the decisions you will make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10 and Windows 11.

 To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/mem/intune/configuration/vpn-settings-windows-10).

--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@ -1,5 +1,5 @@
 ---
-title: VPN name resolution (Windows 10)
+title: VPN name resolution (Windows 10 and Windows 11)
 description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 09/23/2021
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@ -17,7 +17,7 @@ ms.author: dansimp

 **Applies to**
 -   Windows 10
-   Windows 10 Mobile
+-   Windows 11

 When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.

--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@ -1,5 +1,5 @@
 ---
-title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client
+title: Optimizing Office 365 traffic for remote workers with the native Windows 10 or Windows 11 VPN client
 description: tbd
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -9,20 +9,20 @@ audience: ITPro
 ms.topic: article
 author: kelleyvice-msft
 ms.localizationpriority: medium
-ms.date: 04/07/2020
+ms.date: 09/23/2021
 ms.reviewer: 
 manager: dansimp
 ms.author: jajo
 ---

-# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client
+# Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client

-This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling.
+This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 and Windows 11 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling.

-This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users.
+This can be achieved for the native/built-in Windows 10 and Windows 11 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users.

 > [!NOTE]
-> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration).
+> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 and Windows 11 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration).

 ## Solution Overview

@ -30,7 +30,7 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer

 Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](./vpn-profile-options.md#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune).

-To enable the use of force tunneling in Windows 10 VPN, the `<RoutingPolicyType>` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `<NativeProfile></NativeProfile>` section:
+To enable the use of force tunneling in Windows 10 or Windows 11 VPN, the `<RoutingPolicyType>` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `<NativeProfile></NativeProfile>` section:

 ```xml
 <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
@ -90,13 +90,13 @@ An example of a PowerShell script that can be used to update a force tunnel VPN

 <#
 .SYNOPSIS
-    Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile
+    Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 and Windows 11 VPN profile
 .DESCRIPTION
    Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges
    Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file)
    Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name
 .PARAMETERS
-    Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format
+    Filename and path for a supplied Windows 10 or Windows 11 VPN profile file in either PowerShell or XML format
 .NOTES
    Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later
 .VERSION
@ -430,6 +430,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")

 This solution is supported with the following versions of Windows:

+- Windows 11
 - Windows 10 1903/1909 and newer: Included, no action needed
 - Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481)
 - Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437)
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@ -1,6 +1,6 @@
 ---
-title: VPN profile options (Windows 10)
-description: Windows 10 adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
+title: VPN profile options (Windows 10 and Windows 11)
+description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
 ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.reviewer: 
 manager: dansimp
@ -18,9 +18,9 @@ ms.date: 05/17/2018

 **Applies to**
 -   Windows 10
-   Windows 10 Mobile
+-   Windows 11

-Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). 
+Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). 

 >[!NOTE]
 >If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first.
@ -56,7 +56,7 @@ The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN prof

 The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. 

-```
+```xml
 <VPNProfile>  
  <ProfileName>TestVpnProfile</ProfileName>  
  <NativeProfile>  
@ -222,7 +222,7 @@ The following is a sample Native VPN profile. This blob would fall under the Pro

 The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. 

-```
+```xml
 <VPNProfile>
 	<ProfileName>TestVpnProfile</ProfileName>
 	<PluginProfile>
@ -294,26 +294,38 @@ The following is a sample plug-in VPN profile. This blob would fall under the Pr
 		<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
 	</Proxy>
 </VPNProfile>  
-
 ```

 ## Apply ProfileXML using Intune

-After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
+After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 or Windows 11 Desktop and Mobile and later)** policy.

 1. Sign into the [Azure portal](https://portal.azure.com).
+
 2. Go to **Intune** > **Device Configuration** > **Profiles**.
+
 3. Click **Create Profile**.
+
 4. Enter a name and (optionally) a description.
+
 5. Choose **Windows 10 and later** as the platform.
+
 6. Choose **Custom** as the profile type and click **Add**.
+
 8. Enter a name and (optionally) a description.
+
 9. Enter the OMA-URI **./user/vendor/MSFT/VPNv2/_VPN profile name_/ProfileXML**.
+
 10. Set Data type to **String (XML file)**.
+
 11. Upload the profile XML file.
+
 12. Click **OK**.
+
    ![Custom VPN profile.](images/custom-vpn-profile.png)
+
 13. Click **OK**, then **Create**.
+
 14. Assign the profile.


--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@ -1,5 +1,5 @@
 ---
-title: VPN routing decisions (Windows 10)
+title: VPN routing decisions (Windows 10 and Windows 10)
 description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 09/23/2021
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@ -17,7 +17,7 @@ ms.author: dansimp

 **Applies to**
 -   Windows 10
-   Windows 10 Mobile
+-   Windows 11

 Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection. 

--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@ -1,5 +1,5 @@
 ---
-title: VPN security features (Windows 10)
+title: VPN security features (Windows 10 and Windows 11)
 description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 09/03/2021
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@ -17,14 +17,14 @@ ms.author: dansimp

 **Applies to**
 - Windows 10
- Windows 10 Mobile
+- Windows 11


 ## Windows Information Protection (WIP) integration with VPN

 Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.

-The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
+The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 or Windows 11 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:

 - Core functionality: File encryption and file access blocking
 - UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: greg-lindsay
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 ms.localizationpriority: high
 ms.topic: article
@ -247,7 +247,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables
 >[!IMPORTANT]
 >This is a private preview feature and therefore not meant or recommended for production purposes.

-Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows logon support for credentials not available on Windows (for example, Azure AD temporary access pass). Going forward, web sign-in will be restricted to only support Azure AD temporary access pass. 
+Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows logon support for credentials not available on Windows. Web sign-in is restricted to only support Azure AD temporary access pass.

 **To try out web sign-in:**
 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).