From 14cf38326b4766666fbc8737b898e1bc3d99361d Mon Sep 17 00:00:00 2001
From: kelleyvice-msft <kvice@microsoft.com>
Date: Tue, 7 Apr 2020 14:12:22 -0700
Subject: [PATCH] Update vpn-office-365-optimization.md

Updates per feedback
---
 .../vpn/vpn-office-365-optimization.md        | 133 +++++++++++++++++-
 1 file changed, 127 insertions(+), 6 deletions(-)

diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index cc51ad08ac..e5f40a37e2 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security, networking
 author: kelleyvice-msft
 ms.localizationpriority: medium
-ms.date: 04/06/2020
+ms.date: 04/07/2020
 ms.reviewer: 
 manager: dansimp
 ms.author: jajo
@@ -28,13 +28,13 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer
 
 Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune).
 
-To enable the use of force tunnelling in Windows 10 VPN, the <RoutingPolicyType> setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the <NativeProfile></NativeProfile> section:
+To enable the use of force tunnelling in Windows 10 VPN, the `<RoutingPolicyType>` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `<NativeProfile></NativeProfile>` section:
 
 ```xml
 <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
 ```
 
-In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the <NativeProfile></NativeProfile> section as follows:
+In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the `<NativeProfile></NativeProfile>` section as follows:
 
 ```xml
 <Route>
@@ -44,7 +44,7 @@ In order to define specific force tunnel exclusions, you then need to add the fo
 </Route>
 ```
 
-Entries defined by the **[IP Addresses or Subnet]** and **[IP Prefix]** references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate <Route></Route> section for each required exclusion.
+Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `<Route></Route>` section for each required exclusion.
 
 An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below:
 
@@ -445,7 +445,7 @@ You should also be able to adapt this approach to include necessary exclusions f
 
 ## Examples
 
-An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the inittial PowerShell script:
+An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script:
 
 ```powershell
 # Copyright (c) Microsoft Corporation.  All rights reserved.
@@ -667,5 +667,126 @@ Write-Host "$Message"
 An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file:
 
 ```xml
-_<VPNProfile><RememberCredentials>true</RememberCredentials><DnsSuffix>corp.contoso.com</DnsSuffix><AlwaysOn>true</AlwaysOn><TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection><NativeProfile><Servers>edge1.contoso.com</Servers><RoutingPolicyType>ForceTunnel</RoutingPolicyType><NativeProtocolType>IKEv2</NativeProtocolType><Authentication><MachineMethod>Certificate</MachineMethod></Authentication></NativeProfile><Route><Address>13.107.6.152</Address><PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.18.10</Address><PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.128.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>23.103.160.0</Address><PrefixSize>20</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.96.0.0</Address><PrefixSize>13</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.104.0.0</Address><PrefixSize>15</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.96.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>131.253.33.215</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>132.245.0.0</Address><PrefixSize>16</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>150.171.32.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>191.234.140.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>204.79.197.215</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.136.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.108.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.104.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>104.146.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>150.171.40.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.60.1</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.64.0</Address><PrefixSize>18</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.112.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.120.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Proxy><AutoConfigUrl>http://webproxy.corp.contsoso.com/proxy.pac</AutoConfigUrl></Proxy></VPNProfile>_
+<VPNProfile>
+  <RememberCredentials>true</RememberCredentials>
+  <DnsSuffix>corp.contoso.com</DnsSuffix>
+  <AlwaysOn>true</AlwaysOn>
+  <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>
+  <NativeProfile>
+    <Servers>edge1.contoso.com</Servers>
+    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
+    <NativeProtocolType>IKEv2</NativeProtocolType>
+    <Authentication>
+      <MachineMethod>Certificate</MachineMethod>
+    </Authentication>
+  </NativeProfile>
+  <Route>
+    <Address>13.107.6.152</Address>
+    <PrefixSize>31</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>13.107.18.10</Address>
+    <PrefixSize>31</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>13.107.128.0</Address>
+    <PrefixSize>22</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>23.103.160.0</Address>
+    <PrefixSize>20</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>40.96.0.0</Address>
+    <PrefixSize>13</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>40.104.0.0</Address>
+    <PrefixSize>15</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>52.96.0.0</Address>
+    <PrefixSize>14</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>131.253.33.215</Address>
+    <PrefixSize>32</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>132.245.0.0</Address>
+    <PrefixSize>16</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>150.171.32.0</Address>
+    <PrefixSize>22</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>191.234.140.0</Address>
+    <PrefixSize>22</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>204.79.197.215</Address>
+    <PrefixSize>32</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>13.107.136.0</Address>
+    <PrefixSize>22</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>40.108.128.0</Address>
+    <PrefixSize>17</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>52.104.0.0</Address>
+    <PrefixSize>14</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>104.146.128.0</Address>
+    <PrefixSize>17</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>150.171.40.0</Address>
+    <PrefixSize>22</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>13.107.60.1</Address>
+    <PrefixSize>32</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>13.107.64.0</Address>
+    <PrefixSize>18</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>52.112.0.0</Address>
+    <PrefixSize>14</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Route>
+    <Address>52.120.0.0</Address>
+    <PrefixSize>14</PrefixSize>
+    <ExclusionRoute>true</ExclusionRoute>
+  </Route>
+  <Proxy>
+    <AutoConfigUrl>http://webproxy.corp.contsoso.com/proxy.pac</AutoConfigUrl>
+  </Proxy>
+</VPNProfile>
 ```