diff --git a/windows/keep-secure/images/vpn-conditional-access-intune.png b/windows/keep-secure/images/vpn-conditional-access-intune.png
new file mode 100644
index 0000000000..9f4efabc3f
Binary files /dev/null and b/windows/keep-secure/images/vpn-conditional-access-intune.png differ
diff --git a/windows/keep-secure/vpn-authentication.md b/windows/keep-secure/vpn-authentication.md
index c26290863d..d772fd0e9b 100644
--- a/windows/keep-secure/vpn-authentication.md
+++ b/windows/keep-secure/vpn-authentication.md
@@ -25,7 +25,7 @@ Windows supports a number of EAP authentication methods.
EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2) | - User name and password authentication
- Winlogon credentials - can specify authentication with computer sign-in credentials
|
EAP-Transport Layer Security (EAP-TLS) | - Supports the following types of certificate authentication
- Certificate with keys in the software Key Storage Provider (KSP)
- Certificate with keys in Trusted Platform Module (TPM) KSP
- Smart card certficates
- Windows Hello for Business certificate
- Certificate filtering
- Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
- Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
- Server validation - with TLS, server validation can be toggled on or off
- Server name - specify the server to validate
- Server certificate - trusted root certificate to validate the server
- Notification - specify if the user should get a notification asking whether to trust the server or not
|
Protected Extensible Authentication Protocol (PEAP) | - Server validation - with PEAP, server validation can be toggled on or off
- Server name - specify the server to validate
- Server certificate - trusted root certificate to validate the server
- Notification - specify if the user should get a notification asking whether to trust the server or not
- Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication
- Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
- Cryptobinding: By deriving and exchanging values from the PEAP phase 1 key material (Tunnel Key) and from the PEAP phase 2 inner EAP method key material (Inner Session Key), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
|
-Tunneled Transport Layer Security (TTLS) | - Inner method
- Non-EAP
- Password Authentication Protocol (PAP)
- CHAP
- MSCHAP
- MSCHAPv2
- EAP
- Server validation: in TTLS, the server must be validated. The following can be configured:
- Server name
Trusted root certificate for server certificate- Whether there should be a server validation notification
|
+Tunneled Transport Layer Security (TTLS) | - Inner method
- Non-EAP
- Password Authentication Protocol (PAP)
- CHAP
- MSCHAP
- MSCHAPv2
- EAP
- Server validation: in TTLS, the server must be validated. The following can be configured:
- Server name
- Trusted root certificate for server certificate
- Whether there should be a server validation notification
|
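Review bot: Typo on the unchanged context line "- Smart card certficates" in the EAP-TLS cell of this same table ("certificates"); since the table is already being edited in this hunk, fix it in the same change. The TTLS fix itself, splitting "Trusted root certificate for server certificate- Whether there should be a server validation notification" into two separate bullets, looks correct and matches the bullet style of the other cells.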
@@ -47,7 +47,6 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
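Review bot: Removing "- [VPN proxy settings](vpn-proxy-settings.md)" from Related topics orphans a page that this same patch still expands (see the vpn-proxy-settings.md hunk below); if the page is meant to stay published, keep the link, otherwise say in the commit message why it is being de-listed. The same removal is repeated in every other Related topics list in this patch, so one decision should cover all of them.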
diff --git a/windows/keep-secure/vpn-auto-trigger-profile.md b/windows/keep-secure/vpn-auto-trigger-profile.md
index 1583d8f784..6bce6b2514 100644
--- a/windows/keep-secure/vpn-auto-trigger-profile.md
+++ b/windows/keep-secure/vpn-auto-trigger-profile.md
@@ -25,7 +25,6 @@ localizationpriority: high
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
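Review bot: The file still ends without a trailing newline ("\ No newline at end of file"); since the last item of this list is adjacent to the edit, add the newline so later diffs touching the final link stay clean. The same applies to vpn-name-resolution.md and vpn-security-features.md further down in this patch.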
diff --git a/windows/keep-secure/vpn-conditional-access.md b/windows/keep-secure/vpn-conditional-access.md
index 4b6e4190d7..0e655c592d 100644
--- a/windows/keep-secure/vpn-conditional-access.md
+++ b/windows/keep-secure/vpn-conditional-access.md
@@ -61,7 +61,7 @@ Server-side infrastructure requirements to support VPN device compliance include
After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
-Two client-side configuration service providers are leveraged for VPN Device Compliance.
+Two client-side configuration service providers are leveraged for VPN device compliance.
- VPNv2 CSP DeviceCompliance settings
- **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client will attempt to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
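Review bot: The capitalization change to "VPN device compliance" leaves the very next context line inconsistent: "- **Enabled**: enables the Device Compliance flow from the client." still uses title case. Lowercase it as well, or leave both as they were, so the term is spelled one way throughout the page.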
@@ -75,8 +75,16 @@ Two client-side configuration service providers are leveraged for VPN Device Com
- Provisions the Health Attestation Certificate received from the HAS
- Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
+## Configure conditional access
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
+The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune.
+
+
+
+>[!NOTE]
+>In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profile’s successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the user’s device yet.
## Learn more about Conditional Access and Azure AD Health
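Review bot: The new section says "The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune." but the three added lines after it are blank, so the markdown image reference to the newly added images/vpn-conditional-access-intune.png appears to be missing from this hunk and the reader sees no image. Make sure a blank line separates the ">[!NOTE]" block from the unchanged "## Learn more about Conditional Access and Azure AD Health" heading so the note does not render into it. The note's caveat that the Intune client certificate selection sets no VPNv2 CSP node and must be left empty when relying on the short-lived Azure AD certificate is worth keeping as written.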
@@ -91,7 +99,6 @@ Two client-side configuration service providers are leveraged for VPN Device Com
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
-- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
diff --git a/windows/keep-secure/vpn-connection-type.md b/windows/keep-secure/vpn-connection-type.md
index 9347844294..ecd032bc82 100644
--- a/windows/keep-secure/vpn-connection-type.md
+++ b/windows/keep-secure/vpn-connection-type.md
@@ -76,7 +76,6 @@ In Intune, you can also include custom XML for third-party plug-in profiles.
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
diff --git a/windows/keep-secure/vpn-guide.md b/windows/keep-secure/vpn-guide.md
index 7914168eeb..cef2464051 100644
--- a/windows/keep-secure/vpn-guide.md
+++ b/windows/keep-secure/vpn-guide.md
@@ -29,9 +29,8 @@ This guide will walk you through the decisions you will make for Windows 10 clie
| --- | --- |
| [VPN connection types](vpn-connection-type.md) | Select a VPN client and tunneling protocol |
| [VPN routing decisions](vpn-routing.md) | Choose beetween split tunnel and force tunnel configuration |
-| [VPN authentication options](vpn-authentication.md) | how to authenticate VPN connection: EAP-based, (?) |
-| [VPN and conditional access](vpn-conditional-access.md) | use Azure Active Directory policy evaluation to set access policies for VPN |
-| [VPN proxy settings](vpn-proxy-settings.md) | |
+| [VPN authentication options](vpn-authentication.md) | Select a method for Extensible Authentication Protocol (EAP) authentication. |
+| [VPN and conditional access](vpn-conditional-access.md) | Use Azure Active Directory policy evaluation to set access policies for VPN connections. |
| [VPN name resolution](vpn-name-resolution.md) | how name resolution should happen |
| [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) | auto-connect clients to VPN: app-triggered, name-based trigger, "always on", trusted network detection |
| [VPN security features](vpn-security-features.md) | lockdown, traffic filtering, WIP |
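Review bot: Typo on the unchanged context row "| [VPN routing decisions](vpn-routing.md) | Choose beetween split tunnel and force tunnel configuration |" ("between"); fix it while this table is being edited. The two rewritten descriptions are capitalized sentences ending in a period, while the remaining rows ("how name resolution should happen", "lockdown, traffic filtering, WIP") are lowercase fragments without one; pick one style for the whole Description column. Dropping the empty "VPN proxy settings" row is only right if that page is really being retired, yet the same patch adds content to it.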
diff --git a/windows/keep-secure/vpn-name-resolution.md b/windows/keep-secure/vpn-name-resolution.md
index 9d73b9faa4..68db0e48c1 100644
--- a/windows/keep-secure/vpn-name-resolution.md
+++ b/windows/keep-secure/vpn-name-resolution.md
@@ -22,7 +22,6 @@ localizationpriority: high
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md
index 1a19b83480..e56cf8f0b0 100644
--- a/windows/keep-secure/vpn-profile-options.md
+++ b/windows/keep-secure/vpn-profile-options.md
@@ -72,7 +72,6 @@ A VPN profile configured with LockDown secures the device to only allow network
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
diff --git a/windows/keep-secure/vpn-proxy-settings.md b/windows/keep-secure/vpn-proxy-settings.md
index 9dcad69218..dfdc32ba3d 100644
--- a/windows/keep-secure/vpn-proxy-settings.md
+++ b/windows/keep-secure/vpn-proxy-settings.md
@@ -15,6 +15,14 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
+
+If your organization uses a proxy, especially in the case of force tunneled VPN, you can add an Interface Specific proxy with VPN. This can be configured using the MDM/SCCM configuration where you can provide either a Proxy auto-config (PAC) or Web Proxy Autodiscovery Protocol (WPAD) file, or specify a server and port.
+
+**Bypass proxy settings for local addresses** is not currently supported.
+
+
+
+
## Related topics
- [VPN technical guide](vpn-guide.md)
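Review bot: The four added blank lines after "**Bypass proxy settings for local addresses** is not currently supported." read like a lost image or dropped content rather than deliberate spacing; either restore what was meant to go there or trim to a single blank line before "## Related topics". The new paragraph would also be more useful if it named the VPNv2 CSP node that carries the interface-specific proxy, as the conditional access page does with its DeviceCompliance node, so an admin knows where PAC, WPAD or server/port values land. Note that this page is being expanded here while every link to it (Related topics lists and the guide table) is removed in the same patch.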
diff --git a/windows/keep-secure/vpn-routing.md b/windows/keep-secure/vpn-routing.md
index 46e89c359e..215bae3fe1 100644
--- a/windows/keep-secure/vpn-routing.md
+++ b/windows/keep-secure/vpn-routing.md
@@ -61,7 +61,6 @@ Next, in **Corporate Boundaries**, you add the routes that should use the VPN co
- [VPN connection types](vpn-connection-type.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
diff --git a/windows/keep-secure/vpn-security-features.md b/windows/keep-secure/vpn-security-features.md
index ae814ae70a..d6342a7305 100644
--- a/windows/keep-secure/vpn-security-features.md
+++ b/windows/keep-secure/vpn-security-features.md
@@ -22,7 +22,6 @@ localizationpriority: high
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file