sync progress so far

windows/keep-secure/vpn-authentication.md

@@ -1,7 +1,6 @@
 ---
 title: VPN authentication options (Windows 10)
 description: tbd
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -16,3 +15,19 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
+In addition to older and less-secure password-based authentication methods (which should be avoided), the Inbox solution utilizes EAP to provide secure authentication using both username/password and certificate-based methods.  
+
+
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN proxy settings](vpn-proxy-settings.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)

windows/keep-secure/vpn-auto-trigger-profile.md

@@ -1,7 +1,6 @@
 ---
 title: VPN auto-triggered profile options (Windows 10)
 description: tbd
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -16,3 +15,17 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
+
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN proxy settings](vpn-proxy-settings.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)

windows/keep-secure/vpn-conditional-access.md

@@ -1,7 +1,6 @@
 ---
 title: VPN and conditional access (Windows 10)
 description: tbd
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -16,3 +15,14 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN proxy settings](vpn-proxy-settings.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)

windows/keep-secure/vpn-connection-type.md

@@ -1,7 +1,6 @@
 ---
 title: VPN connection types (Windows 10)
 description: tbd
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -16,4 +15,75 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
+Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
+
+There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. 
+
+![VPN connection types](images/vpn-connection.png)
+
+## Built-in VPN client
+
+- Tunneling protocols
+
+    - [Internet Key Exchange version 2 (IKEv2)](https://technet.microsoft.com/en-us/library/ff687731.aspx)
+
+        Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
+    
+        Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx).
+           
+    - [L2TP](https://technet.microsoft.com/en-us/library/ff687761.aspx)
+
+        Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
+    
+        L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx).
+    
+    - [PPTP](https://technet.microsoft.com/en-us/library/ff687676.aspx)
+
+    - [SSTP](https://technet.microsoft.com/en-us/library/ff687819.aspx)
+
+        SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
+        
+- Automatic
+
+    The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt from most secure to least secure. 
+
+    Configure **Automatic** for the **NativeProtocolType** setting in the [VPNv2 CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx).
+    
+  
+ 
+## Universal Windows Platform VPN plug-in
+
+The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.  
+
+There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
+
+## Configure connection type
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx) for XML configuration. 
+
+The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune.
+
+![Available connection types](images/vpn-connection-intune.png)
+     
+In Intune, you can also include custom XML for third-party plug-in profiles.
+
+![Custom XML](images/vpn-custom-xml-intune.png)
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN proxy settings](vpn-proxy-settings.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
+    
+
+
+
+
 

windows/keep-secure/vpn-guide.md

@@ -1,6 +1,6 @@
 ---
 title: Windows 10 VPN technical guide (Windows 10)
-description: tbd
+description: Use this guide to configure VPN deployment for Windows 10.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -16,11 +16,27 @@ localizationpriority: high
 - Windows 10
 - Windows 10 Mobile
 
+This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx). 
+
+>[!NOTE]
+>This guide does not explain server deployment. It lists server dependencies, when relevant. 
+
+## In this guide
+
+| Topic | Description (currently just notes, these are not final wording yet) |
+| --- | --- |
+| [VPN connection types](vpn-connection-type.md) | Select a VPN client and tunneling protocol |
+| [VPN routing decisions](vpn-routing.md)  | Choose beetween split tunnel and force tunnel configuration |
+| [VPN authentication options](vpn-authentication.md)  | how to authenticate VPN connection: EAP-based, (?) |
+| [VPN and conditional access](vpn-conditional-access.md)  | use Azure Active Directory policy evaluation to set access policies for VPN |
+| [VPN proxy settings](vpn-proxy-settings.md)  |  |
+| [VPN name resolution](vpn-name-resolution.md)  | how name resolution should happen |
+| [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)  | auto-connect clients to VPN: app-triggered, name-based trigger, "always on", trusted network detection |
+| [VPN security features](vpn-security-features.md)  | lockdown, traffic filtering, WIP |
+| [VPN profile options](vpn-profile-options.md)  | combine settings into single profile using XML |
 
 
 
 
 
-## Related topics
 
-- [VPN profile options](vpn-profile-options.md)

windows/keep-secure/vpn-name-resolution.md

@@ -1,7 +1,6 @@
 ---
 title: VPN name resolution (Windows 10)
 description: tbd
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -16,3 +15,14 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN proxy settings](vpn-proxy-settings.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)

windows/keep-secure/vpn-profile-options.md

@@ -65,3 +65,14 @@ A VPN profile configured with LockDown secures the device to only allow network
 - [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588)
 - [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028)
 
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN proxy settings](vpn-proxy-settings.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)

windows/keep-secure/vpn-proxy-settings.md

@@ -1,7 +1,6 @@
 ---
 title: VPN proxy settings (Windows 10)
 description: tbd
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -16,3 +15,14 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)

windows/keep-secure/vpn-routing.md

@@ -1,7 +1,6 @@
 ---
 title: VPN routing decisions (Windows 10)
 description: tbd
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -16,3 +15,52 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
+Network routes are required to forward traffic across the VPN interface. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection. 
+
+## Split tunnel configuration
+
+In a split tunnel configuration, routes can be specified to go over VPN and all other traffic will go over the physical interface. 
+
+Routes can be configured using the VPNv2//*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx).
+ 
+For each route item in the list the following can be specified: 
+
+- **Address**: VPNv2//*ProfileName*/RouteList//*routeRowId*/Address
+- **Prefix size**: VPNv2//*ProfileName*/RouteList//*routeRowId*/Prefix
+- **Exclusion route**: VPNv2//*ProfileName*/RouteList//*routeRowId*/ExclusionRoute
+   
+   Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface. Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md). 
+
+
+## Force tunnel configuration
+
+In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified. 
+
+The only implication of this setting is the manipulation of routing entries. In the case of a force Tunnel VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower Metric than ones for other interfaces. This sends traffic through the VPN as long as there isn’t a specific route on the Physical Interface itself. 
+
+For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**.
+
+For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in passes only 2 include routes (default route for both v4 and v6), the Windows VPN Platform marks the VPN as force tunnel.  
+
+## Configure routing
+
+When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
+
+![split tunnel](images/vpn-split.png)
+
+Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.   
+  
+![add route for split tunnel](images/vpn-split-route.png)
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN proxy settings](vpn-proxy-settings.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)

windows/keep-secure/vpn-security-features.md

@@ -1,7 +1,6 @@
 ---
 title: VPN security features (Windows 10)
 description: tbd
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -16,3 +15,14 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN proxy settings](vpn-proxy-settings.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN profile options](vpn-profile-options.md)