From 3e6ac7a03be69562aec0c83f4e186236097f44a6 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Wed, 20 Jul 2022 12:51:52 -0700 Subject: [PATCH 1/8] Update vpn-security-features.md --- .../identity-protection/vpn/vpn-security-features.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index 2efb2617f3..5f771e362a 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -17,6 +17,13 @@ ms.author: dansimp - Windows 11 +## Hyper-V based Containers and VPN + +Windows supports different kinds of Hyper-V based containers, which includes but not limited to, Microsoft Defender Application Guard and Windows Sandbox. When 3rd party VPN solutions are being used, these Hyper-V based containers may not be able to seamlessly connect to the internet. Additional configurational changes might be needed to resolve connectivity issues. + +Here's an example of a workaround for Cisco AnyConnect VPN: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f + + ## Windows Information Protection (WIP) integration with VPN Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally. 
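Review bot: in the new "Hyper-V based Containers and VPN" section of patch 1/8, "Additional configurational changes might be needed to resolve connectivity issues" gives the reader no idea what has to change or on which side (the third-party VPN client's tunnel configuration versus Windows), so someone whose Application Guard or Windows Sandbox instance cannot reach the internet still doesn't know where to look; say at least that the linked vendor article covers the client-side change for AnyConnect and that other third-party clients need the equivalent from their vendor. The Cisco URL is also pasted raw where the rest of this file uses `[text](url)` links (compare the related-links list in the next hunk), and "includes but not limited to", "configurational" and "3rd party" should read "includes, but isn't limited to", "configuration" and "third-party".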
@@ -85,4 +92,4 @@ Deploy this feature with caution, as the resultant connection will not be able t - [VPN and conditional access](vpn-conditional-access.md) - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) From 83ab627d9c0519d53d68d65bc513e1279530443e Mon Sep 17 00:00:00 2001 From: Erik Moreau Date: Thu, 21 Jul 2022 10:56:22 +0200 Subject: [PATCH 2/8] Update mcc-enterprise.md removed double \\ to fix the cli regkey addition --- windows/deployment/do/mcc-enterprise.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index 613e826b0e..8cf402179e 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md @@ -503,13 +503,13 @@ There are multiple methods that can be used to apply a policy to PCs that should You can either set your MCC IP address or FQDN using: 1. Registry Key in 1709 and higher - - [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization]
+ [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]
"DOCacheHost"=" " From an elevated command prompt: ``` - reg add "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f ``` 2. MDM Path in 1809 or higher: From e9011081d7e2caa5317c8b8ab1ae5c748c2569a3 Mon Sep 17 00:00:00 2001 From: Stephen Devlin <43003164+TheITCloudGuy@users.noreply.github.com> Date: Thu, 21 Jul 2022 14:24:26 +0100 Subject: [PATCH 3/8] Update mcc-enterprise.md Clarification for Intune Configuration setting. Current doc doesn't indicate to the user that they're required to point the profile to the EFLOW machine and NOT the Windows Server. --- windows/deployment/do/mcc-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index 613e826b0e..75318781d7 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md @@ -351,7 +351,7 @@ If the test fails, see the common issues section for more information. ### Intune (or other management software) configuration for MCC -Example of setting the cache host policy to the MCC’s IP address / FQDN: +For an Intune deployment, create a Configuration Profile and include the Cache Host eFlow IP Address or FQDN: ![eMCC img23](images/emcc23.png) From e0ac3700a356fa58fbaa2853b2d2e2137c9f04d1 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 21 Jul 2022 09:41:07 -0700 Subject: [PATCH 4/8] editorial revision --- .../identity-protection/vpn/vpn-security-features.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index 5f771e362a..34d9f772e4 100644 
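Review bot: in the DeliveryOptimization registry hunk of patch 2/8, the `reg add` line stays in an untagged fence while this file tags its other code blocks (the verification section uses ```powershell); tagging it ```cmd keeps the single backslashes verbatim, which is why the doubled backslashes were only ever a rendering workaround for the prose line and never belonged inside the fenced command. The prose line `"DOCacheHost"=" "` shows an empty value; make the placeholder explicit, for example `"DOCacheHost"="<IP address or FQDN>"`, so it lines up with the `10.137.187.38` example in the command. It is also worth one sentence noting that HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization is the Group Policy area, so a value written here by hand can be replaced by Group Policy or MDM processing if a policy for Delivery Optimization is also applied.

Review bot: in the Intune hunk of patch 3/8, the commit message says the whole point is that the profile must target the EFLOW VM and not the Windows Server, but the new sentence only says "Cache Host eFlow IP Address or FQDN", which a reader unfamiliar with the layout can still read as the server's address. Say it outright, for example "the IP address or FQDN of the EFLOW virtual machine (not the Windows Server host it runs on)". Also "eFlow" should be "EFLOW" to match the acronym as it is introduced elsewhere in this file.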
--- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -1,10 +1,10 @@ --- -title: VPN security features (Windows 10 and Windows 11) +title: VPN security features description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters. ms.prod: m365-security author: dansimp ms.localizationpriority: medium -ms.date: 09/03/2021 +ms.date: 07/21/2022 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -17,12 +17,11 @@ ms.author: dansimp - Windows 11 -## Hyper-V based Containers and VPN +## Hyper-V based containers and VPN -Windows supports different kinds of Hyper-V based containers, which includes but not limited to, Microsoft Defender Application Guard and Windows Sandbox. When 3rd party VPN solutions are being used, these Hyper-V based containers may not be able to seamlessly connect to the internet. Additional configurational changes might be needed to resolve connectivity issues. - -Here's an example of a workaround for Cisco AnyConnect VPN: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f +Windows supports different kinds of Hyper-V based containers. This support includes, but isn't limited to, Microsoft Defender Application Guard and Windows Sandbox. When you use 3rd party VPN solutions, these Hyper-V based containers may not be able to seamlessly connect to the internet. Additional configurational changes might be needed to resolve connectivity issues. +For example, for more information on a workaround for Cisco AnyConnect VPN, see [Cisco AnyConnect Secure Mobility Client Administrator Guide: Connectivity issues with VM-based subsystems](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f). ## Windows Information Protection (WIP) integration with VPN From f34288a524b7d7b22dfb0ddcb57c4317257c882e Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Thu, 21 Jul 2022 12:11:46 -0500 Subject: [PATCH 5/8] Update mcc-enterprise.md --- windows/deployment/do/mcc-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
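Review bot: in the rewritten Hyper-V containers paragraph of patch 4/8, "configurational changes" and "3rd party" survive the editorial pass; "configuration changes" and "third-party" are the usual forms. Giving the Cisco link descriptive text is an improvement, but the `#Cisco_Task_in_List_GUI.dita_3a9a8101-...` fragment is a generated anchor that the vendor's documentation tooling can change on republish; link to the troubleshooting page and name the section ("Connectivity issues with VM-based subsystems") in prose so the reference still works if the fragment breaks.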
diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index 198b011789..a23d4fab27 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md @@ -164,7 +164,7 @@ Once you take the survey above and the MCC team adds your subscription ID to the ### Create an MCC node in Azure -Creating a MCC node is a multi-step process and the first step is to access the MCC private preview management portal. +Creating an MCC node is a multi-step process and the first step is to access the MCC private preview management portal. 1. After the successful resource creation click on the **Go to resource**. 2. Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**. From e76667951adc8e74a0daf954eafcdf43f1e520ea Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Thu, 21 Jul 2022 12:12:22 -0500 Subject: [PATCH 6/8] Update mcc-enterprise.md --- windows/deployment/do/mcc-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index a23d4fab27..d1d1e81f9a 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md 
@@ -24,7 +24,7 @@ ms.topic: article Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying a client policy using your management tool, such as [Intune](/mem/intune/). -MCC is a hybrid (a mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. +MCC is a hybrid (a mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container, deployment, and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs the following important functions to manage MCC on your edge device: 
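Review bot: in the overview hunk of patch 6/8, since this line is being touched anyway, "Docker compatible" and "first party" are compound modifiers and should be hyphenated ("Docker-compatible", "first-party"), and "MCC will be a Linux IoT Edge module" should be present tense, as the rest of the paragraph describes the current design. The typographic apostrophe in "It’s" is also inconsistent with the straight quotes used elsewhere in the hunk.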
From c7ae176998d0179cc61b49dae448860c95b18e59 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Thu, 21 Jul 2022 12:13:26 -0500 Subject: [PATCH 7/8] Update mcc-enterprise.md --- windows/deployment/do/mcc-enterprise.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index d1d1e81f9a..844c0fd501 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md @@ -111,7 +111,7 @@ For questions regarding these instructions contact [msconnectedcache@microsoft.c As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. > [!IMPORTANT] -> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allow list for this preview. You will not be able to proceed if you skip this step. +> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id). 
@@ -119,7 +119,7 @@ For information about creating or locating your subscription ID, see [Steps to o The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. -Once you take the survey above and the MCC team adds your subscription ID to the allow list, you will be given a link to the Azure portal where you can create the resource described below. +Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you will be given a link to the Azure portal where you can create the resource described below. 1. On the Azure portal home page, choose **Create a resource**: ![eMCC img02](images/emcc02.png) From 309d30be1a1b77e9011ee3ae8095720412c5bf14 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Thu, 21 Jul 2022 12:22:52 -0500 Subject: [PATCH 8/8] Update mcc-enterprise.md --- windows/deployment/do/mcc-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index 844c0fd501..6b83267846 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md @@ -329,7 +329,7 @@ You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edge #### Verify server side -For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. +For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. ```powershell wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]
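Review bot: in the "Verify server side" hunk of patch 8/8, the removed and added lines read identically here ("Replace with the IP address of the cache server."), almost certainly because an angle-bracket placeholder was swallowed as an HTML tag on rendering; the same loss leaves the example URL as `http:///mscomtest/...` with no host. Whatever the intended edit, put the placeholder in backticks so it survives rendering, and use a concrete host in the example URL to match the prose. Separately, the block is fenced as powershell while the instruction says to run it "in the EFLOW VM or any device in the network": in the Linux EFLOW VM `wget` is GNU wget, whereas on Windows it is only an alias for Invoke-WebRequest in Windows PowerShell 5.1 (PowerShell 7 does not ship the alias), and the square brackets around the URL are passed literally as part of the -Uri argument. Give a plain `Invoke-WebRequest` line for Windows and a separate `wget` line for the VM, without the brackets.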