jdeckerMS 2016-09-19 14:18:21 -07:00
parent 1c20119140
commit bbdea92b10
6 changed files with 67 additions and 29 deletions


@ -15,7 +15,7 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
In Windows 10, a number of “auto-triggering” features were added to VPN so users wont have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
In Windows 10, a number of features were added to auto-trigger VPN so users wont have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
- App trigger
- Name-based trigger
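Review bot: both the removed sentence and its replacement spell "wont" without the apostrophe; the rewritten line should read "so users won't have to manually connect when VPN is needed". The rewording itself, "a number of features were added to auto-trigger VPN" in place of the quoted "auto-triggering" phrase, is an improvement and matches the "auto-trigger rules" wording at the end of the same sentence.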
@ -23,7 +23,7 @@ In Windows 10, a number of “auto-triggering” features were added to VPN so u
## App trigger
You can configure apps (desktop or Universal Windows Platform) to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
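Review bot: the new opening sentence ("VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications") and the sentence kept right after it ("You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection") say the same thing twice; fold them into one sentence. The unchanged line that follows defines the desktop app identifier as a file path but does not say whether the path must be absolute or how it is matched; since that is what decides which binary on the device actually triggers the connection, a short statement of the expected form would help whoever writes the profile.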
@ -32,6 +32,12 @@ The app identifier for a desktop app is a file path. The app identifier for a UW
## Name-based trigger
You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.
Name-based auto-trigger can be configured using the VPNv2//*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
Domain names can even be configured such that VPN must be used to access that resource. If VPN is not connected, that resource will be inaccessible if the persistent node is configured to be true.
## Always On
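Review bot: the placeholder in the added CSP path is formatted inconsistently: "VPNv2//*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger" italicizes *ProfileName* but not dniRowId, whereas the table this commit removes later in the same file writes it as "//*dniRowId*/"; use one form for both placeholders. The unchanged sentence that follows refers to "the persistent node" without giving its path the way the new sentence does for AutoTrigger; naming that node next to the AutoTrigger path would let the reader find both settings in the CSP reference, and "if the persistent node is configured to be true" reads more clearly as "if the persistent node is set to true".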
@ -41,27 +47,31 @@ Always On is a new feature in Windows 10 which enables the active VPN profile to
- Network change
- Device screen on
When the trigger occurs, VPN tries to connect. If an error occurs or anyuUser input is needed, the user is shown a toast notification for additional interaction.
When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction.
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**.
## Trusted network detection
This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
Trusted network detection can be configured using the VPNv2//*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CCSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
## Configure ,,,
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
## Configure app-triggered VPN
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
![Add DNS rule](images/vpn-name-intune.png)
![Add an app for the VPN connection](images/vpn-app-trigger.png)
The fields in **Add or edit DNS rule*- in the Intune profile correspond to the XML settings shown in the following table.
After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
| Field | XML |
| --- | --- |
| **Name*- | **VPNv2//*ProfileName*/DomainNameInformationList//*dniRowId*/DomainName*- |
![Configure rules for the app](images/vpn-app-rules.png)
## Related topics
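Review bot: in the Trusted network detection paragraph, "DNS suffices" should be "DNS suffixes" and "VPNv2 CCSP" should be "VPNv2 CSP", the name the link text uses everywhere else on this page. The same paragraph makes suppression of the trigger depend on two conditions together, a DNS suffix on the physical interface that matches the list and a network that is private or MDM-provisioned; it is worth stating plainly that a matching suffix on its own does not suppress the trigger, so an administrator reading this knows the private/MDM-provisioned check is part of the decision and not just a side remark. Replacing the stray "## Configure ,,," heading and the orphaned "Add or edit DNS rule" table with "## Configure app-triggered VPN" and the app-trigger screenshots is the right fix for this file, since name resolution has its own page in the same commit; the "anyuUser" correction is fine.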


@ -23,13 +23,13 @@ When the VPN client connects to the VPN server, the VPN client receives the foll
The VPN client can access intranet resources by using names, which can be resolved to IP addresses using DNS-based and WINS-based resolution. DNS and WINS name resolution require a server address to be provisioned on the VPN client.
The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS Suffix is appended to the name and a DNS query is sent out on all interfaces.
The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix is appended to the name and a DNS query is sent out on all interfaces.
## Name Resolution Policy table (NRPT)
The NRPT is a table of namespaces that determines the DNS clients behavior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
There are 3 types of Name matches that can be set up for NRPT
There are 3 types of name matches that can be set up for NRPT:
- Fully qualified domain name (FQDN) that can be used for direct matching to a name
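Review bot: "the DNS clients behavior" in the NRPT paragraph needs the possessive, "the DNS client's behavior"; the paragraph is unchanged context here but sits between the two lines this hunk touches, so it is a cheap fix to include. The change from "Name matches" to "name matches" with a trailing colon is good; while there, "3 types" could become "three types", which is the form the auto-trigger page in this same commit uses ("three different types of auto-trigger rules").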
@ -37,8 +37,6 @@ There are 3 types of Name matches that can be set up for NRPT
- Any resolution should attempt to first resolve with the proxy server/DNS server with this entry
Examples of the following in VPNv2 CSP can be found here.
NRPT is set using the **VPNv2//*ProfileName*/DomainNameInformationList** node. This node also configures Web proxy server or domain name servers.
[Learn more about NRPT](https://technet.microsoft.com/library/ee649207%28v=ws.10%29.aspx)
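Review bot: dropping "Examples of the following in VPNv2 CSP can be found here." is correct, because the sentence had no link for "here" to point at; if examples are still intended, bring the sentence back with the actual link rather than a placeholder. In the remaining sentence about the DomainNameInformationList node, "Web proxy server" should be lowercase "web proxy server" to match "domain name servers" in the same sentence.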


@ -16,31 +16,61 @@ localizationpriority: high
- Windows 10 Mobile
## Lockdown VPN
## LockDown VPN
Lockdown VPN is a setting in VPN which can enforce an Always On force tunneled VPN. The system will attempt to keep this VPN connection connected, and networking data will only be allowed to go over the VPN Interface. The only exceptions here are for getting underlying network connectivity going as well as for MDM configuration. Deploy this feature with caution as the resultant connection will not be able to send/receive any network traffic without the VPN being connected.
This can be configured using
VPNv2/ProfileName/LockDown
This is not currently supported to be configured via Intune/SCCM. This can be configured via a custom XML in the ProfileXML node.
A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
- The system attempts to keep the VPN connected at all times.
- The user cannot disconnect the VPN connection.
- The user cannot delete or modify the VPN profile.
- The VPN LockDown profile uses forced tunnel connection.
- If the VPN connection is not available, outbound network traffic is blocked.
- Only one VPN LockDown profile is allowed on a device.
## Traffic filters
>[!NOTE]
>For inbox VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) tunnel type.
Traffic filters is a feature that enables admins to effectively add interface specific firewall rules on the VPN Interface. With this feature, admins can specify networking 5 Tuple policies (IP, Port and Protocol based) to allow through the VPN interface. In addition, these rules can be applied at a per app level or a per device level. For eg. An admin could say that the Contoso HR App must be allowed to go through the VPN and only access port 4545 additionally the Contoso finance apps is allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889, apart from this all other apps on the device should be able to access only ports 80 or 443.
Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
## Windows Information Protection (WIP) integration with VPN
Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
In Windows 10, the Policy CSP was updated allowing administrators to enforce WIP policy. The VPNv2 CSP EdpModeId node allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
• Core Functionality: File encryption and file access blocking
• UX Policy Enforcement: Restricting copy/paste, drag/drop, and sharing operations
• EDP Network Policy Enforcement: Protecting intranet resources over corpnet and VPN
• Network Policy Enforcement: Protecting SMB and Internet cloud resources over corpnet and VPN
The value of the EdpModeId is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
This is not currently supported to be configured via Intune/SCCM. This can be configured via a custom XML in the ProfileXML node.
The [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) **EdpModeId** node allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
- Core Functionality: File encryption and file access blocking
- UX Policy Enforcement: Restricting copy/paste, drag/drop, and sharing operations
- WIP Network Policy Enforcement: Protecting intranet resources over the corporate network and VPN
- Network Policy Enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN
The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
## Traffic filters
Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types of Traffic Filter rules:
- App-based rules. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level.
For example, an admin could define rules that specify:
- The Contoso HR App must be allowed to go through the VPN and only access port 4545.
- The Contoso finance apps is allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
- All other apps on the device should be able to access only ports 80 or 443.
## Configure traffic filters
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows the interface to configure traffic rules in a VPN Profile configuration policy using Microsoft Intune.
![Add a traffic rule](images/vpn-traffic-rules.png)
## Related topics
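Review bot: the new LockDown bullet list drops a statement the removed paragraph made, that the only traffic allowed off the VPN interface is what is needed to bring up the underlying network connection and to reach MDM for configuration. "If the VPN connection is not available, outbound network traffic is blocked" on its own overstates the guarantee; add those exceptions back as a bullet so a reader evaluating the force-tunnel claim knows which traffic still leaves the device outside the tunnel. Smaller points in the same hunk: the heading says "LockDown" while the note two lines below says "Lockdown VPN", pick one casing; in the Traffic filters introduction, "Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types of Traffic Filter rules" is missing its verb and a space after the period ("Network admins can add interface-specific firewall rules on the VPN interface. There are two types of traffic filter rules"); and "The Contoso finance apps is allowed" in the example list should be "app is" or "apps are", a slip carried over from the removed paragraph. The explicit OR-between-sets, AND-within-a-set rule in the new traffic filter text is a useful addition the old paragraph lacked.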