From a59e627cf321c8d417783ef68ab692fe878c3596 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 27 Jan 2025 20:51:26 -0500 Subject: [PATCH 1/3] freshness review --- education/windows/federated-sign-in.md | 2 +- .../hello-for-business/rdp-sign-in.md | 2 +- ...e-hellman-protocol-over-ikev2-vpn-connections.md | 2 +- ...le-sign-on-sso-over-vpn-and-wi-fi-connections.md | 2 +- .../network-security/vpn/vpn-authentication.md | 13 +------------ .../vpn/vpn-auto-trigger-profile.md | 13 +------------ .../network-security/vpn/vpn-conditional-access.md | 13 +------------ .../network-security/vpn/vpn-connection-type.md | 12 +----------- .../network-security/vpn/vpn-guide.md | 2 +- .../network-security/vpn/vpn-name-resolution.md | 13 +------------ .../vpn/vpn-office-365-optimization.md | 2 +- .../network-security/vpn/vpn-profile-options.md | 12 +----------- .../network-security/vpn/vpn-routing.md | 13 +------------ .../network-security/vpn/vpn-security-features.md | 13 +------------ 14 files changed, 14 insertions(+), 100 deletions(-) diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index aca908bb45..9a73ef453c 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,7 +1,7 @@ --- title: Configure federated sign-in for Windows devices description: Learn how federated sign-in in Windows works and how to configure it. -ms.date: 06/03/2024 +ms.date: 01/27/2025 ms.topic: how-to appliesto: - ✅ Windows 11 diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md index bc28fecee5..305932af9b 100644 --- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md +++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md 
@@ -1,7 +1,7 @@ --- title: Remote Desktop sign-in with Windows Hello for Business description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business. -ms.date: 06/11/2024 +ms.date: 01/27/2025 ms.topic: how-to --- diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index c2a7ae57a8..2fc0efca6e 100644 --- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -1,7 +1,7 @@ --- title: How to configure cryptographic settings for IKEv2 VPN connections description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index daf7f89f5d..9a4865a98c 100644 --- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -1,7 +1,7 @@ --- title: How to use single sign-on (SSO) over VPN and Wi-Fi connections description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- 
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md index 539eeaeda6..26a2c22a06 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md @@ -1,7 +1,7 @@ --- title: VPN authentication options description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- @@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil :::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile."::: -## Related topics - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) -- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md index 85b51dd4d1..53c870afc0 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md 
@@ -1,7 +1,7 @@ --- title: VPN auto-triggered profile options description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- @@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune. :::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png"::: - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md index 8fa4ab6725..e912b38f54 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md @@ -1,7 +1,7 @@ --- title: VPN and conditional access description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- 
@@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4) - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md index 7199978f6c..0c0b47c65c 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md @@ -1,7 +1,7 @@ --- title: VPN connection types description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- 
@@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles: > [!div class="mx-imgBorder"] > ![Custom XML.](images/vpn-custom-xml-intune.png) -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md index 3233517baa..c1c9ac3826 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md @@ -1,7 +1,7 @@ --- title: Windows VPN technical guide description: Learn how to plan and configure Windows devices for your organization's VPN solution. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: overview --- diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md index 666f60d6c1..36074af74a 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md @@ -1,7 +1,7 @@ --- title: VPN name resolution description: Learn how name resolution works when using a VPN connection. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- 
@@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X | **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** | | **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** | | **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** | - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md index aced17dd8e..02b7c5daff 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md @@ -2,7 +2,7 @@ title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client ms.topic: how-to -ms.date: 05/06/2024 +ms.date: 01/27/2025 --- # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md index 4fdbb86971..43f5802163 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md 
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md @@ -1,7 +1,7 @@ --- title: VPN profile options description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- @@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create - [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp) - [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10)) -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md index e5f0bc3f68..6bbae9aa58 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md @@ -1,5 +1,5 @@ --- -ms.date: 05/06/2024 +ms.date: 01/27/2025 title: VPN routing decisions description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.topic: concept-article 
@@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne ![split tunnel.](images/vpn-split.png) Once enabled, you can add the routes that should use the VPN connection. - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md index 0ca87d7370..2e53eeeae5 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md @@ -1,7 +1,7 @@ --- title: VPN security features description: Learn about security features for VPN, including LockDown VPN and traffic filters. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- 
@@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network > [!CAUTION] > Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established. - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN profile options](vpn-profile-options.md) From fc28c60c9d565f66f1d6b86170a57b2082374839 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 27 Jan 2025 21:04:32 -0500 Subject: [PATCH 2/3] Acrolinx --- .../network-security/vpn/vpn-conditional-access.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md index e912b38f54..8b93ff6019 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md 
@@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo - [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional) - Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA. See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy). -- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued. +- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued. 
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. - Antivirus status - Auto-update status and update compliance @@ -35,7 +35,7 @@ The following client-side components are also required: ## VPN device compliance -At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section. +At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the section. Server-side infrastructure requirements to support VPN device compliance include: 
@@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification > [!NOTE] -> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources. -> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero). +> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources. +> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero). ## Client connection flow 
@@ -71,7 +71,7 @@ The VPN client side connection flow works as follows: When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow: -1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client. +1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client. 1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies. 1. If compliant, Microsoft Entra ID requests a short-lived certificate. 1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing. From 245f29986b072dce32e6ab40f591d278cf2e72f8 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 27 Jan 2025 21:09:08 -0500 Subject: [PATCH 3/3] fix HTML tag --- .../network-security/vpn/vpn-conditional-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md index 8b93ff6019..9702c4afee 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md 
@@ -35,7 +35,7 @@ The following client-side components are also required: ## VPN device compliance -At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the section. +At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `` section. Server-side infrastructure requirements to support VPN device compliance include:
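Review bot: In [PATCH 1/3], the vpn-authentication.md hunk at @@ -80,14 +80,3 @@ deletes one link that is not sibling navigation. The last removed entry, "Extensible Authentication Protocol (EAP) for network access" (/windows-server/networking/technologies/extensible-authentication-protocol/network-access), points outside the VPN article set, unlike the other entries in the removed list. The visible context does not show the article body linking to it, so either keep that single entry or confirm the body already references it before dropping the whole section.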
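Review bot: In [PATCH 2/3], the vpn-conditional-access.md hunk at @@ -35,7 +35,7 @@ loses the element name from the requirement sentence. The removed line reads "their VPNv2 profiles must contain the <SSO> section" and the added line reads "their VPNv2 profiles must contain the section", so this revision no longer tells the reader which profile section is needed for access to on-premises resources. [PATCH 3/3] edits the same sentence, so squash the two commits so that no intermediate revision carries the broken sentence.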
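Review bot: In [PATCH 2/3], the NOTE block in the vpn-conditional-access.md hunk at @@ -60,8 +60,8 @@ is edited but its first sentence keeps the ungrammatical construction "It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled". Since the line is already being touched, reword it, for example "Certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and SSO must be enabled in the user's VPN profile." The instruction to change UseRasCredentials from 1 to 0 in Rasphone.pbk is unchanged and reads fine.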
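Review bot: In [PATCH 2/3], the vpn-conditional-access.md hunk at @@ -71,7 +71,7 @@ leaves backslash-escaped markup on the context line "When a VPNv2 Profile is configured with \ \true<\/Enabled>", which is the same kind of tag-rendering problem that [PATCH 3/3] fixes for the SSO sentence. Put that profile snippet in inline code as well so the element names render. In the added step 1, "calls into Windows 10 or Windows 11 Microsoft Entra Token Broker" reads awkwardly once the possessives are removed; "calls into the Microsoft Entra Token Broker on Windows 10 or Windows 11" would be clearer.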
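Review bot: In [PATCH 3/3], the added line in the hunk at @@ -35,7 +35,7 @@ shows an empty inline code span: "their VPNv2 profiles must contain the" followed by an empty pair of backticks and "section". Confirm that the committed Markdown has the SSO element name from the original sentence between the backticks, and check the rendered page, since the purpose of this commit is to make that tag visible.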