deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #10528 from MicrosoftDocs/main

Browse Source 
Published main to live, Tuesday 5:00 PM IST, 01/28
This commit is contained in:
Padma Jayaraman 2025-01-28 16:52:21 +05:30 committed by GitHub
commit e8701bbdba
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 19 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
education/windows/federated-sign-in.md
View File

@ -1,7 +1,7 @@
---
title: Configure federated sign-in for Windows devices
description: Learn how federated sign-in in Windows works and how to configure it.
ms.date: 06/03/2024
ms.date: 01/27/2025
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

2
windows/security/identity-protection/hello-for-business/rdp-sign-in.md
View File

@ -1,7 +1,7 @@
---
title: Remote Desktop sign-in with Windows Hello for Business
description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
ms.date: 06/11/2024
ms.date: 01/27/2025
ms.topic: how-to
---

2
windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
View File

@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---

2
windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
View File

@ -1,7 +1,7 @@
---
title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---

13
windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
View File

@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
:::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile.":::
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)

13
windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
View File

@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---
@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
:::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png":::
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

23
windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
View File

@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---
@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance
At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `<SSO>` section.
Server-side infrastructure requirements to support VPN device compliance include:
@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com
- Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
> [!NOTE]
> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources.
> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources.
> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
## Client connection flow
@ -71,7 +71,7 @@ The VPN client side connection flow works as follows:
When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:
1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client.
1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client.
1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies.
1. If compliant, Microsoft Entra ID requests a short-lived certificate.
1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

12
windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
View File

@ -1,7 +1,7 @@
---
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles:
> [!div class="mx-imgBorder"]
> ![Custom XML.](images/vpn-custom-xml-intune.png)
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

2
windows/security/operating-system-security/network-security/vpn/vpn-guide.md
View File

@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: overview
---

13
windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
View File

@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X
| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

2
windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
View File

@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: how-to
ms.date: 05/06/2024
ms.date: 01/27/2025
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client

12
windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
View File

@ -1,7 +1,7 @@
---
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---
@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create
- [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp)
- [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10))
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)

13
windows/security/operating-system-security/network-security/vpn/vpn-routing.md
View File

@ -1,5 +1,5 @@
---
ms.date: 05/06/2024
ms.date: 01/27/2025
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: concept-article
@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne
![split tunnel.](images/vpn-split.png)
Once enabled, you can add the routes that should use the VPN connection.
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

13
windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
View File

@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network
> [!CAUTION]
> Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established.
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN profile options](vpn-profile-options.md)