set up profile topic

windows/keep-secure/vpn-conditional-access.md

@@ -91,6 +91,11 @@ The following image shows conditional access options in a VPN Profile configurat
 - [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/)
 - [Getting started with Azure Active Directory Conditional Access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access-azuread-connected-apps/)
 - [Control the health of Windows 10-based devices](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
+
 
 
 ## Related topics

windows/keep-secure/vpn-profile-options.md

@@ -16,55 +16,32 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
-Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect.
+Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or System Center Configuration Manager. All VPN settings in Windows 10 can be configued using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) 
 
-The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. 
-For more information about ProfileXML including sample profiles (both native and UWP VPN plugin): https://msdn.microsoft.com/en-us/library/windows/hardware/mt755930(v=vs.85).aspx   
+The following table lists the VPN settings and whether the setting can only be configured using **ProfileXML**.
+
+| Profile setting | Can be configured in Intune and Configuration Manager | 
+| --- | --- | 
+| Connection type | yes | 
+| Routing: split-tunnel routes | yes, except exclusion routes |
+| Routing: forced-tunnel | yes |
+| Authentication (EAP) | yes, if connection type is built-in |
+| Conditional access | yes |
+| Name resolution: NRPT | yes |
+| Name resolution: DNS suffix | no |
+| Name resolution: persistent | no |
+| Auto-trigger: app trigger | yes |
+| Auto-trigger: name trigger | yes |
+| Auto-trigger: Always On | no |
+| Auto-trigger: trusted network detection | no |
+| LockDown | no |
+| Windows Information Protection (WIP) | no |
+| Traffic filters | yes |
+
+For more information about ProfileXML including sample profiles (both native and UWP VPN plugin):    
 OMA-DM Uri: /Vendor/MSFT/VPNv2/[Profile Name]/ProfileXML
 The below is a sample Native VPN profile (found in the link above). This blob would fall under the ProfileXML node. Profiles can be created for UWP apps as well. An example can be found in the link above as well.
-
-
-
-## Always On
-
-Always On is a new feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
--   User sign-on
--   Network change
-
-When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* > **Let apps automatically use this VPN connection**.
-
-## App-triggered VPN
-
-VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. This feature was included in Windows 8.1 as "On demand VPN". The applications can be defined using the following:
--   Package family name for Universal Windows Platform (UWP) apps
--   File path for Classic Windows applications
-
-## Traffic filters
-
-Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy . With the ever-increasing landscape of remote threats on the corporate network and lesser IT controls on machines, it becomes essential to control the traffic that is allowed through. While server-side layers of firewalls and proxies help, by adding traffic filters the first layer of filtering can be moved onto the client with more advanced filtering on the server side. There are two types of Traffic Filter rules:
-
--   **App-based rules**. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
--   **Traffic-based rules**. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
-
-There can be many sets of rules which are linked by **OR**. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by **AND**. This gives the IT admins a lot of power to craft the perfect policy befitting their use case.
-
-## LockDown VPN
-
-A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
--   The system attempts to keep the VPN connected at all times.
--   The user cannot disconnect the VPN connection.
--   The user cannot delete or modify the VPN profile.
--   The VPN LockDown profile uses forced tunnel connection.
--   If the VPN connection is not available, outbound network traffic is blocked.
--   Only one VPN LockDown profile is allowed on a device.
-> **Note:**  For inbox VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) tunnel type.
  
-## Learn about VPN and the Conditional Access Framework in Azure Active Directory
-
-- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
-- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
-- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
-- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
 
 ## Learn more