deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-11 21:07:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

May freshness review

Browse Source
This commit is contained in:
Paolo Matarazzo 2024-05-06 09:13:19 -04:00
parent 2fae1c4bfb
commit f3e9d90507
21 changed files with 184 additions and 171 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.windows-security.json
View File

@ -9169,6 +9169,11 @@
"source_path": "windows/security/threat-protection/security-policy-settings/user-rights-assignment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment",
"redirect_document_id": false
},
{
"source_path": "windows/security/cloud-security/index.md",
"redirect_url": "/windows/security/cloud-services",
"redirect_document_id": false
}
]
}

2
education/windows/windows-11-se-settings-list.md
View File

@ -2,7 +2,7 @@
title: Windows 11 SE settings list
description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
ms.topic: reference
ms.date: 08/18/2023
ms.date: 05/06/2024
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:

10
windows/security/cloud-security/index.md → windows/security/cloud-services/index.md
View File

@ -1,18 +1,18 @@
---
title: Windows and cloud security
description: Get an overview of cloud security features in Windows.
ms.date: 08/02/2023
title: Windows and cloud services
description: Get an overview of cloud-based services in Windows.
ms.date: 05/06/2024
ms.topic: overview
author: paolomatarazzo
ms.author: paoloma
---
# Windows and cloud security
# Windows and cloud services
Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
Learn more about cloud security features in Windows.
Learn more about cloud-based services in Windows.
[!INCLUDE [cloud-services](../includes/sections/cloud-services.md)]

0
windows/security/cloud-security/toc.yml → windows/security/cloud-services/toc.yml
View File

72
windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
View File

@ -1,64 +1,72 @@
---
title: Dual Enrollment
description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
ms.date: 07/05/2023
ms.date: 05/06/2024
ms.topic: how-to
---
# Dual Enrollment
**Requirements**
- Hybrid and On-premises Windows Hello for Business deployments
- Enterprise joined or Hybrid Azure joined devices
- Certificate trust
[!INCLUDE [intro](deploy/includes/intro.md)]
- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](deploy/includes/tooltip-deployment-onpremises.md)], [!INCLUDE [tooltip-deployment-hybrid](deploy/includes/tooltip-deployment-hybrid.md)]
- **Trust type:** [!INCLUDE [tooltip-cert-trust](deploy/includes/tooltip-trust-cert.md)]
- **Join type:** [!INCLUDE [tooltip-join-domain](deploy/includes/tooltip-join-domain.md)], [!INCLUDE [tooltip-join-hybrid](deploy/includes/tooltip-join-hybrid.md)]
---
> [!IMPORTANT]
> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages organizations to use the Privileged Access Workstations for their privileged credential users. Organizations can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature can't be used. To learn more, see [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations).
Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
By design, Windows does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
By design, Windows doesn't enumerate all Windows Hello for Business users from within a user's session. Using the group policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
With this setting, administrative users can sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
With this setting, administrative users can sign in to Windows using their non-privileged Windows Hello credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using `runas.exe` combined with the `/smartcard` argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
> [!IMPORTANT]
> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
## Configure Windows Hello for Business Dual Enrollment
In this task, you will
* Configure Active Directory to support Domain Administrator enrollment
* Configure Dual Enrollment using Group Policy
- Configure Active Directory to support Domain Administrator enrollment
- Configure Dual Enrollment using Group Policy
### Configure Active Directory to support Domain Administrator enrollment
The designed Windows Hello for Business configuration gives the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
The designed Windows Hello for Business configuration gives the `Key Admins` group read and write permissions to the `msDS-KeyCredentialsLink` attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
Active Directory Domain Services uses `AdminSDHolder` to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the `AdminSDHolder` read and write permissions to the `msDS-KeyCredential` attribute.
Sign in to a domain controller or management workstation with access equivalent to _domain administrator_.
Sign in to a domain controller or management workstation with access equivalent to *domain administrator*
1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.</br>
```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```</br>
where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:</br>
```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
2. To trigger security descriptor propagation, open **ldp.exe**.
3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user.
5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**.
6. Click **Run** to start the task.
7. Close LDP.
1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object
```cmd
dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink
```
where `DC=domain,DC=com` is the LDAP path of your Active Directory domain and `domainName\keyAdminGroup` is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
```cmd
dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink
```
1. To trigger security descriptor propagation, open `ldp.exe`
1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**
1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user
1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**
1. Select **Run** to start the task
1. Close LDP
### Configuring Dual Enrollment using Group Policy
You configure Windows 10 or Windows 11 to support dual enrollment using the computer configuration portion of a Group Policy object.
You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object:
1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
2. Edit the Group Policy object from step 1.
3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
5. Restart computers targeted by this Group Policy object.
1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users
1. Edit the Group Policy object from step 1
1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**
1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC
1. Restart computers targeted by this Group Policy object
The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.

2
windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
View File

@ -2,7 +2,7 @@
title: PDE settings and configuration
description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
ms.topic: how-to
ms.date: 08/11/2023
ms.date: 05/06/2024
---
# PDE settings and configuration

4
windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
View File

@ -4,7 +4,7 @@ metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
ms.topic: faq
ms.date: 08/11/2023
ms.date: 05/06/2024
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
@ -21,7 +21,7 @@ sections:
[PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
- question: Can users manually encrypt and decrypt files with PDE?
answer: |
Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
- question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
answer: |
No. Accessing PDE protected content over RDP isn't currently supported.

2
windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
View File

@ -2,7 +2,7 @@
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
ms.topic: how-to
ms.date: 08/11/2023
ms.date: 05/06/2024
---
# Personal Data Encryption (PDE)

28
windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
View File

@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
ms.date: 08/03/2023
ms.date: 05/06/2024
ms.topic: how-to
---
@ -9,11 +9,11 @@ ms.topic: how-to
In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
- Encryption Algorithm: DES3
- Integrity, Hash Algorithm: SHA1
- Encryption Algorithm: DES3
- Integrity, Hash Algorithm: SHA1
- Diffie Hellman Group (Key Size): DH2
These settings aren't secure for IKE exchanges.
These settings aren't secure for IKE exchanges.
To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
@ -42,27 +42,27 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName <String>
## IKEv2 Crypto Settings Example
The following commands configure the IKEv2 cryptographic settings to:
The following commands configure the IKEv2 cryptographic settings to:
- Encryption Algorithm: AES128
- Integrity, Hash Algorithm: SHA256
- Diffie Hellman Group (Key Size): DH14
- Encryption Algorithm: AES128
- Integrity, Hash Algorithm: SHA256
- Diffie Hellman Group (Key Size): DH14
### IKEv2 VPN Server
### IKEv2 VPN Server
```powershell
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000
restart-service RemoteAccess -PassThru
```
If you need to switch back to the default IKEv2 settings, use this command:
```powershell
Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault
Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault
restart-service RemoteAccess -PassThru
```
### IKEv2 VPN Client
### IKEv2 VPN Client
```powershell
Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force
@ -74,5 +74,5 @@ If you need to switch back to the default IKEv2 settings, use this command:
Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -RevertToDefault -Force
```
> [!TIP]
> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.
> [!TIP]
> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.

2
windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
View File

@ -1,7 +1,7 @@
---
title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.date: 12/12/2023
ms.date: 05/06/2024
ms.topic: how-to
---

4
windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
View File

@ -1,7 +1,7 @@
---
title: VPN authentication options
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 08/03/2023
ms.date: 05/06/2024
ms.topic: concept-article
---

6
windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
View File

@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
ms.date: 08/03/2023
ms.date: 05/06/2024
ms.topic: how-to
---
@ -32,7 +32,7 @@ For more information, see [Traffic filters](vpn-security-features.md#traffic-fil
## Name-based trigger
You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.\
You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.\
Name-based auto-trigger can be configured using the `VPNv2/<ProfileName>/DomainNameInformationList/dniRowId/AutoTrigger` setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
There are four types of name-based triggers:
@ -56,7 +56,7 @@ When a device has multiple profiles with Always On triggers, the user can specif
## Preserving user Always On preference
Another Windows feature is to preserve a user's Always On preference. If a user manually unchecks the **Connect automatically** checkbox, Windows remembers the user preference for the profile name by adding the profile name to the registry value *AutoTriggerDisabledProfilesList*.
Another Windows feature is to preserve a user's Always On preference. If a user manually unchecks the **Connect automatically** checkbox, Windows remembers the user preference for the profile name by adding the profile name to the registry value *AutoTriggerDisabledProfilesList*.
If a management tool removes or adds the same profile name back and set **AlwaysOn** to **true**, Windows doesn't check the box if the profile name exists in the following registry value, in order to preserve user preference.

2
windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
View File

@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
ms.date: 08/03/2023
ms.date: 05/06/2024
ms.topic: how-to
---

2
windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
View File

@ -1,7 +1,7 @@
---
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.date: 08/03/2023
ms.date: 05/06/2024
ms.topic: concept-article
---

2
windows/security/operating-system-security/network-security/vpn/vpn-guide.md
View File

@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
ms.date: 08/03/2023
ms.date: 05/06/2024
ms.topic: overview
---

2
windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
View File

@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
ms.date: 08/03/2023
ms.date: 05/06/2024
ms.topic: concept-article
---

20
windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
View File

@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: how-to
ms.date: 08/03/2023
ms.date: 05/06/2024
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
@ -70,7 +70,7 @@ An example of a PowerShell script that can be used to update a force tunnel VPN
```powershell
# Copyright (c) Microsoft Corporation. All rights reserved.
#
#
# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
@ -113,7 +113,7 @@ To check a VPN profile XML file:
Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE]
"@
# Check if filename has been provided #
if ($VPNprofilefile -eq "")
{
@ -335,7 +335,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
# Clear variables to allow re-run testing #
$ARRVPN=$null # Array to hold VPN addresses from the XML file #
$In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimize list #
$In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
$In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
# Extract the Profile XML from the XML file #
$regex = '(?sm).*^*.<VPNProfile>\r?\n(.*?)\r?\n</VPNProfile>.*'
@ -542,12 +542,12 @@ $ProfileXML = '<VPNProfile>
<Address>104.146.128.0</Address>
<PrefixSize>17</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
</Route>
<Route>
<Address>150.171.40.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
</Route>
<Route>
<Address>13.107.60.1</Address>
<PrefixSize>32</PrefixSize>
@ -568,9 +568,9 @@ $ProfileXML = '<VPNProfile>
<PrefixSize>14</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Proxy>
<AutoConfigUrl>http://webproxy.corp.contoso.com/proxy.pac</AutoConfigUrl>
</Proxy>
<Proxy>
<AutoConfigUrl>http://webproxy.corp.contoso.com/proxy.pac</AutoConfigUrl>
</Proxy>
</VPNProfile>'
<#-- Convert ProfileXML to Escaped Format --#>
@ -625,7 +625,7 @@ try
$session.CreateInstance($namespaceName, $newInstance, $options)
$Message = "Created $ProfileName profile."
Write-Host "$Message"
Write-Host "$ProfileName profile summary:"
Write-Host "$ProfileName profile summary:"
$session.EnumerateInstances($namespaceName, $className, $options)
}
catch [Exception]

182
windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
View File

@ -1,7 +1,7 @@
---
title: VPN profile options
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.date: 08/03/2023
ms.date: 05/06/2024
ms.topic: how-to
---
@ -43,16 +43,16 @@ The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN prof
The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node.
```xml
<VPNProfile>
<ProfileName>TestVpnProfile</ProfileName>
<NativeProfile>
<Servers>testServer.VPN.com</Servers>
<NativeProtocolType>IKEv2</NativeProtocolType>
<!--Sample EAP profile (PEAP)-->
<Authentication>
<UserMethod>Eap</UserMethod>
<Eap>
<VPNProfile>
<ProfileName>TestVpnProfile</ProfileName>
<NativeProfile>
<Servers>testServer.VPN.com</Servers>
<NativeProtocolType>IKEv2</NativeProtocolType>
<!--Sample EAP profile (PEAP)-->
<Authentication>
<UserMethod>Eap</UserMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
@ -118,95 +118,95 @@ The following sample is a sample Native VPN profile. This blob would fall under
</Config>
</EapHostConfig>
</Configuration>
</Eap>
</Authentication>
</Eap>
</Authentication>
<!--Sample routing policy: in this case, this is a split tunnel configuration with two routes configured-->
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
</NativeProfile>
<Route>
<Address>192.168.0.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>10.10.0.0</Address>
<PrefixSize>16</PrefixSize>
</Route>
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
</NativeProfile>
<Route>
<Address>192.168.0.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>10.10.0.0</Address>
<PrefixSize>16</PrefixSize>
</Route>
<!--VPN will be triggered for the two apps specified here-->
<AppTrigger>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
</AppTrigger>
<AppTrigger>
<App>
<Id>C:\windows\system32\ping.exe</Id>
</App>
</AppTrigger>
<AppTrigger>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
</AppTrigger>
<AppTrigger>
<App>
<Id>C:\windows\system32\ping.exe</Id>
</App>
</AppTrigger>
<!--Example of per-app VPN. This configures traffic filtering rules for two apps. Internet Explorer is configured for force tunnel, meaning that all traffic allowed through this app must go over VPN. Microsoft Edge is configured as split tunnel, so whether data goes over VPN or the physical interface is dictated by the routing configuration.-->
<TrafficFilter>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
<Protocol>6</Protocol>
<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
<Protocol>6</Protocol>
<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
</TrafficFilter>
<!--Name resolution configuration. The AutoTrigger node configures name-based triggering. In this profile, the domain "hrsite.corporate.contoso.com" triggers VPN.-->
<DomainNameInformation>
<DomainName>hrsite.corporate.contoso.com</DomainName>
<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
<WebProxyServers>5.5.5.5</WebProxyServers>
<AutoTrigger>true</AutoTrigger>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>.corp.contoso.com</DomainName>
<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
<WebProxyServers>100.100.100.100</WebProxyServers>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>hrsite.corporate.contoso.com</DomainName>
<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
<WebProxyServers>5.5.5.5</WebProxyServers>
<AutoTrigger>true</AutoTrigger>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>.corp.contoso.com</DomainName>
<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
<WebProxyServers>100.100.100.100</WebProxyServers>
</DomainNameInformation>
<!--EDPMode is turned on for the enterprise ID "corp.contoso.com". When a user accesses an app with that ID, VPN will be triggered.-->
<EdpModeId>corp.contoso.com</EdpModeId>
<RememberCredentials>true</RememberCredentials>
<EdpModeId>corp.contoso.com</EdpModeId>
<RememberCredentials>true</RememberCredentials>
<!--Always On is turned off, and triggering VPN for the apps and domain name specified earlier in the profile will not occur if the user is connected to the trusted network "contoso.com".-->
<AlwaysOn>false</AlwaysOn>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
<Proxy>
<Manual>
<Server>HelloServer</Server>
</Manual>
<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
</Proxy>
<AlwaysOn>false</AlwaysOn>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
<Proxy>
<Manual>
<Server>HelloServer</Server>
</Manual>
<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
</Proxy>
<!--Device compliance is enabled and an alternate certificate is specified for domain resource authentication.-->
<DeviceCompliance>
<Enabled>true</Enabled>
<Sso>
<Enabled>true</Enabled>
<Eku>This is my Eku</Eku>
<IssuerHash>This is my issuer hash</IssuerHash>
</Sso>
</DeviceCompliance>
</VPNProfile>
<DeviceCompliance>
<Enabled>true</Enabled>
<Sso>
<Enabled>true</Enabled>
<Eku>This is my Eku</Eku>
<IssuerHash>This is my issuer hash</IssuerHash>
</Sso>
</DeviceCompliance>
</VPNProfile>
```
## Sample plug-in VPN profile
The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
```xml
<VPNProfile>
@ -279,7 +279,7 @@ The following sample is a sample plug-in VPN profile. This blob would fall under
</Manual>
<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
</Proxy>
</VPNProfile>
</VPNProfile>
```
## Apply ProfileXML using Intune

4
windows/security/operating-system-security/network-security/vpn/vpn-routing.md
View File

@ -1,5 +1,5 @@
---
ms.date: 08/03/2023
ms.date: 05/06/2024
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: concept-article
@ -23,7 +23,7 @@ For each route item in the list, you can configure the following options:
With Windows VPN, you can specify exclusion routes that shouldn't go over the physical interface.
Routes can also be added at connect time through the server for UWP VPN apps.
Routes can also be added at connect time through the server for UWP VPN apps.
## Force tunnel configuration

2
windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
View File

@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
ms.date: 08/03/2023
ms.date: 05/06/2024
ms.topic: concept-article
---

2
windows/security/toc.yml
View File

@ -16,6 +16,6 @@ items:
- name: Identity protection
href: identity-protection/toc.yml
- name: Cloud security
href: cloud-security/toc.yml
href: cloud-services/toc.yml
- name: Windows Privacy 🔗
href: /windows/privacy