May freshness review

windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md

@@ -1,7 +1,7 @@
 ---
 title: How to configure cryptographic settings for IKEv2 VPN connections
 description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 
@@ -9,11 +9,11 @@ ms.topic: how-to
 
 In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
 
-- Encryption Algorithm: DES3  
-- Integrity, Hash Algorithm: SHA1  
+- Encryption Algorithm: DES3
+- Integrity, Hash Algorithm: SHA1
 - Diffie Hellman Group (Key Size): DH2
 
-These settings aren't secure for IKE exchanges.  
+These settings aren't secure for IKE exchanges.
 
 To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
 
@@ -42,27 +42,27 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName <String>
 
 ## IKEv2 Crypto Settings Example
 
-The following commands configure the IKEv2 cryptographic settings to:  
+The following commands configure the IKEv2 cryptographic settings to:
 
-- Encryption Algorithm: AES128  
-- Integrity, Hash Algorithm: SHA256  
-- Diffie Hellman Group (Key Size): DH14  
+- Encryption Algorithm: AES128
+- Integrity, Hash Algorithm: SHA256
+- Diffie Hellman Group (Key Size): DH14
 
-### IKEv2 VPN Server  
+### IKEv2 VPN Server
 
 ```powershell
-Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000  
+Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000
 restart-service RemoteAccess -PassThru
 ```
 
 If you need to switch back to the default IKEv2 settings, use this command:
 
 ```powershell
-Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault  
+Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault
 restart-service RemoteAccess -PassThru
 ```
 
-### IKEv2 VPN Client  
+### IKEv2 VPN Client
 
 ```powershell
 Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force
@@ -74,5 +74,5 @@ If you need to switch back to the default IKEv2 settings, use this command:
 Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -RevertToDefault -Force
 ```
 
-> [!TIP]  
-> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.  
+> [!TIP]
+> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.

windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md

@@ -1,7 +1,7 @@
 ---
 title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
 description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 12/12/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-authentication.md

@@ -1,7 +1,7 @@
 ---
-title: VPN authentication options 
+title: VPN authentication options
 description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md

@@ -1,7 +1,7 @@
 ---
 title: VPN auto-triggered profile options
 description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 
@@ -32,7 +32,7 @@ For more information, see [Traffic filters](vpn-security-features.md#traffic-fil
 
 ## Name-based trigger
 
-You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.\ 
+You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.\
 Name-based auto-trigger can be configured using the `VPNv2/<ProfileName>/DomainNameInformationList/dniRowId/AutoTrigger` setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
 
 There are four types of name-based triggers:
@@ -56,7 +56,7 @@ When a device has multiple profiles with Always On triggers, the user can specif
 
 ## Preserving user Always On preference
 
-Another Windows feature is to preserve a user's Always On preference. If a user manually unchecks the **Connect automatically** checkbox, Windows remembers the user preference for the profile name by adding the profile name to the registry value *AutoTriggerDisabledProfilesList*.  
+Another Windows feature is to preserve a user's Always On preference. If a user manually unchecks the **Connect automatically** checkbox, Windows remembers the user preference for the profile name by adding the profile name to the registry value *AutoTriggerDisabledProfilesList*.
 
 If a management tool removes or adds the same profile name back and set **AlwaysOn** to **true**, Windows doesn't check the box if the profile name exists in the following registry value, in order to preserve user preference.
 

windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md

@@ -1,7 +1,7 @@
 ---
 title: VPN and conditional access
 description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md

@@ -1,7 +1,7 @@
 ---
 title: VPN connection types
 description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-guide.md

@@ -1,7 +1,7 @@
 ---
 title: Windows VPN technical guide
 description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: overview
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md

@@ -1,7 +1,7 @@
 ---
 title: VPN name resolution
 description: Learn how name resolution works when using a VPN connection.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md

@@ -2,7 +2,7 @@
 title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 ms.topic: how-to
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ---
 # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 
@@ -70,7 +70,7 @@ An example of a PowerShell script that can be used to update a force tunnel VPN
 
 ```powershell
 # Copyright (c) Microsoft Corporation.  All rights reserved.
-#  
+#
 # THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
 # WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
 # WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
@@ -113,7 +113,7 @@ To check a VPN profile XML file:
 Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE]
 
 "@
-  
+
 # Check if filename has been provided #
 if ($VPNprofilefile -eq "")
 {
@@ -335,7 +335,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
     # Clear variables to allow re-run testing #
     $ARRVPN=$null              # Array to hold VPN addresses from the XML file #
     $In_Opt_Only=$null         # Variable to hold IP Addresses that only appear in optimize list #
-    $In_VPN_Only=$null         # Variable to hold IP Addresses that only appear in the VPN profile XML file #  
+    $In_VPN_Only=$null         # Variable to hold IP Addresses that only appear in the VPN profile XML file #
 
     # Extract the Profile XML from the XML file #
     $regex = '(?sm).*^*.<VPNProfile>\r?\n(.*?)\r?\n</VPNProfile>.*'
@@ -542,12 +542,12 @@ $ProfileXML = '<VPNProfile>
       <Address>104.146.128.0</Address>
       <PrefixSize>17</PrefixSize>
       <ExclusionRoute>true</ExclusionRoute>
-    </Route>  
+    </Route>
     <Route>
       <Address>150.171.40.0</Address>
       <PrefixSize>22</PrefixSize>
       <ExclusionRoute>true</ExclusionRoute>
-    </Route>  
+    </Route>
     <Route>
       <Address>13.107.60.1</Address>
       <PrefixSize>32</PrefixSize>
@@ -568,9 +568,9 @@ $ProfileXML = '<VPNProfile>
       <PrefixSize>14</PrefixSize>
     <ExclusionRoute>true</ExclusionRoute>
     </Route>
-    <Proxy>  
-            <AutoConfigUrl>http://webproxy.corp.contoso.com/proxy.pac</AutoConfigUrl>  
-      </Proxy>  
+    <Proxy>
+            <AutoConfigUrl>http://webproxy.corp.contoso.com/proxy.pac</AutoConfigUrl>
+      </Proxy>
 </VPNProfile>'
 
 <#-- Convert ProfileXML to Escaped Format --#>
@@ -625,7 +625,7 @@ try
     $session.CreateInstance($namespaceName, $newInstance, $options)
     $Message = "Created $ProfileName profile."
     Write-Host "$Message"
-    Write-Host "$ProfileName profile summary:"  
+    Write-Host "$ProfileName profile summary:"
     $session.EnumerateInstances($namespaceName, $className, $options)
 }
 catch [Exception]

windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md

@@ -1,7 +1,7 @@
 ---
-title: VPN profile options 
+title: VPN profile options
 description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 
@@ -43,16 +43,16 @@ The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN prof
 The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node.
 
 ```xml
-<VPNProfile>  
-  <ProfileName>TestVpnProfile</ProfileName>  
-  <NativeProfile>  
-    <Servers>testServer.VPN.com</Servers>  
-    <NativeProtocolType>IKEv2</NativeProtocolType> 
-    
-    <!--Sample EAP profile (PEAP)--> 
-    <Authentication>  
-      <UserMethod>Eap</UserMethod> 
-      <Eap>  
+<VPNProfile>
+  <ProfileName>TestVpnProfile</ProfileName>
+  <NativeProfile>
+    <Servers>testServer.VPN.com</Servers>
+    <NativeProtocolType>IKEv2</NativeProtocolType>
+
+    <!--Sample EAP profile (PEAP)-->
+    <Authentication>
+      <UserMethod>Eap</UserMethod>
+      <Eap>
        <Configuration>
           <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
             <EapMethod>
@@ -118,95 +118,95 @@ The following sample is a sample Native VPN profile. This blob would fall under
             </Config>
           </EapHostConfig>
         </Configuration>
-      </Eap>  
-    </Authentication>  
-    
+      </Eap>
+    </Authentication>
+
     <!--Sample routing policy: in this case, this is a split tunnel configuration with two routes configured-->
-    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>  
-    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>  
-  </NativeProfile>  
-    <Route>  
-    <Address>192.168.0.0</Address>  
-    <PrefixSize>24</PrefixSize>  
-  </Route>  
-  <Route>  
-    <Address>10.10.0.0</Address>  
-    <PrefixSize>16</PrefixSize>  
-  </Route>  
-  
+    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
+    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
+  </NativeProfile>
+    <Route>
+    <Address>192.168.0.0</Address>
+    <PrefixSize>24</PrefixSize>
+  </Route>
+  <Route>
+    <Address>10.10.0.0</Address>
+    <PrefixSize>16</PrefixSize>
+  </Route>
+
   <!--VPN will be triggered for the two apps specified here-->
-  <AppTrigger>  
-    <App>  
-      <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>  
-    </App>  
-  </AppTrigger>  
-  <AppTrigger>  
-    <App>  
-      <Id>C:\windows\system32\ping.exe</Id>  
-    </App>  
-  </AppTrigger>  
-  
+  <AppTrigger>
+    <App>
+      <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
+    </App>
+  </AppTrigger>
+  <AppTrigger>
+    <App>
+      <Id>C:\windows\system32\ping.exe</Id>
+    </App>
+  </AppTrigger>
+
   <!--Example of per-app VPN. This configures traffic filtering rules for two apps. Internet Explorer is configured for force tunnel, meaning that all traffic allowed through this app must go over VPN. Microsoft Edge is configured as split tunnel, so whether data goes over VPN or the physical interface is dictated by the routing configuration.-->
-  <TrafficFilter>  
-    <App>  
-      <Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>  
-    </App>  
-    <Protocol>6</Protocol>  
-    <LocalPortRanges>10,20-50,100-200</LocalPortRanges>  
-    <RemotePortRanges>20-50,100-200,300</RemotePortRanges>  
-    <RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>  
-    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>  
-  </TrafficFilter>  
-  <TrafficFilter>  
-    <App>  
-      <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>  
-    </App>  
-    <LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>  
-  </TrafficFilter>  
-  
+  <TrafficFilter>
+    <App>
+      <Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
+    </App>
+    <Protocol>6</Protocol>
+    <LocalPortRanges>10,20-50,100-200</LocalPortRanges>
+    <RemotePortRanges>20-50,100-200,300</RemotePortRanges>
+    <RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
+    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
+  </TrafficFilter>
+  <TrafficFilter>
+    <App>
+      <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
+    </App>
+    <LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
+  </TrafficFilter>
+
   <!--Name resolution configuration. The AutoTrigger node configures name-based triggering. In this profile, the domain "hrsite.corporate.contoso.com" triggers VPN.-->
-  <DomainNameInformation>  
-    <DomainName>hrsite.corporate.contoso.com</DomainName>  
-    <DnsServers>1.2.3.4,5.6.7.8</DnsServers>  
-    <WebProxyServers>5.5.5.5</WebProxyServers>  
-    <AutoTrigger>true</AutoTrigger>  
-  </DomainNameInformation>  
-  <DomainNameInformation>  
-    <DomainName>.corp.contoso.com</DomainName>  
-    <DnsServers>10.10.10.10,20.20.20.20</DnsServers>  
-    <WebProxyServers>100.100.100.100</WebProxyServers>  
-  </DomainNameInformation>  
-  
+  <DomainNameInformation>
+    <DomainName>hrsite.corporate.contoso.com</DomainName>
+    <DnsServers>1.2.3.4,5.6.7.8</DnsServers>
+    <WebProxyServers>5.5.5.5</WebProxyServers>
+    <AutoTrigger>true</AutoTrigger>
+  </DomainNameInformation>
+  <DomainNameInformation>
+    <DomainName>.corp.contoso.com</DomainName>
+    <DnsServers>10.10.10.10,20.20.20.20</DnsServers>
+    <WebProxyServers>100.100.100.100</WebProxyServers>
+  </DomainNameInformation>
+
   <!--EDPMode is turned on for the enterprise ID "corp.contoso.com". When a user accesses an app with that ID, VPN will be triggered.-->
-  <EdpModeId>corp.contoso.com</EdpModeId>  
-  <RememberCredentials>true</RememberCredentials>  
-  
+  <EdpModeId>corp.contoso.com</EdpModeId>
+  <RememberCredentials>true</RememberCredentials>
+
   <!--Always On is turned off, and triggering VPN for the apps and domain name specified earlier in the profile will not occur if the user is connected to the trusted network "contoso.com".-->
-  <AlwaysOn>false</AlwaysOn>  
-  <DnsSuffix>corp.contoso.com</DnsSuffix>  
-  <TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>  
-  <Proxy>  
-    <Manual>  
-      <Server>HelloServer</Server>  
-    </Manual>  
-    <AutoConfigUrl>Helloworld.Com</AutoConfigUrl>  
-  </Proxy>  
-  
+  <AlwaysOn>false</AlwaysOn>
+  <DnsSuffix>corp.contoso.com</DnsSuffix>
+  <TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
+  <Proxy>
+    <Manual>
+      <Server>HelloServer</Server>
+    </Manual>
+    <AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
+  </Proxy>
+
   <!--Device compliance is enabled and an alternate certificate is specified for domain resource authentication.-->
-  <DeviceCompliance>  
-        <Enabled>true</Enabled>  
-        <Sso>  
-            <Enabled>true</Enabled>  
-            <Eku>This is my Eku</Eku>  
-            <IssuerHash>This is my issuer hash</IssuerHash>  
-        </Sso>  
-    </DeviceCompliance>  
-</VPNProfile> 
+  <DeviceCompliance>
+        <Enabled>true</Enabled>
+        <Sso>
+            <Enabled>true</Enabled>
+            <Eku>This is my Eku</Eku>
+            <IssuerHash>This is my issuer hash</IssuerHash>
+        </Sso>
+    </DeviceCompliance>
+</VPNProfile>
 ```
 
 ## Sample plug-in VPN profile
 
-The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. 
+The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
 
 ```xml
 <VPNProfile>
@@ -279,7 +279,7 @@ The following sample is a sample plug-in VPN profile. This blob would fall under
         </Manual>
         <AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
     </Proxy>
-</VPNProfile>  
+</VPNProfile>
 ```
 
 ## Apply ProfileXML using Intune

windows/security/operating-system-security/network-security/vpn/vpn-routing.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 title: VPN routing decisions
 description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
 ms.topic: concept-article
@@ -23,7 +23,7 @@ For each route item in the list, you can configure the following options:
 
 With Windows VPN, you can specify exclusion routes that shouldn't go over the physical interface.
 
-Routes can also be added at connect time through the server for UWP VPN apps.  
+Routes can also be added at connect time through the server for UWP VPN apps.
 
 ## Force tunnel configuration
 

windows/security/operating-system-security/network-security/vpn/vpn-security-features.md

@@ -1,7 +1,7 @@
 ---
 title: VPN security features
 description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---