Windows VPN technical guide

This guide walks you through the decisions to make for Windows clients in your organization's VPN solution, and how to configure your devices. This guide references the VPNv2 Configuration Service Provider (CSP) and provides mobile device management (MDM) configuration instructions using Microsoft Intune.

To create a Windows VPN device configuration profile see: Windows device settings to add VPN connections using Intune.


This guide does not explain server deployment.

Windows edition and licensing requirements

The following table lists the Windows editions that support Virtual private network (VPN):

Windows Pro Windows Enterprise Windows Pro Education/SE Windows Education
Yes Yes Yes Yes

Virtual private network (VPN) license entitlements are granted by the following licenses:

Windows Pro/Pro Education/SE Windows Enterprise E3 Windows Enterprise E5 Windows Education A3 Windows Education A5
Yes Yes Yes Yes Yes

For more information about Windows licensing, see Windows licensing overview.

In this guide

Article Description
VPN connection types Select a VPN client and tunneling protocol
VPN routing decisions Choose between split tunnel and force tunnel configuration
VPN authentication options Select a method for Extensible Authentication Protocol (EAP) authentication.
VPN and conditional access Use Microsoft Entra policy evaluation to set access policies for VPN connections.
VPN name resolution Decide how name resolution should work
VPN auto-triggered profile options Set a VPN profile to connect automatically by app or by name, to be "always on", and to not trigger VPN on trusted networks
VPN security features Configure traffic filtering, connect a VPN profile to Windows Information Protection (WIP), and more
VPN profile options Combine settings into single VPN profile using XML

Learn more