diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index b67b8c2..7cb3fdd 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -73,14 +73,27 @@ To customize IKEv2 or client options, run this script without arguments.
### Windows 7, 8.x 和 10
-1. 将生成的 `.p12` 文件安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
+1. 将生成的 `.p12` 文件安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。要导入 `.p12` 文件,打开 提升权限命令提示符 并运行以下命令:
- 详细的操作步骤:
+ ```console
+ certutil -f -importpfx ".p12文件的完整路径" NoExport
+ ```
+
+ 另外,你也可以手动导入 `.p12` 文件。详情参见下面的链接。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
**注:** Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。参见 [已知问题](#已知问题)。
-1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接:
+1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8.x 和 10 用户,推荐使用下面的 Windows PowerShell 命令来创建 VPN 连接,以达到更佳的 VPN 安全性和性能。将 `你的 VPN 服务器 IP(或者域名)` 换成你自己的值。
+
+ ```console
+ # 创建 VPN 连接
+ Add-VpnConnection -Name "My IKEv2 VPN" -ServerAddress "你的 VPN 服务器 IP(或者域名)" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru
+ # 设置 IPsec 参数
+ Set-VpnConnectionIPsecConfiguration -ConnectionName "My IKEv2 VPN" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
+ ```
+
+ 另外,你也可以手动创建 VPN 连接。参见这里:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
**注:** 如果你在配置 IKEv2 时指定了服务器的域名(而不是 IP 地址),则必须在 **Internet地址** 字段中输入该域名。
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 5db0df0..042da95 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -73,14 +73,27 @@ To customize IKEv2 or client options, run this script without arguments.
### Windows 7, 8.x and 10
-1. Securely transfer the generated `.p12` file to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
+1. Securely transfer the generated `.p12` file to your computer, then import it into the "Computer account" certificate store. To import the `.p12` file, run the following from an elevated command prompt:
- Detailed instructions:
+ ```console
+ certutil -f -importpfx "path\to\your\p12\file.p12" NoExport
+ ```
+
+ Alternatively, you can manually import the `.p12` file. See instructions at the link below. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
**Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. See [Known issues](#known-issues).
-1. On the Windows computer, add a new IKEv2 VPN connection:
+1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8.x and 10 users, it is recommended to create the VPN connection using these Windows PowerShell commands for improved security and performance. Replace `Your VPN Server IP (or DNS name)` with your own value.
+
+ ```console
+ # Create VPN connection
+ Add-VpnConnection -Name "My IKEv2 VPN" -ServerAddress "Your VPN Server IP (or DNS name)" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru
+ # Set IPsec configuration
+ Set-VpnConnectionIPsecConfiguration -ConnectionName "My IKEv2 VPN" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
+ ```
+
+ Alternatively, you can manually create the VPN connection. See:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
**Note:** If you specified the server's DNS name (instead of its IP address) during IKEv2 setup, you must enter the DNS name in the **Internet address** field.