mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-17 15:57:23 +00:00
Merge branch 'master' into asr
This commit is contained in:
Denise Vangel-MSFT
commit
17929b5a92
@ -16,7 +16,6 @@ ms.date: 10/18/2019
|
|||||||
ms.custom: bitlocker
|
ms.custom: bitlocker
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
# BitLocker cannot encrypt a drive: known TPM issues
|
# BitLocker cannot encrypt a drive: known TPM issues
|
||||||
|
|
||||||
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
|
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
|
||||||
@ -38,7 +37,7 @@ To resolve this issue, follow these steps:
|
|||||||
|
|
||||||
1. Open an elevated PowerShell window and run the following script:
|
1. Open an elevated PowerShell window and run the following script:
|
||||||
|
|
||||||
```ps
|
```powershell
|
||||||
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
|
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
|
||||||
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
|
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
|
||||||
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
|
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
|
||||||
@ -90,7 +89,7 @@ To verify that you have correctly identified this issue, use one of the followin
|
|||||||
|
|
||||||
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
|
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
|
||||||
|
|
||||||
```ps
|
```powershell
|
||||||
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
|
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -117,11 +116,11 @@ The domain and forest functional level of the environment may still be set to Wi
|
|||||||
To resolve this issue, follow these steps:
|
To resolve this issue, follow these steps:
|
||||||
|
|
||||||
1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
|
1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
|
||||||
1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
|
2. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
|
||||||
1. In the script, modify the value of **strPathToDomain** to your domain name.
|
3. In the script, modify the value of **strPathToDomain** to your domain name.
|
||||||
1. Open an elevated PowerShell window, and run the following command:
|
4. Open an elevated PowerShell window, and run the following command:
|
||||||
|
|
||||||
```ps
|
```powershell
|
||||||
cscript <Path>Add-TPMSelfWriteACE.vbs
|
cscript <Path>Add-TPMSelfWriteACE.vbs
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|||||||
@ -46,40 +46,40 @@ The **Use default** configuration for each of the mitigation settings indicates
|
|||||||
|
|
||||||
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article.
|
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article.
|
||||||
|
|
||||||
Mitigation | Description | Can be applied to | Audit mode available
|
| Mitigation | Description | Can be applied to | Audit mode available |
|
||||||
-|-|-|-
|
| ---------- | ----------- | ----------------- | -------------------- |
|
||||||
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
|
||||||
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
|
||||||
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
|
||||||
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
|
||||||
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
|
||||||
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
|
||||||
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
| Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
|
||||||
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
|
||||||
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
|
||||||
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
|
||||||
Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
|
> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
|
||||||
>
|
>
|
||||||
>
|
>
|
||||||
> Enabled in **Program settings** | Enabled in **System settings** | Behavior
|
> | Enabled in **Program settings** | Enabled in **System settings** | Behavior |
|
||||||
> -|-|-
|
> | ------------------------------- | ------------------------------ | -------- |
|
||||||
> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
|
> | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** |
|
||||||
> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
|
> | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** |
|
||||||
> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
|
> | [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** |
|
||||||
> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
|
> | [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option |
|
||||||
>
|
>
|
||||||
>
|
>
|
||||||
>
|
>
|
||||||
@ -218,29 +218,29 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that
|
|||||||
|
|
||||||
<a id="cmdlets-table"></a>
|
<a id="cmdlets-table"></a>
|
||||||
|
|
||||||
Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
|
| Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |
|
||||||
- | - | - | -
|
| ---------- | ---------- | ------------------ | ----------------- |
|
||||||
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
|
| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
|
||||||
Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available
|
| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
|
||||||
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
|
| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |
|
||||||
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
|
| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available |
|
||||||
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
|
| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available |
|
||||||
Validate heap integrity | System and app-level | TerminateOnError | Audit not available
|
| Validate heap integrity | System and app-level | TerminateOnError | Audit not available |
|
||||||
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
|
| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode |
|
||||||
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
|
| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad |
|
||||||
Block remote images | App-level only | BlockRemoteImages | Audit not available
|
| Block remote images | App-level only | BlockRemoteImages | Audit not available |
|
||||||
Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
|
| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly |
|
||||||
Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
|
| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned |
|
||||||
Disable extension points | App-level only | ExtensionPoint | Audit not available
|
| Disable extension points | App-level only | ExtensionPoint | Audit not available |
|
||||||
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
|
| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall |
|
||||||
Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
|
| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess |
|
||||||
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a>
|
| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|
||||||
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a>
|
| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|
||||||
Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a>
|
| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|
||||||
Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available<a href="#r2" id="t2">\[2\]</a>
|
| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|
||||||
Validate handle usage | App-level only | StrictHandle | Audit not available
|
| Validate handle usage | App-level only | StrictHandle | Audit not available |
|
||||||
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
|
| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |
|
||||||
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available<a href="#r2" id="t2">\[2\]</a>
|
| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|
||||||
|
|
||||||
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
|
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
|
||||||
|
|
||||||
@ -254,7 +254,7 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
|
|||||||
|
|
||||||
For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center).
|
For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center).
|
||||||
|
|
||||||
## See also
|
## See also:
|
||||||
|
|
||||||
* [Protect devices from exploits](exploit-protection.md)
|
* [Protect devices from exploits](exploit-protection.md)
|
||||||
* [Evaluate exploit protection](evaluate-exploit-protection.md)
|
* [Evaluate exploit protection](evaluate-exploit-protection.md)
|
||||||
|
|||||||
Binary file not shown.
|
After Width: | Height: | Size: 66 KiB |
@ -39,18 +39,18 @@ Follow the steps below to create a compliance policy against jailbroken devices.
|
|||||||
1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
|
1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
|
||||||
|
|
||||||
> [!div class="mx-imgBorder"]
|
> [!div class="mx-imgBorder"]
|
||||||
> 
|
> 
|
||||||
|
|
||||||
1. Specify a name of the policy, example "Compliance Policy for Jailbreak".
|
1. Specify a name of the policy, example "Compliance Policy for Jailbreak".
|
||||||
1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
|
1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
|
||||||
|
|
||||||
> [!div class="mx-imgBorder"]
|
> [!div class="mx-imgBorder"]
|
||||||
> 
|
> 
|
||||||
|
|
||||||
1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**.
|
1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**.
|
||||||
|
|
||||||
> [!div class="mx-imgBorder"]
|
> [!div class="mx-imgBorder"]
|
||||||
> 
|
> 
|
||||||
|
|
||||||
1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**.
|
1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**.
|
||||||
1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
|
1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
|
||||||
@ -62,9 +62,25 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
|
> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
|
||||||
|
|
||||||
## Web Protection
|
## Web Protection and VPN
|
||||||
|
|
||||||
By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks.
|
By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a local VPN in order to provide this protection.
|
||||||
|
|
||||||
|
While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below:
|
||||||
|
|
||||||
|
1. On your iOS device, open the **Settings** app and click or tap **VPN**.
|
||||||
|
1. Click or tap the "i" button for Microsoft Defender ATP.
|
||||||
|
1. Toggle off **Connect On Demand** to disable VPN.
|
||||||
|
|
||||||
|
> [!div class="mx-imgBorder"]
|
||||||
|
> 
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
|
||||||
|
|
||||||
|
### Co-existence of multiple VPN profiles
|
||||||
|
|
||||||
|
Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.
|
||||||
|
|
||||||
## Report unsafe site
|
## Report unsafe site
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user