Merge pull request #4363 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)

windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md

@@ -1,5 +1,5 @@
 ---
-title: BitLocker cannot encrypt a drive known TPM issues 
+title: BitLocker cannot encrypt a drive known TPM issues
 description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM
 ms.reviewer: kaushika
 ms.technology: windows
@@ -16,7 +16,6 @@ ms.date: 10/18/2019
 ms.custom: bitlocker
 ---
 
-
 # BitLocker cannot encrypt a drive: known TPM issues
 
 This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
@@ -38,7 +37,7 @@ To resolve this issue, follow these steps:
 
 1. Open an elevated PowerShell window and run the following script:
 
-   ```ps
+   ```powershell
    $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
    $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
    if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
@@ -69,7 +68,7 @@ To resolve this issue, disable and re-enable the TPM. To do this, follow these s
 If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm).
 
 > [!WARNING]
-> Clearing the TPM can cause data loss.  
+> Clearing the TPM can cause data loss.
 
 ## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
 
@@ -81,7 +80,7 @@ The TPM did not have sufficient permissions on the TPM Devices container in Acti
 
 This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
 
-### Resolution  
+### Resolution
 
 To verify that you have correctly identified this issue, use one of the following methods:
 
@@ -90,7 +89,7 @@ To verify that you have correctly identified this issue, use one of the followin
 
 1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
 
-   ```ps
+   ```powershell
    Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
    ```
 
@@ -100,7 +99,7 @@ To verify that you have correctly identified this issue, use one of the followin
 
 ## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
 
-Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.  
+Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
 
 You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
 
@@ -117,14 +116,14 @@ The domain and forest functional level of the environment may still be set to Wi
 To resolve this issue, follow these steps:
 
 1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
-1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
-1. In the script, modify the value of **strPathToDomain** to your domain name.
-1. Open an elevated PowerShell window, and run the following command:
+2. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
+3. In the script, modify the value of **strPathToDomain** to your domain name.
+4. Open an elevated PowerShell window, and run the following command:
 
-   ```ps
+   ```powershell
    cscript <Path>Add-TPMSelfWriteACE.vbs
    ```
-   
+
    In this command \<*Path*> is the path to the script file.
 
 For more information, see the following articles:

windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md

@@ -39,18 +39,18 @@ Follow the steps below to create a compliance policy against jailbroken devices.
 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
 
     > [!div class="mx-imgBorder"]
-    > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-policy.png)
+    > ![Create Policy](images/ios-jb-policy.png)
 
 1. Specify a name of the policy, example "Compliance Policy for Jailbreak".
 1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
 
     > [!div class="mx-imgBorder"]
-    > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-settings.png)
+    > ![Policy Settings](images/ios-jb-settings.png)
 
 1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**.
 
     > [!div class="mx-imgBorder"]
-    > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-actions.png)
+    > ![Policy Actions](images/ios-jb-actions.png)
 
 1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**.
 1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
@@ -62,9 +62,25 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i
 > [!NOTE]
 > Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
 
-## Web Protection
+## Web Protection and VPN
 
-By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks.
+By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a local VPN in order to provide this protection.
+
+While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below:
+
+1. On your iOS device, open the **Settings** app and click or tap  **VPN**.
+1. Click or tap the "i" button for Microsoft Defender ATP.
+1. Toggle off **Connect On Demand** to disable VPN.
+
+    > [!div class="mx-imgBorder"]
+    > ![VPN config connect on demand](images/ios-vpn-config.png)
+
+> [!NOTE]
+> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
+
+### Co-existence of multiple VPN profiles
+
+Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.
 
 ## Report unsafe site