Merge pull request #4363 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
2025-05-29 13:47:23 +00:00 · 2020-12-09 10:55:19 -08:00 · 2020-12-09 10:55:19 -08:00 · 741f4f56ff
commit 741f4f56ff
parent b82cdd3274 f44ad173b8
3 changed files with 32 additions and 17 deletions
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
@ -16,7 +16,6 @@ ms.date: 10/18/2019
 ms.custom: bitlocker
 ---

-
 # BitLocker cannot encrypt a drive: known TPM issues

 This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
@ -38,7 +37,7 @@ To resolve this issue, follow these steps:

 1. Open an elevated PowerShell window and run the following script:

-   ```ps
+   ```powershell
   $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
   $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
   if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
@ -90,7 +89,7 @@ To verify that you have correctly identified this issue, use one of the followin

 1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:

-   ```ps
+   ```powershell
   Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
   ```

@ -117,11 +116,11 @@ The domain and forest functional level of the environment may still be set to Wi
 To resolve this issue, follow these steps:

 1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
-1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
-1. In the script, modify the value of **strPathToDomain** to your domain name.
-1. Open an elevated PowerShell window, and run the following command:
+2. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
+3. In the script, modify the value of **strPathToDomain** to your domain name.
+4. Open an elevated PowerShell window, and run the following command:

-   ```ps
+   ```powershell
   cscript <Path>Add-TPMSelfWriteACE.vbs
   ```

--- a/windows/security/threat-protection/microsoft-defender-atp/images/ios-vpn-config.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/ios-vpn-config.png
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
@ -39,18 +39,18 @@ Follow the steps below to create a compliance policy against jailbroken devices.
 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.

    > [!div class="mx-imgBorder"]
-    > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-policy.png)
+    > ![Create Policy](images/ios-jb-policy.png)

 1. Specify a name of the policy, example "Compliance Policy for Jailbreak".
 1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.

    > [!div class="mx-imgBorder"]
-    > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-settings.png)
+    > ![Policy Settings](images/ios-jb-settings.png)

 1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**.

    > [!div class="mx-imgBorder"]
-    > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-actions.png)
+    > ![Policy Actions](images/ios-jb-actions.png)

 1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**.
 1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
@ -62,9 +62,25 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i
 > [!NOTE]
 > Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.

-## Web Protection
+## Web Protection and VPN

-By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks.
+By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a local VPN in order to provide this protection.
+
+While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below:
+
+1. On your iOS device, open the **Settings** app and click or tap  **VPN**.
+1. Click or tap the "i" button for Microsoft Defender ATP.
+1. Toggle off **Connect On Demand** to disable VPN.
+
+    > [!div class="mx-imgBorder"]
+    > ![VPN config connect on demand](images/ios-vpn-config.png)
+
+> [!NOTE]
+> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
+
+### Co-existence of multiple VPN profiles
+
+Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.

 ## Report unsafe site