MicrosoftDocs
diff --git a/‎.openpublishing.redirection.defender-endpoint.json‎
Lines changed: 10 additions & 0 deletions b/‎.openpublishing.redirection.defender-endpoint.json‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎CloudAppSecurityDocs/tutorial-dlp.md‎
Lines changed: 0 additions & 1 deletion b/‎CloudAppSecurityDocs/tutorial-dlp.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎defender-endpoint/TOC.yml‎
Lines changed: 4 additions & 2 deletions b/‎defender-endpoint/TOC.yml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎defender-endpoint/aggregated-reporting.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/aggregated-reporting.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-endpoint/analyzer-report.md‎
Lines changed: 15 additions & 5 deletions b/‎defender-endpoint/analyzer-report.md‎
Lines changed: 15 additions & 5 deletions
diff --git a/‎defender-endpoint/api/get-assessment-browser-extensions.md‎
Lines changed: 4 additions & 9 deletions b/‎defender-endpoint/api/get-assessment-browser-extensions.md‎
Lines changed: 4 additions & 9 deletions
diff --git a/‎defender-endpoint/api/get-live-response-result.md‎
Lines changed: 2 additions & 0 deletions b/‎defender-endpoint/api/get-live-response-result.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎defender-endpoint/api/initiate-autoir-investigation.md‎
Lines changed: 6 additions & 5 deletions b/‎defender-endpoint/api/initiate-autoir-investigation.md‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎defender-endpoint/api/management-apis.md‎
Lines changed: 5 additions & 5 deletions b/‎defender-endpoint/api/management-apis.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎defender-endpoint/api/run-live-response.md‎
Lines changed: 5 additions & 1 deletion b/‎defender-endpoint/api/run-live-response.md‎
Lines changed: 5 additions & 1 deletion
@@ -1,5 +1,15 @@
 {
   "redirections": [
+    {
+      "source_path": "defender-endpoint/threat-analytics-analyst-reports.md",
+      "redirect_url": "/defender-xdr/threat-analytics-analyst-reports",
+      "redirect_document_id": false
+    },    
+    {
+      "source_path": "defender-endpoint/threat-analytics.md",
+      "redirect_url": "/defender-xdr/threat-analytics",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "defender-endpoint/configure-microsoft-threat-experts.md",
       "redirect_url": "/defender-xdr/defender-experts-for-hunting",
 
@@ -79,7 +79,6 @@ Our approach to information protection can be split into the following phases th
     1. Under **Inspection method**, choose and configure one of the following classification services:
 
         - **[Data Classification Services](dcs-inspection.md)**: Uses classification decisions you've made across Microsoft 365, Microsoft Purview Information Protection, and Defender for Cloud Apps to provide a unified labeling experience. This is the preferred content inspection method as it provides a consistent and unified experience across Microsoft products.
-        - **[Built-in DLP](content-inspection-built-in.md)**: Inspects files for sensitive information using our built-in DLP content inspection engine.
 
     1. For highly sensitive files, select **Create an alert** and choose the alerts you require, so that you're informed when there are files with unprotected sensitive information in your organization.
     1. Select **Create**.
 
@@ -232,6 +232,8 @@
             href: mac-resources.md
           - name: Troubleshoot Microsoft Defender for Endpoint on macOS
             items:
+            - name: Troubleshoot agent health issues
+              href: mac-health-status.md
             - name: Troubleshooting mode on macOS
               href: mac-troubleshoot-mode.md
             - name: Troubleshoot macOS installation issues
@@ -1079,10 +1081,10 @@
       href: /defender-xdr/advanced-hunting-overview
 
     - name: Threat analytics overview
-      href: threat-analytics.md
+      href: /defender-xdr/threat-analytics
       items:
       - name: Read the analyst report
-        href: threat-analytics-analyst-reports.md
+        href: /defender-xdr/threat-analytics-analyst-reports
 
     - name: EDR in block mode
       href: edr-in-block-mode.md
 
@@ -12,7 +12,7 @@ ms.collection:
 - tier3
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 01/21/2025
+ms.date: 03/04/2025
 appliesto:
 - Microsoft Defender for Endpoint Plan 2
 ---
@@ -38,8 +38,8 @@ The following requirements must be met before turning on aggregated reporting:
 
 Aggregated reporting supports the following:
 
-- Client version: Windows version 2411 and above
-- Operating systems: Windows 11 22H2, Windows Server 2022, Windows 11 Enterprise, Windows 10 20H2, 21H1, 21H2, Windows Server version 20H2, and Windows Server 2019
+- Client version: Windows version 2411 and later
+- Operating systems: Windows 11 22H2, Windows 11 Enterprise, Windows 10 20H2, 21H1, 21H2, Windows Server 2025, Windows Server 2022, Windows Server 2019, or Windows Server version 20H2
 
 ## Turn on aggregated reporting
 
 
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 02/15/2024
+ms.date: 03/04/2025
 ---
 
 # Understand the client analyzer HTML report
@@ -28,28 +28,38 @@ The client analyzer produces a report in HTML format. Learn how to review the re
 
 Use the following example to understand the report.
 
- Example output from the analyzer on a machine onboarded to expired Org ID and failing to reach one of the required Microsoft Defender for Endpoint URLs:
+## Example output
+
+In this example, the [Defender for Endpoint Client Analyzer](/defender-endpoint/overview-client-analyzer) produced information about a device that was onboarded to an expired Org ID and failed to reach a required Defender for Endpoint URL:
 
 :::image type="content" source="media/147cbcf0f7b6f0ff65d200bf3e4674cb.png" alt-text="The MDE Client Analyzer Results page" lightbox="media/147cbcf0f7b6f0ff65d200bf3e4674cb.png":::
 
 - On top, the script version and script runtime are listed for reference
+
 - The **Device Information** section provides basic OS and device identifiers to uniquely identify the device on which the analyzer has run.
-- The **Endpoint Security Details** provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor process. If important processes aren't online as expected,  the color will change to red.
+
+- The **Endpoint Security Details** provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor process. If important processes aren't online as expected, the color changes to red.
 
     :::image type="content" source="media/85f56004dc6bd1679c3d2c063e36cb80.png" alt-text="The Check Results Summary page" lightbox="media/85f56004dc6bd1679c3d2c063e36cb80.png":::
 
 - On **Check Results Summary**, you'll have an aggregated count for error,
     warning, or informational events detected by the analyzer.
+
 - On **Detailed Results**, you'll see a list (sorted by severity) with
     the results and the guidance based on the observations made by the analyzer.
 
 ## Open a support ticket to Microsoft and include the Analyzer results
 
-To include analyzer result files [when opening a support ticket](contact-support.md#open-a-service-request), make sure you use the **Attachments** section and include the
-`MDEClientAnalyzerResult.zip` file:
+To include analyzer result files [when opening a support ticket](contact-support.md#open-a-service-request), make sure you use the **Attachments** section and include the `MDEClientAnalyzerResult.zip` file:
 
 :::image type="content" source="media/508c189656c3deb3b239daf811e33741.png" alt-text="An attachment prompt" lightbox="media/508c189656c3deb3b239daf811e33741.png":::
 
 > [!NOTE]
 > If the file size is larger than 25 MB, the support engineer assigned to your case will provide a dedicated secure workspace to upload large files for analysis.
+
+## See also
+
+- [Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer](overview-client-analyzer.md)
+
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 01/22/2025
+ms.date: 03/04/2025
 ---
 
 # Export browser extensions assessment per device
@@ -24,14 +24,9 @@ ms.date: 01/22/2025
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](../microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](../microsoft-defender-endpoint.md)
-- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management)
-- [Microsoft Defender XDR](/defender-xdr)
-
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us).
-
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](/defender-vulnerability-management/get-defender-vulnerability-management).
+- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
+- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management-capabilities#vulnerability-management-capabilities-for-endpoints) (add-on for Defender for Endpoint Plan 2 or the standalone version)
+- [Microsoft Defender for Cloud Plan 2](/azure/defender-for-cloud/defender-for-cloud-introduction)
 
 Returns all known installed browser extensions and their details for all devices, on a per-device basis.
 
 
@@ -69,6 +69,8 @@ Before you can initiate a session on a device, make sure you fulfill the followi
 
   - **Windows Server 2022**  
 
+  - **Windows Server 2025**
+
 ## Permissions
 
 One of the following permissions is required to call this API. To learn more,
 
@@ -49,12 +49,13 @@ Your organization must have Defender for Endpoint (see [Minimum requirements for
 
 Currently, AIR only supports the following OS versions:
 
-- Windows Server 2019
-- Windows Server 2022
-- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
-- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
-- Windows 10, version [1803](/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later
 - Windows 11
+- Windows 10, version [1803](/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later
+- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
+- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
+- Windows Server 2025
+- Windows Server 2022
+- Windows Server 2019
 
 ## Permissions
 
 
@@ -33,7 +33,7 @@ Defender for Endpoint supports a wide variety of deployment, configuration, and
 
 ## Endpoint onboarding and portal access
 
-Device onboarding is fully integrated into Microsoft Intune and Microsoft Configuration Manager for client devices. For servers, you can choose from several options, such as Defender for Endpoint Server, Defender for Servers (as part of the Defender for Cloud offering), or Defender for Business servers (for small and medium-sized businesses). 
+Device onboarding is fully integrated into Microsoft Intune and Microsoft Configuration Manager for client devices. You can onboard both client and server devices using the Microsoft Defender portal. Or, for servers, you can use Defender for Cloud, which integrates with Defender for Endpoint and Defender for Business. (Server licenses are required; for more information, see [Onboard servers to Defender for Endpoint](/defender-endpoint/onboard-server) and [Onboard devices to Defender for Business](/defender-business/mdb-onboard-devices).)
 
 The Microsoft Defender portal provides your security team with a robust, end-to-end experience for configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other non-Microosft tools used for managing devices.
 
@@ -47,7 +47,7 @@ Defender for Endpoint provides fine-grained control over what users with access
 
 Defender for Endpoint is built on top of an integration-ready platform. 
 
-Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs enable you to automate workflows and innovate based on Defender for Endpoint capabilities. You can also the Defender for Endpoint APIs with Defender for Business, for the capabilities that are supported in Defender for Business.
+Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs enable you to automate workflows and innovate based on Defender for Endpoint capabilities. You can also use the Defender for Endpoint APIs with Defender for Business for the capabilities that are supported in Defender for Business.
 
 :::image type="content" source="../media/mdatp-apis.png" alt-text="The available API and integration in Microsoft Defender for Endpoint" lightbox="../media/mdatp-apis.png":::
 
@@ -73,7 +73,7 @@ The **Response API** exposes the ability to take actions in the service and on d
 
 Defender for Endpoint raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
 
-The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
+The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or other data processing engines.
 
 For more information, see [Raw data streaming API](raw-data-export.md).
 
@@ -82,9 +82,9 @@ For more information, see [Microsoft Defender XDR Streaming API](/defender-xdr/s
 
 ## SIEM API
 
-When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender XDR using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Microsoft Entra tenant. 
+When you enable security information and event management (SIEM) integration, you can pull detections from Microsoft Defender XDR using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Microsoft Entra tenant. 
 
-## Related topics
+## Related articles
 
 - [Access the Microsoft Defender for Endpoint APIs](apis-intro.md)
 - [Supported APIs](exposed-apis-list.md)
 
@@ -85,11 +85,15 @@ Before you can initiate a session on a device, make sure you fulfill the followi
     - Version 1809 (with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818))
 
   - **Windows Server 2022**
+
+- **Windows Server 2025**
+
   - **macOS** [(requires other configuration profiles)](../microsoft-defender-endpoint-mac.md)
       - 13 (Ventura)
       - 12 (Monterey)
       - 11 (Big Sur)
-  - **Linux**
+
+  - **Linux Server**
       - [Supported Linux server distributions and kernel versions](../microsoft-defender-endpoint-linux.md)
 
 ## Permissions