MicrosoftDocs
diff --git a/‎CloudAppSecurityDocs/behaviors.md‎
Lines changed: 2 additions & 2 deletions b/‎CloudAppSecurityDocs/behaviors.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎CloudAppSecurityDocs/in-browser-protection.md‎
Lines changed: 47 additions & 49 deletions b/‎CloudAppSecurityDocs/in-browser-protection.md‎
Lines changed: 47 additions & 49 deletions
diff --git a/‎defender-endpoint/TOC.yml‎
Lines changed: 6 additions & 0 deletions b/‎defender-endpoint/TOC.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎defender-endpoint/attack-surface-reduction.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-endpoint/attack-surface-reduction.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-endpoint/breadcrumb/toc.yml‎
Lines changed: 5 additions & 1 deletion b/‎defender-endpoint/breadcrumb/toc.yml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎defender-endpoint/comprehensive-guidance-on-linux-deployment.md‎
Lines changed: 0 additions & 5 deletions b/‎defender-endpoint/comprehensive-guidance-on-linux-deployment.md‎
Lines changed: 0 additions & 5 deletions
@@ -73,8 +73,8 @@ The behaviors schema in the **Advanced hunting** page is similar to the [alerts
 
 |Table name  |Description  |
 |---------|---------|
-|[BehaviorInfo  ](/microsoft-365/security/defender/advanced-hunting-behaviorinfo-table) | Record per behavior with its metadata, including behavior title, MITRE Attack categories, and techniques. |
-|[BehaviorEntities   ](/microsoft-365/security/defender/advanced-hunting-behaviorentities-table) | Information on the entities that were part of the behavior. Can be multiple records per behavior.        |
+|[BehaviorInfo  ](/microsoft-365/security/defender/advanced-hunting-behaviorinfo-table) | Record per behavior with its metadata, including behavior title, MITRE Attack categories, and techniques. (Not available for GCC.) |
+|[BehaviorEntities   ](/microsoft-365/security/defender/advanced-hunting-behaviorentities-table) | Information on the entities that were part of the behavior. Can be multiple records per behavior. (Not available for GCC.)      |
 
 To get complete information on a behavior and its entities, use `BehaviorId` as the primary key for the join. For example:
 
 
@@ -1,7 +1,7 @@
 ---
 title: In-browser protection with Microsoft Edge for Business | Microsoft Defender for Cloud Apps
 description: Learn about using in-browser protection with Microsoft Defender for Cloud Apps session policies and Microsoft Edge for Business.
-ms.date: 03/04/2024
+ms.date: 10/31/2024
 ms.topic: conceptual
 #customerIntent: As a Defender for Cloud Apps admin, I want to learn about the user experience with in-browser protection.
 ---
@@ -14,98 +14,96 @@ Protected users experience a smooth experience with their cloud apps, without la
 
 ## In-browser protection requirements
 
-To use in-browser protection, users must be in their browser's work profile. 
+To use in-browser protection, users must be in their browser's work profile.
 
 Microsoft Edge profiles allow users to split browsing data into separate profiles, where the data that belongs to each profile is kept separate from the other profiles. For example, when users have different profiles for personal browsing and work, their personal favorites and history aren't synchronized with their work profile.
 
 When users have separate profiles, their work browser (Microsoft Edge for Business) and personal browser (Microsoft Edge) have separate caches and storage locations, and information remains separate.
 
 To use in-browser protection, users must also have the following environmental requirements in place:
 
-|Requirement  |Description  |
-|---------|---------|
-|**Operating systems**     |   Windows 10 or 11, macOS      |
-|**Identity platform**     | Microsoft Entra ID        |
-|**Microsoft Edge for Business versions**     |   The last 2 stable versions (for example, if the newest Edge is 126, in-browser protection works for v126 and v125). <br> See [Microsoft Edge releases](https://learn.microsoft.com/deployedge/microsoft-edge-release-schedule#microsoft-edge-releases)     |
-|**Supported session policies**     | - Block\Monitor of file download (all files\sensitive files) <br>- Block\Monitor file upload (all files\sensitive files) <br>- Block\Monitor copy\cut\paste <br>- Block\Monitor print <br>- Block\Monitor malware upload <br>- Block\Monitor malware download <br><br> Users that are served by multiple policies, including at least one policy that's *not* supported by Microsoft Edge for Business, their sessions are always served by the reverse proxy. <br><br>Policies defined in the Microsoft Entra ID portal are also always served by reverse proxy.   |
+|Requirement|Description|
+|---|---|
+|**Operating systems**|Windows 10 or 11, macOS|
+|**Identity platform**|Microsoft Entra ID|
+|**Microsoft Edge for Business versions**|The last two stable versions. For example, if the newest Microsoft Edge is 126, in-browser protection works for v126 and v125. <br> For more information, see [Microsoft Edge releases](/deployedge/microsoft-edge-release-schedule#microsoft-edge-releases).|
+|**Supported session policies**|<ul><li>Block\Monitor of file download (all files\sensitive files)</li><li>Block\Monitor file upload (all files\sensitive files)</li><li>Block\Monitor copy\cut\paste</li><li>Block\Monitor print</li><li>Block\Monitor malware upload</li><li>Block\Monitor malware download</li></ul> <br> Users that are served by multiple policies, including at least one policy that's *not* supported by Microsoft Edge for Business, their sessions are always served by the reverse proxy. <br><br> Policies defined in the Microsoft Entra ID portal are also always served by reverse proxy.|
 
 All other scenarios are served automatically with the standard reverse proxy technology, including user sessions from browsers that don't support in-browser protection, or for policies not supported by in-browser protection.
 
 For instance, these scenarios are served by the reverse proxy:
-- Google Chrome users
-- Microsoft Edge users who are scoped to a protect file download policy
-- Microsoft Edge users on Android devices
-- Users in apps that use the OKTA authentication method
-- Microsoft Edge users in InPrivate mode
-- Microsoft Edge users with older browser versions
-- B2B guest users
-- Session is scoped to conditional access policy defined in Microsoft Entra ID portal
+
+- Google Chrome users.
+- Microsoft Edge users who are scoped to a protect file download policy.
+- Microsoft Edge users on Android devices.
+- Users in apps that use the OKTA authentication method.
+- Microsoft Edge users in InPrivate mode.
+- Microsoft Edge users with older browser versions.
+- B2B guest users.
+- Session is scoped to a Conditional Access policy defined in Microsoft Entra ID portal.
 
 ## User experience with in-browser protection
 
-To confirm that in-browser protection is active, users need to click on the “lock” icon in the browser's address bar and look for the “suitcase” symbol in the form that appears. The symbol indicates that the session is protected by Defender for Cloud Apps. For example:
+To confirm that in-browser protection is active, users need to select the "lock" icon in the browser's address bar and look for the "suitcase" symbol in the form that appears. The symbol indicates that the session is protected by Defender for Cloud Apps. For example:
 
-![Screenshot of Edge in browser indication.](media/in-browser-protection/edge-in-browser-indication.png)
+![Screenshot of Microsoft Edge in browser indication.](media/in-browser-protection/edge-in-browser-indication.png)
 
 Also, the `.mcas.ms` suffix doesn't appear in the browser address bar with in-browser protection, as it does with standard Conditional Access app control, and developer tools are turned off with in-browser protection.
 
 ### Work profile enforcement for in-browser protection
 
-To access a work resource in *contoso.com* with in-browser protection, users must sign in with their *[email protected]* profile. If users try to access the work resource from outside the work profile, they're prompted to switch to the work profile or create one if it doesn't exist. Users can also choose to continue with their current profile, in which case they're served by the [reverse proxy architecture](proxy-intro-aad.md).
+To access a work resource in *contoso.com* with in-browser protection, users must sign in with their `[email protected]` profile. If users try to access the work resource from outside the work profile, they're prompted to switch to the work profile or create one if it doesn't exist. Users can also choose to continue with their current profile, in which case they're served by the [reverse proxy architecture](proxy-intro-aad.md).
 
 If the user decides to create a new work profile, they're prompted with the **Allow my organization to manage my device** option. In such cases, users don't need to select this option to create the work profile or benefit from in-browser protection.
 
-For more information, see [Microsoft Edge for Business](/deployedge/microsoft-edge-for-business) and [How to add new profiles to Microsoft Edge](https://www.microsoft.com/en-us/edge/learning-center/how-to-add-new-profiles).
+For more information, see [Microsoft Edge for Business](/deployedge/microsoft-edge-for-business) and [How to add new profiles to Microsoft Edge](https://www.microsoft.com/edge/learning-center/how-to-add-new-profiles).
 
 ## Configure in-browser protection settings
 
-In-browser protection with Microsoft Edge for Business is turned on by default. Admins can turn the integration off and on, and can configure a prompt for non-Edge users to switch to Microsoft Edge for enhanced performance and security.
-
-**To configure in-browser protection settings:**
-
-1. In the Microsoft Defender portal, select **Settings > Cloud Apps > Conditional Access App Control > Edge for Business protection**.
+In-browser protection with Microsoft Edge for Business is turned on by default. Admins can turn the integration off and on, and can configure a prompt for non-Microsoft Edge users to switch to Microsoft Edge for enhanced performance and security.
 
-1. Configure the following settings as needed:
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **System** \> **Settings** \> **Cloud apps** \> **Conditional Access App Control** section \> **Edge for Business protection**. Or, to go directly to the **Edge for Business protection** page, use <https://security.microsoft.com/cloudapps/settings?tabid=edgeIntegration>.
 
-    - Toggle the **Turn on Edge for Business protection** option **Off** or **On**.
-    - Select to **Notify users in non-Edge browsers to use Microsoft Edge for Business for better performance and security**.
+2. On the **Edge for Business protection** page, configure the following settings as needed:
+   - **Turn on Edge for Business browser protection**: The default value is **On**, but you can toggle the setting to **Off**.
+   - **Notify users in non-Edge browsers to use Microsoft Edge for Business for better performance and security**: If you select the check box, select one of the following values that appear:
+     - **Use default message** (default)
+     - **Customize message**: Enter the custom text in the box that appears.
 
-        If you selected to notify non-Edge users, select to either use the default message or customize your own message.
+     Use the **Preview** link to see the notification.
 
-1. Select **Save** when you're done to save your changes.
+   When you're finished on the **Edge for Business protection** page, select **Save**.
 
 ## Working with Microsoft Purview and Endpoint data loss prevention
 
 If the same exact context and action are configured for both Defender for Cloud Apps policies and a Microsoft Purview Endpoint data loss prevention policy (DLP), the Endpoint DLP policy is applied.
 
-For example, if you have an Endpoint DLP policy that blocks a file upload to Salesforce, and you also have a Defender for Cloud Apps policy that monitors file uploads to Salesforce, the Endpoint DLP policy is applied.
+For example, you have an Endpoint DLP policy that blocks a file upload to Salesforce, and you also have a Defender for Cloud Apps policy that monitors file uploads to Salesforce. In this scenario, the Endpoint DLP policy is applied.
 
 For more information, see [Learn about data loss prevention](/purview/dlp-learn-about-dlp).
 
-## Enforce Edge in-browser when accessing business apps
-Administrators who understand the power of Edge in-browser protection, can require their users to use Edge when accessing corporate resources. 
-A primary reason is security, since the barrier to circumventing session controls using Edge is much higher than with reverse proxy technology.
+## Enforce Microsoft Edge browser protection when accessing business apps
+
+Administrators who understand the power of Microsoft Edge browser protection can require users to use Microsoft Edge when accessing corporate resources. A primary reason is security, since the barrier to circumventing session controls using Microsoft Edge is much higher than with reverse proxy technology.
+
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **System** \> **Settings** \> **Cloud apps** \> **Conditional Access App Control** section \> **Edge for Business protection**. Or, to go directly to the **Edge for Business protection** page, use <https://security.microsoft.com/cloudapps/settings?tabid=edgeIntegration>.
 
-Admin experience   
-The feature is controlled through the following settings:   
-M365 Defender > Settings > Cloud Apps > Edge for Business protection > Enforce usage of Edge for business   
+2. On the **Edge for Business protection** page, as long as **Turn on Edge for Business browser protection** is on, **Enforce usage of Edge for Business** is available with the following values:
+   - **Do not enforce** (default)
+   - **Allow access only from Edge**: Access to the business application (scoped to session policies) is available only via the Microsoft Edge browser.
+   - **Enforce access from Edge when possible**: Users should use Microsoft Edge to access the application if their context permits. Otherwise, they might use a different browser to access the protected application.
 
-The following options are available:   
-- Do not enforce (default)   
-- Allow access only from Edge   
-- Enforce access from Edge when possible
+     For example, a user is subject to a policy that doesn't align with in-browser protection capabilities (for example, **Protect file upon download**) OR the operating system is incompatible (for instance, Android).
 
-Admins have the option to apply policies on all devices or only on unmanaged devices.
+     In this scenario, because the user lacks control over the context, they might opt to use a different browser.
 
-**Allow access only from Edge** means that access to the business application, scoped to session policies, can only be obtained via the Edge browser.
+     If the applicable policies allow it and the operating system is compatible (Windows 10, 11, macOS), the user is required to use Microsoft Edge.
 
-**Enforce access from Edge when possible** means that users should use Edge to access the application if their context permits, but if not, they may use a different browser to access the protected application.
+3. If you select **Allow access only from Microsoft Edge** or **Enforce access from Microsoft Edge when possible**, the **Enforce for which devices?** setting is available with the following values:
+   - **All devices** (default)
+   - **Unmanaged devices only**
 
-For example: 
-If a user is subject to a policy that does not align with in-browser protection capabilities (such as, 'Protect file upon download'), OR 
-the Operating System is incompatible (for instance, Android). 
-In that scenario, because the user lacks control over the context, they may opt to use a different browser. 
-If the policies applicable to him allow it and the operating system is compatible (Windows 10, 11, macOS), then he is required to utilize Edge. 
+4. When you're finished on the **Edge for Business protection** page, select **Save**.
 
 ## Related content
 
 
@@ -10,6 +10,8 @@
       href: zero-trust-with-microsoft-defender-endpoint.md
     - name: Trial user guide - Microsoft Defender for Endpoint
       href: defender-endpoint-trial-user-guide.md
+    - name: Pilot and deploy Defender for Endpoint
+      href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json
     - name: Minimum requirements
       href: minimum-requirements.md
     - name: Supported Microsoft Defender for Endpoint capabilities by platform
@@ -479,6 +481,10 @@
             href: run-analyzer-windows.md
           - name: Run the client analyzer on macOS or Linux
             href: run-analyzer-macos-linux.md
+          - name: Run the client analyzer on Linux
+            href: run-analyzer-linux.md
+          - name: Run the client analyzer on macOS
+            href: run-analyzer-macos.md
           - name: Data collection for advanced troubleshooting on Windows
             href: data-collection-analyzer.md
           - name: Understand the analyzer HTML report
 
@@ -93,7 +93,7 @@ Warn mode is supported on devices running the following versions of Windows:
 
 Microsoft Defender Antivirus must be running with real-time protection in [Active mode](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state).
 
-Also, make sure [Microsoft Defender Antivirus and antimalware updates](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed.
+Also, make sure [Microsoft Defender Antivirus and antimalware updates](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#platform-and-engine-releases) are installed.
 
 - Minimum platform release requirement: `4.18.2008.9`
 - Minimum engine release requirement: `1.1.17400.5`
 
@@ -5,6 +5,10 @@
     - name: 'Microsoft Defender for Endpoint'
       tocHref: /defender-endpoint/
       topicHref: /defender-endpoint/index
+      items:
+       - name: 'Microsoft Defender XDR'
+         tocHref: /defender-xdr/
+         topicHref: /defender-xdr/pilot-deploy-defender-office-365
     - name: 'Microsoft Defender for Endpoint'
       tocHref: /mem/intune/protect/
-      topicHref: /mem/intune/protect/
+      topicHref: /mem/intune/protect/
@@ -19,11 +19,6 @@ ms.date: 10/28/2024
 
 # Advanced deployment guidance for Microsoft Defender for Endpoint on Linux
 
-**Applies to:**
-
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
-
 This article provides advanced deployment guidance for Microsoft Defender for Endpoint on Linux. You get a brief summary of the deployment steps, learn about the system requirements, then be guided through the actual deployment steps. You'll also learn how to verify that the device has been correctly onboarded.
 
 For information about Microsoft Defender for Endpoint capabilities, see [Advanced Microsoft Defender for Endpoint capabilities](#advanced-microsoft-defender-for-endpoint-capabilities).