Commit d358392

Learn Editor: Update indicator-ip-domain.md
1 parent d473cbf commit d358392

1 file changed

+2
-0
lines changed

defender-endpoint/indicator-ip-domain.md

Lines changed: 2 additions & 0 deletions
@@ -103,6 +103,8 @@ For processes other than Microsoft Edge and Internet Explorer, web protection sc
103103
- If there are conflicting URL indicator policies, the longer path is applied. For example, the URL indicator policy `https://support.microsoft.com/office` takes precedence over the URL indicator policy `https://support.microsoft.com`.
104104
- In the case of URL indicator policy conflicts, the longer path may not be applied due to redirection. In such cases, register a non-redirected URL.
105105

106+
> [!NOTE]
107+
> Custom Indicators of Compromise and Web Content Filtering features are currently not supported in Application Guard sessions of Microsoft Edge. These containerized browser sessions can only enforce web threat blocks via the built-in SmartScreen protection. They cannot enforce any enterprise web protection policies.
106108
## Network protection and the TCP three-way handshake
107109

108110
With network protection, the determination of whether to allow or block access to a site is made after the completion of the [three-way handshake via TCP/IP](/troubleshoot/windows-server/networking/three-way-handshake-via-tcpip). Thus, when a site is blocked by network protection, you might see an action type of `ConnectionSuccess` under `NetworkConnectionEvents` in the Microsoft Defender portal, even though the site was blocked. `NetworkConnectionEvents` are reported from the TCP layer, and not from network protection. After the three-way handshake has completed, access to the site is allowed or blocked by network protection.
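
Review bot: The added note at new lines 106-107 runs straight into the `## Network protection and the TCP three-way handshake` heading on line 108 with no blank line between them. Add an empty line after the note so the blockquote is closed before the heading, matching the blank line that precedes the note on line 105. The note is also placed directly under the bullets about URL indicator policy conflicts, although what it describes is an enforcement gap (custom indicators and web content filtering are not applied in Application Guard sessions of Microsoft Edge) rather than a conflict rule. Consider leading the note with that consequence, so that readers who rely on indicators for blocking see that only the built-in SmartScreen blocks apply in those sessions.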
