From 40a8d48ae3ba1533f0abdfd26c30f4faadbe1cb8 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Tue, 5 May 2020 11:41:46 -0700
Subject: [PATCH] Update
 attack-surface-reduction-rules-in-windows-10-enterprise-e3.md

---
 ...ction-rules-in-windows-10-enterprise-e3.md | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
index 7dfd283a11..c2f19fa10a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
@@ -20,6 +20,7 @@ ms.custom: asr
 
 **Applies to:**
 
+- Windows 10 Enterprise E5
 - Windows 10 Enterprise E3
 
 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. 
@@ -28,19 +29,21 @@ A limited subset of basic attack surface reduction rules can technically be used
 
 Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
 
-The limited subset of rules that can be used in Windows 10 Enterprise E3 include:
-
-- Block executable content from email client and webmail
-- Block all Office applications from creating child processes
-- Block Office applications from creating executable content
-- Block Office applications from injecting code into other processes
-- Block JavaScript or VBScript from launching downloaded executable content
-- Block execution of potentially obfuscated scripts
-- Block Win32 API calls from Office macro
-- Use advanced protection against ransomware
-- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
-- Block process creations originating from PSExec and WMI commands
-- Block untrusted and unsigned processes that run from USB
+|Rule |Windows E3 |Windows E5 |
+|--|--|--|
+[Block executable content from email client and webmail](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail) |Yes |Yes |
+|[Block all Office applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes) |Yes |Yes |
+|[Block Office applications from creating executable content](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content) |Yes |Yes |
+|[Block Office applications from injecting code into other processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes) |Yes |Yes |
+|[Block JavaScript or VBScript from launching downloaded executable content](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content) |Yes |Yes |
+|[Block execution of potentially obfuscated scripts](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts) |Yes |Yes |
+|[Block Win32 API calls from Office macros](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-win32-api-calls-from-office-macros) |Yes |Yes |
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | | |
+|[Use advanced protection against ransomware](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#use-advanced-protection-against-ransomware) | | |
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | | |
+|[Block untrusted and unsigned processes that run from USB](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-untrusted-and-unsigned-processes-that-run-from-usb) | | |
+|Block process creations originating from PSExec and WMI commands | | |
+| Block untrusted and unsigned processes that run from USB | | |
 
 For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md).