Added notes on ASR rules available in E3.

2025-05-15 14:57:23 +00:00 · 2018-10-05 10:04:07 -07:00 · 2018-10-05 10:04:07 -07:00 · 4e0090298b
commit 4e0090298b
parent f0a536a294
1 changed files with 14 additions and 6 deletions
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 10/05/2018
 ---
 # Reduce attack surfaces with attack surface reduction rules 
@ -36,11 +36,19 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua
 ## Requirements
-Attack surface reduction rules require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
+Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
 This feature includes:
 * Rules for enabling or disabling select behaviors that apps and scripts can use
 * Centralized monitoring and reporting
 * Analytics to enable ease of deployment
 A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics.
 ## Attack surface reduction rules
-The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
+The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table. Rules that are only supported on Windows 10 Enterprise E5 are marked with an asterisk (\*).
 Rule name | GUID
 -|-
@ -51,13 +59,13 @@ Block Office applications from injecting code into other processes | 75668C1F-73
 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
 Block execution of potentially obfuscated scripts  | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
 Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
+\* Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
 Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
+\* Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+\* Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 The rules apply to the following Office apps: