Added note as suggested that policy can't be changed issue #1880

windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -34,7 +34,8 @@ You can exclude files and folders from being evaluated by most attack surface re
 >- Block process creations originating from PSExec and WMI commands
 >- Block JavaScript or VBScript from launching downloaded executable content
 
-You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
+>[!IMPORTANT] The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** is owned by microsoft and is not specified by admins. It uses Microsoft CLoud's Protection to update its trusted list regularly.
+>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
 
 ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).