Update attack-surface-reduction.md

windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md

@@ -30,9 +30,9 @@ Your attack surface is the total number of places where an attacker could compro
 
 Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
 
-* Launching executable files and scripts that attempt to download or run files
+- Launching executable files and scripts that attempt to download or run files
-* Running obfuscated or otherwise suspicious scripts
+- Running obfuscated or otherwise suspicious scripts
-* Performing behaviors that apps don't usually initiate during normal day-to-day work
+- Performing behaviors that apps don't usually initiate during normal day-to-day work
 
 These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
 
@@ -44,9 +44,13 @@ For more information about configuring attack surface reduction rules, see [Enab
 
 ## Attack surface reduction features across Windows versions
 
-You can set attack surface reduction rules for computers running Windows 10 versions 1709 and 1803 or later, Windows Server version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
+You can set attack surface reduction rules for computers running the following versions of Windows:
+- Windows 10 version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- Windows 10, version [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) or later
+- Windows Server version [1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 
-To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
+To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
 
 ## Review attack surface reduction events in the Microsoft Defender Security Center
 
@@ -77,11 +81,11 @@ You can review the Windows event log to view events generated by attack surface
 
 This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
 
-Event ID | Description
+|Event ID | Description |
--|-
+|---|---|
-5007 | Event when settings are changed
+|5007 | Event when settings are changed |
-1121 | Event when rule fires in Block-mode
+|1121 | Event when rule fires in Block-mode |
-1122 | Event when rule fires in Audit-mode
+|1122 | Event when rule fires in Audit-mode |
 
 The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
 
@@ -89,30 +93,30 @@ The "engine version" listed for attack surface reduction events in the event log
 
 The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
 
- Rule name | GUID | File & folder exclusions
+| Rule name | GUID | File & folder exclusions | Minimum OS supported |
--|-|-
+|-----|----|---|---|
-[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
+|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported | Windows 10 [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
-[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10 [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
 
 ### Block executable content from email client and webmail
 
 This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
 
-* Executable files (such as .exe, .dll, or .scr)
+- Executable files (such as .exe, .dll, or .scr)
-* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Microsoft Endpoint Configuration Manager CB 1710