Update attack-surface-reduction-exploit-guard.md

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -89,6 +89,8 @@ This rule blocks the following file types from launching from email in Microsoft
 - Executable files (such as .exe, .dll, or .scr) 
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 
+This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
+
 Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
 
 SCCM name: Block executable content from email client and webmail
@@ -101,6 +103,8 @@ This rule blocks Office apps from creating child processes. This includes Word,
 
 This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
 
+This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
+
 Intune name: Office apps launching child processes
 
 SCCM name: Block Office application from creating child processes
@@ -113,6 +117,8 @@ This rule prevents Office apps, including Word, Excel, and PowerPoint, from crea
 
 This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
 
+This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
+
 Intune name: Office apps/macros creating executable content
 
 SCCM name: Block Office applications from creating executable content
@@ -125,6 +131,8 @@ Attackers might attempt to use Office apps to migrate malicious code into other
 
 This rule applies to Word, Excel, and PowerPoint. 
 
+This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
+
 Intune name: Office apps injecting code into other processes (no exceptions)
 
 SCCM name: Block Office applications from injecting code into other processes
@@ -140,6 +148,8 @@ Malware written in JavaScript or VBS often acts as a downloader to fetch and lau
 >[!IMPORTANT]
 >File and folder exclusions don't apply to this attack surface reduction rule.
 
+This rule was introduced in:  Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
+
 Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
 
 SCCM name: Block JavaScript or VBScript from launching downloaded executable content
@@ -150,6 +160,8 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D
 
 Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
 
+This rule was introduced in:  Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
+
 Intune name: Obfuscated js/vbs/ps/macro code
 
 SCCM name: Block execution of potentially obfuscated scripts.
@@ -160,6 +172,8 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
 
 Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
 
+This rule was introduced in:  Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
+
 Intune name: Win32 imports from Office macro code
 
 SCCM name: Block Win32 API calls from Office macros
@@ -180,6 +194,8 @@ This rule blocks the following file types from launching unless they either meet
 >
 >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
 
+This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
+
 Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
 
 SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
@@ -193,6 +209,8 @@ This rule provides an extra layer of protection against ransomware. It scans exe
 >[!NOTE]
 >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
 
+This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
+
 Intune name: Advanced ransomware protection
 
 SCCM name: Use advanced protection against ransomware
@@ -206,6 +224,8 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i
  >[!NOTE]
  >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
  
+This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
+
 Intune name: Flag credential stealing from the Windows local security authority subsystem
 
 SCCM name: Block credential stealing from the Windows local security authority subsystem
@@ -222,6 +242,8 @@ This rule blocks processes through PsExec and WMI commands from running, to prev
 >[!WARNING]
 >Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
 
+This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
+
 Intune name: Process creation from PSExec and WMI commands
 
 SCCM name: Not applicable
@@ -235,6 +257,8 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
 - Executable files (such as .exe, .dll, or .scr) 
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 
+This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
+
 Intune name: Untrusted and unsigned processes that run from USB
 
 SCCM name: Block untrusted and unsigned processes that run from USB
@@ -248,6 +272,8 @@ This rule prevents Outlook from creating child processes. It protects against so
 >[!NOTE]
 >This rule applies to Outlook and Outlook.com only.
 
+This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810
+
 Intune name: Process creation from Office communication products (beta)
 
 SCCM name: Not yet available
@@ -258,6 +284,8 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
 
 Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. 
 
+This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810
+
 Intune name: Process creation from Adobe Reader (beta)
 
 SCCM name: Not applicable