Merge pull request #3936 from ojrb/Issue1168

Update The Attack Surface documentation

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -22,13 +22,17 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+
 >[!IMPORTANT]
 >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. 
+
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1704 and 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. 
+
 
 To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
 
+
 Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
 
 - Executable files and scripts used in Office apps or web mail that attempt to download or run files
@@ -63,6 +67,8 @@ Event ID | Description
 1121 | Event when rule fires in Block-mode
 1122 | Event when rule fires in Audit-mode
 
+The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
+
 
 ## Attack surface reduction rules
 
@@ -207,7 +213,7 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
  
 ### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  
-Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
+Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
 
  >[!NOTE]
  >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
@@ -284,3 +290,5 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
 
 - [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
 - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
+