diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 4085972ad5..c1ad13b4dd 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/12/2018
+ms.date: 06/13/2018
 ---
 
 
@@ -187,6 +187,9 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i
 >[!IMPORTANT]
 >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
  
+ >[!NOTE]
+ >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
+
 ### Rule: Block process creations originating from PSExec and WMI commands
  
 This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.