Commit 2acd0f4

Further changes
1 parent e57567d commit 2acd0f4

1 file changed

+15
-7
lines changed

defender-endpoint/enable-attack-surface-reduction.md

Lines changed: 15 additions & 7 deletions
@@ -33,7 +33,13 @@ ms.date: 09/10/2025
3333
> [!TIP]
3434
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
3535
36-
[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks.
36+
[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks. This article describes how to enable and configure attack surface reduction rules via:
37+
38+
- [Microsoft Intune](#intune)
39+
- [Mobile Device Management (MDM)](#mdm)
40+
- [Microsoft Configuration Manager](#microsoft-configuration-manager)
41+
- [Group policy (GP)](#group-policy)
42+
- [PowerShell](#powershell)
3743

3844
## Prerequisites
3945

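Review bot: the five new list items (new lines 38-42) link to in-page anchors `#intune`, `#mdm`, `#microsoft-configuration-manager`, `#group-policy` and `#powershell`, but none of the target headings are visible in this diff; confirm each heading exists with exactly that auto-generated slug, because later hunks in this same commit retitle and demote `##` headings, which is exactly the kind of change that silently breaks such anchors. Consider also moving the new sentence "This article describes how to enable and configure attack surface reduction rules via:" onto its own line rather than appending it to the existing long line at new line 36, so future diffs of that paragraph stay readable.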
@@ -65,15 +71,15 @@ To use the entire feature-set of attack surface reduction rules:
6571

6672
- You must have [Cloud Protection network connectivity](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)
6773

68-
- Recommended: Microsoft 365 E5 or E3 License
74+
- Recommended: Microsoft 365 E5
6975

70-
Although attack surface reduction rules don't require a [Microsoft 365 E5 license](/microsoft-365/commerce/licenses/e3-extra-features-licenses), it is recommended to use attack surface reduction rules with a Microsoft 365 E5 license (or similar licensing SKU) to take advantage of advanced management capabilities, including monitoring, analytics, and workflows available in Defender for Endpoint, as well as reporting and configuration capabilities in the [Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2077139) portal.
76+
Although attack surface reduction rules don't require a [Microsoft 365 E5 license](/microsoft-365/commerce/licenses/e3-extra-features-licenses), it is recommended to use attack surface reduction rules with a Microsoft 365 E5 license (or similar licensing SKU) to take advantage of advanced management capabilities, including monitoring, analytics, and workflows available in Defender for Endpoint, as well as reporting and configuration capabilities in the [Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2077139) portal. While these advanced capabilities aren't available with an E3 license, with an E3 license you can still use Event Viewer to review attack surface reduction rule events.
7177

7278
If you have another license, such as Windows Professional or Microsoft 365 E3 that doesn't include advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when attack surface reduction rules are triggered (for example, Event Forwarding).
7379

7480
To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=11091).
7581

76-
> [!WARNING]
82+
> [!NOTE]
7783
> The following ASR rules are only enforced if Office executables are installed under the system-defined `%ProgramFiles%` or `%ProgramFiles(x86)%` directories (on most systems, `%ProgramFiles%` points to `C:\Program Files`).
7884
>
7985
> - Block Office communication applications from creating child processes (26190899-1602-49e8-8b27-eb1d0a1ce869)
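Review bot: downgrading the admonition from `[!WARNING]` to `[!NOTE]` (new line 82) weakens the signal for a condition in which the listed Office rules silently do not apply. The block itself says the rules "won't apply" when Office is installed outside `%ProgramFiles%` or `%ProgramFiles(x86)%`, which is a protection gap an administrator has to detect and act on, so `[!WARNING]` or at least `[!IMPORTANT]` is the better fit. Separately, the sentence added at new line 76 repeats "with an E3 license" twice and overlaps with the unchanged paragraph at line 78 that already covers E3 and building monitoring on endpoint events; suggest "These advanced capabilities aren't available with an E3 license, but you can still review attack surface reduction rule events in Event Viewer."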
@@ -82,6 +88,8 @@ To use the entire feature-set of attack surface reduction rules:
8288
>
8389
>If Office is installed in a custom path outside one of the above-mentioned system-defined directories, these rules won't apply.
8490
91+
## Enabling attack surface reduction rules
92+
8593
Each attack surface reduction rule contains one of four settings:
8694

8795
- **Not configured** or **Disabled**: Disable the attack surface reduction rule
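Review bot: style point on the unchanged context line `>If Office is installed in a custom path...` (line 83/89): it is missing the space after `>` that every other line of this blockquote uses, and since this hunk already touches the lines right after it, the fix belongs in the same commit. The new `## Enabling attack surface reduction rules` heading at new line 91 sits correctly between the closing admonition and the "one of four settings" list, with the blank line at new line 92 keeping the paragraph separation intact.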
@@ -99,7 +107,7 @@ You can enable attack surface reduction rules by using any of these methods:
99107

100108
Enterprise-level management such as Intune or Microsoft Configuration Manager is recommended. Enterprise-level management overwrites any conflicting group policy or PowerShell settings on startup.
101109

102-
## Exclude files and folders from attack surface reduction rules
110+
### Excluding files and folders from attack surface reduction rules
103111

104112
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an attack surface reduction rule determines the file or folder contains malicious behavior, it doesn't block the file from running.
105113

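Review bot: retitling `## Exclude files and folders from attack surface reduction rules` to `### Excluding files and folders from attack surface reduction rules` (new line 110) changes the auto-generated anchor from `#exclude-files-and-folders-from-attack-surface-reduction-rules` to `#excluding-files-and-folders-from-attack-surface-reduction-rules`, so any existing deep links to the old anchor from other articles, release notes or bookmarks will stop resolving; either keep the original wording under the new `###` level or check and update inbound links before merging.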
@@ -114,11 +122,11 @@ When adding exclusions, keep these points in mind:
114122
- When deployed through group policy or PowerShell, exclusions apply to all attack surface reduction rules. Using Intune, it's possible to configure an exclusion for a specific attack surface reduction rule. See [Configure attack surface reduction rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-attack-surface-reduction-per-rule-exclusions).
115123
- Exclusions can be added based on certificate and file hashes, by allowing specified Defender for Endpoint file and certificate indicators. See [Overview of indicators](indicators-overview.md).
116124

117-
## Policy conflicts
125+
### How policy conflicts are handled
118126

119127
If a conflicting policy is applied via MDM and GP, the setting applied from Group Policy takes precedence.
120128

121-
Attack surface reduction rules for managed devices now support behavior for merging settings from different policies to create a policy superset for each device. Only the settings that aren't in conflict are merged, whereas policy conflicts aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile were deployed.
129+
Attack surface reduction rules for managed devices support behavior for merging settings from different policies to create a policy superset for each device. Only the settings that aren't in conflict are merged, whereas policy conflicts aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile were deployed.
122130

123131
Attack surface reduction rule merge behavior works as follows:
124132

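Review bot: the unchanged line 119/127, "If a conflicting policy is applied via MDM and GP, the setting applied from Group Policy takes precedence", reads as contradicting the unchanged statement earlier in this file that enterprise-level management (Intune or Configuration Manager) overwrites any conflicting group policy or PowerShell settings on startup; since this commit retitles the section to "How policy conflicts are handled", it is the right place to reconcile the two by stating which setting wins and under what condition. The retitle from `## Policy conflicts` to `### How policy conflicts are handled` (new line 125) also changes the anchor from `#policy-conflicts`, so check inbound links. Dropping "now" from the merge-behavior sentence at new line 129 is a good change; "now" in evergreen documentation only dates the text.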