Commit 461f7a5

Clarify ASR rule support in Threat and Vulnerability Management
Updated notes regarding the support status of various Attack Surface Reduction rules in Threat and Vulnerability Management.
1 parent a76f110 commit 461f7a5

File tree

1 file changed

+7
-7
lines changed


defender-endpoint/attack-surface-reduction-rules-reference.md

Lines changed: 7 additions & 7 deletions
@@ -579,9 +579,6 @@ Dependencies: Microsoft Defender Antivirus
579579

580580
### Block rebooting machine in Safe Mode
581581

582-
> [!NOTE]
583-
> This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Windows and Windows Servers.
584-
585582
This rule prevents the execution of certain commands to restart machines in Safe Mode. In Windows' Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or execute and encrypt all files on the machine. This rule blocks such abuse of Safe Mode by preventing commonly abused commands like `bcdedit` and `bootcfg` from restarting machines in Safe Mode. Safe Mode is still accessible manually from the Windows Recovery Environment.
586583

587584
Intune Name: ` Block rebooting machine in Safe Mode`
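Review bot: Deleting the note at old lines 582-584 removes the only place in the "Block rebooting machine in Safe Mode" section that stated the platform scope of the "Not applicable" result ("for Windows and Windows Servers"); the replacement wording introduced by this commit does not carry that scope. Suggest keeping it in the relocated note, e.g. `> ... will show it as "Not applicable" for Windows and Windows Server.`, so readers still know which platform rows of the report are affected.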
@@ -598,6 +595,9 @@ Advanced hunting action type:
598595

599596
Dependencies: Microsoft Defender Antivirus
600597

598+
> [!NOTE]
599+
> This rule is not yet recognized by Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show it as "Not applicable".
600+
601601
### Block untrusted and unsigned processes that run from USB
602602

603603
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
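Review bot: The note added at new lines 598-600 changes "isn't supported" to "is not yet recognized", which reads as a commitment that Threat and Vulnerability Management support is coming; unless that is backed by a published roadmap, neutral wording such as `> This rule isn't currently recognized by Threat and Vulnerability Management, ...` avoids promising a date. The move from directly under the heading to after `Dependencies:` is fine, but the same position should then be used for every rule that carries this note so the reader knows where to look.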
@@ -620,9 +620,6 @@ Dependencies: Microsoft Defender Antivirus
620620

621621
### Block use of copied or impersonated system tools
622622

623-
> [!NOTE]
624-
> This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Windows and Windows Servers.
625-
626623
This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. Some malicious programs might try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and impostors of the system tools on Windows machines.
627624

628625
Intune Name: `Block use of copied or impersonated system tools`
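Review bot: Same point as for the Safe Mode section: removing old lines 623-625 drops the "for Windows and Windows Servers" qualifier from the "Block use of copied or impersonated system tools" note, and after this hunk the section body says nothing about Threat and Vulnerability Management until after `Dependencies:`. If the scope is still accurate, carry it into the relocated note; if it was removed because the rule now applies to additional platforms, the commit message should say so.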
@@ -641,6 +638,9 @@ Advanced hunting action type:
641638

642639
Dependencies: Microsoft Defender Antivirus
643640

641+
> [!NOTE]
642+
> This rule is not yet recognized by Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show it as "Not applicable".
643+
644644
### Block Webshell creation for Servers
645645

646646
This rule blocks web shell script creation on Microsoft Server, Exchange Role. A web shell script is a crafted script that allows an attacker to control the compromised server.
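Review bot: With this hunk the identical sentence "This rule is not yet recognized by Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show it as "Not applicable"." now appears verbatim in three rule sections (new lines 599, 642 and 657). Consider moving it to a shared include (`[!INCLUDE [...](...)]`) so that a future wording or status change is made once rather than risk the three copies drifting apart, as the pre-commit text already had (the Exchange note used a different sentence from the other two).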
@@ -654,7 +654,7 @@ GUID: `a8f5898e-1dc8-49a9-9878-85004b8a61e6`
654654
Dependencies: Microsoft Defender Antivirus
655655

656656
> [!NOTE]
657-
> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management. This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Exchange servers.
657+
> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management. This rule is not yet recognized by Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show it as "Not applicable".
658658
659659
### Block Win32 API calls from Office macros
660660

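Review bot: The rewritten note at new line 657 drops "for Exchange servers", which is the one place the scope matters: the surrounding context at line 646 says this rule applies to "Microsoft Server, Exchange Role", so a reader may now expect "Not applicable" on every server row of the report rather than only on Exchange hosts. Suggest restoring the qualifier, and while the line is being edited, splitting the two unrelated points (the `Not Configured` Group Policy requirement and the Threat and Vulnerability Management reporting gap) into two separate `> [!NOTE]` blocks so neither is buried at the end of a long paragraph.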