🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


Microsoft Office is blocked from creating child processes.

| Property | Value |
|---|---|
| ISM Control | ISM-1667 |
| Revision | 0 |
| Updated | Sep-21 |
| Guideline | Not provided |
| Section | User application hardening |
| Topic | Hardening user application configurations |
| Essential Eight | ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

This control blocks all Office applications from creating child processes, reducing the attack surface by preventing Office from spawning subprocesses that could be abused for code execution or malware propagation [1][2]. Implementation is achieved by importing the ASR policy for Office child process blocking into Intune, as documented in the ACSC Windows Hardening Guidelines [1].

The specific ASR rule is Block all Office applications from creating child processes (GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A). This rule blocks any child process spawned by Word, Excel, PowerPoint, OneNote, Access, or other Office applications — including PowerShell, cmd, and any external executable launched from an Office document. It complements ISM-1668 (Block Office from creating executable content), which acts at an earlier stage by preventing payload files being written to disk.

[!NOTE] Enable both ISM-1667 (child process) and ISM-1668 (executable content) rules for defence-in-depth: the executable content rule blocks payload creation; the child process rule blocks post-creation execution.

Justification

Not provided in source documentation.

Design Decision

[!NOTE] The Block all Office applications from creating child processes ASR rule will be enabled via Intune configuration profiles. This will block Office applications from creating child processes.

Prerequisites

Implementation Steps

Enable ASR rule to block Office apps from creating child processes via Intune

  1. Navigate to Graph Explorer and authenticate. [1]
  2. Copy the JSON from the ACSC Windows Hardening Guidelines-Attack Surface Reduction.json policy file and paste it into the request body. The policy contains the specific ASR rule: Block all Office applications from creating child processes (D4F940AB-401B-4EFC-AADC-AD5F3C50688A). This ASR policy configures each of the ASR rules recommended by the ACSC in audit mode. ASR rules should be tested for compatibility issues in any environment before enforcement. [1]
  3. (Optional) Modify the name value if necessary. [1]
  4. Alternatively, configure the rule directly in Intune via Endpoint security → Attack surface reduction → Create policy. Set Block all Office applications from creating child processes to Audit first, then to Block after validation.
  5. For direct OMA-URI deployment, use:
    • OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
    • Data type: String
    • Value (audit mode): D4F940AB-401B-4EFC-AADC-AD5F3C50688A=2
    • Change =2 to =1 to switch to Block mode after audit validation.
  6. Monitor audit events: Event ID 1122 (audit) and 1121 (block) in Microsoft-Windows-Windows Defender/Operational. In Microsoft 365 Defender Advanced Hunting, filter on ActionType = AsrOfficeChildProcessAudited or AsrOfficeChildProcessBlocked.

[!NOTE] This implementation imports the ASR policy in audit mode to validate compatibility before enforcement. [1]
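As an added example (not from this guide, the ACSC or Microsoft), the following PowerShell helper supports the audit phase on a pilot device: it reads the current mode of the rule, can switch it to audit locally, and pulls the step 6 events (1121/1122) for this rule's GUID only. The function names are made up for this example, and the EventData field names used (ID, Process Name, Path) are assumed from the layout of Defender's ASR events.

```powershell
# Added example for ISM-1667 (not from the guide, ACSC or Microsoft): inspect and audit the
# "Block all Office applications from creating child processes" rule on a pilot device
# (assumes Microsoft Defender Antivirus is the active AV and the shell is elevated).
$RuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$LogName = 'Microsoft-Windows-Windows Defender/Operational'
$Mode    = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }   # ASR action codes

function Get-OfficeChildProcessRuleState {
    # Defender exposes rule GUIDs and their actions as two parallel arrays.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$actions[$i]; if ($Mode.ContainsKey($code)) { return $Mode[$code] } else { return "Unknown($code)" }
        }
    }
    return 'NotConfigured'
}

function Enable-OfficeChildProcessRuleAudit {
    # Local audit-mode setting for a pilot machine (same effect as the "=2" OMA-URI value).
    # If Intune already manages the rule, the MDM policy value takes precedence over this.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

function Get-OfficeChildProcessAsrEvents {
    param([int]$Hours = 24)
    # 1122 = rule fired in audit mode, 1121 = blocked (step 6); all ASR rules share these IDs, so filter by GUID below.
    $filter = @{ LogName = $LogName; Id = 1121, 1122; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        # Flatten the EventData <Data Name="..."> elements into a hashtable. The field names
        # used below (ID, Process Name, Path) are assumed from Defender's ASR event layout.
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ID'] -ieq $RuleId) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Outcome = $(if ($evt.Id -eq 1121) { 'Blocked' } else { 'Audited' })
                Parent  = $data['Process Name']   # the Office process
                Child   = $data['Path']           # the child it tried to launch
            }
        }
    }
}

"Rule state: $(Get-OfficeChildProcessRuleState)"
Get-OfficeChildProcessAsrEvents -Hours 72 | Sort-Object Time | Format-Table -AutoSize
```

Reviewing the Parent/Child pairs collected in audit mode over a representative period shows which legitimate Office add-ins or workflows would break before the OMA-URI value is changed from =2 to =1.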
