🛡️ Essential 8 Guide

PDF applications are blocked from creating child processes.

Summary

The control enables the Block Adobe Reader from creating child processes ASR rule (GUID 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c) via Intune, reducing the risk of PDF-based malware execution¹. This mitigates living-off-the-land techniques that rely on spawning child processes from PDF content².

[!NOTE] This ASR rule applies only to Adobe Reader (AcroRd32.exe). It does not cover other PDF viewers such as Foxit Reader, Nitro, or browser-based PDF rendering. Organisations using non-Adobe PDF readers should implement equivalent controls via AppLocker or WDAC.

Justification

• CVE-2016-3319: PDF Remote Code Execution vulnerability. Blocking Adobe Reader from creating child processes mitigates exploitation by preventing the spawning of child processes from PDFs.³

• Block Adobe Reader from creating child processes: The ASR rule in Intune blocks Adobe Reader from creating child processes, reducing the potential for malicious PDFs to trigger code execution.¹

Design Decision

[!NOTE] The Block Adobe Reader from creating child processes ASR rule will be enabled via Intune to block Adobe Reader from creating child processes. It will be applied through the Attack Surface Reduction policy profile in Endpoint Security to enforce this setting.

Prerequisites

Licensing

• Licensing: Microsoft Intune Plan 1 is required for target devices when implementing ASR policy via Intune.²

Permissions/Roles

• Permissions/Roles: Access to the Microsoft Intune admin center with permissions to create and assign Endpoint Security Attack Surface Reduction policies.²

Dependencies

• Intune enrollment and device management: Devices must be enrolled in Microsoft Intune and joined to Entra ID (Azure AD) or hybrid Azure AD joined.²
• Endpoint Security policy management: Endpoint Security ASR policies must be managed via Intune, i.e., create and assign ASR policy in the Intune console.¹

Implementation Steps

Enable ASR Rule to Block Adobe Reader from Creating Child Processes

[!NOTE] Start in Audit mode before enforcing Block mode. Some enterprise PDF workflows (e.g., Adobe Sign integrations) may spawn child processes legitimately.

Option A — Endpoint Security profile (recommended)

1. In Intune, navigate to Endpoint Security > Attack Surface Reduction.²
2. Create (or modify) an Attack Surface Reduction Endpoint Security Policy: Platform: Windows 10 and later.²
3. Set Block Adobe Reader from creating child processes to Audit first, then Block after validation.²
4. Assign the Attack Surface Reduction Endpoint Security Policy to the target device group.²

Option B — Custom OMA-URI

Create a Device configuration → Custom profile, add the OMA-URI row, and assign it to target groups.

Verify and monitor

Events appear in Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational.

In Microsoft Defender for Endpoint, use Advanced Hunting:

DeviceEvents
| where ActionType in ("AsrAdobeReaderChildProcessAudited", "AsrAdobeReaderChildProcessBlocked")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ActionType

Additional related information

• Exploit protection guidelines on blocking child processes help mitigate living-off-the-land techniques Don’t allow child processes - Exploit protection

• Windows protected print mode information highlights binary mitigations including a child process creation control More information on Windows protected print mode for enterprises and developers

• AppLocker DDF file documents the AppLocker configuration service provider for managing executable launch restrictions AppLocker DDF file

• ASD Blueprint for User application hardening describes ASD-guided controls for hardening user applications and macros ASD Blueprint: User application hardening