🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


PDF application security settings cannot be changed by users.

| Property | Value |
| --- | --- |
| ISM Control | ISM-1824 |
| Revision | 1 |
| Updated | Jun-25 |
| Guideline | Not provided |
| Section | User application hardening |
| Topic | Hardening user application configurations |
| Essential Eight | ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

PDF security settings are locked using Intune so that users cannot weaken the protective configuration. This aligns with the User application hardening guidance in the Essential Eight and the ASD Blueprint, and reduces the risk that a malicious PDF gains code execution on the endpoint. [1][2]

Justification

PDF readers — particularly Adobe Acrobat and Reader — have historically been a high-value exploitation target due to their complex file parsing logic, JavaScript engine, and rich media support. Allowing users to modify PDF security settings (e.g., re-enabling JavaScript execution, disabling Protected Mode, or enabling external content) directly increases the attack surface for document-based initial access.

Adobe Reader's Protected Mode (sandbox) confines the PDF parser and renderer to a low-privilege process, and Protected View opens untrusted files read-only with active content disabled. A parser vulnerability triggered by a malicious PDF therefore still has to be chained with a sandbox escape before it reaches the user's desktop session. If users can turn these settings off (which a lure document can simply instruct them to do), the exploit needs no escape at all and the sandbox adds nothing.

The ISM-1670 ASR rule (Block Adobe Reader from creating child processes, GUID 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c) is a complementary OS-level control enforced by Microsoft Defender, so it holds regardless of what a user changes inside Acrobat. The two controls cover different stages of the same attack: locking the application settings keeps the sandbox, Protected View and JavaScript restrictions in place so a malicious PDF is less likely to gain code execution in the first place, while the ASR rule stops a payload that does gain execution from spawning cmd.exe, PowerShell or another dropper. Neither control replaces the other.

| PDF security setting | Risk if user-modifiable | Intune enforcement |
| --- | --- | --- |
| JavaScript execution | Arbitrary code execution via the Acrobat JavaScript engine | Imported Adobe ADMX (or PowerShell script fallback) |
| Protected Mode (Adobe) | Sandbox disabled; a parser exploit runs with the user's full file system access | Adobe ADMX template |
| Protected View | Active content (JavaScript, links, embedded media) runs from untrusted PDFs | Adobe ADMX template |
| Automatic content loading | Beaconing, tracking and data exfiltration via remote resources referenced from the PDF | Imported Adobe ADMX (or PowerShell script fallback) |
| Child process creation | Dropper execution, persistence | ASR rule (ISM-1670) |

[!NOTE] For Microsoft Edge as PDF viewer (via built-in PDF engine), edge://settings/content/pdfDocuments settings are enforced via Edge ADMX policy — the Adobe ADMX templates are not required unless Adobe Reader/Acrobat is deployed.

Design Decision

[!NOTE] The PDF security settings will be locked using Intune to prevent users from changing them.

Prerequisites

Implementation Steps

Lock Adobe Acrobat and Reader security settings using custom ADMX via Intune

Organisations that deploy Adobe Acrobat or Adobe Reader as their primary PDF application can enforce an equivalent set of security controls to those available in the Microsoft Edge PDF viewer, using Adobe’s ADMX Group Policy templates imported into Intune.

Adobe publishes ADMX templates through its Enterprise Toolkit that expose the same registry keys under HKLM\SOFTWARE\Policies\Adobe\...\FeatureLockDown that are otherwise set manually via Group Policy or registry script. Importing these ADMX files into Intune makes the settings configurable through the standard Imported Administrative Templates profile type, providing a consistent, auditable, and UI-driven management experience comparable to Edge policy. [3][4]

Edge PDF policy → Adobe Acrobat equivalent mapping:

| Edge PDF policy | Edge function | Adobe Acrobat equivalent | Adobe FeatureLockDown value |
| --- | --- | --- | --- |
| PDFSecureMode | Runs the PDF viewer sandboxed (Secure Mode) | Protected Mode | bProtectedMode = 1 |
| PDFSecureMode | (covered by the same Secure Mode switch) | Enhanced Security (standalone) | bEnhancedSecurityStandalone = 1 |
| PDFSecureMode | (covered by the same Secure Mode switch; applies when PDFs open from the browser) | Enhanced Security (browser) | bEnhancedSecurityInBrowser = 1 |
| DefaultJavaScriptSetting (Block) | Prevents JavaScript execution in PDFs | Allow JavaScript | bEnableJS = 0 (disabled and locked) |
| (Untrusted content) | Opens potentially unsafe PDFs in a read-only restricted view | Protected View | iProtectedView = 2 (all files) |
| (External resource loading) | Blocks requests to external URLs embedded in PDFs | Hyperlink access to Internet (Trust Manager) | URL permission values under the cDefaultLaunchURLPerms subkey; confirm the value names and semantics in the Adobe Preference Reference before deploying |
| AlwaysOpenPdfExternally = Disabled | Keeps PDFs in the Edge viewer instead of handing them to the external application | No FeatureLockDown equivalent | The default PDF handler is set by Windows default-app association policy, not by an Acrobat preference |

[!NOTE] Adobe Reader and Acrobat Pro DC use slightly different registry paths. Reader DC uses HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown, while Acrobat Pro DC uses HKLM\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown. Both paths are managed by the same ADMX template categories; ensure you download the ADMX matching the installed product.

Step 1 — Download the Adobe Acrobat ADMX template:

  1. Go to the Adobe Acrobat Enterprise Toolkit and download the Group Policy ADMX template package.
  2. Extract the archive. Locate the files:
    • AcrobatReaderDC.admx (or AcrobatDC.admx for Acrobat Pro)
    • AcrobatReaderDC.adml (English language file, in the en-US subfolder)

[!NOTE] A community-maintained ADMX template (updated for Acrobat DC / Reader DC, based on the original NSA Cybersecurity Directorate template) is also available and covers a broader set of settings including AI features, cloud services, and update controls. Verify the source and review all policy definitions before deploying any community ADMX in a production environment.

Step 2 — Import the ADMX template into Intune:

  1. In the Microsoft Intune admin center, navigate to Devices > Manage devices > Configuration > Import ADMX tab.
  2. Select Import and upload the .admx file.
  3. Select Next and then upload the corresponding .adml language file.
  4. Review the import summary and select Create. Allow a few minutes for Intune to process the template.
  5. Verify the import succeeded under Devices > Configuration > Import ADMX; the status should show Available. [3]

Step 3 — Create a policy using the imported Adobe ADMX template:

  1. Navigate to Devices > Manage devices > Configuration > + Create policy.
  2. Set Platform to Windows 10 and later and Profile type to Imported Administrative Templates (Preview).
  3. Select Create, enter a descriptive name (e.g., Adobe Acrobat DC — Security Lockdown), and select Next.
  4. Under Configuration settings, locate the Adobe Acrobat category and configure each security setting as shown below. [3]

Step 4 — Configure each security setting:

| Setting (in imported ADMX) | Recommended value | Purpose |
| --- | --- | --- |
| Protected Mode | Enabled | Enables sandboxing; confines the PDF parser to a low-privilege process |
| Protected View | All files (iProtectedView = 2) | Opens all PDFs in a read-only restricted view until the user explicitly trusts the file |
| Enhanced Security: standalone mode | Enabled | Prevents PDFs from accessing privileged locations (UNC paths, temp files) |
| Enhanced Security: browser mode | Enabled | Restricts access when PDFs open from within a browser context |
| Allow JavaScript | Disabled (bEnableJS = 0) | Prevents arbitrary code execution via the Acrobat JavaScript engine |
| Hyperlink access to the Internet | Disabled | Prevents PDFs from silently loading remote resources (beaconing, exfiltration) |
| Adobe Document Cloud services | Disabled | Prevents automatic connectivity to Adobe cloud (data sovereignty) |
| Adobe Reader Product Updates | Disabled | Centralise updates through Intune or another managed deployment channel; disabling the in-app updater without a replacement patch path leaves Acrobat unpatched |

Alternative: set the registry values directly (PowerShell script):

Windows MDM has no CSP that writes arbitrary registry values, so the FeatureLockDown keys cannot be set through a Custom OMA-URI profile that points at a registry path. If ADMX import is not available, or a specific setting is not exposed in the ADMX template, either ingest the Adobe ADMX through the ADMX ingestion CSP (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/...) and configure the resulting ADMX-backed policies, or deploy a PowerShell script from Intune (Devices > Scripts and remediations) that writes the values below. All values are DWORDs under the FeatureLockDown key.

| Setting | Registry key (Reader DC) | Value name | Type | Value |
| --- | --- | --- | --- | --- |
| Protected Mode | HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown | bProtectedMode | DWORD | 1 |
| Protected View | HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown | iProtectedView | DWORD | 2 |
| Enhanced Security (standalone) | HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown | bEnhancedSecurityStandalone | DWORD | 1 |
| Enhanced Security (browser) | HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown | bEnhancedSecurityInBrowser | DWORD | 1 |
| Disable JavaScript | HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown | bEnableJS | DWORD | 0 |
| Block hyperlink internet access | HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms | Trust Manager URL permission values; confirm the value names and semantics against the Adobe Preference Reference before deploying | DWORD | per Adobe reference |

[!IMPORTANT] Replace Acrobat Reader\DC with Adobe Acrobat\DC in all paths above when targeting Acrobat Pro DC instead of Reader DC. Assign the script (or profile) to the same device groups as your Acrobat deployment. Verify on a test device with Registry Editor or Get-ItemProperty: all values should be present under HKLM\SOFTWARE\Policies\Adobe\...\FeatureLockDown as DWORD entries, and the corresponding options in Acrobat's Preferences should appear greyed out, which confirms the lock is in effect. [4]
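The script below is an added example of the PowerShell fallback described above; it is not from the Essential 8 Guide or from Adobe. It enforces the FeatureLockDown values from the table, audits them afterwards, and exits non-zero on drift so the same file can serve as an Intune detection script. The -Product parameter, the AuditOnly switch and the assumption that it runs elevated in the Intune script context (SYSTEM) are this example's own. The hyperlink permission values under cDefaultLaunchURLPerms are deliberately left out because their names should be confirmed in the Adobe Preference Reference first.

```powershell
#Requires -RunAsAdministrator
<#
Added example: enforce and audit Acrobat/Reader DC FeatureLockDown values.
Assumptions (not from the guide): runs as SYSTEM from Intune; -Product and
-AuditOnly are this example's own parameters.
#>
[CmdletBinding()]
param(
    [ValidateSet('Reader', 'Acrobat', 'Both')]
    [string]$Product = 'Both',
    [switch]$AuditOnly    # report drift only, change nothing
)

# Desired state, matching the guide's table. All are DWORD values.
$Desired = [ordered]@{
    bProtectedMode              = 1   # Protected Mode sandbox on and locked
    iProtectedView              = 2   # Protected View for all files
    bEnhancedSecurityStandalone = 1   # Enhanced Security, standalone
    bEnhancedSecurityInBrowser  = 1   # Enhanced Security, in browser
    bEnableJS                   = 0   # Acrobat JavaScript off and locked
}

# Policy roots differ between Reader DC and Acrobat Pro DC.
$Roots = @{
    Reader  = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
    Acrobat = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown'
}
$Targets = if ($Product -eq 'Both') { @($Roots.Keys) } else { @($Product) }

function Get-LockdownDrift {
    # Compares every desired value against the registry; a missing key or
    # value counts as drift because $null never equals the expected integer.
    param(
        [string]$Path,
        [System.Collections.Specialized.OrderedDictionary]$Want
    )
    foreach ($name in $Want.Keys) {
        $have = $null
        if (Test-Path $Path) {
            $have = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Path      = $Path
            Name      = $name
            Expected  = $Want[$name]
            Actual    = $have
            Compliant = ($have -eq $Want[$name])
        }
    }
}

$drift = foreach ($t in $Targets) {
    Get-LockdownDrift -Path $Roots[$t] -Want $Desired | Where-Object { -not $_.Compliant }
}

if ($AuditOnly) {
    $drift | Format-Table Path, Name, Expected, Actual -AutoSize
    exit ([int](@($drift).Count -gt 0))   # 1 = non-compliant
}

foreach ($item in $drift) {
    if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
    New-ItemProperty -Path $item.Path -Name $item.Name -PropertyType DWord `
        -Value $item.Expected -Force | Out-Null
    Write-Output "Set $($item.Path)\$($item.Name) = $($item.Expected) (was: $($item.Actual))"
}

# Re-audit so the exit code reflects the real end state, not just the attempt.
$remaining = foreach ($t in $Targets) {
    Get-LockdownDrift -Path $Roots[$t] -Want $Desired | Where-Object { -not $_.Compliant }
}
exit ([int](@($remaining).Count -gt 0))
```

Run it once with -AuditOnly on a device that already has the Intune ADMX profile applied; an empty drift table confirms the imported template wrote the same DWORDs the script expects, and any row it prints is a setting the template is not covering.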

Lock PDF security settings using Intune Attack Surface Reduction

  1. In Intune, navigate to Endpoint Security > Attack Surface Reduction. [1]
  2. Create (or modify) an Attack Surface Reduction Rules policy. [1]
  3. Set Block Adobe Reader from creating child processes to Block. If Acrobat is used to launch other applications (for example print or signing workflows), run the rule in Audit first and review the audit events before switching to Block. [1]
  4. Assign the policy to the same device groups that receive the Acrobat lockdown profile. [1]
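The following is an added verification example, not code from the guide or from Microsoft. After the ASR policy has synced to a test device, it reads the effective rule state from Microsoft Defender and pulls recent ASR events for the rule, so that an Audit-to-Block rollout can be checked for false positives. The GUID is the one the guide cites; the action codes and event IDs (1121 blocked, 1122 audited) are Defender's documented values. Get-AsrRuleState and Get-AsrRuleEvents are this example's own function names.

```powershell
<#
Added example: verify the "Block Adobe Reader from creating child processes"
ASR rule on a test device. Function names are this example's own.
#>
$RuleId = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'

# Defender action codes as returned in AttackSurfaceReductionRules_Actions.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns the effective action for one rule. Ids and Actions are parallel
    # arrays in Get-MpPreference; a rule absent from Ids is not configured.
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$actions[$i]
            return [pscustomobject]@{
                RuleId     = $Id
                Code       = $code
                Action     = $ActionNames[$code]
                Configured = $true
            }
        }
    }
    [pscustomobject]@{ RuleId = $Id; Code = $null; Action = 'Not configured'; Configured = $false }
}

function Get-AsrRuleEvents {
    # Recent ASR block (1121) and audit (1122) events that mention this rule.
    # Audit events list the child processes Acrobat tried to launch, which is
    # what to review before moving the rule from Audit to Block.
    param([string]$Id, [int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Id } |
        Select-Object TimeCreated, Id, @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' } } }, Message
}

$state = Get-AsrRuleState -Id $RuleId
$state | Format-List

Get-AsrRuleEvents -Id $RuleId | Format-Table TimeCreated, Mode -AutoSize

# Non-zero exit unless the rule is enforcing, so this doubles as an Intune detection script.
if ($state.Action -ne 'Block') {
    Write-Warning "ASR rule $RuleId is '$($state.Action)', expected 'Block'"
    exit 1
}
exit 0
```

A rule that shows Not configured on a device that has received the policy usually means the device is not in the assigned group or the Defender policy has not yet synced; an Audit state with no 1122 events over a normal working period is the evidence needed to switch to Block with low risk.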