PDF applications are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

Property	Value
ISM Control	ISM-1860
Revision	3
Updated	Jun-25
Guideline	Not provided
Section	User application hardening
Topic	Hardening user application configurations
Essential Eight	ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

PDF hardening for user applications enforces ASD and vendor guidance, with the most restrictive controls taking precedence when conflicts occur, and is implemented by applying vendor PDF hardening settings via Intune configuration profiles to standardize protection across endpoints.¹²

Justification

PDF applications are a persistent high-value attack vector due to their complex file format parsers, embedded JavaScript engines, and support for rich media and external resource loading. ACSC incident response data consistently identifies weaponised PDF files as an initial access vector against Australian Government targets.

Applying the most restrictive guidance when ASD and vendor recommendations conflict ensures that vendor defaults (which are often calibrated for usability) do not inadvertently weaken the security posture. For example, Adobe’s default allows JavaScript execution in PDFs and permits automatic loading of external resources — both of which are disabled under ASD hardening guidance.

The ISM-1670 ASR rule (Block Adobe Reader from creating child processes) provides an OS-level enforcement layer, but is only effective when combined with application-level hardening. Without locking the application settings, a user could re-enable child process creation from within Adobe Reader’s preferences, bypassing the intent of the ASR rule.

PDF hardening category	Default (vendor)	ASD/ACSC hardened setting
JavaScript execution	Enabled	Disabled
Protected Mode (sandbox)	Enabled	Enabled + locked
Protected View	Enabled for email attachments	Enabled for all sources
Allow opening non-PDF attachments	Enabled	Disabled
External content loading	Enabled	Disabled
Child process creation	Permitted	Blocked (ASR Rule ISM-1670)

For organisations using Microsoft Edge as their primary PDF viewer (default in Windows 11), the Adobe-specific ADMX templates are not required. Edge’s built-in PDF engine is controlled via Edge ADMX policies, which have a separate hardening baseline.

[!NOTE] CVE-2016-3198³ (Edge PDF security feature bypass) and CVE-2016-3203⁴ (Windows PDF Remote Code Execution) are historical examples illustrating the attack class. The hardening controls in this ISM control provide defence-in-depth against current and future vulnerabilities of this type.

Design Decision

[!NOTE] The vendor PDF hardening settings will be applied via Intune configuration profiles to enforce the vendor guidance for PDF hardening. In case of conflicts with ASD guidance, the most restrictive guidance will be applied.

Prerequisites

Licensing: Not provided in source documentation.
Permissions/Roles: Not provided in source documentation.
Dependencies:
- Devices must be managed by Intune and enrolled in Entra ID and/or hybrid Azure AD joined to support deployment of vendor PDF hardening settings via Intune configuration profiles. ¹
- Implementation relies on applying vendor PDF hardening settings through Intune configuration profiles. ¹

Implementation Steps

Intune Attack Surface Reduction policy for PDF hardening

In Intune, navigate to Endpoint Security > Attack Surface Reduction.¹
Create (or modify) a new Attack Surface Reduction Endpoint Security Policy.¹
Set Block Adobe Reader from creating child processes to Enable.¹
Assign the Attack Surface Reduction Rule policy to a group.¹

Harden Adobe Acrobat and Reader settings using custom ADMX via Intune

For organisations deploying Adobe Acrobat or Adobe Reader as their primary PDF application, ASD and vendor hardening guidance can be applied and locked through Adobe’s ADMX Group Policy templates imported into Intune. This approach mirrors the standards-based management available for Microsoft Edge and provides an auditable, policy-driven alternative to registry scripts or manual configuration.

Adobe’s FeatureLockDown registry path (HKLM\SOFTWARE\Policies\Adobe\...\FeatureLockDown) represents the vendor’s preferred, supported mechanism for enforcing security settings. Writing to this path via Group Policy or Intune ADMX prevents user overrides through the application preferences UI — satisfying both the ASD requirement to harden applications and the ISM-1824 requirement that security settings cannot be changed by users.⁵⁶

ASD hardening requirements mapped to Adobe ADMX FeatureLockDown settings:

ASD/ISM hardening requirement	Risk	Adobe ADMX setting	Recommended value
Disable JavaScript execution in PDFs	Arbitrary code execution via embedded JS engine	Allow JavaScript (`bEnableJS`)	`0` (disabled)
Enable Protected Mode (sandbox)	Sandbox escape via parser exploit	Protected Mode (`bProtectedMode`)	`1` (enabled)
Enable Protected View for all files	Script/macro execution from untrusted PDFs	Protected View (`iProtectedView`)	`2` (All files)
Enable Enhanced Security (standalone)	UNC path traversal, temp file access	Enhanced Security standalone (`bEnhancedSecurityStandalone`)	`1` (enabled)
Enable Enhanced Security (browser)	Restricted content bypass when opened via browser	Enhanced Security browser (`bEnhancedSecurityInBrowser`)	`1` (enabled)
Block external content/hyperlink loading	SSRF, DNS rebinding, exfiltration via embedded URLs	Hyperlink Internet access (`bDisableHyperlink`)	`1` (blocked)
Disable cloud connectivity	Data sovereignty, telemetry, unmanaged updates	Adobe Document Cloud services	Disabled
Centralise application updates	Prevent unmanaged version changes	Adobe Reader Product Updates	Disabled

Step 1 — Download the Adobe Acrobat ADMX template:

Go to the Adobe Acrobat Enterprise Toolkit and download the Group Policy ADMX template package.
Extract the archive and locate:
- AcrobatReaderDC.admx (or AcrobatDC.admx for Acrobat Pro)
- AcrobatReaderDC.adml (in the en-US subfolder)

[!NOTE] Reader DC policies are written to HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown. Acrobat Pro DC uses HKLM\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown. Confirm the installed product before deploying.

Step 2 — Import the ADMX template into Intune:

In the Microsoft Intune admin center, navigate to Devices > Manage devices > Configuration > Import ADMX tab.
Select Import, upload the .admx file, then upload the .adml language file on the following step.
Select Create and allow a few minutes for processing. Verify the import status shows Available before proceeding.⁵

Step 3 — Create a hardening policy using the imported template:

Navigate to Devices > Manage devices > Configuration > + Create policy.
Set Platform to Windows 10 and later and Profile type to Imported Administrative Templates (Preview).
Enter a descriptive name (e.g., Adobe Acrobat DC — ASD Hardening) and select Next.
Under Configuration settings, locate the Adobe Acrobat category and apply each setting from the table above.⁵

Alternative: Direct registry OMA-URI (custom profile):

If a setting is not exposed in the imported ADMX template, configure it via a Custom profile using the following OMA-URI paths:

Setting	OMA-URI (Reader DC)	Data type	Value
Disable JavaScript	`./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bEnableJS`	Integer	`0`
Enable Protected Mode	`./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bProtectedMode`	Integer	`1`
Protected View — All files	`./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/iProtectedView`	Integer	`2`
Enhanced Security (standalone)	`./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bEnhancedSecurityStandalone`	Integer	`1`
Enhanced Security (browser)	`./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bEnhancedSecurityInBrowser`	Integer	`1`
Block hyperlink internet access	`./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bDisableHyperlink`	Integer	`1`

[!IMPORTANT] Replace Acrobat Reader/DC with Adobe Acrobat/DC in all paths when targeting Acrobat Pro DC. After policy assignment, verify registry values on a test device under HKLM\SOFTWARE\Policies\Adobe\...\FeatureLockDown. Values written here take precedence over any user-modified settings in HKCU\Software\Adobe\....⁶

Harden Edge built-in PDF viewer settings via Intune Settings Catalog

For organisations using Microsoft Edge as the primary PDF viewer (the default in Windows 11), Adobe ADMX templates are not required. Edge’s built-in PDF engine — powered by the Adobe Acrobat rendering engine when NewPDFReaderEnabled is active — is hardened through Edge’s native ADMX policies, which are natively available in the Intune Settings Catalog without any template import.

Edge PDF Reader policies to configure:

Edge policy	Security function	ASD alignment	Intune Settings Catalog path
`PDFSecureMode` — Enabled	Activates sandbox process isolation and enforces certificate validation for digitally signed PDFs	Aligns with vendor Protected Mode requirement	Microsoft Edge > PDF Reader > Secure mode
`NewPDFReaderEnabled` — Enabled	Uses the Adobe Acrobat-based rendering engine (additional sandboxing layer)	Vendor hardening	Microsoft Edge > PDF Reader > New PDF reader
`AlwaysOpenPdfExternally` — Disabled	Ensures PDFs open in Edge’s sandboxed viewer rather than being downloaded to an unmanaged external process	Prevents bypass of browser sandbox	Microsoft Edge > PDF Reader > Always open externally
`PDFXFAEnabled` — Disabled	Disables XFA (XML Forms Architecture) support — a legacy attack surface with no ASD-approved use case in Australian Government environments	Minimise attack surface	Microsoft Edge > PDF Reader > XFA support
`ShowAcrobatSubscriptionButton` — Disabled	Removes upsell UI that could prompt users to install external Acrobat software outside managed channels	Prevent unmanaged software installs	Microsoft Edge > PDF Reader > Show Acrobat subscription button

To configure in Intune:

Navigate to Devices > Manage devices > Configuration > + Create policy.
Set Platform to Windows 10 and later and Profile type to Settings Catalog.
In the settings picker, search for Microsoft Edge and filter by PDF Reader.
Add and configure each setting from the table above.
Assign to the same device group as your Edge baseline policy.⁷

ASD Blueprint: User application hardening describes design decisions and reference architecture for hardening user applications across environments ASD Blueprint: User application hardening
ASD Blueprint: System hardening user apps outlines technical controls for hardening user applications and macros in Office and Windows environments ASD Blueprint: System hardening user apps
ACSC Essential Eight overview provides guidance for Essential Eight controls including user application hardening ACSC Essential Eight
Microsoft Windows PDF vulnerability bulletins MS16-028 provide patches for memory-related vulnerabilities in PDF handling MS16-028 - Critical
CVE-2025-32451 Foxit PDF Reader vulnerability analysis and mitigation covers Foxit PDF vulnerabilities and mitigations CVE-2025-32451: Foxit PDF Reader vulnerability analysis and mitigation
Import custom ADMX templates in Microsoft Intune explains how to upload third-party ADMX and ADML files into Intune to create Imported Administrative Templates policies for non-Microsoft applications, including Adobe Acrobat Import custom ADMX templates
Adobe Acrobat Enterprise Toolkit (Group Policy and Registry Reference) provides the official ADMX templates and full registry key reference for all Acrobat DC and Reader DC FeatureLockDown settings, covering all ASD hardening-relevant controls Adobe Acrobat Enterprise Toolkit
Microsoft Edge PDF Reader policy reference documents PDFSecureMode, AlwaysOpenPdfExternally, NewPDFReaderEnabled, and PDFXFAEnabled policies used to harden the Edge built-in PDF viewer via Settings Catalog without any ADMX import Microsoft Edge PDF Reader policies

🛡️ Essential 8 Guide