## ✅ Summary

This policy applies a single Attack Surface Reduction (ASR) rule to block Adobe Reader from creating child processes.

This is one of the most important ASR rules for reducing PDF-based malware execution, because malicious PDFs commonly attempt to spawn child processes such as:

- cmd.exe
- powershell.exe
- wscript.exe
- rundll32.exe
- mshta.exe
- regsvr32.exe
- exploit kit droppers

Blocking Adobe Reader from spawning child processes cuts off nearly the entire malicious PDF execution chain.
## 🔍 What the policy actually enforces

From the JSON:

ASR Rule: `blockadobereaderfromcreatingchildprocesses = block`

That maps to the Microsoft Defender ASR GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`

This rule is set to Block (not Audit).

### Assignment

- Target: All devices
- Scope Tag: 3
- Template: Attack Surface Reduction Rules (Endpoint Security)

### Technology

`"technologies": "mdm,microsoftSense"`

✔ Supported by both Intune MDM and Microsoft Defender for Endpoint.
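A practitioner deploying this policy will want to confirm on an endpoint that the rule really landed in Block mode (not Audit or Off) and to see whether it has fired. The script below is an added example written for this page; it is not part of the policy export or Microsoft's code. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus, reads the rule state from `Get-MpPreference`, and pulls recent ASR events (IDs 1121 block / 1122 audit) from the Defender operational log. The default `$RuleId` is the GUID quoted above, taken from this page. One caveat before using it for compliance evidence: Microsoft's published ASR rule reference lists `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` under "Block all Office applications from creating child processes" and `7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C` under "Block Adobe Reader from creating child processes", so check the GUID-to-rule mapping against that reference and pass the correct one.

```powershell
<#
  Added verification script (not part of the original policy export or Microsoft's code).
  Purpose: confirm on a managed Windows endpoint that the ASR rule this policy deploys is
  actually in Block mode, and surface any recent ASR events for it.
  Assumptions:
    - Elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus.
    - The default GUID below is the one quoted on this page; verify it against Microsoft's
      current ASR rule reference before relying on it.
#>
param(
    [string]$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
)

# Action codes that Get-MpPreference reports for each ASR rule
$AsrActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)

    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    # Ids and Actions are parallel arrays; locate the GUID we care about
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {   # string -eq is case-insensitive in PowerShell
            $code = [int]$actions[$i]
            $name = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
            return [pscustomobject]@{ RuleId = $Id; Configured = $true; ActionCode = $code; Action = $name }
        }
    }
    [pscustomobject]@{ RuleId = $Id; Configured = $false; ActionCode = $null; Action = 'NotConfigured' }
}

function Get-AsrRuleEvents {
    param([Parameter(Mandatory)][string]$Id, [int]$MaxEvents = 50)

    # 1121 = ASR rule blocked an operation; 1122 = rule would have blocked (audit mode)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # The rule GUID appears in the event message; keep only events for this rule
    $events | Where-Object { $_.Message -match [regex]::Escape($Id) } | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Detail = ($_.Message -split "`r?`n")[0]
        }
    }
}

function Test-AsrRuleBlocking {
    param([Parameter(Mandatory)][string]$Id)
    $state = Get-AsrRuleState -Id $Id
    return ($state.Configured -and $state.ActionCode -eq 1)
}

# --- run the checks ---
$state = Get-AsrRuleState -Id $RuleId
$state | Format-List

if (Test-AsrRuleBlocking -Id $RuleId) {
    Write-Host "OK: rule $RuleId is enforced in Block mode."
} else {
    Write-Warning "Rule $RuleId is '$($state.Action)'; this policy expects Block (action code 1)."
}

Write-Host "Recent ASR events for this rule (if any):"
Get-AsrRuleEvents -Id $RuleId | Format-Table -AutoSize

# Non-zero exit code lets this double as an Intune remediation detection script
exit ([int](-not (Test-AsrRuleBlocking -Id $RuleId)))
```

Run it as `.\Check-AsrRule.ps1` for the page's GUID, or `.\Check-AsrRule.ps1 -RuleId <guid>` to check another rule. A Block event (1121) for Adobe Reader in the output is the signal that a PDF actually tried to launch a child process and was stopped, which is worth forwarding to the SOC as a phishing indicator rather than treating as noise.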
## 🧩 Why this is powerful for Essential Eight

### ✔ Essential Eight: User Application Hardening

ACSC explicitly emphasises preventing common document formats (PDF, Office, browser content) from executing active content.

PDF exploitation is one of the most common malware vectors in:

- phishing campaigns
- low-grade ransomware
- document exploit kits
- social engineering droppers
- red team tradecraft

Blocking Adobe Reader from spawning child processes:

- breaks PDF-based malware
- stops initial access techniques
- protects against malicious embedded JavaScript
- prevents "document-to-payload" execution chains
- mitigates PDF reader exploits, including zero-days, by blocking their child-process stage rather than the exploit itself
### ✔ Alignment to E8 Maturity Levels

| E8 Level | Requirement | This Policy |
|---|---|---|
| M1 | Block common risky features in user-exposed apps | ✔ Yes — prevents dangerous behavior |
| M2 | Strong controls against malicious content execution | ✔ Yes — closes PDF -> EXE chain |
| M3 | Strictly enforce application hardening | ✔ Fully aligned — no bypass, no prompts |