Secure Score How-To

How to Block Adobe Reader from Creating Child Processes in Microsoft 365

Last updated: April 2026

Adobe Reader can launch other processes when handling files — a path attackers exploit to run malicious code. This guide walks you through enabling the Attack Surface Reduction rule in Microsoft Defender for Endpoint to block this behaviour and improve your Secure Score.

What you'll achieve

  • Blocked attack path: Adobe Reader will be prevented from launching child processes that attackers can exploit.
  • Reduced attack surface: Your endpoint ASR rule will be active and enforced across Intune-managed devices.
  • Secure Score uplift: Once the rule is in Block mode, Microsoft will mark this recommendation as Completed.

Why this setting matters

PDF files are one of the most common delivery mechanisms for malware. Adobe Reader, by default, can spawn child processes — things like command prompts, scripts, or other executables — when handling certain file types or embedded content.

  • Attackers embed malicious scripts in PDFs that launch via child processes.
  • Once a child process runs, it can bypass security controls and execute payloads.
  • This ASR rule is a direct Secure Score recommendation with measurable score impact.

Blocking Adobe Reader child processes is one of the most straightforward ASR rules to implement — low disruption risk, clear security benefit, and a direct Secure Score win.

Before you start

  • Microsoft 365 Business Premium, or Microsoft Defender for Endpoint Plan 1 or Plan 2 licence.
  • Global Administrator or Security Administrator permissions in your tenant.
  • Devices onboarded to Microsoft Defender for Endpoint.
  • Microsoft Intune configured if you plan to deploy via policy (recommended).
  • Plan to run the rule in Audit mode for 7–14 days first, to check for false positives, before switching to Block.

Step-by-step

Use these five steps to locate, configure, test, and confirm the Adobe Reader ASR rule in Microsoft Defender for Endpoint.

1. Open the Microsoft Defender portal

Go to security.microsoft.com and sign in with your admin account. In the left navigation, select Settings, then Endpoints. This is where endpoint-level security rules are managed.

2. Navigate to Attack Surface Reduction rules

Inside Settings → Endpoints, scroll to the Rules section and select Attack surface reduction rules. You will see a full list of ASR rules with their current enforcement state.

3. Locate the Adobe Reader rule

Find the rule named Block Adobe Reader from creating child processes. It may show as Off or Audit if not yet configured. Note the Rule ID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c — you will need this for Intune deployment.

4. Set the rule to Block mode

Select the rule and choose Block from the state dropdown, then save. If you want to test first, set to Audit — this logs events without blocking and gives you data to review before full enforcement. Switch to Block once confident.

5. Verify the rule is active

Confirm the rule shows Block in the ASR rules list. If deploying via Intune, check Endpoint security → Attack surface reduction to confirm the policy is assigned and showing Succeeded across your device groups. Allow up to 24 hours for Secure Score to update.

How to confirm it worked

  • The rule shows Block status in the ASR rules list in the Defender portal.
  • No Adobe Reader child process events appear in Defender → Reports → Attack surface reduction.
  • Microsoft Secure Score shows the recommendation status as Completed.
  • In Intune, the ASR policy shows Succeeded across all assigned device groups.
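
The portal checks above can be backed up on an individual device. The following is an added example, not part of the original guide or Microsoft's own tooling: PowerShell that reads the rule's enforcement state from Defender and summarises the rule's Audit and Block events for the 7–14 day review window. It assumes an elevated session on a Windows device with Microsoft Defender Antivirus active; the function names are hypothetical, and the Rule ID is the one given in this guide.

```powershell
# Added example: check the Adobe Reader ASR rule on one Windows device.
# Rule ID is taken from this guide; run in an elevated PowerShell session.
$RuleId = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'

# Values used by AttackSurfaceReductionRules_Actions.
$ActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AdobeAsrState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Ids and Actions are parallel arrays; find this rule's position.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) {            # -eq is case-insensitive
            return $ActionNames[[int]$actions[$i]]
        }
    }
    return 'Not configured'
}

function Get-AdobeAsrEvents {
    param([int]$Days = 14)
    # 1121 = ASR rule fired in Block mode, 1122 = fired in Audit mode.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Match the rule GUID anywhere in the event XML (case-insensitive).
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ToXml() -match $RuleId } |
        Select-Object TimeCreated,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
            Message
}

"Rule state on $env:COMPUTERNAME : $(Get-AdobeAsrState)"
$events = @(Get-AdobeAsrEvents -Days 14)
"Adobe Reader ASR events in the last 14 days: $($events.Count)"
$events | Group-Object Mode | Select-Object Name, Count
$events | Select-Object -First 5 | Format-List TimeCreated, Mode, Message
```

During the Audit period, any events listed here show which child processes Adobe Reader tried to start, which is the data to review before switching to Block.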

FAQ

What does blocking Adobe Reader from creating child processes actually do?

It stops Adobe Reader from launching other processes — like command prompts or scripts — when handling PDF files. This cuts off a common attack path where malicious code embedded in a PDF tries to execute via a child process.

Will this break Adobe Reader for my users?

Standard PDF viewing is unaffected. Some advanced features — like launching embedded scripts or external applications from within a PDF — will be blocked. Run the rule in Audit mode first to identify any impact in your environment before switching to Block.

Do I need Microsoft Defender for Endpoint to use this rule?

Yes. Attack Surface Reduction rules require Microsoft Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 Business Premium. They are not available on Microsoft 365 Business Basic or Standard plans.

How long until my Secure Score updates after enabling this rule?

Secure Score typically updates within 24 hours of the rule being enforced. If it has not updated after 48 hours, confirm the rule is set to Block (not Audit) and that all relevant devices are fully onboarded to Defender for Endpoint.

Can I deploy this rule via Microsoft Intune instead of the Defender portal?

Yes. In Intune, go to Endpoint security → Attack surface reduction → Create policy and add the Adobe Reader child process rule using Rule ID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c. Assign it to your device groups and monitor compliance from the policy overview.

Need help reviewing your Microsoft 365 security?

Our team can assess your full Attack Surface Reduction configuration, prioritise the highest-impact rules, and help you build a clear remediation roadmap.
