Participant
March 2, 2023
Question

Block Adobe Reader from creating child processes GPO


There is an attack surface reduction rule we wish to establish in our environment, that is meant to block Adobe Reader from creating child processes. This appears to be very easy in InTune, but InTune is not ready for production. Therefore, GPO is the choice. Is there an ADMX template I can use, or any guidance on how the policy might be created?


1 reply

Participant
March 2, 2023

I found the GUID for blocking Adobe Reader from creating child processes, and I know now how to add it to the GPO. For perpetuity, this is how ASR is implemented in GPO:
1. In Group Policy Management Editor, navigate to Computer Configuration/Administrative Templates/Windows Components/Microsoft Defender Antivirus/Microsoft Defender Exploit Guard/Attack Surface Reduction

2. Open the Configure Attack Surface Reduction Rules

3. Enable rule, and click the Show button for the state for each ASR rule

4. The GUIDs for Adobe Reader (and others) are listed here:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix

5. GUID in left box, and either 0, 1, or 2 in right box
0 = Disable the rule

1 = Enforce the rule

2 = Audit the rule (logged only)

 

Hope that helps somebody.
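
To check the result of the steps above on an endpoint, the following PowerShell is an added example, not part of the original reply. It compares what Group Policy wrote with what Defender has loaded and lists recent hits for the rule. The default GUID is an assumption to confirm against the rule-to-GUID matrix linked in step 4; the registry path and event IDs 1121/1122 are the standard Defender locations, not taken from the post.

```powershell
# Added example: verify a GPO-delivered ASR rule on the local machine.
# Assumption: this GUID is "Block Adobe Reader from creating child processes";
# confirm it against the ASR rule-to-GUID matrix before relying on it.
param(
    [string]$RuleId = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
)

# States as described in the reply: 0 = disable, 1 = enforce, 2 = audit.
$stateNames = @{ '0' = 'Disabled'; '1' = 'Enforced'; '2' = 'Audit' }
function Get-StateName([string]$Value) {
    if ($stateNames.ContainsKey($Value)) { $stateNames[$Value] } else { "Other ($Value)" }
}

# 1. What Group Policy wrote: value name = rule GUID, value data = state.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$gpoValue = $null
if (Test-Path $policyKey) {
    $gpoValue = (Get-ItemProperty -Path $policyKey -Name $RuleId -ErrorAction SilentlyContinue).$RuleId
}

# 2. What Defender has loaded: two parallel arrays of rule ids and actions.
$pref = Get-MpPreference
$effective = $null
$ids = @($pref.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $RuleId) {
        $effective = [string]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

[pscustomobject]@{
    RuleId         = $RuleId
    GpoState       = if ($null -ne $gpoValue)  { Get-StateName $gpoValue }  else { 'Not set by GPO' }
    EffectiveState = if ($null -ne $effective) { Get-StateName $effective } else { 'Not configured' }
}

# 3. Recent hits for this rule: event 1121 = blocked, 1122 = audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($RuleId) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

A mismatch between GpoState and EffectiveState usually means the policy has not refreshed yet or another management channel is setting the same rule.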