
Block Office communication application from creating child processes

"Block Office communication application from creating child processes" is a security feature in Microsoft 365 that restricts the ability of Office communication applications (such as Microsoft Teams, Skype for Business, and Lync) to create child processes. Child processes are new processes created by a running process, and in some cases, they may be used maliciously by attackers to execute commands or malware.

Additionally, the feature can help prevent privilege escalation and lateral movement by limiting the ability of an attacker to execute commands or processes on other systems.

Overall, the "Block Office communication application from creating child processes" feature provides an added layer of security to your Microsoft 365 environment, helping to protect your systems and data from malicious activity. It is recommended to enable this feature as part of your overall security strategy.

Why would you not want to block Office communication applications from creating child processes?

Blocking child processes may cause compatibility issues with other software or applications that rely on those processes. So be sure to test with a pilot user or group prior to rolling it out to your entire organization.

How to set up block Office communication application from creating child processes

First, you'll need to make sure Microsoft Defender Antivirus is turned on as the primary antivirus solution, with real-time protection enabled. To verify this, go to Security recommendations and search for "Turn on real-time protection". From there, click "Turn on real-time protection". Finally, click Exposed devices.

Now that our devices are ready, let's go ahead and block Office communication applications from creating child processes using Intune.

Block Office communication application from creating child processes
  1. Go to Microsoft Intune admin center (Microsoft Endpoint Manager) > Endpoint security > Attack surface reduction.
  2. Click Create Policy.
  3. Set Platform to Windows 10, Windows 11, and Windows Server.
  4. Set Profile to Attack Surface Reduction Rules.
  5. Click Create.
  6. Name your policy and click Next.
  7. Set Block Office communication application from creating child processes to Block. Click Next.
  8. Add your inclusions and exclusions. Click Next > Next > Create.
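
To confirm on a pilot device that the policy from the steps above has arrived, and to see what the rule has matched before a wider rollout, the following PowerShell check can be run in an elevated session. It is an added example, not part of the original article; the rule GUID and event IDs 1121 (block) and 1122 (audit) are taken from Microsoft's ASR rule reference rather than this page, and the seven-day window and the `Get-AsrRuleState` helper name are assumptions.

```powershell
# Added example: check Defender prerequisites, the ASR rule state, and recent rule events.
# GUID of "Block Office communication application from creating child processes"
# (from Microsoft's ASR rule reference, not stated on this page).
$RuleId      = '26190899-1602-49e8-8b27-eb1d0a1ce869'
$ActionNames = @{ 0 = 'Not configured'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: map the parallel Ids/Actions arrays to a readable state.
function Get-AsrRuleState {
    param(
        [string]$RuleId,
        [string[]]$Ids,     # AttackSurfaceReductionRules_Ids
        [int[]]$Actions     # AttackSurfaceReductionRules_Actions, same order as Ids
    )
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        if ($Ids[$i] -ieq $RuleId) {
            $name = $ActionNames[[int]$Actions[$i]]
            if ($name) { return $name }
            return "Unknown ($($Actions[$i]))"
        }
    }
    return 'Not configured'   # rule absent from local policy
}

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Prerequisites from the article plus the effective rule state on this device.
[pscustomobject]@{
    Device             = $env:COMPUTERNAME
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    RuleState          = Get-AsrRuleState -RuleId $RuleId `
                             -Ids $pref.AttackSurfaceReductionRules_Ids `
                             -Actions $pref.AttackSurfaceReductionRules_Actions
}

# Rule hits from the last 7 days (assumed window): 1121 = blocked, 1122 = audited.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated,
        @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
        Message |
    Format-List
```

Events listed here for software your pilot users depend on are the candidates for the exclusions in step 8.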