From 9178e4ce729b15b09e800c8c4e43e737fe806cc6 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 10 May 2019 09:52:59 -0700 Subject: [PATCH 1/7] Added 19H1 new policy doc and policy --- .../policy-configuration-service-provider.md | 9 ++ .../mdm/policy-csp-servicecontrolmanager.md | 115 ++++++++++++++++++ 2 files changed, 124 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-servicecontrolmanager.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a27926a537..58bba60460 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2927,6 +2927,13 @@ The following diagram shows the Policy configuration service provider in tree fo +### ServiceControlManager policies +
+
+ ServiceControlManager/SvchostProcessMitigation +
+
+ ### Settings policies
@@ -4112,6 +4119,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) - [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) - [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) +- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) - [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) @@ -4833,6 +4841,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb) - [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries) - [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready) +- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) - [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips) - [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar) - [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md new file mode 100644 index 0000000000..a2558d44fc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md 
@@ -0,0 +1,115 @@ +--- +title: Policy CSP - ServiceControlManager +description: Policy CSP - ServiceControlManager +ms.author: Heidi.Lohr +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: Heidilohr +ms.date: 05/10/2019 +--- + +# Policy CSP - ServiceControlManager + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + + +
+ + +## ServiceControlManager policies + +
+
+ ServiceControlManager/SvchostProcessMitigation +
+
+ +
+ + +**ServiceControlManager/SvchostProcessMitigation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting enables process mitigation options on svchost.exe processes. + +If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. + +This includes Microsoft to sign a policy requiring all binaries loaded on SVCHOST processes and a policy disallowing dynamically generated code. + +If you disable or do not configure this policy setting, the stricter security settings will not be applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable svchost.exe mitigation options* +- GP name: *SvchostProcessMitigationEnable* +- GP path: *System/Service Control Manager Settings/Security Settings* +- GP ADMX file name: *ServiceControlManager.admx* + + + +Supported values: +- disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. +- enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. + + + + + + + + + + + +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From 959f88dbd27966614e2401cbea3fdfec98a035b0 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 17 May 2019 12:50:09 -0700 Subject: [PATCH 2/7] Updated SKU --- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index a2558d44fc..ec32296079 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -44,7 +44,7 @@ ms.date: 05/10/2019 cross mark - cross mark + check mark6 check mark6 check mark6 check mark6 From 5480ba46fe2edcc6eac8281bb918b6a8e805eeda Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 17 May 2019 14:52:36 -0700 Subject: [PATCH 3/7] Update SKU --- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index ec32296079..a2558d44fc 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -44,7 +44,7 @@ ms.date: 05/10/2019 cross mark - check mark6 + cross mark check mark6 check mark6 check mark6 From 7e5a521e9daf4492560ad8268a507d2d0679214a Mon Sep 17 00:00:00 2001 
From: ManikaDhiman Date: Fri, 17 May 2019 15:21:38 -0700 Subject: [PATCH 4/7] Added dev comment --- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index a2558d44fc..b879cef048 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -68,7 +68,7 @@ This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. -This includes Microsoft to sign a policy requiring all binaries loaded on SVCHOST processes and a policy disallowing dynamically generated code. +This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code. If you disable or do not configure this policy setting, the stricter security settings will not be applied. From 4b680098dc03cf665eb03aec49cec1bbc10b74ec Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 28 May 2019 14:45:08 -0700 Subject: [PATCH 5/7] Updated what's new --- .../mdm/new-in-windows-mdm-enrollment-management.md | 4 +++- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 568389f6f7..6fecea0699 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
@@ -115,6 +115,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
  • [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
  • [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
  • +
  • [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
  • [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
  • [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
  • [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
  • @@ -1868,16 +1869,17 @@ How do I turn if off? | The service can be stopped from the "Services" console o |New or updated topic | Description| |--- | ---| +|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
    DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.| |[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.| |[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:
    DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.

    Updated description of the following policies:
    DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.| |[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:
    ShowLockOnUserTile.| |[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:
    AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.| |[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:
    EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.| |[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:
    AllowFindMyFiles.| +|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:
    SvchostProcessMitigation.| |[Policy CSP - System](policy-csp-system.md)|Added the following new policies:
    AllowCommercialDataPipeline, TurnOffFileHistory.| |[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:
    AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.| |[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:
    AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.| -|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
    DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.| ### April 2019 diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index b879cef048..d8eed119eb 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: Heidilohr -ms.date: 05/10/2019 +ms.date: 05/21/2019 --- # Policy CSP - ServiceControlManager From b56cec66934ee006a0255f22b342e7b09b7ea152 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 29 May 2019 10:16:56 -0700 Subject: [PATCH 6/7] Added new policy to TOC --- windows/client-management/mdm/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 3e6ae32cb4..54ce71766b 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -245,6 +245,7 @@ #### [RestrictedGroups](policy-csp-restrictedgroups.md) #### [Search](policy-csp-search.md) #### [Security](policy-csp-security.md) +#### [ServiceControlManager](policy-csp-servicecontrolmanager.md) #### [Settings](policy-csp-settings.md) #### [SmartScreen](policy-csp-smartscreen.md) #### [Speech](policy-csp-speech.md) From fd36b9c68a09dec9ed667dc362cedd34309959ae Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 29 May 2019 10:40:28 -0700 Subject: [PATCH 7/7] Removed prerelease warning --- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index d8eed119eb..18c9500905 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md 
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -11,9 +11,6 @@ ms.date: 05/21/2019 # Policy CSP - ServiceControlManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
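Review bot: in the new policy-csp-servicecontrolmanager.md added by PATCH 1/7, the "Supported values" entries refer to "ACG/CIG enforcement", but the page never expands either acronym or ties them to the description, which speaks only of a Microsoft-signing requirement and a ban on dynamically generated code. Expand both on first use (Arbitrary Code Guard, Code Integrity Guard) and say which sentence of the description each one corresponds to, so an administrator reading the value list knows what "enabled" turns on. The description also does not say what happens to a non-Microsoft binary that currently loads into an svchost.exe process once the signing requirement applies; one sentence on the expected compatibility impact would help anyone piloting the policy. Minor: the file ends without a trailing newline ("\ No newline at end of file").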
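Review bot: PATCH 3/7 ("Update SKU") exactly reverts PATCH 2/7 ("Updated SKU"): the one-line hunk at @@ -44,7 +44,7 @@ swaps "check mark6" back to "cross mark", and the blob returns to a2558d44fc, the same content as after PATCH 1/7. Drop both commits from the series, or, if support on that edition was genuinely in question, record in the commit message which SKU column was changed and why it was changed back, since neither subject line says.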
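Review bot: in PATCH 4/7, the replacement sentence at @@ -68,7 +68,7 @@ writes "dynamically-generated code"; a compound modifier that begins with an -ly adverb takes no hyphen, so this should read "dynamically generated code". Since this commit only repairs the garbled sentence introduced in PATCH 1/7 ("This includes Microsoft to sign a policy requiring all binaries loaded on SVCHOST processes"), consider folding it into 1/7 so the broken wording never lands, and give it a subject that says what changed rather than "Added dev comment".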
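Review bot: PATCH 7/7 deletes the prerelease [!WARNING] block at @@ -11,9 +11,6 @@ that PATCH 1/7 added in this same series, and it leaves ms.date at 05/21/2019 although the commit is dated 29 May 2019. If the warning is not meant to ship, leave it out of 1/7 instead of adding and then removing it; either way, confirm whether ms.date should be updated to reflect this edit.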