add servicecontrolmanager csp

Aaron Czechowski 2022-12-19 16:44:21 -08:00
parent fd21a09719
commit d9fb36ddaf


@ -1,100 +1,106 @@
---
title: Policy CSP - ServiceControlManager
description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes.
title: ServiceControlManager Policy CSP
description: Learn more about the ServiceControlManager Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 12/19/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: Heidilohr
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- ServiceControlManager-Begin -->
# Policy CSP - ServiceControlManager
<hr/>
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--Policies-->
## ServiceControlManager policies
<!-- ServiceControlManager-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ServiceControlManager-Editable-End -->
<dl>
<dd>
<a href="#servicecontrolmanager-svchostprocessmitigation">ServiceControlManager/SvchostProcessMitigation</a>
</dd>
</dl>
<!-- SvchostProcessMitigation-Begin -->
## SvchostProcessMitigation
<hr/>
<!-- SvchostProcessMitigation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- SvchostProcessMitigation-Applicability-End -->
<!--Policy-->
<a href="" id="servicecontrolmanager-svchostprocessmitigation"></a>**ServiceControlManager/SvchostProcessMitigation**
<!-- SvchostProcessMitigation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ServiceControlManager/SvchostProcessMitigation
```
<!-- SvchostProcessMitigation-OmaUri-End -->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!-- SvchostProcessMitigation-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting enables process mitigation options on svchost.exe processes.
If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.
These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code.
This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code.
If you disable or do not configure this policy setting, these stricter security settings will not be applied.
<!-- SvchostProcessMitigation-Description-End -->
<!-- SvchostProcessMitigation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
If you enable this policy, it adds code integrity guard (CIG) and arbitrary code guard (ACG) enforcement and other process mitigation/code integrity policies to SVCHOST processes.
> [!IMPORTANT]
> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software).
> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes. For example, third-party antivirus software.
If you disable or do not configure this policy setting, the stricter security settings will not be applied.
<!-- SvchostProcessMitigation-Editable-End -->
<!--/Description-->
<!-- SvchostProcessMitigation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- SvchostProcessMitigation-DFProperties-End -->
<!-- SvchostProcessMitigation-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable svchost.exe mitigation options*
- GP name: *SvchostProcessMitigationEnable*
- GP path: *System/Service Control Manager Settings/Security Settings*
- GP ADMX file name: *ServiceControlManager.admx*
**ADMX mapping**:
<!--/ADMXBacked-->
<!--SupportedValues-->
Supported values:
- Disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
- Enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
<!--/SupportedValues-->
<!--Example-->
| Name | Value |
|:--|:--|
| Name | SvchostProcessMitigationEnable |
| Friendly Name | Enable svchost.exe mitigation options |
| Location | Computer Configuration |
| Path | System > Service Control Manager Settings > Security Settings |
| Registry Key Name | System\CurrentControlSet\Control\SCMConfig |
| Registry Value Name | EnableSvchostMitigationPolicy |
| ADMX File Name | ServiceControlManager.admx |
<!-- SvchostProcessMitigation-AdmxBacked-End -->
<!--/Example-->
<!--Validation-->
<!-- SvchostProcessMitigation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SvchostProcessMitigation-Examples-End -->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!-- SvchostProcessMitigation-End -->
<!--/Policies-->
<!-- ServiceControlManager-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- ServiceControlManager-CspMoreInfo-End -->
## Related topics
<!-- ServiceControlManager-End -->
[Policy configuration service provider](policy-configuration-service-provider.md)
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
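Review bot: the front matter as rendered carries two `title`, `description`, `author`, `ms.date`, `ms.topic` and `ms.localizationpriority` keys (`ms.date: 12/19/2022` alongside `ms.date: 09/27/2019`); make sure only the new set survives in the committed file, since duplicate YAML keys either break the build or silently pick one value. The same applies to the duplicated body text: the sentence starting `This includes a policy requiring all binaries loaded in these processes to be signed by microsoft` repeats the one before it with inconsistent capitalization, the `[!IMPORTANT]` callout about third-party antivirus appears twice, and both a `## Related topics` and a `## Related articles` heading remain. Separately, the SupportedSKUs table lists Business as Yes for both Windows 10 and 11, while the applicability table above it has no Business column and ticks only Enterprise and Education; reconcile the two so readers get one answer on which SKUs enforce ACG/CIG on svchost.exe. Finally, the ADMX-backed tip changes its link to `../understanding-admx-backed-policies.md` while the Scope line still links `./policy-configuration-service-provider.md`; check that both relative paths resolve from the file's location after this move.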