add servicecontrolmanager csp

2025-06-27 00:03:45 +00:00 · 2022-12-19 16:44:21 -08:00
parent fd21a09719
commit d9fb36ddaf
1 changed files with 77 additions and 71 deletions
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@ -1,100 +1,106 @@
 ---
-title: Policy CSP - ServiceControlManager
+title: ServiceControlManager Policy CSP
-description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes.
+description: Learn more about the ServiceControlManager Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 12/19/2022
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: Heidilohr
+ms.topic: reference
 ms.localizationpriority: medium
 ms.date: 09/27/2019
 ---
 <!-- Auto-Generated CSP Document -->
 <!-- ServiceControlManager-Begin -->
 # Policy CSP - ServiceControlManager
-<hr/>
+> [!TIP]
 > Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-<!--Policies-->
+<!-- ServiceControlManager-Editable-Begin -->
-## ServiceControlManager policies
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- ServiceControlManager-Editable-End -->
-<dl>
+<!-- SvchostProcessMitigation-Begin -->
-  <dd>
+## SvchostProcessMitigation
    <a href="#servicecontrolmanager-svchostprocessmitigation">ServiceControlManager/SvchostProcessMitigation</a>
  </dd>
 </dl>
-<hr/>
+<!-- SvchostProcessMitigation-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
 <!-- SvchostProcessMitigation-Applicability-End -->
-<!--Policy-->
+<!-- SvchostProcessMitigation-OmaUri-Begin -->
-<a href="" id="servicecontrolmanager-svchostprocessmitigation"></a>**ServiceControlManager/SvchostProcessMitigation**
+```Device
 ./Device/Vendor/MSFT/Policy/Config/ServiceControlManager/SvchostProcessMitigation
 ```
 <!-- SvchostProcessMitigation-OmaUri-End -->
-<!--SupportedSKUs-->
+<!-- SvchostProcessMitigation-Description-Begin -->
-
+<!-- Description-Source-ADMX -->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|No|No|
 |Windows SE|No|No|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting enables process mitigation options on svchost.exe processes.
 If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.
-These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code.
+This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code.
 If you disable or do not configure this policy setting, these stricter security settings will not be applied.
 <!-- SvchostProcessMitigation-Description-End -->
 <!-- SvchostProcessMitigation-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 If you enable this policy, it adds code integrity guard (CIG) and arbitrary code guard (ACG) enforcement and other process mitigation/code integrity policies to SVCHOST processes.
 > [!IMPORTANT]
-> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software).
+> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes. For example, third-party antivirus software.
-If you disable or do not configure this policy setting, the stricter security settings will not be applied.
+<!-- SvchostProcessMitigation-Editable-End -->
-<!--/Description-->
+<!-- SvchostProcessMitigation-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | chr (string) |
 | Access Type | Add, Delete, Get, Replace |
 <!-- SvchostProcessMitigation-DFProperties-End -->
 <!-- SvchostProcessMitigation-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-<!--ADMXBacked-->
+**ADMX mapping**:
 ADMX Info:
 -   GP Friendly name: *Enable svchost.exe mitigation options*
 -   GP name: *SvchostProcessMitigationEnable*
 -   GP path: *System/Service Control Manager Settings/Security Settings*
 -   GP ADMX file name: *ServiceControlManager.admx*
-<!--/ADMXBacked-->
+| Name | Value |
-<!--SupportedValues-->
+|:--|:--|
-Supported values:
+| Name | SvchostProcessMitigationEnable |
- Disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
+| Friendly Name | Enable svchost.exe mitigation options |
- Enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
+| Location | Computer Configuration |
-<!--/SupportedValues-->
+| Path | System > Service Control Manager Settings > Security Settings |
-<!--Example-->
+| Registry Key Name | System\CurrentControlSet\Control\SCMConfig |
 | Registry Value Name | EnableSvchostMitigationPolicy |
 | ADMX File Name | ServiceControlManager.admx |
 <!-- SvchostProcessMitigation-AdmxBacked-End -->
-<!--/Example-->
+<!-- SvchostProcessMitigation-Examples-Begin -->
-<!--Validation-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- SvchostProcessMitigation-Examples-End -->
-<!--/Validation-->
+<!-- SvchostProcessMitigation-End -->
 <!--/Policy-->
 <hr/>
-<!--/Policies-->
+<!-- ServiceControlManager-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- ServiceControlManager-CspMoreInfo-End -->
-## Related topics
+<!-- ServiceControlManager-End -->
 ## Related articles
 [Policy configuration service provider](policy-configuration-service-provider.md)