deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
Vinay Pamnani 18087e39de Add IoT applicability
2023-08-11 10:31:52 -04:00

3.9 KiB
Raw Blame History

title, description, author, manager, ms.author, ms.date, ms.localizationpriority, ms.prod, ms.technology, ms.topic
title description author manager ms.author ms.date ms.localizationpriority ms.prod ms.technology ms.topic
ServiceControlManager Policy CSP Learn more about the ServiceControlManager Area in Policy CSP. vinaypamnani-msft aaroncz vinpa 08/10/2023 medium windows-client itpro-manage reference

Policy CSP - ServiceControlManager

[!INCLUDE ADMX-backed CSP tip]

SvchostProcessMitigation

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 10, version 1903 [10.0.18362] and later 
./Device/Vendor/MSFT/Policy/Config/ServiceControlManager/SvchostProcessMitigation

This policy setting enables process mitigation options on svchost.exe processes.

  • If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.

This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code.

  • If you disable or don't configure this policy setting, these stricter security settings won't be applied.

If you enable this policy, it adds code integrity guard (CIG) and arbitrary code guard (ACG) enforcement and other process mitigation/code integrity policies to SVCHOST processes.

Important

Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes. For example, third-party antivirus software.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name SvchostProcessMitigationEnable
Friendly Name Enable svchost.exe mitigation options
Location Computer Configuration
Path System > Service Control Manager Settings > Security Settings
Registry Key Name System\CurrentControlSet\Control\SCMConfig
Registry Value Name EnableSvchostMitigationPolicy
ADMX File Name ServiceControlManager.admx

Related articles

Policy configuration service provider