windows-itpro-docs/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
MaratMussabekov 30bedf7c74
Update windows/client-management/mdm/policy-csp-servicecontrolmanager.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
2020-11-08 07:44:42 +05:00


title: Policy CSP - ServiceControlManager
description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: Heidilohr
ms.localizationpriority: medium
ms.date: 09/27/2019

Policy CSP - ServiceControlManager


ServiceControlManager policies

ServiceControlManager/SvchostProcessMitigation

| Windows Edition | Supported? |
|---|---|
| Home | No |
| Pro | No |
| Business | Yes (footnote 6) |
| Enterprise | Yes (footnote 6) |
| Education | Yes (footnote 6) |

Scope:

  • Device

This policy setting enables process mitigation options on svchost.exe processes.

If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.

This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code.

Important

Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software).

If you disable or do not configure this policy setting, the stricter security settings will not be applied.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Enable svchost.exe mitigation options
  • GP name: SvchostProcessMitigationEnable
  • GP path: System/Service Control Manager Settings/Security Settings
  • GP ADMX file name: ServiceControlManager.admx

Supported values:

  • disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
  • enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
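The Tip above says the payload must be sent as `chr` data and either XML-encoded or wrapped in CDATA. The following added example (not part of the original page) builds the SyncML `Replace` command both ways and parses it back to confirm the client sees the same payload. The LocURI follows the general device-scope Policy CSP path pattern, and the `<enabled/>` / `<disabled/>` payload form follows the general ADMX-backed policy convention; both are assumptions, as are the helper names.

```python
# Added example: SyncML for ServiceControlManager/SvchostProcessMitigation.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumption: ./Device/Vendor/MSFT/Policy/Config/<Area>/<Policy> path pattern.
LOC_URI = ("./Device/Vendor/MSFT/Policy/Config/"
           "ServiceControlManager/SvchostProcessMitigation")

TEMPLATE = """<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>{cmd_id}</CmdID>
      <Item>
        <Target><LocURI>{uri}</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
        <Data>{data}</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>"""


def build_syncml(state, use_cdata=False, cmd_id=1):
    """Return a SyncML message that sets the policy to 'enabled' or 'disabled'."""
    if state not in ("enabled", "disabled"):
        raise ValueError("state must be 'enabled' or 'disabled'")
    payload = f"<{state}/>"  # assumed ADMX-backed payload form
    if use_cdata:
        data = f"<![CDATA[{payload}]]>"   # only if the MDM supports CDATA
    else:
        data = escape(payload)            # XML-encode: &lt;enabled/&gt;
    return TEMPLATE.format(cmd_id=cmd_id, uri=LOC_URI, data=data)


def decoded_payload(syncml):
    """Parse the message as a receiver would and return the <Data> text.

    Returns None when the payload was inserted unencoded, because the parser
    then sees a child element inside <Data> instead of character data.
    """
    root = ET.fromstring(syncml)
    return root.find(".//{SYNCML:SYNCML1.2}Data").text


if __name__ == "__main__":
    print(build_syncml("enabled"))
    print(build_syncml("enabled", use_cdata=True))
```

Both encodings decode to the same string on the client; an unencoded payload does not, which is the failure the encoding requirement prevents.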

Footnotes:

  • 1 - Available in Windows 10, version 1607.
  • 2 - Available in Windows 10, version 1703.
  • 3 - Available in Windows 10, version 1709.
  • 4 - Available in Windows 10, version 1803.
  • 5 - Available in Windows 10, version 1809.
  • 6 - Available in Windows 10, version 1903.
  • 7 - Available in Windows 10, version 1909.
  • 8 - Available in Windows 10, version 2004.