Policy CSP - ServiceControlManager
Tip
This CSP contains ADMX-backed policies, which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
SvchostProcessMitigation
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
./Device/Vendor/MSFT/Policy/Config/ServiceControlManager/SvchostProcessMitigation
This policy setting enables process mitigation options on svchost.exe processes.
- If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.
  This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically generated code.
- If you disable or don't configure this policy setting, these stricter security settings won't be applied.
If you enable this policy, it adds code integrity guard (CIG) and arbitrary code guard (ACG) enforcement and other process mitigation/code integrity policies to SVCHOST processes.
Important
Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes, for example third-party antivirus software.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | SvchostProcessMitigationEnable |
Friendly Name | Enable svchost.exe mitigation options |
Location | Computer Configuration |
Path | System > Service Control Manager Settings > Security Settings |
Registry Key Name | System\CurrentControlSet\Control\SCMConfig |
Registry Value Name | EnableSvchostMitigationPolicy |
ADMX File Name | ServiceControlManager.admx |
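The following SyncML message is an added example, not taken from the original page. It shows how the chr format, the policy's LocURI and the CDATA option described above fit together to enable this policy. The CmdID value is arbitrary, and the `<enabled/>` and `<disabled/>` payloads are assumed from the general ADMX-backed policy format rather than stated on this page.

```xml
<!-- Added example: enable SvchostProcessMitigation through an MDM channel. -->
<!-- CmdID is an arbitrary, per-message command identifier (assumption). -->
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <!-- Replace is one of the access types listed for this node. -->
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Meta>
          <!-- ADMX-backed policies take a string payload: Format must be chr. -->
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Target>
          <LocURI>./Device/Vendor/MSFT/Policy/Config/ServiceControlManager/SvchostProcessMitigation</LocURI>
        </Target>
        <!-- CDATA form: the payload is carried unencoded. -->
        <Data><![CDATA[<enabled/>]]></Data>
        <!--
          XML-encoded form of the same payload, for MDMs without CDATA support:
            <Data>&lt;enabled/&gt;</Data>
          To turn the policy off again, send the disabled element instead:
            <Data>&lt;disabled/&gt;</Data>
        -->
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
```

After the device processes the message, the EnableSvchostMitigationPolicy value under the SCMConfig registry key listed in the ADMX mapping is the place to confirm that the setting was written.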