Policy CSP - ServiceControlManager

Artikel
13-02-2025

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

SvchostProcessMitigation

Scope	Editions	Applicable OS
✅ Device ❌ User	❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC	✅ Windows 10, version 1903 [10.0.18362] and later

Device

./Device/Vendor/MSFT/Policy/Config/ServiceControlManager/SvchostProcessMitigation

This policy setting enables process mitigation options on svchost.exe processes.

If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.

This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code.

If you disable or don't configure this policy setting, these stricter security settings won't be applied.

If you enable this policy, it adds code integrity guard (CIG) and arbitrary code guard (ACG) enforcement and other process mitigation/code integrity policies to SVCHOST processes.

Belangrijk

Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes. For example, third-party antivirus software.

Description framework properties:

Property name	Property value
Format	`chr` (string)
Access Type	Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name	Value
Name	SvchostProcessMitigationEnable
Friendly Name	Enable svchost.exe mitigation options
Location	Computer Configuration
Path	System > Service Control Manager Settings > Security Settings
Registry Key Name	System\CurrentControlSet\Control\SCMConfig
Registry Value Name	EnableSvchostMitigationPolicy
ADMX File Name	ServiceControlManager.admx

Policy configuration service provider

Aanvullende resources

Documentatie

SystemServices Policy CSP

Learn more about the SystemServices Area in Policy CSP.
Messaging Policy CSP

Learn more about the Messaging Area in Policy CSP.
FileSystem Policy CSP

Learn more about the FileSystem Area in Policy CSP.
Handwriting Policy CSP

Learn more about the Handwriting Area in Policy CSP.
TaskManager Policy CSP

Learn more about the TaskManager Area in Policy CSP.
ADMX_GroupPolicy Policy CSP

Learn more about the ADMX_GroupPolicy Area in Policy CSP.
AppDeviceInventory Policy CSP

Learn more about the AppDeviceInventory Area in Policy CSP.
LockDown Policy CSP

Learn more about the LockDown Area in Policy CSP.

Training

Leertraject

MD-102 Eindpuntbeveiliging beheren - Training

In dit leertraject leren studenten meer over gegevensbescherming en het beveiligen van eindpunten tegen bedreigingen. Dit pad behandelt ook de belangrijkste mogelijkheden van Microsoft Defender-oplossingen.

Certificering

Microsoft Gecertificeerd: Informatiebeveiliging en Nalevingsbeheerder Assistent - Certifications

Demonstreert de basisprincipes van gegevensbeveiliging, levenscyclusbeheer, informatiebeveiliging en naleving om een Microsoft 365-implementatie te beschermen.

Delen via

Policy CSP - ServiceControlManager

SvchostProcessMitigation

Feedback

Aanvullende resources

Delen via

Policy CSP - ServiceControlManager

SvchostProcessMitigation

Related articles

Feedback

Aanvullende resources