Policy

Enable svchost.exe mitigation options

This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically generated code. If you disable or do not configure this policy setting, these stricter security settings will not be applied.

Policy
Pack: Microsoft Windows
Category: System / Service Control Manager Settings / Security Settings
Policy ID: ae5ad6b25c1c
Internal name: SvchostProcessMitigationEnable

Registry

HKLM\System\CurrentControlSet\Control\SCMConfig\EnableSvchostMitigationPolicy (enabled) = 1
HKLM\System\CurrentControlSet\Control\SCMConfig\EnableSvchostMitigationPolicy (disabled) = 0
