Enable svchost.exe mitigation options

This policy setting enables process mitigation options on svchost.exe processes.

If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.

This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically generated code.

If you disable or do not configure this policy setting, these stricter security settings will not be applied.

Supported on: At least Windows 10 Server, Windows 10 or Windows 10 RT

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: System\CurrentControlSet\Control\SCMConfig
Value Name: EnableSvchostMitigationPolicy
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0
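To audit this setting on a host, the following added example (not part of the original policy reference) reads EnableSvchostMitigationPolicy and then compares it with the mitigations reported for running svchost.exe instances. It assumes the ProcessMitigations module (Get-ProcessMitigation) is available and an elevated session; mapping the two policies described above to the BinarySignature.MicrosoftSignedOnly and DynamicCode.BlockDynamicCode fields is an assumption of this example.

```powershell
# Added example: audit the configured policy value and the effective mitigations.
$keyPath   = 'HKLM:\System\CurrentControlSet\Control\SCMConfig'
$valueName = 'EnableSvchostMitigationPolicy'

# 1. Configured state. A missing key or value means the policy is not configured.
$configured = $null
try {
    $configured = Get-ItemPropertyValue -Path $keyPath -Name $valueName -ErrorAction Stop
} catch {
    # Key or value absent: leave $configured as $null.
}

if     ($null -eq $configured) { $state = 'Not configured' }
elseif ($configured -eq 1)     { $state = 'Enabled' }
elseif ($configured -eq 0)     { $state = 'Disabled' }
else                           { $state = "Unexpected value: $configured" }
Write-Output "${valueName}: $state"

# 2. Effective state on each running svchost.exe instance.
#    Field mapping is this example's assumption (see lead-in).
$report = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    try {
        $m = Get-ProcessMitigation -Id $proc.Id -ErrorAction Stop
        [pscustomobject]@{
            ProcessId           = $proc.Id
            MicrosoftSignedOnly = [string]$m.BinarySignature.MicrosoftSignedOnly
            BlockDynamicCode    = [string]$m.DynamicCode.BlockDynamicCode
        }
    } catch {
        # Some instances cannot be queried even when elevated.
        [pscustomobject]@{
            ProcessId           = $proc.Id
            MicrosoftSignedOnly = 'unreadable'
            BlockDynamicCode    = 'unreadable'
        }
    }
}

# 3. Summarize, then list instances where either mitigation is not ON.
$report | Group-Object MicrosoftSignedOnly, BlockDynamicCode |
    Select-Object Count, Name | Format-Table -AutoSize

$gaps = @($report | Where-Object {
    $_.MicrosoftSignedOnly -ne 'ON' -or $_.BlockDynamicCode -ne 'ON'
})
Write-Output "svchost.exe instances without both mitigations ON: $($gaps.Count)"
$gaps | Format-Table -AutoSize
```

The policy text scopes the stricter settings to built-in system services, so a non-zero count in the last step is a list of instances to review rather than proof that the policy failed to apply.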

servicecontrolmanager.admx
