Policy

Enable svchost.exe mitigation options

Windows 11 25H2

Back to categoryOpen picker

Policy overview

Key metadata and intent for this policy.

ClassComputer
CategorySystem > Service Control Manager Settings > Security Settings
Supported onAt least Windows Server 2016, Windows 10

Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016

This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code. If you disable or do not configure this policy setting, these stricter security settings will not be applied.

Internal name
SvchostProcessMitigationEnable
Policy ID
ae5ad6b25c1c
Elements
0

Registry values

How enabled and disabled states update the registry.

Registry locationTypeEnabled valueDisabled value
HKLM\System\CurrentControlSet\Control\SCMConfig\EnableSvchostMitigationPolicyREG_DWORD
1
0

Policy elements

Inputs and configuration options exposed by this policy.

This policy has no additional user input fields.