ProgramName,Mitigation,Action,RemovalAllowed,Comment
msedge.exe,DisableExtensionPoints,Enable,True,Edge All Channels - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
msedge.exe,CFG,Enable,True,Edge All Channels - Enabled by default System-Wide
msedge.exe,StrictCFG,Enable,True,Edge All Channels - In strict mode all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded.
msedge.exe,MicrosoftSignedOnly,Enable,True,Edge All Channels - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
msedge.exe,AllowStoreSignedBinaries,Enable,True,Edge All Channels - Applications that are distributed by the Microsoft Store are digitally signed by the Microsoft Store and adding this configuration allows binaries that have gone through the store certification process to be loaded by the application.
msedge.exe,EnforceModuleDependencySigning,Enable,True,Edge All Channels - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
msedge.exe,BlockRemoteImageLoads,Enable,True,Edge All Channels - Prevents the application from loading images from remote devices.
msedge.exe,BlockLowLabelImageLoads,Enable,True,Edge All Channels - prevents the application from loading files that are untrusted typically because they've been downloaded from the internet from a sandboxed browser.
msedge.exe,UserShadowStack,Enable,True,Edge All Channels - user-mode Hardware-enforced Stack Protection is enabled for the process in compatibility mode. This means that the CPU verifies function return addresses at runtime by employing a shadow stack mechanism if supported by the hardware. In compatibility mode only shadow stack violations occurring in modules that are considered compatible with shadow stacks (CETCOMPAT) are fatal. For a module to be considered CETCOMPAT it needs to be either compiled with CETCOMPAT for binaries or marked using SetProcessDynamicEnforcedCetCompatibleRanges for dynamic code.
msedge.exe,UserShadowStackStrictMode,Enable,True,Edge All Channels - All shadow stack violations are fatal - No compatibility mode - See https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_user_shadow_stack_policy
explorer.exe,StrictHandle,Enable,True,Explorer - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
explorer.exe,DisableExtensionPoints,Enable,False,Explorer - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
vmcompute.exe,CFG,Enable,True,part of the Hyper-V Host Compute Service - Enabled by default System-Wide
vmcompute.exe,StrictCFG,Enable,True,part of the Hyper-V Host Compute Service - In strict mode all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded.
vmwp.exe,CFG,Enable,True,Virtual Machine Worker Process - Enabled by default System-Wide
vmwp.exe,StrictCFG,Enable,True,Virtual Machine Worker Process - In strict mode all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded.
QuickAssist.exe,DisableExtensionPoints,Enable,True,Quick Assist - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
QuickAssist.exe,StrictHandle,Enable,True,Quick Assist - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
QuickAssist.exe,BlockDynamicCode,Enable,True,Quick Assist - (a.k.a Arbitrary code guard) protects an application from executing dynamically generated code (code that isn't loaded for example from the exe itself or a dll).
QuickAssist.exe,MicrosoftSignedOnly,Enable,True,Quick Assist - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
QuickAssist.exe,AllowStoreSignedBinaries,Enable,True,Quick Assist - Applications that are distributed by the Microsoft Store are digitally signed by the Microsoft Store and adding this configuration allows binaries that have gone through the store certification process to be loaded by the application.
QuickAssist.exe,EnforceModuleDependencySigning,Enable,True,Quick Assist - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
QuickAssist.exe,DisableNonSystemFonts,Enable,True,Quick Assist - Only fonts that are installed into the windows\fonts directory will be loaded for processing by GDI.
QuickAssist.exe,BlockRemoteImageLoads,Enable,True,Quick Assist - Prevents the application from loading images from remote devices.
QuickAssist.exe,BlockLowLabelImageLoads,Enable,True,Quick Assist - prevents the application from loading files that are untrusted typically because they've been downloaded from the internet from a sandboxed browser.
QuickAssist.exe,EnableExportAddressFilter,Enable,True,Quick Assist - mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack.
QuickAssist.exe,EnableExportAddressFilterPlus,Enable,True,Quick Assist - (a.k.a EAF+) adds protections for other commonly attacked modules by expanding the support of EAF
QuickAssist.exe,EnableImportAddressFilter,Enable,True,Quick Assist - helps mitigate the risk of an adversary changing the control flow of an application by modifying the import address table (IAT) to redirect to arbitrary code of the attacker's choice when that function is called.
QuickAssist.exe,EnableRopStackPivot,Enable,True,Quick Assist - helps protect against the Stack Pivot attack; a ROP attack where an attacker creates a fake stack in heap memory and then tricks the application into returning into the fake stack that controls the flow of execution.
QuickAssist.exe,EnableRopCallerCheck,Enable,True,Quick Assist - a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller.
QuickAssist.exe,UserShadowStack,Enable,True,Quick Assist - user-mode Hardware-enforced Stack Protection is enabled for the process in compatibility mode. This means that the CPU verifies function return addresses at runtime by employing a shadow stack mechanism if supported by the hardware. In compatibility mode only shadow stack violations occurring in modules that are considered compatible with shadow stacks (CETCOMPAT) are fatal. For a module to be considered CETCOMPAT it needs to be either compiled with CETCOMPAT for binaries or marked using SetProcessDynamicEnforcedCetCompatibleRanges for dynamic code.
QuickAssist.exe,UserShadowStackStrictMode,Enable,True,Quick Assist - All shadow stack violations are fatal - No compatibility mode - See https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_user_shadow_stack_policy
Acrobat.exe,ForceRelocateImages,Enable,True,Adobe Acrobat - Enabled by default system-wide
Acrobat.exe,RequireInfo,Enable,True,Adobe Acrobat - This option blocks the loading of images that have had relocation information stripped. Some older applications strip out this information in production builds and therefore these binaries can't be rebased.
Acrobat.exe,StrictHandle,Enable,True,Adobe Acrobat - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
Acrobat.exe,EnforceModuleDependencySigning,Enable,True,Adobe Acrobat - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
Acrobat.exe,DisableNonSystemFonts,Enable,True,Adobe Acrobat - Only fonts that are installed into the windows\fonts directory will be loaded for processing by GDI.
Acrobat.exe,BlockRemoteImageLoads,Enable,True,Adobe Acrobat - Prevents the application from loading images from remote devices.
Acrobat.exe,BlockLowLabelImageLoads,Enable,True,Adobe Acrobat - prevents the application from loading files that are untrusted typically because they've been downloaded from the internet from a sandboxed browser.
Acrobat.exe,EnableRopStackPivot,Enable,True,Adobe Acrobat - helps protect against the Stack Pivot attack; a ROP attack where an attacker creates a fake stack in heap memory and then tricks the application into returning into the fake stack that controls the flow of execution.
Acrobat.exe,EnableRopCallerCheck,Enable,True,Adobe Acrobat - a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller.
Acrobat.exe,UserShadowStack,Enable,True,Adobe Acrobat - user-mode Hardware-enforced Stack Protection is enabled for the process in compatibility mode. This means that the CPU verifies function return addresses at runtime by employing a shadow stack mechanism if supported by the hardware. In compatibility mode only shadow stack violations occurring in modules that are considered compatible with shadow stacks (CETCOMPAT) are fatal. For a module to be considered CETCOMPAT it needs to be either compiled with CETCOMPAT for binaries or marked using SetProcessDynamicEnforcedCetCompatibleRanges for dynamic code.
OneDrive.exe,StrictHandle,Enable,True,OneDrive - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
OneDrive.exe,DisableExtensionPoints,Enable,True,OneDrive - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
OneDrive.exe,MicrosoftSignedOnly,Enable,True,OneDrive - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
OneDrive.exe,AllowStoreSignedBinaries,Enable,True,OneDrive - Applications that are distributed by the Microsoft Store are digitally signed by the Microsoft Store and adding this configuration allows binaries that have gone through the store certification process to be loaded by the application.
OneDrive.exe,EnforceModuleDependencySigning,Enable,True,OneDrive - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
OneDrive.exe,EnableRopStackPivot,Enable,True,OneDrive - helps protect against the Stack Pivot attack; a ROP attack where an attacker creates a fake stack in heap memory and then tricks the application into returning into the fake stack that controls the flow of execution.
OneDrive.exe,EnableRopCallerCheck,Enable,True,OneDrive - a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller.
EXCEL.EXE,StrictHandle,Enable,True,Excel - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
EXCEL.EXE,DisableExtensionPoints,Enable,True,Excel - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
EXCEL.EXE,MicrosoftSignedOnly,Enable,True,Excel - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
EXCEL.EXE,AllowStoreSignedBinaries,Enable,True,Excel - Applications that are distributed by the Microsoft Store are digitally signed by the Microsoft Store and adding this configuration allows binaries that have gone through the store certification process to be loaded by the application.
EXCEL.EXE,EnforceModuleDependencySigning,Enable,True,Excel - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
EXCEL.EXE,EnableRopStackPivot,Enable,True,Excel - helps protect against the Stack Pivot attack; a ROP attack where an attacker creates a fake stack in heap memory and then tricks the application into returning into the fake stack that controls the flow of execution.
EXCEL.EXE,EnableRopCallerCheck,Enable,True,Excel - a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller.
MSACCESS.EXE,StrictHandle,Enable,True,Access - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
MSACCESS.EXE,DisableExtensionPoints,Enable,True,Access - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
MSACCESS.EXE,MicrosoftSignedOnly,Enable,True,Access - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
MSACCESS.EXE,AllowStoreSignedBinaries,Enable,True,Access - Applications that are distributed by the Microsoft Store are digitally signed by the Microsoft Store and adding this configuration allows binaries that have gone through the store certification process to be loaded by the application.
MSACCESS.EXE,EnforceModuleDependencySigning,Enable,True,Access - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
MSACCESS.EXE,EnableRopStackPivot,Enable,True,Access - helps protect against the Stack Pivot attack; a ROP attack where an attacker creates a fake stack in heap memory and then tricks the application into returning into the fake stack that controls the flow of execution.
MSACCESS.EXE,EnableRopCallerCheck,Enable,True,Access - a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller.
MSPUB.EXE,StrictHandle,Enable,True,Publisher - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
MSPUB.EXE,DisableExtensionPoints,Enable,True,Publisher - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
MSPUB.EXE,MicrosoftSignedOnly,Enable,True,Publisher - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
MSPUB.EXE,AllowStoreSignedBinaries,Enable,True,Publisher - Applications that are distributed by the Microsoft Store are digitally signed by the Microsoft Store and adding this configuration allows binaries that have gone through the store certification process to be loaded by the application.
MSPUB.EXE,EnforceModuleDependencySigning,Enable,True,Publisher - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
MSPUB.EXE,EnableRopStackPivot,Enable,True,Publisher - helps protect against the Stack Pivot attack; a ROP attack where an attacker creates a fake stack in heap memory and then tricks the application into returning into the fake stack that controls the flow of execution.
MSPUB.EXE,EnableRopCallerCheck,Enable,True,Publisher - a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller.
ONENOTE.EXE,StrictHandle,Enable,True,OneNote - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
ONENOTE.EXE,DisableExtensionPoints,Enable,True,OneNote - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
ONENOTE.EXE,MicrosoftSignedOnly,Enable,True,OneNote - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
ONENOTE.EXE,AllowStoreSignedBinaries,Enable,True,OneNote - Applications that are distributed by the Microsoft Store are digitally signed by the Microsoft Store and adding this configuration allows binaries that have gone through the store certification process to be loaded by the application.
ONENOTE.EXE,EnforceModuleDependencySigning,Enable,True,OneNote - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
ONENOTE.EXE,EnableRopStackPivot,Enable,True,OneNote - helps protect against the Stack Pivot attack; a ROP attack where an attacker creates a fake stack in heap memory and then tricks the application into returning into the fake stack that controls the flow of execution.
ONENOTE.EXE,EnableRopCallerCheck,Enable,True,OneNote - a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller.
OUTLOOK.EXE,StrictHandle,Enable,True,Outlook - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
OUTLOOK.EXE,DisableExtensionPoints,Enable,True,Outlook - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
OUTLOOK.EXE,MicrosoftSignedOnly,Enable,True,Outlook - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
OUTLOOK.EXE,AllowStoreSignedBinaries,Enable,True,Outlook - Applications that are distributed by the Microsoft Store are digitally signed by the Microsoft Store and adding this configuration allows binaries that have gone through the store certification process to be loaded by the application.
OUTLOOK.EXE,EnforceModuleDependencySigning,Enable,True,Outlook - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
OUTLOOK.EXE,EnableRopStackPivot,Enable,True,Outlook - helps protect against the Stack Pivot attack; a ROP attack where an attacker creates a fake stack in heap memory and then tricks the application into returning into the fake stack that controls the flow of execution.
OUTLOOK.EXE,EnableRopCallerCheck,Enable,True,Outlook - a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller.
POWERPNT.EXE,StrictHandle,Enable,True,PowerPoint - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
POWERPNT.EXE,DisableExtensionPoints,Enable,True,PowerPoint - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
POWERPNT.EXE,MicrosoftSignedOnly,Enable,True,PowerPoint - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
POWERPNT.EXE,AllowStoreSignedBinaries,Enable,True,PowerPoint - Applications that are distributed by the Microsoft Store are digitally signed by the Microsoft Store and adding this configuration allows binaries that have gone through the store certification process to be loaded by the application.
POWERPNT.EXE,EnforceModuleDependencySigning,Enable,True,PowerPoint - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
POWERPNT.EXE,EnableRopStackPivot,Enable,True,PowerPoint - helps protect against the Stack Pivot attack; a ROP attack where an attacker creates a fake stack in heap memory and then tricks the application into returning into the fake stack that controls the flow of execution.
POWERPNT.EXE,EnableRopCallerCheck,Enable,True,PowerPoint - a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller.
WINWORD.EXE,StrictHandle,Enable,True,Word - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
WINWORD.EXE,DisableExtensionPoints,Enable,True,Word - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
WINWORD.EXE,MicrosoftSignedOnly,Enable,True,Word - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
WINWORD.EXE,AllowStoreSignedBinaries,Enable,True,Word - Applications that are distributed by the Microsoft Store are digitally signed by the Microsoft Store and adding this configuration allows binaries that have gone through the store certification process to be loaded by the application.
WINWORD.EXE,EnforceModuleDependencySigning,Enable,True,Word - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
WINWORD.EXE,EnableRopStackPivot,Enable,True,Word - helps protect against the Stack Pivot attack; a ROP attack where an attacker creates a fake stack in heap memory and then tricks the application into returning into the fake stack that controls the flow of execution.
WINWORD.EXE,EnableRopCallerCheck,Enable,True,Word - a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller.
lsass.exe,DisableExtensionPoints,Enable,False,Local Security Authority Subsystem Service - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
lsass.exe,BlockDynamicCode,Enable,False,Local Security Authority Subsystem Service - (a.k.a Arbitrary code guard) protects an application from executing dynamically generated code (code that isn't loaded for example from the exe itself or a dll).
lsass.exe,DisallowChildProcessCreation,Enable,False,Local Security Authority Subsystem Service
lsass.exe,BlockRemoteImageLoads,Enable,False,Protecting PPL process to prevent loading of DLLs from network locations such as SMB - WebDAV - etc.
lsass.exe,MicrosoftSignedOnly,Enable,False,(a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
SmartScreen.exe,DisableExtensionPoints,Enable,False,SmartScreen process - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
SmartScreen.exe,CFG,Enable,True,SmartScreen process - Enabled by default System-Wide
SmartScreen.exe,StrictCFG,Enable,True,SmartScreen process - In strict mode all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded.
SmartScreen.exe,MicrosoftSignedOnly,Enable,True,SmartScreen process - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
Regsvr32.exe,BlockLowLabelImageLoads,Enable,True,Register Server - prevents the application from loading files that are untrusted typically because they've been downloaded from the internet from a sandboxed browser.
WindowsSandbox.exe,StrictHandle,Enable,True,Windows Sandbox process - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
WindowsSandbox.exe,DisableExtensionPoints,Enable,True,Windows Sandbox process - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
WindowsSandbox.exe,CFG,Enable,True,Windows Sandbox process - Enabled by default System-Wide
WindowsSandbox.exe,StrictCFG,Enable,True,Windows Sandbox process - In strict mode all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded.
WindowsSandbox.exe,MicrosoftSignedOnly,Enable,True,Windows Sandbox process - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
WindowsSandbox.exe,EnforceModuleDependencySigning,Enable,True,Windows Sandbox process - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
WindowsSandbox.exe,BlockRemoteImageLoads,Enable,True,Windows Sandbox process - Prevents the application from loading images from remote devices.
WindowsSandbox.exe,BlockLowLabelImageLoads,Enable,True,Windows Sandbox process - prevents the application from loading files that are untrusted typically because they've been downloaded from the internet from a sandboxed browser.
WindowsSandbox.exe,EnableExportAddressFilter,Enable,True,Windows Sandbox process - mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack.
WindowsSandbox.exe,EnableExportAddressFilterPlus,Enable,True,Windows Sandbox process - (a.k.a EAF+) adds protections for other commonly attacked modules by expanding the support of EAF
WindowsSandboxClient.exe,StrictHandle,Enable,True,Windows Sandbox process - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
WindowsSandboxClient.exe,DisableExtensionPoints,Enable,True,Windows Sandbox process - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
WindowsSandboxClient.exe,CFG,Enable,True,Windows Sandbox process - Enabled by default System-Wide
WindowsSandboxClient.exe,StrictCFG,Enable,True,Windows Sandbox process - In strict mode all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded.
WindowsSandboxClient.exe,MicrosoftSignedOnly,Enable,True,Windows Sandbox process - (a.k.a Code integrity guard) ensures that all binaries loaded into a process are digitally signed by Microsoft.
WindowsSandboxClient.exe,EnforceModuleDependencySigning,Enable,True,Windows Sandbox process - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
WindowsSandboxClient.exe,BlockRemoteImageLoads,Enable,True,Windows Sandbox process - Prevents the application from loading images from remote devices.
WindowsSandboxClient.exe,BlockLowLabelImageLoads,Enable,True,Windows Sandbox process - prevents the application from loading files that are untrusted typically because they've been downloaded from the internet from a sandboxed browser.
WindowsSandboxClient.exe,EnableExportAddressFilter,Enable,True,Windows Sandbox process - mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack.
WindowsSandboxClient.exe,EnableExportAddressFilterPlus,Enable,True,Windows Sandbox process - (a.k.a EAF+) adds protections for other commonly attacked modules by expanding the support of EAF
RuntimeBroker.exe,DisableExtensionPoints,Enable,False,RuntimeBroker - Related to Microsoft Store apps and their permissions - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
RuntimeBroker.exe,CFG,Enable,False,RuntimeBroker - Related to Microsoft Store apps and their permissions - Enabled by default System-Wide
RuntimeBroker.exe,StrictCFG,Enable,False,RuntimeBroker - Related to Microsoft Store apps and their permissions - In strict mode all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded.
RuntimeBroker.exe,EnforceModuleDependencySigning,Enable,False,RuntimeBroker - Related to Microsoft Store apps and their permissions - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
msedgewebview2.exe,DisableExtensionPoints,Enable,True,Edge WebView 2 - Many components use it such as OneDrive;Quick Assist;Teams etc. - This mitigation disables various extension points for an application which might be used to establish persistence or elevate privileges of malicious content.
msedgewebview2.exe,CFG,Enable,True,Edge WebView 2 - Many components use it such as OneDrive;Quick Assist;Teams etc. - Enabled by default System-Wide
msedgewebview2.exe,StrictCFG,Enable,True,Edge WebView 2 - Many components use it such as OneDrive;Quick Assist;Teams etc. - In strict mode all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded.
msedgewebview2.exe,EnforceModuleDependencySigning,Enable,True,Edge WebView 2 - Many components use it such as OneDrive;Quick Assist;Teams etc. - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
csrss.exe,BlockRemoteImageLoads,Enable,True,Protecting PPL process to prevent loading of DLLs from network locations such as SMB - WebDAV - etc.
services.exe,BlockRemoteImageLoads,Enable,True,Protecting PPL process to prevent loading of DLLs from network locations such as SMB - WebDAV - etc.
rundll32.exe,BlockRemoteImageLoads,Enable,True,Prevent loading of DLLs from network locations such as SMB - WebDAV - etc.
rundll32.exe,BlockLowLabelImageLoads,Enable,True,Prevent loading of files that are untrusted typically because they've been downloaded from the internet from a sandboxed browser - Some malware uses rundll32.exe to load a malicious file that was just downloaded from the internet
SMSS.exe,BlockRemoteImageLoads,Enable,False,Protecting PPL process to prevent loading of DLLs from network locations such as SMB - WebDAV - etc. - It's called Session Manager SubSystem
Wininit.exe,BlockRemoteImageLoads,Enable,False,Protecting PPL process to prevent loading of DLLs from network locations such as SMB - WebDAV - etc. - It stands for Windows Initialization and is a process that is responsible for starting and terminating system services and processes during startup and shutdown
NisSrv.exe,MicrosoftSignedOnly,Enable,False,Protecting PPL process to prevent loading Non-Microsoft signed code into the process - This is a component of Microsoft Defender called Network Inspection Service