Reversing a Windows Kernel Exploit Mitigation - Do Not Allow Child Processes

I'm doing a series of streams to do a deep dive into the various exploit mitigations introduced over the years by Microsoft, into the Windows OS. Some of them are user mode mitigations and others are kernel mode mitigations. This stream will be specifically looking at the "Do not allow child processes" mitigations, which I had thought was a user mode enforced control. When taking a deeper look at it, I quickly discovered that it's actually enforced by the kernel.