How to configure additional LSA Protection

Posted on 29/06/2023 (updated 25/03/2024) by Matthew

In today’s digital landscape, maintaining the security and integrity of sensitive data is of utmost importance. Windows operating systems provide various security features to safeguard critical system components and user credentials. Please see Smart App Control and how to enable Phishing Protection: Windows 11 New Security Features, and How to enable or disable Core Isolation Memory Integrity in Windows 10 and 11.

One such crucial component is the Local Security Authority Server Service (LSASS) process, responsible for validating user sign-ins and enforcing local security policies. Windows 8.1 and later versions offer additional protection called LSA (Local Security Authority) protection to bolster the security of the credentials managed by LSASS.

This feature aims to prevent unauthorized access, memory reading, and code injection by non-protected processes. By enabling LSA protection, administrators can reinforce the security measures surrounding user credentials, ensuring that they remain confidential and safeguarded against potential threats.

In this guide, we will explore different methods of configuration, including using the registry editor and leveraging group policies, to cater to the diverse needs and preferences of users. Additionally, we will discuss scenarios where LSA protection is automatically enabled and provide instructions on disabling the feature when necessary.

Here are other related guides on Windows security: How to turn on Windows 10 Tamper Protection for Microsoft Defender Part 1, and How to enable or disable Windows Defender Antivirus Periodic Scanning on Windows via Windows Security.

Configuring LSA Protection Using the Registry

Open the Registry Editor (RegEdit.exe) by searching for it in the Start menu.

Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Right-click the “RunAsPPL” value in the right pane and select “Modify.”

Set the Value data of the “RunAsPPL” registry value:

  • To configure the feature with a UEFI variable, set the Value data to 1.
  • To configure the feature without a UEFI variable (only on Windows 11, 22H2), set the Value data to 2.

Restart the computer for the changes to take effect.
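
The same registry change, scripted and then verified after the restart, as an added PowerShell example (not part of the original article). The function names are illustrative, and the post-boot check relies on Wininit event ID 12 in the System log, which Windows writes when LSASS starts as a protected process and which the article does not mention.

```powershell
#Requires -RunAsAdministrator
# Added example; function names are illustrative, not from the article.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-LsaProtection {
    param(
        # 1 = with a UEFI variable, 2 = without one (Windows 11, 22H2 only, per the article)
        [Parameter(Mandatory)][ValidateSet(1, 2)][int]$Value
    )
    # Creates RunAsPPL as a DWORD if it does not exist yet, otherwise overwrites it.
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value $Value -Type DWord
    Write-Warning 'RunAsPPL written. Restart the computer for the change to take effect.'
}

function Get-LsaProtectionState {
    $meaning = @{
        0 = 'Disabled'
        1 = 'Enabled with UEFI variable'
        2 = 'Enabled without UEFI variable'
    }
    $raw = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $configured = if ($null -eq $raw) {
        'RunAsPPL not present'
    } elseif ($meaning.ContainsKey([int]$raw)) {
        $meaning[[int]$raw]
    } else {
        "Unexpected value: $raw"
    }

    # The registry shows intent only. Wininit event 12 in the System log shows
    # that LSASS actually started as a protected process on the current boot.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $started = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $boot
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Configured        = $configured
        ProtectedThisBoot = [bool]$started
        EventMessage      = $started.Message
    }
}

# Set-LsaProtection -Value 1   # uncomment to enable with a UEFI variable
Get-LsaProtectionState
```

A configured value of 1 or 2 with `ProtectedThisBoot` reported as false means the setting has been written but has not taken effect on the running system.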

Please see How to enable or disable Windows Defender Credential Guard, How to install additional packages via Cygwin, and how to install and configure Active Directory Certificate Services. Learn more on Environment variables in Windows 10.

Configuring LSA Protection Using Local Group Policy

Press the “Windows + R” keys together to open Run, type “gpedit.msc” and press Enter to launch the Local Group Policy Editor.

Navigate to the following path:

Computer Configuration >> Administrative Templates >> System >> Local Security Authority

Open the “Configure LSASS to run as a protected process” policy.

Set the policy to “Enabled.” Under Options, set “Configure LSA to run as a protected process” to:

  • “Enabled with UEFI Lock” to configure the feature with a UEFI variable.
  • “Enabled without UEFI Lock” to configure the feature without a UEFI variable.

Restart the computer for the changes to take effect.

LSA Protection Automatic Enablement

For devices running Windows RT 8.1, additional LSA protection is always enabled and cannot be turned off.

For client devices running Windows 11, 22H2, additional LSA protection will be enabled by default if the following criteria are met:

  • The device is a new install of Windows 11, 22H2 (not upgraded from a previous release).
  • The device is enterprise joined (Active Directory domain joined, Azure AD domain joined, or hybrid Azure AD domain joined).
  • The device is capable of Hypervisor-protected code integrity (HVCI).

Please note that automatic enablement of additional LSA protection on Windows 11, 22H2 does not set a UEFI variable for the feature. If you want to set a UEFI variable, you can use a registry configuration or policy.

How to Disable LSA Protection Using the Registry

Open the Registry Editor (RegEdit.exe).

Navigate to the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Set the “RunAsPPL” Value data to 0, or delete the DWORD.

If LSA protection was enabled with a UEFI variable, use the Local Security Authority Protected Process Opt-out tool to remove the UEFI variable.

Restart the computer.

How to Disable LSA Protection Using Local Policy on Windows

Open the Local Group Policy Editor (gpedit.msc). Navigate to the following path:

Computer Configuration >> Administrative Templates >> System >> Local Security Authority

Open the “Configure LSASS to run as a protected process” policy. Set the policy to “Enabled.”

Under Options, set “Configure LSA to run as a protected process” to “Disabled.”

Restart the computer.

Note: If the policy was previously enabled and you set it to “Not Configured,” the previous setting will continue to be enforced. To disable the feature, set the policy to “Disabled” under the “Configure LSASS to run as a protected process” dropdown.

Conclusion

Configuring additional LSA protection on Windows devices is a critical step in fortifying the security of user credentials and system components. By enabling LSA protection, users can prevent unauthorized access, memory reading, and code injection, enhancing the overall security posture of their systems.

I hope you found this article useful on How to configure additional LSA Protection. Please let me know in the comment section if you have any questions.
