localusersandgroups lockdown lsa

This commit is contained in:
Liz Long 2023-01-03 14:36:23 -05:00
parent 4b84283544
commit 9d3c5d14d9
3 changed files with 332 additions and 270 deletions

View File

@ -1,65 +1,139 @@
--- ---
title: Policy CSP - LocalUsersAndGroups title: LocalUsersAndGroups Policy CSP
description: Policy CSP - LocalUsersAndGroups description: Learn more about the LocalUsersAndGroups Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 01/03/2023
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 10/14/2020
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- LocalUsersAndGroups-Begin -->
# Policy CSP - LocalUsersAndGroups # Policy CSP - LocalUsersAndGroups
<hr/> <!-- LocalUsersAndGroups-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LocalUsersAndGroups-Editable-End -->
<!--Policies--> <!-- Configure-Begin -->
## LocalUsersAndGroups policies ## Configure
<dl> <!-- Configure-Applicability-Begin -->
<dd> | Scope | Editions | Applicable OS |
<a href="#localusersandgroups-configure">LocalUsersAndGroups/Configure</a> |:--|:--|:--|
</dd> | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later |
</dl> <!-- Configure-Applicability-End -->
<hr/> <!-- Configure-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
```
<!-- Configure-OmaUri-End -->
<!--Policy--> <!-- Configure-Description-Begin -->
<a href="" id="localusersandgroups-configure"></a>**LocalUsersAndGroups/Configure** <!-- Description-Source-DDF -->
This Setting allows an administrator to manage local groups on a Device. Possible settings: 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. When using Update, existing group members that are not specified in the policy remain untouched. 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. When using Replace, existing group membership is replaced by the list of members specified in the add member section. This option works in the same way as a Restricted Group and any group members that are not specified in the policy are removed.
<!--SupportedSKUs--> > [!CAUTION]
> If the same group is configured with both Replace and Update, then Replace will win.
|Edition|Windows 10|Windows 11| <!-- Configure-Description-End -->
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device.
<!-- Configure-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. > The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
> >
> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. > Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
<!-- Configure-Editable-End -->
<!-- Configure-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Configure-DFProperties-End -->
<!-- Configure-AllowedValues-Begin -->
**Allowed values**:
<br>
<details>
<summary>Expand to see schema XML</summary>
```xml
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
<xs:simpleType name="name">
<xs:restriction base="xs:string">
<xs:maxLength value="255" />
</xs:restriction>
</xs:simpleType>
<xs:element name="accessgroup">
<xs:complexType>
<xs:sequence>
<xs:element name="group" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Group Configuration Action</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="action" type="name" use="required" />
</xs:complexType>
</xs:element>
<xs:element name="add" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group Member to Add</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="member" type="name" use="required" />
</xs:complexType>
</xs:element>
<xs:element name="remove" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group Member to Remove</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="member" type="name" use="required" />
</xs:complexType>
</xs:element>
<xs:element name="property" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group property to configure</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="desc" type="name" use="required" />
<xs:attribute name="value" type="name" use="required" />
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="desc" type="name" use="required" />
</xs:complexType>
</xs:element>
<xs:element name="GroupConfiguration">
<xs:complexType>
<xs:sequence>
<xs:element name="accessgroup" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Local Group Configuration</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
</details>
<!-- Configure-AllowedValues-End -->
<!-- Configure-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**Example**:
Here is an example of the policy definition XML for group configuration: Here is an example of the policy definition XML for group configuration:
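Review bot: the new DDF-sourced description (the paragraph beginning "This Setting allows an administrator to manage local groups") has a typo: "though the 'U' action" should read "through the 'U' action", and "This Setting" should be lowercase "setting". Because that paragraph sits between `<!-- Description-Source-DDF -->` and `<!-- Configure-Description-End -->`, the fix belongs in the DDF source rather than in this file, or regeneration will put the typo back; the same goes for turning the inline "1. Update Group Membership ... 2. Replace Group Membership ..." run into a two-item list, which would read better. Separately, the old SupportedSKUs table listed Business as supported on both Windows 10 and Windows 11, but the new Editions column (Home, Pro, Enterprise, Education, Windows SE) has no Business entry; confirm that omission is intended.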
@ -95,14 +169,10 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura
> - `<remove member>` is not valid for the R (Restrict) action and will be ignored if present. > - `<remove member>` is not valid for the R (Restrict) action and will be ignored if present.
> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. > - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
**Examples** **Examples**
Example 1: Azure Active Directory focused. **Example 1**: Azure Active Directory focused.
The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
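Review bot: bolding "Example 1" matches the other examples, but the section now carries three stacked example headings: `**Example**:` followed by "Here is an example of the policy definition XML for group configuration:" at the top, then `**Examples**` here, then `**Example**:` again before the Example 2 XML. Consider dropping the standalone `**Examples**` line so the generator's own `**Example**:` lead-in is the single top-level heading and the bold `**Example N**:` lines act as sub-labels. Also, the Azure AD group SID `S-1-12-1-111111111-22222222222-3333333333-4444444444` keeps an 11-digit middle component; SID sub-authorities are 32-bit values, so this cannot be a real SID, which is fine for a placeholder but a pattern with 10-digit components would look valid to someone templating from it.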
@ -116,12 +186,13 @@ The following example updates the built-in administrators group with the SID **S
</GroupConfiguration> </GroupConfiguration>
``` ```
Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account. **Example 2**: Replace / Restrict the built-in administrators group with an Azure AD user account.
> [!NOTE] > [!NOTE]
> When using the R replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. > When using the R replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group.
Example: **Example**:
```xml ```xml
<GroupConfiguration> <GroupConfiguration>
<accessgroup desc = "S-1-5-21-2222222222-3333333333-4444444444-500"> <accessgroup desc = "S-1-5-21-2222222222-3333333333-4444444444-500">
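Review bot: the note above Example 2 describes `S-1-5-21-2222222222-3333333333-4444444444-500` as "the built-in Administrators group", and the `<accessgroup desc = "S-1-5-21-2222222222-3333333333-4444444444-500">` line targets that same value. In a `S-1-5-21-...` SID, RID 500 identifies the built-in Administrator user account, not the Administrators group (the local Administrators group is the well-known SID S-1-5-32-544). Since the note then says the administrator "must always be a member of the administrators group", please confirm which SID `desc` is meant to carry and align the wording with it; this is unchanged context, but the heading rename touches the same example, so it is a good moment to fix it.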
@ -132,7 +203,7 @@ Example:
</GroupConfiguration> </GroupConfiguration>
``` ```
Example 3: Update action for adding and removing group members on a hybrid joined machine. **Example 3**: Update action for adding and removing group members on a hybrid joined machine.
The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
@ -147,13 +218,6 @@ The following example shows how you can update a local group (**Administrators**
</GroupConfiguration> </GroupConfiguration>
``` ```
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
> [!NOTE] > [!NOTE]
> >
> When Azure Active Directory group SIDs are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: > When Azure Active Directory group SIDs are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
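Review bot: the `>` line with no text directly after `> [!NOTE]` is an empty quoted line inside the alert; the other alerts in this file (the Example 2 note and the Configure-Editable note) put the body on the line right after `[!NOTE]`, so drop the blank quoted line for consistency. Removing the old `<!--/Example-->`, `<!--Validation-->` and `<!--/Policy-->` markers plus the `<hr/>` is fine now that the generator's `Configure-Examples-Begin/End` pair delimits this section, and this note on which well-known groups get Azure AD logon-privilege evaluation now sits inside that pair, which is what keeps it on regeneration.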
@ -233,70 +297,16 @@ To troubleshoot Name/SID lookup APIs:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force
``` ```
<!-- Configure-Examples-End -->
```xml <!-- Configure-End -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
<xs:simpleType name="name">
<xs:restriction base="xs:string">
<xs:maxLength value="255" />
</xs:restriction>
</xs:simpleType>
<xs:element name="accessgroup">
<xs:complexType>
<xs:sequence>
<xs:element name="group" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Group Configuration Action</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="action" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="add" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group Member to Add</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="member" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="remove" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group Member to Remove</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="member" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="property" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group property to configure</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="desc" type="name" use="required"/>
<xs:attribute name="value" type="name" use="required"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="desc" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="GroupConfiguration">
<xs:complexType>
<xs:sequence>
<xs:element name="accessgroup" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Local Group Configuration</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
<!--/Policies--> <!-- LocalUsersAndGroups-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- LocalUsersAndGroups-CspMoreInfo-End -->
## Related topics <!-- LocalUsersAndGroups-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)
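Review bot: the troubleshooting block that ends with `Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force` now falls inside the `Configure-Examples-Begin/End` section, so it survives regeneration, but the file-level `LocalUsersAndGroups-CspMoreInfo-Begin/End` block immediately below is empty; Name/SID lookup troubleshooting fits that CSP-level block better than the per-policy Examples block, and moving it would keep Examples limited to policy XML. The removed inline schema duplicated the one now shown under "Allowed values" in the collapsed `<details>` block, differing only in `use="required"/>` versus `use="required" />`, so no content is lost; just check that nothing links to the old bottom-of-page location.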

View File

@ -1,84 +1,98 @@
--- ---
title: Policy CSP - LockDown title: LockDown Policy CSP
description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch. description: Learn more about the LockDown Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 01/03/2023
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- LockDown-Begin -->
# Policy CSP - LockDown # Policy CSP - LockDown
<hr/> <!-- LockDown-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LockDown-Editable-End -->
<!--Policies--> <!-- AllowEdgeSwipe-Begin -->
## LockDown policies ## AllowEdgeSwipe
<dl> <!-- AllowEdgeSwipe-Applicability-Begin -->
<dd> | Scope | Editions | Applicable OS |
<a href="#lockdown-allowedgeswipe">LockDown/AllowEdgeSwipe</a> |:--|:--|:--|
</dd> | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
</dl> <!-- AllowEdgeSwipe-Applicability-End -->
<hr/> <!-- AllowEdgeSwipe-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LockDown/AllowEdgeSwipe
```
<!-- AllowEdgeSwipe-OmaUri-End -->
<!--Policy--> <!-- AllowEdgeSwipe-Description-Begin -->
<a href="" id="lockdown-allowedgeswipe"></a>**LockDown/AllowEdgeSwipe** <!-- Description-Source-ADMX -->
If you disable this policy setting, users will not be able to invoke any system UI by swiping in from any screen edge.
<!--SupportedSKUs--> If you enable or do not configure this policy setting, users will be able to invoke system UI by swiping in from the screen edges.
<!-- AllowEdgeSwipe-Description-End -->
|Edition|Windows 10|Windows 11| <!-- AllowEdgeSwipe-Editable-Begin -->
|--- |--- |--- | <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied, and then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange, that will also be disabled. The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied, and then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange, that will also be disabled.
<!-- AllowEdgeSwipe-Editable-End -->
<!--/Description--> <!-- AllowEdgeSwipe-DFProperties-Begin -->
<!--ADMXMapped--> **Description framework properties**:
ADMX Info:
- GP Friendly name: *Allow edge swipe*
- GP name: *AllowEdgeSwipe*
- GP path: *Windows Components/Edge UI*
- GP ADMX file name: *EdgeUI.admx*
<!--/ADMXMapped--> | Property name | Property value |
<!--SupportedValues--> |:--|:--|
The following list shows the supported values: | Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- AllowEdgeSwipe-DFProperties-End -->
- 0 - disallow edge swipe. <!-- AllowEdgeSwipe-AllowedValues-Begin -->
- 1 (default, not configured) - allow edge swipe. **Allowed values**:
<!--/SupportedValues--> | Value | Description |
<!--/Policy--> |:--|:--|
<hr/> | 0 | Disallow edge swipe. |
| 1 (Default) | Allow edge swipe. |
<!-- AllowEdgeSwipe-AllowedValues-End -->
<!--/Policies--> <!-- AllowEdgeSwipe-GpMapping-Begin -->
**Group policy mapping**:
## Related topics | Name | Value |
|:--|:--|
| Name | AllowEdgeSwipe |
| Friendly Name | Allow edge swipe |
| Location | Computer and User Configuration |
| Path | Windows Components > Edge UI |
| Registry Key Name | Software\Policies\Microsoft\Windows\EdgeUI |
| Registry Value Name | AllowEdgeSwipe |
| ADMX File Name | EdgeUI.admx |
<!-- AllowEdgeSwipe-GpMapping-End -->
[Policy configuration service provider](policy-configuration-service-provider.md) <!-- AllowEdgeSwipe-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowEdgeSwipe-Examples-End -->
<!-- AllowEdgeSwipe-End -->
<!-- LockDown-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- LockDown-CspMoreInfo-End -->
<!-- LockDown-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
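Review bot: the Group policy mapping table lists Location as "Computer and User Configuration", while the Scope column of the applicability table marks Device with :heavy_check_mark: and User with :x:. If the ADMX really carries both classes, a sentence in the Editable block noting that the CSP exposes only the device scope would avoid confusion; if it does not, the mapping row should read "Computer Configuration" as the LocalSecurityAuthority mappings in this same commit do. The front-matter description also goes from the specific "Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch." to the generic "Learn more about the LockDown Area in Policy CSP"; if the generator owns the description, consider keeping the old sentence in the Editable block so the page states what the policy does before the ADMX text. As in the other files, the old SupportedSKUs table listed Business as supported and the new Editions column does not mention it.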

View File

@ -1,131 +1,169 @@
--- ---
title: Policy CSP - LocalSecurityAuthority title: LocalSecurityAuthority Policy CSP
description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS). description: Learn more about the LocalSecurityAuthority Area in Policy CSP
ms.author: vinpa
author: vinaypamnani-msft author: vinaypamnani-msft
ms.reviewer:
manager: aaroncz manager: aaroncz
ms.topic: reference ms.author: vinpa
ms.date: 01/03/2023
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
ms.localizationpriority: medium ms.topic: reference
ms.date: 08/26/2022
--- ---
# Policy CSP - LocalSecurity Authority <!-- Auto-Generated CSP Document -->
<!-- LocalSecurityAuthority-Begin -->
<hr/> # Policy CSP - LocalSecurityAuthority
<!--Policies-->
## LocalSecurityAuthority policies
<dl>
<dd>
<a href="#localsecurityauthority-allowcustomsspsaps">LocalSecurityAuthority/AllowCustomSSPsAPs</a>
</dd>
<dd>
<a href="#localsecurityauthority-configurelsaprotectedprocess">LocalSecurityAuthority/ConfigureLsaProtectedProcess</a>
</dd>
</dl>
> [!TIP] > [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). > Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> >
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> >
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- LocalSecurityAuthority-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LocalSecurityAuthority-Editable-End -->
<hr/> <!-- AllowCustomSSPsAPs-Begin -->
## AllowCustomSSPsAPs
<!--Policy--> <!-- AllowCustomSSPsAPs-Applicability-Begin -->
<a href="" id="localsecurityauthority-allowcustomsspsaps"></a>**LocalSecurityAuthority/AllowCustomSSPsAPs** | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- AllowCustomSSPsAPs-Applicability-End -->
<!--SupportedSKUs--> <!-- AllowCustomSSPsAPs-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/AllowCustomSSPsAPs
```
<!-- AllowCustomSSPsAPs-OmaUri-End -->
|Edition|Windows 10|Windows 11| <!-- AllowCustomSSPsAPs-Description-Begin -->
|--- |--- |--- | <!-- Description-Source-ADMX -->
|Home|No|No| This policy controls the configuration under which LSASS loads custom SSPs and APs.
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded.
<hr/>
<!--Scope--> If you disable this setting, LSA does not load custom SSPs and APs.
[Scope](./policy-configuration-service-provider.md#policy-scope): <!-- AllowCustomSSPsAPs-Description-End -->
> [!div class = "checklist"] <!-- AllowCustomSSPsAPs-Editable-Begin -->
> * Device <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowCustomSSPsAPs-Editable-End -->
<hr/> <!-- AllowCustomSSPsAPs-DFProperties-Begin -->
**Description framework properties**:
<!--/Scope--> | Property name | Property value |
<!--Description--> |:--|:--|
This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs). | Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- AllowCustomSSPsAPs-DFProperties-End -->
If you enable this policy setting or don't configure it, LSASS will allow loading of custom SSPs and APs. <!-- AllowCustomSSPsAPs-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
If you disable this policy setting, LSASS will block custom SSPs and APs from loading. **ADMX mapping**:
<!--/Description--> | Name | Value |
|:--|:--|
| Name | AllowCustomSSPsAPs |
| Friendly Name | Allow Custom SSPs and APs to be loaded into LSASS |
| Location | Computer Configuration |
| Path | System > Local Security Authority |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| Registry Value Name | AllowCustomSSPsAPs |
| ADMX File Name | LocalSecurityAuthority.admx |
<!-- AllowCustomSSPsAPs-AdmxBacked-End -->
<!--ADMXBacked--> <!-- AllowCustomSSPsAPs-Examples-Begin -->
ADMX Info: <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
- GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS* <!-- AllowCustomSSPsAPs-Examples-End -->
- GP name: *AllowCustomSSPsAPs*
- GP path: *System/Local Security Authority*
- GP ADMX file name: *LocalSecurityAuthority.admx*
<!--/ADMXBacked--> <!-- AllowCustomSSPsAPs-End -->
<!--/Policy-->
<hr/> <!-- ConfigureLsaProtectedProcess-Begin -->
## ConfigureLsaProtectedProcess
<!--Policy--> <!-- ConfigureLsaProtectedProcess-Applicability-Begin -->
<a href="" id="localsecurityauthority-configurelsaprotectedprocess"></a>**Kerberos/ConfigureLsaProtectedProcess** | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- ConfigureLsaProtectedProcess-Applicability-End -->
<!--SupportedSKUs--> <!-- ConfigureLsaProtectedProcess-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess
```
<!-- ConfigureLsaProtectedProcess-OmaUri-End -->
|Edition|Windows 10|Windows 11| <!-- ConfigureLsaProtectedProcess-Description-Begin -->
|--- |--- |--- | <!-- Description-Source-ADMX -->
|Home|No|No| This policy controls the configuration under which LSASS is run.
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration is not UEFI locked. This can be overridden if the policy is configured.
<hr/>
<!--Scope--> If you configure and set this policy setting to "Disabled", LSA will not run as a protected process.
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] If you configure and set this policy setting to "EnabledWithUEFILock," LSA will run as a protected process and this configuration is UEFI locked.
> * Device
<hr/> If you configure and set this policy setting to "EnabledWithoutUEFILock", LSA will run as a protected process and this configuration is not UEFI locked.
<!-- ConfigureLsaProtectedProcess-Description-End -->
<!--/Scope--> <!-- ConfigureLsaProtectedProcess-Editable-Begin -->
<!--Description--> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process. <!-- ConfigureLsaProtectedProcess-Editable-End -->
If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process. <!-- ConfigureLsaProtectedProcess-DFProperties-Begin -->
**Description framework properties**:
If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable. | Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureLsaProtectedProcess-DFProperties-End -->
If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting won't be stored in a UEFI variable. <!-- ConfigureLsaProtectedProcess-AllowedValues-Begin -->
**Allowed values**:
<!--/Description--> | Value | Description |
|:--|:--|
| 0 (Default) | Disabled. Default value. LSA will not run as protected process. |
| 1 | Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked. |
| 2 | Enabled without UEFI lock. LSA will run as protected process and this configuration is not UEFI locked. |
<!-- ConfigureLsaProtectedProcess-AllowedValues-End -->
<!--ADMXBacked--> <!-- ConfigureLsaProtectedProcess-GpMapping-Begin -->
ADMX Info: **Group policy mapping**:
- GP Friendly name: *Configure LSASS to run as a protected process*
- GP name: *ConfigureLsaProtectedProcess*
- GP path: *System/Local Security Authority*
- GP ADMX file name: *LocalSecurityAuthority.admx*
<!--/ADMXBacked--> | Name | Value |
|:--|:--|
| Name | ConfigureLsaProtectedProcess |
| Friendly Name | Configures LSASS to run as a protected process |
| Location | Computer Configuration |
| Path | System > Local Security Authority |
| Registry Key Name | System\CurrentControlSet\Control\Lsa |
| ADMX File Name | LocalSecurityAuthority.admx |
<!-- ConfigureLsaProtectedProcess-GpMapping-End -->
<!-- ConfigureLsaProtectedProcess-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureLsaProtectedProcess-Examples-End -->
<!-- ConfigureLsaProtectedProcess-End -->
<!-- LocalSecurityAuthority-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- LocalSecurityAuthority-CspMoreInfo-End -->
<!-- LocalSecurityAuthority-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
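Review bot: the page-level tip says "Some of these are ADMX-backed policies" and then "You must specify the data type in the SyncML as `<Format>chr</Format>`", but only AllowCustomSSPsAPs is ADMX-backed (it has its own `AllowCustomSSPsAPs-AdmxBacked` tip and `Format | chr (string)`); ConfigureLsaProtectedProcess is a regular policy with `Format | int`, `Default Value | 0` and a Group policy mapping rather than an ADMX mapping, so the blanket `chr` instruction is wrong for it. Either move the SyncML and CDATA guidance into the AllowCustomSSPsAPs section, where a tip to that effect already exists, or qualify it with the policy name. Second, the ConfigureLsaProtectedProcess description now says that when the policy is not configured and there is no registry setting, LSA runs as a protected process on clean-installed, HVCI-capable, domain- or cloud-domain-joined client SKUs, while the properties table says `Default Value | 0` and the allowed-values table says "0 (Default) | Disabled. Default value. LSA will not run as protected process."; these read as contradictory unless 0 means an explicitly written value. A sentence distinguishing "not configured" from "configured as 0" would resolve it, and it matters to anyone auditing LSA protection, because the old wording ("If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process") said the opposite for the not-configured case. Third, the ConfigureLsaProtectedProcess Group policy mapping has no `Registry Value Name` row, unlike the AllowCustomSSPsAPs and AllowEdgeSwipe mappings; add it from the ADMX. Minor: `"EnabledWithUEFILock,"` places the comma inside the quotes while `"EnabledWithoutUEFILock",` places it outside. Dropping the stale `**Kerberos/ConfigureLsaProtectedProcess**` label and the "LocalSecurity Authority" title is a good fix.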