From c43e3f8550e7bdde12f15f74710a737da645860b Mon Sep 17 00:00:00 2001 From: mapalko <20977663+mapalko@users.noreply.github.com> Date: Fri, 26 Aug 2022 14:43:05 -0700 Subject: [PATCH] add LSA file --- .../client-management/mdm/policy-csp-lsa.md | 131 ++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-lsa.md diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md new file mode 100644 index 0000000000..68e901da4f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-lsa.md @@ -0,0 +1,131 @@ +--- +title: Policy CSP - LocalSecurityAuthority +description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: dansimp +ms.localizationpriority: medium +ms.date: 08/26/2022 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - LocalSecurity Authority + + +
+ + +## LocalSecurityAuthority policies + +
+
+ LocalSecurityAuthority/AllowCustomSSPsAPs +
+
+ LocalSecurityAuthority/ConfigureLsaProtectedProcess +
+
+ +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +
+ + +**LocalSecurityAuthority/AllowCustomSSPsAPs** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs). + +If you enable this policy setting or do not configure it, LSASS will allow loading of custom SSPs and APs. + +If you disable this policy setting, LSASS will block custom SSPs and APs from loading. + + + + +ADMX Info: +- GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS* +- GP name: *AllowCustomSSPsAPs* +- GP path: *System/Local Security Authority* +- GP ADMX file name: *LocalSecurityAuthority.admx* + + + + +
+ + +**Kerberos/ConfigureLsaProtectedProcess** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process. + +If you disable (0) or do not configure this policy setting, LSASS will not run as a protected process. + +If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable. + +If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting will not be stored in a UEFI variable. + + + + +ADMX Info: +- GP Friendly name: *Configure LSASS to run as a protected process* +- GP name: *ConfigureLsaProtectedProcess* +- GP path: *System/Local Security Authority* +- GP ADMX file name: *LocalSecurityAuthority.admx* + +
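Review bot: the second policy heading is mislabelled: it reads `**Kerberos/ConfigureLsaProtectedProcess**` while the anchor list at the top of the page and the `GP name: *ConfigureLsaProtectedProcess*` entry both place this policy under LocalSecurityAuthority, so the in-page link `LocalSecurityAuthority/ConfigureLsaProtectedProcess` will not resolve to this section and the policy reads as if it belonged to the Kerberos CSP; change the heading to `**LocalSecurityAuthority/ConfigureLsaProtectedProcess**`. Two further copy-paste leftovers in the same file: the front-matter `description:` still describes the Kerberos trusting-forests policy rather than the LSA policies documented here, and the H1 `# Policy CSP - LocalSecurity Authority` has a stray space that disagrees with the `title:` field. Finally, the 0/1/2 value mapping for ConfigureLsaProtectedProcess is stated only inside the prose ("disable (0)", "with UEFI lock (1)", "without UEFI lock (2)"); since the TIP above tells readers to send these as `<Format>chr</Format>` ADMX-backed SyncML, a short list of the supported values would make clear which value goes in the payload.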