add LSA file

windows/client-management/mdm/policy-csp-lsa.md

@@ -0,0 +1,131 @@
+---
+title: Policy CSP - LocalSecurityAuthority
+description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: dansimp
+ms.localizationpriority: medium
+ms.date: 08/26/2022
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - LocalSecurity Authority
+
+
+<hr/>
+
+<!--Policies-->
+## LocalSecurityAuthority policies
+
+<dl>
+  <dd>
+    <a href="#localsecurityauthority-allowcustomsspsaps">LocalSecurityAuthority/AllowCustomSSPsAPs</a>
+  </dd>
+  <dd>
+    <a href="#localsecurityauthority-configurelsaprotectedprocess">LocalSecurityAuthority/ConfigureLsaProtectedProcess</a>
+  </dd>
+</dl>
+
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="localsecurityauthority-allowcustomsspsaps"></a>**LocalSecurityAuthority/AllowCustomSSPsAPs**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs).
+
+If you enable this policy setting or do not configure it, LSASS will allow loading of custom SSPs and APs.
+
+If you disable this policy setting, LSASS will block custom SSPs and APs from loading.
+
+<!--/Description-->
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS*
+-   GP name: *AllowCustomSSPsAPs*
+-   GP path: *System/Local Security Authority*
+-   GP ADMX file name: *LocalSecurityAuthority.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="localsecurityauthority-configurelsaprotectedprocess"></a>**Kerberos/ConfigureLsaProtectedProcess**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process.
+
+If you disable (0) or do not configure this policy setting, LSASS will not run as a protected process.
+
+If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable.
+
+If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting will not be stored in a UEFI variable.
+
+<!--/Description-->
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Configure LSASS to run as a protected process*
+-   GP name: *ConfigureLsaProtectedProcess*
+-   GP path: *System/Local Security Authority*
+-   GP ADMX file name: *LocalSecurityAuthority.admx*
+
+<!--/ADMXBacked-->