2023-01-03 14:36:23 -05:00

title: LocalSecurityAuthority Policy CSP
description: Learn more about the LocalSecurityAuthority Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference

Policy CSP - LocalSecurityAuthority

Tip

Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

AllowCustomSSPsAPs

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✔️ Device, ❌ User | ❌ Home, ✔️ Pro, ✔️ Enterprise, ✔️ Education, ✔️ Windows SE | ✔️ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/AllowCustomSSPsAPs

This policy controls whether LSASS loads custom Security Support Providers (SSPs) and Authentication Packages (APs). Any SSP or AP DLL loaded into LSASS runs with access to the credentials LSASS handles, so disabling this setting is a hardening measure against malicious SSP/AP DLLs registered for persistence or credential theft.

If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded.

If you disable this setting, LSA does not load custom SSPs and APs.

Description framework properties:

| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For details, see Understanding ADMX-backed policies.

ADMX mapping:

| Name | Value |
|:--|:--|
| Name | AllowCustomSSPsAPs |
| Friendly Name | Allow Custom SSPs and APs to be loaded into LSASS |
| Location | Computer Configuration |
| Path | System > Local Security Authority |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| Registry Value Name | AllowCustomSSPsAPs |
| ADMX File Name | LocalSecurityAuthority.admx |
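The SyncML an MDM server sends for this ADMX-backed policy, built as an added example (not code from the original Microsoft page). The LocURI, the chr format and the `<enabled/>`/`<disabled/>` payload convention come from the policy description and the ADMX-backed policy tip above; the payload is wrapped in CDATA so it needs no XML encoding, and the function name and the parse-back check are this example's own additions.

```powershell
# Added example (not part of the original Microsoft page): build the SyncML
# that disables the ADMX-backed AllowCustomSSPsAPs policy.
# LocURI, chr format and the <disabled/> payload follow the policy description
# above; CDATA is used so the payload needs no XML entity encoding.

function New-AdmxPolicySyncML {
    param(
        [Parameter(Mandatory)] [string] $LocUri,
        [Parameter(Mandatory)] [ValidateSet('enabled', 'disabled')] [string] $State,
        [int] $CmdId = 1
    )

    # ADMX-backed policies take an XML fragment as their data. CDATA avoids
    # writing &lt;disabled/&gt; by hand; if your MDM does not accept CDATA,
    # entity-encode the fragment instead.
    $payload = "<![CDATA[<$State/>]]>"

    @"
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>$CmdId</CmdID>
      <Item>
        <Target>
          <LocURI>$LocUri</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>$payload</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
"@
}

$uri = './Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/AllowCustomSSPsAPs'

# Hardened configuration: LSASS refuses to load custom SSPs and APs.
# (Note that the ADMX "Enabled" state is the permissive one for this policy.)
$disable = New-AdmxPolicySyncML -LocUri $uri -State disabled

# Sanity check before handing the document to the MDM: it must still parse as
# XML, and the CDATA payload must come back as the bare <disabled/> fragment.
[xml]$doc = $disable
$data = $doc.SelectSingleNode('//*[local-name()="Data"]').InnerText
if ($data -ne '<disabled/>') { throw "Unexpected payload: $data" }

$disable
```

Swap `-State enabled` to return to the permissive default; the only difference in the document is the fragment inside the CDATA section. The same shape, with `<Format xmlns="syncml:metinf">int</Format>` and a plain numeric `<Data>`, is what the non-ADMX ConfigureLsaProtectedProcess policy below takes.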

ConfigureLsaProtectedProcess

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✔️ Device, ❌ User | ❌ Home, ✔️ Pro, ✔️ Enterprise, ✔️ Education, ✔️ Windows SE | ✔️ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess

This policy controls whether LSASS runs as a protected process (PPL, Protected Process Light), which prevents unprotected processes, even those running as SYSTEM or with SeDebugPrivilege, from opening LSASS to read or inject into its memory.

If you do not configure this policy and there is no current setting in the registry, LSA runs as a protected process on clean-installed, HVCI-capable client SKUs that are domain-joined or cloud-domain-joined. This default configuration is not UEFI locked, and it is overridden if the policy is configured.

If you configure and set this policy setting to "Disabled", LSA will not run as a protected process.

If you configure and set this policy setting to "EnabledWithUEFILock", LSA will run as a protected process and this configuration is UEFI locked: the setting is also stored in a UEFI variable, so it persists even if the policy is later removed or disabled and cannot be undone by changing the policy or the registry alone.

If you configure and set this policy setting to "EnabledWithoutUEFILock", LSA will run as a protected process and this configuration is not UEFI locked.

Description framework properties:

| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |

Allowed values:

| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. LSA will not run as a protected process. |
| 1 | Enabled with UEFI lock. LSA will run as a protected process and this configuration is UEFI locked. |
| 2 | Enabled without UEFI lock. LSA will run as a protected process and this configuration is not UEFI locked. |

The default value of 0 describes the policy once it is configured; it is not the behavior of an unconfigured device, where the OS default described above applies.

Group policy mapping:

| Name | Value |
|:--|:--|
| Name | ConfigureLsaProtectedProcess |
| Friendly Name | Configures LSASS to run as a protected process |
| Location | Computer Configuration |
| Path | System > Local Security Authority |
| Registry Key Name | System\CurrentControlSet\Control\Lsa |
| ADMX File Name | LocalSecurityAuthority.admx |
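A device-side check, added here as an example (not code from the original Microsoft page), that reports what state both policies in this area actually produced. It reads the registry locations from the two mappings above; the RunAsPPL value under the Lsa key is the one named in Microsoft's LSA protection documentation, and the runtime confirmation is Wininit event 12 in the System log ("LSASS.exe was started as a protected process"). The function name, the event-message filter and the ADMX 0/1 interpretation of AllowCustomSSPsAPs are this example's assumptions.

```powershell
# Added example, not from the original Microsoft page: report the LSA protection
# and custom SSP/AP state a Windows 11 22H2+ device ended up in after policy
# applied. RunAsPPL is the Lsa-key value Microsoft's LSA protection docs name;
# Wininit event 12 is the boot-time confirmation. Run elevated.

function Get-LsaProtectionState {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # Same meanings as the policy's allowed values. A missing value is "not
    # configured": the OS default (protected on clean-installed, HVCI-capable,
    # domain- or cloud-domain-joined clients) applies, which is not "disabled".
    if     ($null -eq $runAsPpl) { $configured = 'Not configured (OS default applies)' }
    elseif ($runAsPpl -eq 0)     { $configured = 'Disabled' }
    elseif ($runAsPpl -eq 1)     { $configured = 'Enabled with UEFI lock' }
    elseif ($runAsPpl -eq 2)     { $configured = 'Enabled without UEFI lock' }
    else                         { $configured = "Unknown value $runAsPpl" }

    # The registry only says what was asked for; event 12 from Wininit, logged
    # at boot, says whether LSASS really started as a protected process.
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $protectedEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12; StartTime = $lastBoot } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -match 'protected process' } |
        Select-Object -First 1

    # AllowCustomSSPsAPs lands in the Policies key from its ADMX mapping; an
    # ADMX "Disabled" state is written as 0 and "Enabled" as 1 (assumed here).
    $sspValue = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name AllowCustomSSPsAPs -ErrorAction SilentlyContinue).AllowCustomSSPsAPs
    if     ($null -eq $sspValue) { $sspState = 'Not configured (custom SSPs/APs allowed)' }
    elseif ($sspValue -eq 0)     { $sspState = 'Blocked' }
    else                         { $sspState = 'Allowed' }

    [pscustomobject]@{
        RunAsPPL           = $runAsPpl
        ConfiguredState    = $configured
        RunningAsProtected = [bool]$protectedEvent
        CustomSSPsAPs      = $sspState
    }
}

$state = Get-LsaProtectionState
$state

# Two findings a hardening baseline would raise.
if (-not $state.RunningAsProtected) {
    Write-Warning 'LSASS did not start as a protected process on this boot; check RunAsPPL and the System log.'
}
if ($state.CustomSSPsAPs -ne 'Blocked') {
    Write-Warning 'LSASS will still load custom SSPs/APs; set AllowCustomSSPsAPs to Disabled to block them.'
}
```

Treat the registry value and the boot event as two separate signals: a RunAsPPL of 1 or 2 written after the last reboot shows the policy arrived but LSA is still unprotected until the next boot, and an unconfigured value on an eligible device can still show up as protected because of the OS default.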

Policy configuration service provider