2022-10-24 18:56:09 -04:00

title: Policy CSP - LocalSecurityAuthority
description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS).
ms.author: vinpa
author: vinaypamnani-msft
ms.reviewer:
manager: aaroncz
ms.topic: reference
ms.prod: windows-client
ms.technology: itpro-manage
ms.localizationpriority: medium
ms.date: 08/26/2022

Policy CSP - LocalSecurityAuthority


LocalSecurityAuthority policies

LocalSecurityAuthority/AllowCustomSSPsAPs
LocalSecurityAuthority/ConfigureLsaProtectedProcess

Tip

These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.


LocalSecurityAuthority/AllowCustomSSPsAPs

| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | Yes | Yes |
| Business | Yes | Yes |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |

Scope:

  • Device

This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs).

If you enable this policy setting or don't configure it, LSASS will allow loading of custom SSPs and APs.

If you disable this policy setting, LSASS will block custom SSPs and APs from loading.

ADMX Info:

  • GP Friendly name: Allow Custom SSPs and APs to be loaded into LSASS
  • GP name: AllowCustomSSPsAPs
  • GP path: System/Local Security Authority
  • GP ADMX file name: LocalSecurityAuthority.admx
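The Tip above requires `<Format>chr</Format>` and a payload that is either XML-encoded or wrapped in CDATA. The following added example (not code from the original page) builds the `<Replace>` command for this policy in both forms and parses each back to confirm that they carry the same payload. It assumes the Policy CSP's usual device-scope OMA-URI prefix and the `<disabled/>` payload convention for ADMX-backed policies, neither of which is shown on this page. The helper names are hypothetical, and the surrounding SyncML envelope is left to the MDM server.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumption: the Policy CSP's usual device-scope OMA-URI prefix (not shown on the page).
POLICY_ROOT = "./Device/Vendor/MSFT/Policy/Config"


def build_replace(area, policy, payload, cmd_id=1, use_cdata=False):
    """Return a SyncML <Replace> command for an ADMX-backed policy."""
    if use_cdata:
        # A CDATA section cannot contain its own terminator.
        if "]]>" in payload:
            raise ValueError("payload contains ']]>'; XML-encode it instead")
        data = f"<![CDATA[{payload}]]>"
    else:
        # XML-encode so <disabled/> travels as text, not as a child element.
        data = escape(payload)
    loc_uri = escape(f"{POLICY_ROOT}/{area}/{policy}")
    return (
        "<Replace>\n"
        f"  <CmdID>{int(cmd_id)}</CmdID>\n"
        "  <Item>\n"
        "    <Meta><Format>chr</Format></Meta>\n"
        f"    <Target><LocURI>{loc_uri}</LocURI></Target>\n"
        f"    <Data>{data}</Data>\n"
        "  </Item>\n"
        "</Replace>"
    )


def read_back(command_xml):
    """Parse a command and return (format, LocURI, decoded payload)."""
    item = ET.fromstring(command_xml).find("Item")
    data = item.find("Data")
    if len(data):  # child elements mean the payload was sent unencoded
        raise ValueError("payload was not XML-encoded or wrapped in CDATA")
    return item.findtext("Meta/Format"), item.findtext("Target/LocURI"), data.text


if __name__ == "__main__":
    # <disabled/> makes LSASS block custom SSPs and APs (see the policy text above).
    for cdata in (False, True):
        cmd = build_replace("LocalSecurityAuthority", "AllowCustomSSPsAPs",
                            "<disabled/>", use_cdata=cdata)
        print(cmd)
        print(read_back(cmd), "\n")
```
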

LocalSecurityAuthority/ConfigureLsaProtectedProcess

| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | Yes | Yes |
| Business | Yes | Yes |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |

Scope:

  • Device

This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process.

If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process.

If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable.

If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting won't be stored in a UEFI variable.

ADMX Info:

  • GP Friendly name: Configure LSASS to run as a protected process
  • GP name: ConfigureLsaProtectedProcess
  • GP path: System/Local Security Authority
  • GP ADMX file name: LocalSecurityAuthority.admx