---
title: Policy CSP - LocalSecurityAuthority
description: Learn about the LocalSecurityAuthority area of the Policy CSP, which controls whether LSASS loads custom security support providers (SSPs) and authentication providers (APs) and whether LSASS runs as a protected process.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 08/26/2022
ms.reviewer: 
manager: dansimp
---

# Policy CSP - LocalSecurityAuthority


## LocalSecurityAuthority policies

- LocalSecurityAuthority/AllowCustomSSPsAPs
- LocalSecurityAuthority/ConfigureLsaProtectedProcess

> [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable them. For details, see Understanding ADMX-backed policies.
>
> You must specify the data type in the SyncML as `<Format>chr</Format>`. For an example SyncML, refer to Enabling a policy.
>
> The payload of the SyncML is itself XML (for example `<enabled/>` or `<disabled/>`), so it must be XML-encoded to be carried as text inside the `<Data>` element; there are a variety of online encoders that you can use. To avoid encoding the payload, you can wrap it in a CDATA section instead, if your MDM supports it. For more information, see CDATA Sections.


### LocalSecurityAuthority/AllowCustomSSPsAPs

| Edition | Windows 10 | Windows 11 |
|---------|------------|------------|
| Home | No | No |
| Pro | Yes | Yes |
| Business | Yes | Yes |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |

**Scope:**

> [!div class = "checklist"]
> - Device

This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) allows custom security support providers (SSPs) and authentication providers (APs) to be loaded.

If you enable this policy setting or don't configure it, LSASS allows custom SSPs and APs to load. This is the default, so a device on which the policy has never been applied loads any SSP or AP that is registered with LSA.

If you disable this policy setting, LSASS blocks custom SSPs and APs from loading. Disabling the policy is the hardening choice: a package registered by an attacker runs inside LSASS and can capture credentials as they are processed. Before you disable it, confirm that no legitimate third-party authentication or single sign-on product that registers its own SSP or AP is still required on the device.

**ADMX Info:**

- GP Friendly name: Allow Custom SSPs and APs to be loaded into LSASS
- GP name: AllowCustomSSPsAPs
- GP path: System/Local Security Authority
- GP ADMX file name: LocalSecurityAuthority.admx
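The following PowerShell function is an added example, not code from the Policy CSP page or from Microsoft. It generates the SyncML that the tip above describes for an ADMX-backed policy in this area and shows both ways of carrying the XML payload (CDATA and XML-escaped), then parses both back to confirm they decode to the same `<disabled/>` payload. It assumes the Device-scope OMA-URI prefix `./Device/Vendor/MSFT/Policy/Config/<Area>/<Policy>`; the `CmdID` is arbitrary. For policies that take options, the `<data id="…" value="…"/>` element ids come from the ADMX file and are passed in by the caller; none are supplied here.

```powershell
# Added example (not from the Policy CSP page). Builds the SyncML for an ADMX-backed
# policy, using either a CDATA-wrapped or an XML-escaped payload in <Data>.
function New-AdmxPolicySyncml {
    param(
        [Parameter(Mandatory)] [string] $Area,     # Policy CSP area, e.g. LocalSecurityAuthority
        [Parameter(Mandatory)] [string] $Policy,   # policy name, e.g. AllowCustomSSPsAPs
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Disabled')] [string] $State,
        [hashtable] $Elements = @{},               # ADMX element id -> value (ids taken from the ADMX file)
        [switch] $Escape                           # emit an XML-escaped payload instead of CDATA
    )

    # Inner payload: <enabled/> or <disabled/>, plus one <data/> item per ADMX element
    $payload = if ($State -eq 'Enabled') { '<enabled/>' } else { '<disabled/>' }
    foreach ($id in $Elements.Keys) {
        $payload += ('<data id="{0}" value="{1}"/>' -f $id, $Elements[$id])
    }

    # The payload is XML inside XML: escape it, or wrap it in CDATA so no escaping is needed
    $data = if ($Escape) { [System.Security.SecurityElement]::Escape($payload) }
            else         { "<![CDATA[$payload]]>" }

    # Assumption: Device-scope OMA-URI prefix; CmdID is arbitrary. Format must be chr.
    @"
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/Policy/Config/$Area/$Policy</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>$data</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
"@
}

# Hardening case: block custom SSPs/APs by disabling the policy, in both payload styles
$cdata   = New-AdmxPolicySyncml -Area LocalSecurityAuthority -Policy AllowCustomSSPsAPs -State Disabled
$escaped = New-AdmxPolicySyncml -Area LocalSecurityAuthority -Policy AllowCustomSSPsAPs -State Disabled -Escape
$cdata

# Sanity check: both documents must parse, and <Data> must decode to the same inner payload
$inner = foreach ($doc in $cdata, $escaped) {
    ([xml]$doc).SelectSingleNode('//*[local-name()="Data"]').InnerText
}
if ($inner[0] -ne $inner[1] -or $inner[0] -ne '<disabled/>') { throw 'SyncML payload mismatch' }
"Decoded payload from both forms: $($inner[0])"
```

Use the CDATA form when your MDM accepts it; the escaped form (`&lt;disabled/&gt;`) is what the online encoders the tip refers to produce, and the parse check shows that LSASS-side the two are identical.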

### LocalSecurityAuthority/ConfigureLsaProtectedProcess

| Edition | Windows 10 | Windows 11 |
|---------|------------|------------|
| Home | No | No |
| Pro | Yes | Yes |
| Business | Yes | Yes |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |

**Scope:**

> [!div class = "checklist"]
> - Device

This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process (PPL). A protected LSASS refuses memory reads and code injection from non-protected processes, even ones running as SYSTEM or holding SeDebugPrivilege, and loads only signed code.

If you disable (0) or don't configure this policy setting, LSASS doesn't run as a protected process.

If you enable this policy with UEFI lock (1), LSASS runs as a protected process and the setting is also stored in a UEFI variable. Because the UEFI variable persists independently of the registry and of this policy, disabling the policy later doesn't turn protection off; the UEFI variable has to be cleared as well.

If you enable this policy without UEFI lock (2), LSASS runs as a protected process and the setting isn't stored in a UEFI variable, so it can be reverted through the policy alone.

The setting takes effect at the next restart. LSA protection raises the bar for user-mode credential theft only; code running in the kernel, for example through a vulnerable signed driver, can still read LSASS memory.

**ADMX Info:**

- GP Friendly name: Configure LSASS to run as a protected process
- GP name: ConfigureLsaProtectedProcess
- GP path: System/Local Security Authority
- GP ADMX file name: LocalSecurityAuthority.admx
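Once either policy has been pushed, a practitioner wants to confirm on the device that it actually took. The script below is an added example, not part of the Policy CSP page: it reads the `RunAsPPL` value under the LSA key (1 and 2 map to the CSP's "with UEFI lock" and "without UEFI lock" values), checks the Wininit event that is logged when LSASS really started protected since the last boot, and audits the package lists that LSASS loads so that any custom SSP or AP stands out. The registry locations are the documented LSA ones; the inbox package list is an assumption and should be adjusted for your Windows build. Run it elevated.

```powershell
# Added example (not from the Policy CSP page): device-side verification of the two
# LocalSecurityAuthority settings after MDM or Group Policy has applied. Run elevated.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionState {
    # RunAsPPL mirrors the CSP values: 1 = protected and stored in a UEFI variable,
    # 2 = protected without a UEFI variable, missing or 0 = not protected.
    $v = (Get-ItemProperty -Path $Lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    switch ($v) {
        1       { 'Protected (UEFI lock)' }
        2       { 'Protected (no UEFI lock)' }
        default { 'Not protected' }
    }
}

function Test-LsassStartedProtected {
    # The registry only shows intent; protection starts at the next boot. Wininit logs
    # event 12 in the System log when LSASS actually starts as a protected process,
    # so look for it since the last boot rather than trusting the registry alone.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $ev = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $boot
    } -ErrorAction SilentlyContinue
    [bool]$ev
}

function Get-LsaPackageAudit {
    # LSASS loads the SSPs/APs named in these values. Anything outside the inbox set is a
    # custom package: exactly what AllowCustomSSPsAPs=Disabled blocks, and a classic
    # credential-theft foothold when it appears unexpectedly.
    # Assumption: inbox package names for current Windows 10/11; extend for your build.
    $inbox = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', 'negoexts'
    $sources = @(
        @{ Path = $Lsa;            Name = 'Security Packages' }
        @{ Path = $Lsa;            Name = 'Authentication Packages' }
        @{ Path = "$Lsa\OSConfig"; Name = 'Security Packages' }
    )
    foreach ($s in $sources) {
        $vals = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        foreach ($p in @($vals)) {
            if ([string]::IsNullOrWhiteSpace($p)) { continue }   # the default value is an empty entry
            [pscustomobject]@{
                Source  = "$($s.Path)\$($s.Name)"
                Package = $p
                Custom  = -not ($inbox -contains $p.ToLowerInvariant())
            }
        }
    }
}

"LSA protection (registry): $(Get-LsaProtectionState)"
"LSASS started as a protected process at last boot: $(Test-LsassStartedProtected)"
Get-LsaPackageAudit | Format-Table -AutoSize
```

A `Custom = True` row names a DLL that LSASS will load on the next start unless `AllowCustomSSPsAPs` is disabled; treat one you didn't deploy as an incident, not a configuration drift. A registry state of "Protected" with `Test-LsassStartedProtected` returning `False` usually just means the device hasn't restarted since the policy applied.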