18.9.25.2 Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting controls whether the Local Security Authority Subservice Service (LSASS) runs in protected mode and also has the option to lock in protected mode with Unified Extensible Firmware Interface (UEFI). The Local Security Authority (LSA), which includes the LSASS process, validates users for local and remote sign-ins and enforces local security policies.

The recommended state for this setting is: Enabled: Enabled with UEFI Lock.

Note: This additional protection to prevent reading memory and code injection by non-protected processes is supported by Windows 8.1 (and newer).

Rationale:

Provides added security for the credentials that LSA stores and manages. Enabling this setting with UEFI Lock prevents the setting from being changed remotely.

Impact:

Once this setting has been applied (Enabled), removing the group policy setting (set to Not Configured) will not reverse the impact. In order to reverse the impact, you must explicitly configure this setting to Disabled and follow Microsoft's documentation on disabling the UEFI Lock.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Enabled with UEFI Lock:

Computer Configuration\Policies\Administrative Templates\System\Local Security Authority\Configures LSASS to run as a protected process

Default Value:

Not configured. (LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain-joined devices. This configuration is not UEFI locked.)