Windows 10: LSA protection - Running LSASS as protected process in Windows 10 22H2

We are running Windows 10 22H2 will soon upgrade to Windows 11 23H2.We would like to enable added LSA protection preferably without UEFI lock on our machines as outlined in Configure added LSA protection Microsoft Learn. However, the methods to implement it this way only refer to Windows 11 22H2 and later.I ran a test on a Win 10 machine by editing the registry as below. Then rebooted.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"RunAsPPL"=dword:00000002And surprisingly, after reboot, the System log shows the following WinInit event:12: LSASS.exe was started as a protec

:)

 

Disabling LSA protection

We have an internal issue causing something not to work when the LSA protection is enabled.

As we also have "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" ASR rule, and following this recommendation that "having both running at the same time would be redundant" we want to turn off the LSA protection.

The problem starts with the fact that all our devices support Secure Boot and since years we use UEFI based devices.

On those machines the task of disabling LSA protection seems like very cumbersome and not straight forward.

Is there more easy and centralized way to disable LSA protection on a few thousands windows machines?

Thanks in advance

 

LSA Protection

What I am seeing within the Core Isolation is the following

1. Memory Integrity
   
2. Memory Access Protection
   
3. Vulnerable Driver Blocklist
   

Are all of the above parts of the LSA system? If so are all supposed to be toggled on?

Kenneth

 

LSA Protection

It appears that Acer is blocking this feature from me as when I type LSASS in start and run as the admin nothing happens.

I click the file location and I am taken to ACER folder.

Further to this I checked my Systems Information and notice I have Kernal DMA which is on. Is this playing the same role as the LSA

Kenneth