🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings

HOME ← ISM-1860
ISM-1872 →

Local Security Authority protection functionality is enabled.

| Property | Value |
| --- | --- |
| ISM Control | ISM-1861 |
| Revision | 2 |
| Updated | Dec-23 |
| Guideline | Not provided |
| Section | Authentication hardening |
| Topic | Protecting credentials |
| Essential Eight | ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

Local Security Authority protection isolates credentials by running LSASS as a protected process under virtualization-based security, reducing the risk of credential theft.[1] On Windows 11 version 22H2 and later, LSA protection is enabled by default when compatibility checks pass, and an audit is triggered for incompatibilities; verify enablement in Event Viewer by reviewing the LSA protection logs.[2][1]

Justification

LSASS (Local Security Authority Subsystem Service) is the most targeted process on Windows endpoints for credential theft. It stores NTLM password hashes, Kerberos tickets, and cached domain credentials in memory — all of which are extracted by tools like Mimikatz using sekurlsa::logonpasswords when an attacker gains local administrator privileges.

Running LSASS as a Protected Process Light (PPL) under Virtualization-Based Security (VBS) prevents even processes with SeDebugPrivilege (local admin) from opening a handle to LSASS with PROCESS_VM_READ access — the prerequisite for memory scraping. This directly counters the Pass-the-Hash and Pass-the-Ticket attack chains that underpin most ransomware and APT lateral movement.

Windows 11 22H2+ enables LSA protection by default on clean-installed HVCI-capable devices, but the Intune ConfigureLsaProtectedProcess policy with UEFI lock (value = 1) prevents a local administrator from disabling the protection via registry edit — a critical additional hardening step for Maturity Level 3.

| Protection mode | Enforcement | Attack resistance |
| --- | --- | --- |
| No protection (default pre-22H2) | N/A | Mimikatz, ProcDump, Task Manager memory dump |
| PPL without UEFI lock (value = 2) | Software only | Resistant to standard credential dump; can be disabled by admin |
| PPL with UEFI lock (value = 1) | UEFI variable + registry | Resistant to credential dump; cannot be disabled without physical UEFI access |

Organisations should audit Event ID 12 (LSASS started as a protected process) and Event IDs 3065 and 3066 (code integrity warnings, recorded in the Microsoft-Windows-CodeIntegrity/Operational log, for drivers that are not PPL-compatible) to confirm protection is active and to identify incompatible drivers before broad deployment. Known application compatibility issues include MSCHAPv2 configurations and the Java GSS API when Credential Guard is enabled at the same time.[3]

Design Decision

[!NOTE] The ConfigureLsaProtectedProcess policy will be applied to Windows 11 22H2 and later clients to ensure LSA protection is enabled by default, configuring LSASS to run as a protected process according to the policy values (1 = Enabled with UEFI lock, 2 = Enabled without UEFI lock) where applicable. The criteria for this outcome include devices that are clean installed, HVCI capable, and where the policy is configured or left to default when no registry setting exists. Verification will be performed using Event Viewer to confirm LSA protection is active and to review LSA protection logs for blocked plug-ins and drivers.

Prerequisites

Licensing:

Permissions/Roles:

Dependencies:

Implementation Steps

Automatic Enablement of LSA Protection on Windows 11 22H2 and Later

  1. Ensure the device is running Windows 11 version 22H2 or later and that the upgrade has completed. An audit for incompatibilities with LSA protection runs during this upgrade; if no incompatibilities are detected, LSA protection is enabled by default.[1]

  2. Verify the enablement state in the Windows Security app. Open the Windows Security app, then navigate to Device Security and Core Isolation to confirm LSA protection is enabled. If incompatibilities are detected, enablement may not occur automatically.[1]

  3. Verify via Event Viewer. Open Event Viewer and review the LSA protection logs to confirm that LSA protection is active and to identify any programs blocked from loading into LSA.[1]

  4. If incompatibilities are detected during the upgrade, automatic enablement may not occur until those incompatibilities are addressed.[1]
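The Event Viewer review in step 3, and the Event ID 12 / 3065 / 3066 audit described in the Justification section, can be scripted so that it runs the same way on every device before broad deployment. The script below is an added example, not part of the Essential 8 Guide; it assumes (not stated in the guide) that Event ID 12 is written to the System log by the Microsoft-Windows-Wininit provider and that the 3065/3066 events carry the blocked file name in an EventData field named FileNameBuffer, falling back to the rendered message if that field is absent. Run it in an elevated session.

```powershell
# Added verification script (not from the Essential 8 Guide). See the lead-in for
# the two assumptions about event location and event data layout.
function Get-LsaProtectionAudit {
    [CmdletBinding()]
    param(
        # How many code integrity warnings to inspect (newest first).
        [int]$MaxEvents = 100
    )

    $audit = [ordered]@{
        LsassStartedProtected = $false
        ProtectionLevel       = $null
        IncompatibleModules   = @()
    }

    # Event ID 12: "LSASS.exe was started as a protected process with level: N".
    # Its presence for the most recent boot confirms the protection is active.
    # Assumed location: System log, provider Microsoft-Windows-Wininit.
    $startEvent = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    if ($startEvent) {
        $audit.LsassStartedProtected = $true
        if ($startEvent.Message -match 'level:\s*(\d+)') {
            $audit.ProtectionLevel = [int]$Matches[1]
        }
    }

    # Event IDs 3065/3066: code integrity warnings for drivers or plug-ins that do
    # not meet the PPL signing requirement. They name what LSA protection blocks
    # (or, in audit mode, would block), so review them before broad deployment.
    $ciEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3065, 3066
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $ciEvents) {
        $xml  = [xml]$e.ToXml()
        # Assumed field name; fall back to the rendered message text if absent.
        $file = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'FileNameBuffer' }).'#text'
        if (-not $file) { $file = $e.Message }
        $audit.IncompatibleModules += [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            File        = $file
        }
    }

    [pscustomobject]$audit
}

$result = Get-LsaProtectionAudit
if (-not $result.LsassStartedProtected) {
    Write-Warning 'No Event ID 12 found: LSASS did not start as a protected process at the last boot.'
}
# One row per distinct module so the remediation list is short.
$result.IncompatibleModules | Sort-Object File -Unique | Format-Table -AutoSize
```

A device that reports LsassStartedProtected as false after the 22H2 upgrade has most likely failed the compatibility audit; the IncompatibleModules list is the set of drivers or plug-ins to replace or update before the policy in the next section is assigned broadly.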

Configure LSA Protected Process via Policy CSP (Intune)

  1. In the Intune admin center, go to Devices > Windows > Configuration profiles and create a profile. Choose Platform: Windows 10 and later and Profile type: Templates > Custom. Then select Create. (This uses the Policy CSP path for LSA protection.)[5]

  2. Add a configuration setting with the following values:
    • Name: (any descriptive name for the setting)
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess
    • Data type: Integer
    • Value: 1 to configure LSASS to run as a protected process with UEFI lock, or 2 to configure the feature without a UEFI variable (non-UEFI lock).[5]
  3. Save the row, then select Next. On the Assignments screen, assign the profile to the appropriate devices or user groups, configure any applicability rules, and select Next. Then select Review + create to finalize the profile. Restart the computer after deployment.[5]

  4. Default configuration behavior if the policy is not configured:
    • If you don't configure this policy and there is no current setting in the registry, LSA will run as a protected process on all clean-installed, HVCI-capable client SKUs, and this is not UEFI locked. This default can be overridden by the policy configuration.[2]
  5. Configuration details for the policy values:
    • 0 (Default) = Disabled. LSA won’t run as protected process.
    • 1 = Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked.
    • 2 = Enabled without UEFI lock. LSA will run as protected process and this configuration isn’t UEFI locked.
      These values and their meanings are defined by the policy.[2]
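After the profile is assigned and the device has restarted, the value that actually reached the endpoint should be checked against the design decision for this control (value 1, UEFI locked). The script below is an added example, not from the Essential 8 Guide or Microsoft; it decodes the 0/1/2 values listed above and reports whether the device meets the ML3 design decision. It assumes (not stated in the guide) that the Intune Policy CSP mirrors delivered settings under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>, and relies on RunAsPPL under the Lsa registry key being the setting LSASS reads at boot, which uses the same 0/1/2 scheme.

```powershell
# Added compliance check (not from the Essential 8 Guide). Meaning of each
# ConfigureLsaProtectedProcess value, as defined by the policy.
$LsaPolicyMeaning = @{
    0 = 'Disabled: LSA does not run as a protected process'
    1 = 'Enabled with UEFI lock'
    2 = 'Enabled without UEFI lock'
}

function Get-LsaProtectionState {
    # Value LSASS reads at boot (documented registry setting behind this policy).
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # Value delivered by the Intune custom profile. Assumed mirror location of the
    # Policy CSP; adjust if your tenant reports it elsewhere.
    $cspKey   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\LocalSecurityAuthority'
    $cspValue = (Get-ItemProperty -Path $cspKey -Name ConfigureLsaProtectedProcess -ErrorAction SilentlyContinue).ConfigureLsaProtectedProcess

    # The policy overrides a manual registry edit. With neither present, a
    # clean-installed, HVCI-capable Windows 11 22H2+ device still runs LSA as a
    # protected process, but without the UEFI lock.
    $effective = $runAsPpl
    if ($null -ne $cspValue) { $effective = $cspValue }

    $meaning = if ($null -eq $effective) {
        'Not configured: Windows 11 22H2+ clean installs default to protected, not UEFI locked'
    } elseif ($LsaPolicyMeaning.ContainsKey([int]$effective)) {
        $LsaPolicyMeaning[[int]$effective]
    } else {
        "Unrecognised value $effective"
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        PolicyCspValue      = $cspValue
        RegistryRunAsPPL    = $runAsPpl
        EffectiveValue      = $effective
        Meaning             = $meaning
        # ML3 design decision in this guide: protected process with UEFI lock (1).
        MeetsDesignDecision = ($effective -eq 1)
    }
}

Get-LsaProtectionState | Format-List
```

A device showing EffectiveValue 2 is protected but can still be switched off by a local administrator with a registry edit and a reboot, which is exactly the gap the UEFI lock closes; treat MeetsDesignDecision = False as a finding for ML3 even though LSA protection is technically on.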

[!NOTE] LSA protection enablement can be influenced by upgrade status and policy configuration. Confirm compatibility and restart impact in your environment.[1]
