Easier Way to Enable Local Security Authority Protection Mode with Intune

This article will discuss how to Enable Local Security Authority (LSA) Protection Mode with Microsoft Intune. LSA Protection Mode is a security feature in Windows operating systems designed to protect against credential theft and other security threats.

When LSA Protection Mode is enabled, it restricts access to the memory and resources associated with the Local Security Authority Subsystem Service (LSASS), which manages the system’s authentication and security policies. LSA Protection Mode operates in “Restricted Mode” and “Full Mode.”

Restricted Mode: In Restricted Mode, LSA Protection restricts access to sensitive data within the LSASS process, such as credentials and tokens. This helps prevent attacks that attempt to extract sensitive information from memory, such as Pass-the-Hash attacks.

Full Mode: Full Mode goes a step further by applying additional protections to the LSASS process, making it more resilient to advanced attacks such as Mimikatz. It utilizes virtualization-based security (VBS) features to isolate LSASS in a secure container, further reducing the risk of credential theft.

Patch My PC

Enabling LSA Protection Mode helps strengthen the security posture of Windows systems by reducing the attack surface and mitigating the risk of credential theft and other security vulnerabilities. It is recommended to enable LSA Protection Mode, particularly in environments where security is a top priority, such as enterprise networks or systems handling sensitive data.

It’s important to note that enabling LSA Protection Mode may require compatible hardware and software support and careful planning and testing to ensure compatibility with existing applications and configurations. Additionally, proper monitoring and management practices should be implemented to ensure the continued effectiveness of LSA Protection Mode and to detect and respond to any security incidents or anomalies.

Adaptiva
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 1
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 1

What are the Advantages of Enable Local Security Authority Protection Mode?

Enabling Local Security Authority (LSA) Protection Mode offers several advantages for enhancing the security of Windows systems:

Overall, enabling LSA Protection Mode helps organizations reduce the risk of credential theft and other security vulnerabilities, enhance their security posture, and better protect sensitive data and systems from unauthorized access and exploitation.

CategoryAdvantages
Credential Theft PreventionLSA Protection Mode helps prevent various credential theft techniques, including Pass-the-Hash and Pass-the-Ticket attacks, by restricting access to sensitive data stored within the LSASS process.
Mitigation of Credential Dumping ToolsLSA Protection Mode reduces the effectiveness of credential dumping tools such as Mimikatz by limiting their ability to extract sensitive information from memory.
Enhanced Security PostureBy safeguarding the LSASS process, which manages authentication and security policies, LSA Protection Mode strengthens the overall security posture of Windows systems.
Protection Against Credential-based AttacksEnabling LSA Protection Mode mitigates the risk of credential-based attacks, which are commonly exploited by adversaries to escalate privileges and gain unauthorized access to systems.
Isolation of LSASS ProcessIn Full Mode, LSA Protection Mode utilizes virtualization-based security (VBS) features to isolate the LSASS process in a secure container, further reducing the risk of compromise.
Compliance RequirementsEnabling LSA Protection Mode may help organizations meet regulatory compliance requirements by implementing additional security controls to protect sensitive data and systems.
Defense-in-Depth StrategyLSA Protection Mode serves as an additional layer of defence in a defence-in-depth security strategy, complementing other security measures such as endpoint protection, access controls, and network security.
Resilience to Advanced ThreatsBy applying additional protections to the LSASS process, LSA Protection Mode enhances the resilience of Windows systems against advanced threats and sophisticated attack techniques.
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Table. 1

Create Configuration Profile to Enable Local Security Authority LSA Protection Mode

Follow the steps below to create a configuration policy to Enable Local Security Authority LSA Protection Mode with Intune. Sign in to the Microsoft Intune Admin Center using your administrator credentials.

  • Navigate to Devices  Windows > Configuration Profiles
  • Click on +Create +New Policy
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 2
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 2

We can now create a profile using a Custom Windows template. To do that, specify the following details under the Create a profile option.

  • Platform: Windows 10 and later
  • Profile type: Templates
  • Template name: Custom

Note! Microsoft Intune includes many built-in settings to control different features on a device. You can also create custom profiles, which are created similar to built-in profiles. Custom profiles are great when you want to use device settings and features that aren’t built into Intune. These profiles include features and settings for you to control on devices in your organization. For example, you can create a custom profile that sets the same feature for every Windows device.

Note! Did you know? Consider creating a Settings catalog profile instead. The Intune Settings catalog contains many settings and values previously only available through a custom profile in a native, easy-to-search experience. More settings are continually being added.

Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 3
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 3

In the Basics section, enter the Custom policy name as “Enable Local Security Authority LSA Protection Mode” and click Next.

Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 4
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 4

This is a Custom policy, so we must manually add OMA-URI Settings under the Configuration Settings pane. For that, click on Add.

Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 5
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 5

Policy CSP – LocalSecurityAuthority details are available on Microsoft’s Official site. We can find the ConfigureLsaProtectedProcess OMA-URI Settings on the same page.

  • ./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess
ScopeEditionsApplicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Table. 2

To configure the policy for our current requirements, you must provide the details below on the OMA-URI Settings Add Row pane. Once you have added all the details, click on the Save option.

Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 6
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 6

On the next page, leave the Scope tags as Default. Alternatively, you can select any custom scope tags available in the tenant.

Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 6
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 6

Click on Next and assign the policy to HTMD – Test Computers. In the Included Groups option, click on Add Groups and select the required device group. As discussed earlier, this policy is only supported for Devices, not for Users.

Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 8
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 8

In the Applicability Rules pane, you can set the rule according to your requirements. My test device runs Windows 11 23H2 Enterprise Edition, and I have set the OS edition value to Windows 10/11 Enterprise. Therefore, the policy will only apply in production scenarios when the rule is satisfied; otherwise, it will show as “Not applicable” on the monitoring page.

Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 9
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 9

Please take a moment to carefully review all the settings you’ve defined for the “Enable Local Security Authority LSA Protection Mode” policy on the “Review + Create” page. When you’re ready, select “Create” to implement the changes.

Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 10
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 10

Monitor Enable LSA Protection Mode Policy in Intune

The policy has been deployed to the Microsoft Entra ID groups. So once the targeted devices are synced, it will take effect as soon as possible. To monitor the policy deployment status from the Microsoft Intune Portal, follow the steps below.

Navigate to Devices > Windows > Configuration Profiles > Search for the “Enable Local Security Authority LSA Protection Mode” policy. The deployment status will appear under the Device and User check-in status.

Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 11
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 11

End User Experience –  Enable LSA Protection Mode Policy

Log in to your targeted device, and here I am, trying to test whether the “Enable Local Security Authority LSA Protection Mode” policy is working as expected.

Open Event Viewer. Navigate to Windows Logs > System and search for Log Source Wininit. You can see Event ID 12, and it states that LSASS.exe was started as protected process with level:4

You can also confirm the successful Policy deployment with the Systems Registry for that open Registry Editor. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa path. You will find the new registry entry, ie. RunAsPPL, and the value is (1).

Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 12
Easier Way to Enable Local Security Authority LSA Protection Mode with Intune. Fig. 12

I appreciate you taking the time to read my article. I’m excited to see you in the upcoming post. Continue to support the HTMD Community.

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Vaishnav K has over 10+ years of experience in SCCM, Device Management, and Automation Solutions. He writes and imparts his knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out his profile on LinkedIn.

2 thoughts on “Easier Way to Enable Local Security Authority Protection Mode with Intune”

  1. Don’t forget to mention this only works for windows 11 (Windows 11, version 22H2 [10.0.22621] and later), most companies still run win 10.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.