LSA protection and attack surface rules

Peter 0 Reputation points
2023-11-11T19:15:16.79+00:00

Hi,

We are implementing Defender security.
After putting ASR in audit we started to follow the recommendations.

After some time we see the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" is not applicable.

After a long search I found the cause.

The recommendation "Enable 'Local Security Authority (LSA) protection'" let me create a registry setting, "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL", with the value 1.

After deleting the registry key the ASR rule became applicable again.

I am wondering about two recommendations which don't work together.

Which way is the right one to follow: the ASR rule or the registry setting?

Microsoft Intune Security

1 answer

  1. ZhoumingDuan-MSFT 11,130 Reputation points Microsoft Vendor
    2023-11-13T02:24:17.16+00:00

    @Peter, thanks for posting in Q&A.

    From your description, I know that you want to know whether LSA protection and attack surface rules can work together.

    Based on my research, I found that if you enable LSA protection rules alongside ASR rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', the rule will not provide additional protection as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant.

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq?view=o365-worldwide#is-it-a-good-idea-to-enable-the-rule---block-credential-stealing-from-the-windows-local-security-authority-subsystem--lsass-exe----alongside-lsa-protection-

    We suggest that you choose one of them to defend your device.

    Hope this can be helpful.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

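A read-only check for the situation discussed in this thread, as an added example that is not part of the original posts: it reads the `RunAsPPL` value and the configured state of the LSASS ASR rule and reports which of the two is in effect on a host. The function name `Get-LsassProtectionState` is hypothetical; the rule GUID is the documented ID of the "Block credential stealing" rule, and treating `RunAsPPL` = 2 (enabled without UEFI lock) as enabled is an assumption beyond the value 1 mentioned in the question.

```powershell
# Added example: report which LSASS protection is configured on this host (read-only).
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # ASR: block credential stealing from lsass.exe
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassProtectionState {
    param(
        [Nullable[int]] $RunAsPPL,       # registry value, $null when the value is absent
        [string[]]      $RuleIds     = @(),
        [int[]]         $RuleActions = @()
    )
    # LSA protection counts as configured for 1 (with UEFI lock) or 2 (without).
    $lsaProtected = $RunAsPPL -in 1, 2

    # Ids and Actions are parallel arrays; -eq compares GUID strings case-insensitively.
    $asrState = 'Not configured'
    for ($i = 0; $i -lt $RuleIds.Count; $i++) {
        if ($RuleIds[$i] -eq $LsassRuleId -and $i -lt $RuleActions.Count) {
            $action = $RuleActions[$i]
            $asrState = if ($ActionNames.ContainsKey($action)) { $ActionNames[$action] } else { "Unknown ($action)" }
        }
    }

    $verdict = if ($lsaProtected) {
        'LSA protection is set; the ASR rule is redundant and is reported as not applicable'
    } elseif ($asrState -eq 'Block') {
        'ASR rule is the active LSASS protection'
    } else {
        'Neither LSA protection nor the ASR rule is enforcing'
    }
    [pscustomobject]@{ RunAsPPL = $RunAsPPL; AsrRuleState = $asrState; Verdict = $verdict }
}

# Live values from this machine.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
$ppl = if ($lsa) { [int]$lsa.RunAsPPL } else { $null }
$mp  = Get-MpPreference -ErrorAction SilentlyContinue   # $null if the Defender module is unavailable
Get-LsassProtectionState -RunAsPPL $ppl `
    -RuleIds     @($mp.AttackSurfaceReductionRules_Ids) `
    -RuleActions @($mp.AttackSurfaceReductionRules_Actions)

# Constructed inputs: the state described in the question, then the state after deleting the key.
Get-LsassProtectionState -RunAsPPL 1     -RuleIds $LsassRuleId -RuleActions 2
Get-LsassProtectionState -RunAsPPL $null -RuleIds $LsassRuleId -RuleActions 1
```

A change to `RunAsPPL` takes effect only after a reboot, so the registry value shows what is configured rather than whether the running lsass.exe is currently protected.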