LSA Auditing

Question

Hi All

I have the following requirement to enable (Enforce LSA Auditing) through GPO on all my servers. I have an OU with a couple of test VMs, and I have created a GPO and enabled the two policies below:

Computer Configuration > Administrative Templates > SCM: Pass the Hash Mitigations > Lsass.exe audit mode > Enabled

To confirm this policy is working, I need to generate Event IDs: 3063, 3065, 3033, and 3066. How can I test this GPO? Specifically, how can I generate these event IDs on the test VMs, and where should I check for these event IDs? Will they appear in the System event logs?

Computer Configuration > Administrative Templates > SCM: Pass the Hash Mitigations > LSA Protection > Enabled

How can I test the LSA Protection policy by generating relevant events?

Answer 1

Hello,

Thank you for posting in Q&A forum.

To generate relevant events for testing LSA protection, you can enable all plug-ins and drivers that cannot be loaded under LSA when LSA protection is enabled. Please refer to the following link: Configure added LSA protection | Microsoft Learn

Configuring Additional LSA Protection | Microsoft Learn

LSA events are located in the Operations Log under Applications and Services Logs\Microsoft\Windows\CodeIntegrity. They can help you identify LSA plug-ins and drivers that cannot be loaded due to signature reasons. To manage these events, you can use the wevtutil command-line tool. Recommended reference links: Wevtutil | Microsoft Learn

I hope the information above is helpful.

Best Regards,

Yanhong Liu

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.