LSA Auditing

Glenn Maxwell 12,876 Reputation points
2024-05-20T19:43:17.6+00:00

Hi All

I have the following requirement to enable (Enforce LSA Auditing) through GPO on all my servers. I have an OU with a couple of test VMs, and I have created a GPO and enabled the two policies below:

Computer Configuration > Administrative Templates > SCM: Pass the Hash Mitigations > Lsass.exe audit mode > Enabled

To confirm this policy is working, I need to generate Event IDs: 3063, 3065, 3033, and 3066. How can I test this GPO? Specifically, how can I generate these event IDs on the test VMs, and where should I check for these event IDs? Will they appear in the System event logs?

Computer Configuration > Administrative Templates > SCM: Pass the Hash Mitigations > LSA Protection > Enabled

How can I test the LSA Protection policy by generating relevant events?


Accepted answer
  1. Yanhong Liu 14,200 Reputation points Microsoft External Staff
    2024-05-21T06:00:23.88+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    To generate relevant events for testing LSA protection, you can enable all plug-ins and drivers that cannot be loaded under LSA when LSA protection is enabled. Please refer to the following link: Configure added LSA protection | Microsoft Learn

    Configuring Additional LSA Protection | Microsoft Learn

    LSA events are located in the Operations Log under Applications and Services Logs\Microsoft\Windows\CodeIntegrity. They can help you identify LSA plug-ins and drivers that cannot be loaded due to signature reasons. To manage these events, you can use the wevtutil command-line tool. Recommended reference links: Wevtutil | Microsoft Learn

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu
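
The check described in this thread, as an added PowerShell example that is not part of the original question or answer: it confirms the two GPO settings reached the registry, looks for the LSASS protected-process start event, and summarises the four Code Integrity event IDs from the question. The registry paths, value names, channel name and WinInit provider name are assumptions taken from Microsoft's LSA protection documentation, not from this page.

```powershell
# Added example: verify LSASS audit mode / LSA protection on a test VM.
# Registry paths, value names, channel and provider names are assumptions
# taken from Microsoft's LSA protection documentation, not from this thread.
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$channel = 'Microsoft-Windows-CodeIntegrity/Operational'

# What each event ID from the question indicates.
$meaning = @{
    3065 = 'Audit: load did not meet shared-section requirements (allowed)'
    3066 = 'Audit: load did not meet Microsoft signing level (allowed)'
    3033 = 'Enforced: load blocked, Microsoft signing level not met'
    3063 = 'Enforced: load blocked, shared-section requirements not met'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied yet).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Did the GPO settings land in the registry? (run gpupdate /force and reboot first)
[pscustomobject]@{
    AuditLevel = Get-RegValue $ifeoKey 'AuditLevel'   # 8 = LSASS audit mode enabled
    RunAsPPL   = Get-RegValue $lsaKey  'RunAsPPL'     # 1 or 2 = LSA protection enabled
} | Format-List

# 2. Did LSASS start as a protected process? WinInit logs event 12 in System at boot.
$boot = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 }
Get-WinEvent -FilterHashtable $boot -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 3. Summarise the four Code Integrity events per ID, with the latest timestamp.
$ids    = [int[]]@($meaning.Keys)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = $ids } -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    'No 3033/3063/3065/3066 events found: no plug-in or driver has tripped the LSASS load checks.'
} else {
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            Id      = $_.Name
            Count   = $_.Count
            Meaning = $meaning[[int]$_.Name]
            Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell session on the test VM. An empty result in step 3 while audit mode is on means nothing that loaded into LSASS would be blocked, not that the GPO failed; step 1 is the check for the GPO itself.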
