How to exclude a DLL from being blocked by LSA Protection in Windows 11 24H2

Woody Chiu at RASI 216 Reputation points
2024-11-12T19:59:22.2933333+00:00

I have some Windows 11 23H2 Lenovo T14s Gen4 laptops getting the following message popping up from time to time after they were updated to 24H2 via Windows Update.


The DLL is inside the program folder of our IBM i Access Client software.

These laptops are all managed by Intune.

Could you advise how to prevent the message from popping up again?

I tried creating a few Intune custom configuration profiles to exclude certain paths, etc. Nothing has worked yet.

Do you have any better suggestions to try?

Well, I don't want to block that DLL if I don't have to 'cause I am not sure if that may affect the function of the i Access Client.

It seems this is a widespread issue for whoever upgraded to Windows 11 24H2, isn't it?

Appreciated!

 


1 answer

  1. Daisy Zhou 26,246 Reputation points Microsoft Vendor
    2024-11-14T07:39:43.2333333+00:00

    Hello Woody Chiu at RASI,

    Thank you for posting in the Q&A forum.

    Since your laptops are managed by Intune, you can create a policy to exclude the specific DLL from being blocked:

    Create a Custom Configuration Profile:

    Sign in to the Microsoft Intune admin center.

    Go to Devices > Configuration profiles and click + Create profile.

    Select Windows 10 and later as the platform and Custom as the profile type.

    Click Create.

    Add OMA-URI Settings: In the Configuration settings section, click Add.

    Enter the following details:

    Name: Exclude DLL from LSA Protection

    Description: Exclude the specified DLL from being blocked by LSA Protection.

    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/LSAProtection

    Data type: String

    Value: Enter the path to the DLL you want to exclude, e.g., C:\Program Files\IBM\iAccessClient\yourdll.dll.

    Assign the Profile: Assign the profile to the appropriate device groups.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou


    1 person found this answer helpful.
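
For the situation described in this thread, a read-only diagnostic that shows whether LSA protection is configured on a device, which modules Code Integrity logged against the LSA process, and how the DLL in question is signed. This is an added example, not part of the original question or answer; the default `$DllPath` is the placeholder path quoted in the answer, and the 200-event window is an arbitrary choice.

```powershell
# Added example (not from the thread). Read-only; run in an elevated PowerShell session.
# $DllPath defaults to the placeholder path from the answer; pass the real DLL path instead.
param(
    [string]$DllPath = 'C:\Program Files\IBM\iAccessClient\yourdll.dll'
)

# 1. LSA protection setting.
#    RunAsPPL: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock,
#    0 or missing = not configured through this registry value.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
[pscustomobject]@{
    Check    = 'LSA protection (RunAsPPL)'
    RunAsPPL = $lsa.RunAsPPL
}

# 2. Code Integrity events for modules that did not meet LSA's loading requirements.
#    3065 / 3066 are logged in audit mode, 3033 / 3063 when protection is enforced.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3033, 3063, 3065, 3066
} -MaxEvents 200 -ErrorAction SilentlyContinue   # no matching events is not an error here

$events |
    Where-Object { $_.Message -match 'lsass' } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Authenticode signature of the DLL named in the pop-up.
#    LSA protection only admits modules that meet its signing requirements, so an
#    unsigned or untrusted file here is consistent with the DLL being refused.
if (Test-Path -LiteralPath $DllPath) {
    $sig = Get-AuthenticodeSignature -LiteralPath $DllPath
    [pscustomobject]@{
        Path   = $DllPath
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        Issuer = $sig.SignerCertificate.Issuer
    }
} else {
    Write-Warning "DLL not found at '$DllPath'; pass the real path with -DllPath."
}
```

The event messages name the exact file that was refused, which is what to compare against the vendor's installed DLLs and to quote when asking the vendor for a correctly signed build.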
