Policy CSP - LocalSecurityAuthority

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

AllowCustomSSPsAPs

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/AllowCustomSSPsAPs

This policy controls the configuration under which LSASS loads custom SSPs and APs.

  • If you enable this setting or don't configure it, LSA allows custom SSPs and APs to be loaded.

  • If you disable this setting, LSA doesn't load custom SSPs and APs.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name AllowCustomSSPsAPs
Friendly Name Allow Custom SSPs and APs to be loaded into LSASS
Location Computer Configuration
Path System > Local Security Authority
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name AllowCustomSSPsAPs
ADMX File Name LocalSecurityAuthority.admx

ConfigureLsaProtectedProcess

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess

This policy controls the configuration under which LSASS is run.

  • If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for all clean installed, HVCI capable, client SKUs. This configuration isn't UEFI locked. This can be overridden if the policy is configured.

  • If you configure and set this policy setting to "Disabled", LSA won't run as a protected process.

  • If you configure and set this policy setting to "EnabledWithUEFILock," LSA will run as a protected process and this configuration is UEFI locked.

  • If you configure and set this policy setting to "EnabledWithoutUEFILock", LSA will run as a protected process and this configuration isn't UEFI locked.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled. Default value. LSA won't run as protected process.
1 Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked.
2 Enabled without UEFI lock. LSA will run as protected process and this configuration isn't UEFI locked.

Group policy mapping:

Name Value
Name ConfigureLsaProtectedProcess
Friendly Name Configures LSASS to run as a protected process
Location Computer Configuration
Path System > Local Security Authority
Registry Key Name Software\Policies\Microsoft\Windows\System
ADMX File Name LocalSecurityAuthority.admx

Policy configuration service provider