Windows 10: LSA protection and attack surface rules

Discussion in 'Windows 10 Gaming' started by compaxo, Nov 10, 2023.

  1. compaxo Win User

    LSA protection and attack surface rules


    Hi, We are implementing Defender security. After putting ASR in audit we started to follow the recommendations. After some time we see the ASR rule "Block credential stealing from the Windows local security authority subsystem lsass.exe" is not applicable. After a long search I found the cause. The recommendation "Enable 'Local Security Authority LSA protection'" let me create a registry setting, "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL", with the value 1. After deleting the registry key the ASR became applicable again. I am wondering about two recommendations which don't work together. Which way is th

    :)
     
    compaxo, Nov 10, 2023
    #1
  2. UriSSoo Win User

    Disabling LSA protection

    We have an internal issue causing something not to work when the LSA protection is enabled.

    As we also have the "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" ASR rule, and following this recommendation that "having both running at the same time would be redundant", we want to turn off the LSA protection.

    The problem starts with the fact that all our devices support Secure Boot, and we have used UEFI-based devices for years.

    On those machines the task of disabling LSA protection seems very cumbersome and not straightforward.

    Is there an easier, centralized way to disable LSA protection on a few thousand Windows machines?

    Thanks in advance
     
    UriSSoo, Nov 10, 2023
    #2
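
An added example, not part of any post in this thread: a read-only PowerShell check that reports how LSA protection (the `RunAsPPL` value from post #1) and the LSASS ASR rule are configured on one machine, and whether Secure Boot is on, which is what makes the setting hard to remove in post #2. The output property names are illustrative; the GUID is Microsoft's documented ID for this ASR rule.

```powershell
# Added example (not from the thread): read-only report, run from an elevated prompt.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsassRule = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'  # "Block credential stealing ... (lsass.exe)"

# RunAsPPL: missing or 0 = off, 1 = on (with a UEFI variable on Secure Boot devices),
# 2 = on without a UEFI variable (Windows 11 22H2 and later only).
# The registry value is the configured state; it takes effect at the next restart.
$prop     = Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue
$runAsPpl = if ($prop) { [int]$prop.RunAsPPL } else { 0 }

# Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "no Secure Boot".
$secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }

$lsaState = if ($runAsPpl -eq 1 -and $secureBoot) {
    'On (UEFI variable expected; removing the registry value alone will not turn it off)'
} elseif ($runAsPpl -eq 1) {
    'On (registry only)'
} elseif ($runAsPpl -eq 2) {
    'On (no UEFI variable)'
} else {
    'Off or not configured'
}

# ASR rules are stored as two parallel arrays: rule IDs and their actions.
$names    = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref     = Get-MpPreference
$ids      = @($pref.AttackSurfaceReductionRules_Ids)
$actions  = @($pref.AttackSurfaceReductionRules_Actions)
$asrState = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $lsassRule) { $asrState = $names[[int]$actions[$i]] }
}

$note = if ($runAsPpl -ne 0 -and $asrState -ne 'Not configured') {
    'Both configured: the state in which post #1 saw the ASR rule reported as not applicable.'
} elseif ($runAsPpl -eq 0 -and $asrState -ne 'Block') {
    'lsass.exe is not being blocked by either control.'
} else {
    'One of the two controls is configured.'
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    RunAsPPL      = $runAsPpl
    SecureBoot    = $secureBoot
    LsaProtection = $lsaState
    LsassAsrRule  = $asrState
    Note          = $note
}
```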
  3. LSA Protection

    What I am seeing within the Core Isolation is the following

    1. Memory Integrity
    2. Memory Access Protection
    3. Vulnerable Driver Blocklist

    Are all of the above parts of the LSA system? If so are all supposed to be toggled on?

    Kenneth
     
    KennethYoung5, Nov 10, 2023
    #3
  4. LSA protection and attack surface rules

    Attack Surface Reduction

    Hello Other_side,



    Welcome to Microsoft Community.



    This message usually indicates that the system has detected some threatened applications or processes.

    Do the planned tasks you mentioned here involve some unknown process or application? The Windows Security Center blocked the process to protect the system security because it was judged as a potential threat.

    If you are 100% sure that the process associated with the scheduled task is safe, perhaps I can recommend that you try lowering the UAC limits. (Search UAC in the taskbar to find a list of sliders)

    If you think this is a false positive from the system, we recommend that you submit the corresponding application to the Windows Security Center support team by manually submitting samples:

    Provide feedback / Submit a file for malware analysis

    Also, I noticed that the error may be related to "attack surface reduction rules". I found the rule configuration tutorial for you, maybe you can manage the rule through:

    Enable attack surface reduction rules

    If you want to learn more about this rule, I recommend you visit Microsoft Learn, our advanced technology forum. You can click on "Ask a question"; there are experts there who can provide more professional solutions.



    Best regards,

    Mitchell - | Microsoft community support expert from MSFT
     
    Mitchell - MSFT, Nov 10, 2023
    #4