Information
This policy setting controls whether the Local Security Authority Subsystem Service (LSASS) runs in protected mode and also has the option to lock in protected mode with Unified Extensible Firmware Interface (UEFI). The Local Security Authority (LSA), which includes the LSASS process, validates users for local and remote sign-ins and enforces local security policies.
The recommended state for this setting is: Enabled: Enabled with UEFI Lock
Note: This additional protection, which prevents non-protected processes from reading LSASS memory or injecting code into it, is supported on Windows 8.1 and newer.
Provides added security for the credentials that LSA stores and manages. Enabling this setting with UEFI Lock prevents the setting from being changed remotely.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Enabled with UEFI Lock:
Computer Configuration\Policies\Administrative Templates\System\Local Security Authority\Configures LSASS to run as a protected process
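The following PowerShell check is an added verification example, not part of this benchmark text. It assumes the registry location the policy writes to (HKLM\SYSTEM\CurrentControlSet\Control\Lsa, DWORD RunAsPPL, where 1 means Enabled with UEFI Lock and 2 means Enabled without UEFI Lock) and the boot-time Wininit Event ID 12 in the System log that reports LSASS started as a protected process.

```powershell
# Added verification script (not part of the benchmark). Assumes:
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa, DWORD RunAsPPL
#     1 = Enabled with UEFI Lock, 2 = Enabled without UEFI Lock, 0/absent = not enforced
#   System log, provider Microsoft-Windows-Wininit, Event ID 12:
#     "LSASS.exe was started as a protected process ..." (written at boot)
function Get-LsaProtectionState {
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL

    $configured = switch ($runAsPpl) {
        1       { 'Enabled with UEFI Lock' }
        2       { 'Enabled without UEFI Lock' }
        default { 'Not enforced' }
    }

    # The registry value only records intent; the Wininit event from the most
    # recent boot confirms LSASS actually came up as a protected process.
    $lastBoot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $bootEvent = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
        StartTime    = $lastBoot
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunAsPPL            = $runAsPpl
        ConfiguredState     = $configured
        ProtectedAtLastBoot = [bool]$bootEvent
        # Compliant with the recommended state only when the UEFI-locked value
        # is set AND the last boot actually started LSASS protected.
        Compliant           = ($runAsPpl -eq 1) -and [bool]$bootEvent
    }
}

Get-LsaProtectionState | Format-List
```

A value of 1 with no boot event usually means the policy was applied but the host has not been restarted since, so the protection is not yet in effect.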
Impact:
Once this setting has been applied (Enabled), removing the group policy setting (set to Not Configured) will not reverse the impact. In order to reverse the impact, you must explicitly configure this setting to Disabled and follow Microsoft's documentation on disabling the UEFI Lock.