Secure Score How-To


How to Enable LSA Protection in Windows to Prevent Credential Theft

Last updated: June 2026

Local Security Authority (LSA) protection runs the LSASS process as a Protected Process Light (PPL), so that non-protected processes, even ones running as an administrator, cannot open LSASS with the access rights needed to read its memory or inject code into it. It is one of the most effective single controls against credential theft tools like Mimikatz, and enabling it via Intune picks up a direct Secure Score improvement.


What you'll achieve

  • Credential dumping blocked: a non-protected process, even one running as an administrator with SeDebugPrivilege, cannot open LSASS with the rights needed to read or dump its memory, so user-mode tools such as Mimikatz, ProcDump and Task Manager's Create dump file fail with access denied.
  • Defence in depth strengthened: LSA protection works alongside the ASR rule Block credential stealing from the Windows local security authority subsystem (lsass.exe). The two are independent controls over the same attack path, so a gap in one does not expose LSASS on its own.
  • Secure Score improvement: Microsoft marks the LSA protection recommendation as Completed once the setting is enforced across enrolled devices, directly lifting your Secure Score.

Why this setting matters

LSASS is the process Windows uses to validate logons, enforce local security policy, and hold credential material in memory for the duration of a session. Without LSA protection, any process running with administrative rights (and therefore able to obtain SeDebugPrivilege) can open LSASS, read its memory, and extract NTLM hashes, Kerberos tickets and keys, and, on systems that still cache them, plaintext passwords.

  • Credential theft is one of the main enablers of lateral movement: with a hash or a ticket an attacker can authenticate as any user whose credentials were in memory on that host, without ever learning a password.
  • LSA protection runs LSASS as a Protected Process Light (PPL). Only code signed to the protected-process signature level can open LSASS with sensitive access rights or be loaded into it as a plug-in; an ordinary vendor Authenticode signature does not qualify, so unsigned and conventionally signed tools are refused alike.
  • Unlike the ASR credential stealing rule (which is enforced by Defender), LSA protection is enforced by the Windows kernel, so it applies whichever endpoint security product is installed and whichever user-mode tool an attacker uses.

Enabling LSA protection is one of the highest-impact, lowest-disruption security controls available in Windows. Its limit is worth knowing: it governs user-mode access to LSASS. An attacker who can already load a kernel driver (for example through a vulnerable signed driver) can strip the protection, which is why it belongs alongside the vulnerable driver block list and other defence-in-depth controls rather than in place of them.

Before you start

  • Windows 11 22H2 or later, or Windows Server 2022 with the latest cumulative updates, for the Intune policy and for the Enabled without UEFI Lock option. LSA protection itself has shipped since Windows 8.1 and Windows Server 2012 R2 and can be set through the registry or Group Policy on older supported builds (RunAsPPL = 1, UEFI lock mode only).
  • Devices enrolled in Microsoft Intune (or apply via registry/Group Policy as an alternative).
  • Intune Administrator permissions (Global Administrator also works, but is more privilege than this task needs).
  • Identify every LSA plug-in in use: authentication packages, security support providers, password filters and cryptographic providers used for smart card logon. Each must carry a Microsoft signature that meets the protected-process requirements; a normal vendor Authenticode signature is not enough, and anything that fails is blocked once protection is enforced.
  • Test on a pilot group first, ideally in audit mode (AuditLevel = 8, DWORD, under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, then reboot). Check Event Viewer → Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational for Event IDs 3065 and 3066 (plug-in would have been blocked) to identify incompatible software before broad rollout. Once enforced, the same log records Event IDs 3033 and 3063 for plug-ins that were actually blocked.

Step-by-step

Use these five steps to configure, deploy, test, and confirm LSA protection in your Microsoft 365 environment via Intune.

1. Open the Microsoft Intune Admin Center

Go to intune.microsoft.com. In the left navigation, click Endpoint security, then select Account protection. Click Create Policy. For Platform, select Windows. For Profile, choose Local Security Authority. (The same setting, Configure Lsa Protected Process, is also available through the Settings catalog under the Local Security Authority category if you prefer a Settings catalog policy.)
2. Name and describe the policy

Give the policy a descriptive name, for example: SEC - Enable LSA Protection (PPL). Add a description such as: Enables Protected Process Light for LSASS to prevent credential theft. Click Next.
3. Configure LSA protection settings

In the Configuration Settings page, find the setting Configure Lsa Protected Process. Set it to Enabled with UEFI Lock (recommended) or Enabled without UEFI Lock if you need the ability to disable it remotely later. With UEFI Lock, Windows records the choice in a UEFI firmware variable at the next boot; from then on, clearing the registry value or the policy does not turn protection off, so it survives tampering by a local administrator. Without UEFI Lock (Windows 11 22H2 and later), the setting lives only in the registry and can be reversed by policy. In either mode the device must reboot before LSASS starts as a protected process. Click Next.
4. Assign to device groups

On the Assignments page, click Add groups and select your target device group. Start with a test group (e.g. Technowand-Test-Bench) and monitor for 7 days before expanding to All Devices. Click Next, then Review + create.
5. Verify deployment and check Secure Score

On a pilot device, after it has rebooted, confirm that RunAsPPL is set under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and that Event Viewer → Windows Logs → System contains Event ID 12 from Wininit ("LSASS.exe was started as a protected process with level: 4") for the most recent boot. As a behavioural check, open Task Manager → Details tab, right-click lsass.exe and choose Create dump file: with protection active this fails with access denied even for an administrator. Return to Microsoft Secure Score after 24–48 hours; the recommendation should update to Completed.

How to confirm it worked

  • Windows Logs → System contains Event ID 12 from Wininit ("LSASS.exe was started as a protected process with level: 4") for the most recent boot.
  • The Microsoft-Windows-CodeIntegrity/Operational log contains no Event ID 3033 or 3063 entries since that boot (these record an LSA plug-in that was blocked for failing the signing requirements).
  • An attempt to read LSASS memory from an elevated session (for example Task Manager → Details → lsass.exe → Create dump file) fails with access denied.
  • In Intune, the Account Protection policy shows Succeeded across all assigned device groups.
  • Microsoft Secure Score shows the LSA protection recommendation as Completed.
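The checks above can be run in one go on a pilot device. The script below is an added example, not part of the original page and not Microsoft's or the Intune policy's own code. It assumes an elevated PowerShell 5.1 or 7 session on the device being checked; the registry values, event sources and event IDs it reads are the documented ones for LSA protection. Its last step is the behavioural check: it enables SeDebugPrivilege and then tries to open lsass.exe with PROCESS_VM_READ, exactly as a memory dumper would, so the result reflects what an administrator-level attacker could actually do.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): verify LSA protection on the local device.
# Assumes an elevated PowerShell session on Windows 10/11 or Windows Server 2022.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa    = Get-ItemProperty -Path $lsaKey

# RunAsPPL: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock, 0/absent = off.
# AuditLevel = 8 means audit mode: plug-ins are logged, not blocked.
$runAsPpl   = [int]$lsa.RunAsPPL
$auditLevel = [int]$lsa.AuditLevel

# Wininit writes Event ID 12 to the System log when LSASS starts as a protected process.
# Event ID 12 is also used by Kernel-General, so match on provider and message too.
$bootTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$ev12 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12; StartTime = $bootTime } `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -match 'protected process' } |
        Select-Object -First 1

# CodeIntegrity/Operational: 3065/3066 = plug-in would have been blocked (audit mode),
# 3033/3063 = plug-in was blocked (enforced). Each names software to fix before rollout.
$pluginEvents = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3033, 3063, 3065, 3066
        StartTime = $bootTime
    } -ErrorAction SilentlyContinue)

# Behavioural check: open lsass.exe the way a dumper does. With PPL active this fails with
# ERROR_ACCESS_DENIED (5) even with SeDebugPrivilege; without PPL an admin gets a handle.
if (-not ('Win32.Native' -as [type])) {
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
}
[System.Diagnostics.Process]::EnterDebugMode()      # enable SeDebugPrivilege so the test is fair
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_VM_READ           = 0x0010
$lsassPid = (Get-Process -Name lsass).Id
$handle   = [Win32.Native]::OpenProcess(($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ), $false, $lsassPid)
$lastErr  = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
$memoryReadable = ($handle -ne [IntPtr]::Zero)
if ($memoryReadable) { [void][Win32.Native]::CloseHandle($handle) }

$state = switch ($runAsPpl) {
    1       { 'Enabled with UEFI lock' }
    2       { 'Enabled without UEFI lock' }
    default { 'Not configured' }
}

# One object per device; pipe to Export-Csv when collecting results from a pilot group.
[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    RunAsPPL              = $state
    AuditMode             = ($auditLevel -eq 8)
    Event12AtLastBoot     = [bool]$ev12
    LsassMemoryReadable   = $memoryReadable
    OpenProcessError      = $lastErr
    PluginEventsSinceBoot = $pluginEvents.Count
    PluginEventDetails    = @($pluginEvents | ForEach-Object {
                                "$($_.Id): $(($_.Message -split "`n")[0])" })
}
```

On a device where protection is active, Event12AtLastBoot is true, LsassMemoryReadable is false with OpenProcessError 5, and PluginEventsSinceBoot is 0. A device that shows RunAsPPL set but no Event 12 has not rebooted since the policy applied. Any PluginEventDetails entries name the plug-in to chase with its vendor before the wider rollout.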

FAQ

What is the difference between LSA protection and the ASR rule for LSASS?

They protect the same process but at different layers. The ASR rule is enforced by Microsoft Defender and blocks processes that try to open LSASS for credential theft, with exclusions for known-good software. LSA protection is enforced by the Windows kernel: LSASS runs as a Protected Process Light (PPL), so no non-protected user-mode process can open it for memory reading or code injection, whichever tool or technique is used. Enable both for defence in depth, and note that neither defends against an attacker who already runs kernel-mode code.

What is the difference between UEFI Lock and without UEFI Lock?

With UEFI Lock, the choice is recorded in a UEFI firmware variable. Once it is set, clearing the registry value or the policy does not disable protection; removing it requires Microsoft's LSA protection opt-out tool, which needs someone physically at the device to confirm the change during boot. Without UEFI Lock (Windows 11 22H2 and later), the setting exists only in the registry and can be reversed remotely through Intune, Group Policy or the registry. Use UEFI Lock for maximum security; use the lock-free option where you need the ability to roll back remotely, for example during a short pilot.

Will LSA protection break any of my existing software?

Most modern software is unaffected. The only software impacted is LSA plug-ins that do not meet the signing requirements: authentication packages, security support providers, password filters and cryptographic providers used for smart card logon, typically from older third-party authentication or security products. Enable audit mode on a pilot group first (AuditLevel = 8, DWORD, under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, then reboot) and review the Microsoft-Windows-CodeIntegrity/Operational log for Event IDs 3065 and 3066, which name each plug-in that would have been blocked. Once enforced, the same log records Event IDs 3033 and 3063 for plug-ins that were actually blocked.

Can I deploy LSA protection via Group Policy instead of Intune?

Yes. In Group Policy, navigate to Computer Configuration → Administrative Templates → System → Local Security Authority and enable Configure LSASS to run as a protected process, choosing Enabled with UEFI Lock or Enabled without UEFI Lock depending on your requirements. This policy ships with the Windows 11 22H2 and later administrative templates; on older supported builds, set the registry value RunAsPPL (DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa to 1 (enabled with UEFI lock) or, on 22H2 and later, 2 (enabled without UEFI lock) and reboot. The Intune method is recommended for cloud-managed environments.
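For devices that are not Intune-enrolled, or for a pilot where you want audit mode before enforcement, the registry route can be scripted. The script below is an added example, not part of the original page and not Microsoft's own tooling. It assumes an elevated session; the RunAsPPL and AuditLevel value names and meanings are the documented ones, and the build-number gate reflects the Windows 11 22H2 requirement for RunAsPPL = 2 stated above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): set LSA protection through the registry.
# Usage:  .\Set-LsaProtection.ps1 -Mode Audit          (pilot: log, do not block)
#         .\Set-LsaProtection.ps1 -Mode EnabledWithUefiLock
param(
    [Parameter(Mandatory)]
    [ValidateSet('Audit', 'EnabledWithUefiLock', 'EnabledWithoutUefiLock', 'Disabled')]
    [string]$Mode
)

function Set-LsaProtection {
    param([string]$Mode)

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $build  = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

    switch ($Mode) {
        'Audit' {
            # AuditLevel = 8 writes CodeIntegrity events 3065/3066 instead of blocking a plug-in.
            Set-ItemProperty -Path $lsaKey -Name AuditLevel -Type DWord -Value 8
        }
        'EnabledWithUefiLock' {
            # RunAsPPL = 1: enforce, and persist the choice in a UEFI variable at the next boot.
            Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Type DWord -Value 1
        }
        'EnabledWithoutUefiLock' {
            # RunAsPPL = 2 is documented for Windows 11 22H2 (build 22621) and later.
            if ($build -lt 22621) {
                Write-Warning "Build $build predates Windows 11 22H2; confirm RunAsPPL=2 is supported on this OS before relying on it."
            }
            Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Type DWord -Value 2
        }
        'Disabled' {
            # Only effective if no UEFI lock was ever set; with the lock in place the firmware
            # variable wins and the opt-out tool described in the FAQ is required.
            Remove-ItemProperty -Path $lsaKey -Name RunAsPPL   -ErrorAction SilentlyContinue
            Remove-ItemProperty -Path $lsaKey -Name AuditLevel -ErrorAction SilentlyContinue
        }
    }

    # Return what is now on disk so a deployment tool can record it. Nothing changes for the
    # running LSASS process until the device reboots.
    $now = Get-ItemProperty -Path $lsaKey
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Mode           = $Mode
        RunAsPPL       = [int]$now.RunAsPPL
        AuditLevel     = [int]$now.AuditLevel
        RebootRequired = $true
    }
}

Set-LsaProtection -Mode $Mode
```

The intended sequence for a pilot is Audit, a reboot, a week of normal use while the CodeIntegrity/Operational log is reviewed for 3065/3066 events, then EnabledWithUefiLock. Whichever route you take (Intune, Group Policy or this script), the verification checks earlier on the page read the same RunAsPPL value.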

How long until my Secure Score updates after enabling LSA protection?

Secure Score typically updates within 24–48 hours once the policy is active and confirmed across enrolled devices. If it has not updated, verify in Intune that the policy status shows Succeeded and check Event Viewer for Event ID 12 confirming LSA protection is running.

Need help securing your Windows endpoints?

Our team can review your endpoint protection configuration, identify credential theft risks, and build a clear remediation roadmap to strengthen your Secure Score.