Event details
Explore the ins and outs of two security features enabled by default in Windows 11, version 22H2: Windows Defender Credential Guard and LSA protection. Explore the criteria for enablement, security b...
Heather_Poulsen
Updated Dec 27, 2024
cjohnston
Oct 24, 2022 Brass Contributor
Why would we want to use LSA protection without UEFI lock, isn't that less secure?
- jirenugo
Oct 24, 2022 Microsoft
You might want to disable LSA protection as a stopgap if you have to use an application or scenario that requires being loaded into LSA.
- Matthew_Palko
Oct 24, 2022 Microsoft
LSA protection without UEFI lock gives you more flexibility for testing and rolling back in case there is an issue with compatibility. Disabling the feature with UEFI lock requires special scripts and user interaction on the local device. For default enablement, we've enabled it without UEFI lock so if you do need to disable the feature for compatibility purposes it is easier to do so. If you do not have any issues with LSA protection and you want better protection, you can enable UEFI lock with policy.
- cjohnston
Oct 24, 2022 Brass Contributor
Thanks, Matthew, that makes a lot of sense. It's almost like a 1.5 step between Audit Mode and Enable Mode with UEFI.
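The three states discussed above (disabled, enabled without UEFI lock, enabled with UEFI lock) can be read back from the device before deciding whether to add the lock by policy. The script below is an added example, not something posted in this thread or shipped by Microsoft; it assumes Windows 11 22H2 or later and an elevated PowerShell session, and relies on the documented `RunAsPPL` / `RunAsPPLBoot` registry values, Wininit event 12, and the Code Integrity audit events 3065/3066.

```powershell
# Added example (not from the thread): report how LSA protection is configured on this device
# and whether LSASS actually started as a protected process at the last boot.
# Assumes Windows 11 22H2 or later and an elevated session.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# RunAsPPL is the configured value (policy or manual); RunAsPPLBoot is what was applied at boot.
$configured = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL     -ErrorAction SilentlyContinue).RunAsPPL
$inEffect   = (Get-ItemProperty -Path $lsaKey -Name RunAsPPLBoot -ErrorAction SilentlyContinue).RunAsPPLBoot

$meaning = @{
    0 = 'Disabled'
    1 = 'Enabled with UEFI lock'
    2 = 'Enabled without UEFI lock'
}

function Describe-RunAsPPL($value, $whenMissing) {
    if ($null -eq $value)                     { return $whenMissing }
    if ($meaning.ContainsKey([int]$value))    { return $meaning[[int]$value] }
    return "Unknown value $value"
}

"Configured : $(Describe-RunAsPPL $configured 'Not set (OS default applies)')"
"At boot    : $(Describe-RunAsPPL $inEffect   'Unknown (value not present)')"

# Wininit event 12 in the System log confirms LSASS started as a protected process.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Before adding UEFI lock, look for LSA plug-ins that do not meet the signing requirements.
# In audit mode these are logged as 3065/3066 in Microsoft-Windows-CodeIntegrity/Operational;
# once enforced, the same log records the blocked loads.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A device that shows "Enabled without UEFI lock" and an empty 3065/3066 list over a reasonable test window is the case Matthew describes as ready for the UEFI lock policy; a non-empty list identifies the plug-in that would need fixing or the stopgap disable first.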
- cjohnston
Oct 24, 2022 Brass Contributor
Or rather, why would we want to disable LSA Protection?
- Greg_C_Gilbert
Oct 24, 2022 Iron Contributor
You have to be very careful with the HVCI settings. If the PC doesn't support the setting, it will cause extreme performance issues on the PC. In my experience at a previous company, we turned this on in a GPO with UEFI lock thinking if the PC didn't support it, it just wouldn't apply. That was a huge mistake. PCs that didn't support it could barely run Excel afterwards. And to reverse the setting when UEFI lock is turned on, you have to physically touch the device. It cannot be turned off remotely.
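The situation described above (a UEFI-locked HVCI policy landing on hardware that cannot run it well) is what a readiness check before targeting the policy is meant to catch. The script below is an added example, not part of this thread or of any Microsoft tooling; it assumes Windows 10/11 with the `root\Microsoft\Windows\DeviceGuard` WMI namespace and reads the documented `Win32_DeviceGuard` class. The value meanings listed are the documented ones for that class; anything not in the tables is printed as a raw id.

```powershell
# Added example (not from the thread): gate a UEFI-locked HVCI / Credential Guard rollout on what the
# device actually reports. Assumes Windows 10/11 and an elevated session.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$vbsStatus    = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }
$propertyNames = @{
    1 = 'Base virtualization support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    7 = 'Mode-based execution control (MBEC)'
}

# Turn a list of numeric ids into readable names, keeping unknown ids visible.
function Describe($ids, $table) {
    $names = @($ids) | ForEach-Object {
        if ($null -ne $_ -and $table.ContainsKey([int]$_)) { $table[[int]$_] } else { "id $_" }
    }
    if (-not $names) { return '(none)' }
    return ($names -join ', ')
}

[pscustomobject]@{
    Device              = $env:COMPUTERNAME
    VbsStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    AvailableProperties = Describe $dg.AvailableSecurityProperties $propertyNames
    ServicesConfigured  = Describe $dg.SecurityServicesConfigured  $serviceNames
    ServicesRunning     = Describe $dg.SecurityServicesRunning     $serviceNames
} | Format-List

# Verdict. HVCI configured but not running means the policy reached hardware that cannot honour it.
# HVCI running on a CPU without MBEC runs in software emulation, which is the documented cause of the
# kind of slowdown described in the thread. In either case the UEFI lock should not be added yet,
# because reverting it then requires hands-on access to the device.
$hvciConfigured = 2 -in @($dg.SecurityServicesConfigured)
$hvciRunning    = 2 -in @($dg.SecurityServicesRunning)
$hasMbec        = 7 -in @($dg.AvailableSecurityProperties)

if ($hvciConfigured -and -not $hvciRunning) {
    Write-Warning 'HVCI is configured but not running: this device cannot run it. Roll the policy back before any UEFI lock.'
} elseif ($hvciRunning -and -not $hasMbec) {
    Write-Warning 'HVCI is running without MBEC (software emulation): expect a noticeable performance cost.'
} elseif ($hvciRunning) {
    'HVCI is running with hardware support; UEFI lock can be considered once compatibility testing is complete.'
} else {
    'HVCI is not configured on this device.'
}
```

Run it without the lock in place first (as Matthew suggests for LSA protection above), collect the output from the fleet, and only target the UEFI-locked policy at devices whose report comes back clean.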
- AndresPae
Oct 24, 2022 Brass Contributor
Can you please explain "physically touch"? What was needed to do?