Event details
Explore the ins and outs of two security features enabled by default in Windows 11, version 22H2: Windows Defender Credential Guard and LSA protection. Explore the criteria for enablement, security b...
Heather_Poulsen
Updated Dec 27, 2024
cjohnston
Oct 24, 2022 Brass Contributor
Why would we want to use LSA protection without UEFI lock? Isn't that less secure?
cjohnston
Oct 24, 2022 Brass Contributor
Or rather, why would we want to disable LSA Protection?
- Greg_C_Gilbert
Oct 24, 2022 Iron Contributor
You have to be very careful with the HVCI settings. If the PC doesn't support the setting, it will cause extreme performance issues on the PC. In my experience at a previous company, we turned this on in a GPO with UEFI lock, thinking that if the PC didn't support it, it just wouldn't apply. That was a huge mistake. PCs that didn't support it could barely run Excel afterwards. And to reverse the setting when UEFI lock is turned on, you have to physically touch the device. It cannot be turned off remotely.
- AndresPae
Oct 24, 2022 Brass Contributor
Can you please explain "physically touch"? What was needed to do?
- jirenugo
Oct 24, 2022 Microsoft
If UEFI lock is enabled and you want to disable the feature, you will have to select "Yes" on a confirmation screen before you boot into Windows (confirming that you want to edit a UEFI variable), which cannot be done remotely.
- Deleted
Oct 24, 2022
So not even reverting the CSP or GPO would disable it?
- Greg_C_Gilbert
Oct 24, 2022 Iron Contributor
Not if UEFI lock was enabled. That's why it's best to thoroughly test without the UEFI lock options. I'm a huge proponent of enabling these options, but it really needs to be done carefully. I'm extremely excited that 22H2 will enable it by default on systems that support it. I'm hopeful that we can get better guidance on detecting the support ourselves for enabling the features on existing PCs.
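The thread ends on two practical questions: how to tell whether a PC can actually run VBS features before a locked policy is pushed to it, and how to tell whether a UEFI lock is already in place. The script below is an added example written for this page; it is not from the thread, the event, or Microsoft. It reads the documented `Win32_DeviceGuard` CIM class and the `RunAsPPL` / `LsaCfgFlags` registry values (1 = enabled with UEFI lock, 2 = enabled without UEFI lock, 0 or absent = off), plus the `HypervisorEnforcedCodeIntegrity` and `Locked` policy values that a GPO or CSP writes for HVCI. The code-to-name tables are the documented subset I am confident about; the "meets prerequisites" rule (hypervisor support and Secure Boot both reported available) is this example's own heuristic, not a Microsoft readiness verdict.

```powershell
# Added example (not from the thread or Microsoft): report VBS/HVCI/Credential Guard
# support and state, LSA protection configuration, and whether any UEFI lock is set.
# Run in an elevated Windows PowerShell 5.1 or PowerShell 7 session for complete results.

function Get-VbsReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Documented code values (subset). Unknown codes are reported as their number.
    $props = @{ 1 = 'Hypervisor'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                4 = 'Secure Memory Overwrite'; 5 = 'NX'; 6 = 'SMM mitigations'; 7 = 'MBEC/GMET' }
    $svcs  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Memory integrity)'; 3 = 'System Guard Secure Launch';
                4 = 'SMM Firmware Measurement'; 5 = 'Kernel-mode hardware-enforced stack protection' }
    $vbs   = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $name  = { param($map, $codes)
               foreach ($c in $codes) { if ($map.ContainsKey([int]$c)) { $map[[int]$c] } else { "code $c" } } }

    # Helper: read a DWORD from an ItemProperty result, treating absent as 0 (off).
    function Get-Dword($obj, $valueName) {
        if ($null -ne $obj -and $null -ne $obj.$valueName) { [int]$obj.$valueName } else { 0 }
    }

    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue

    # RunAsPPL (LSA protection) and LsaCfgFlags (Credential Guard) share one encoding:
    # 1 = enabled WITH UEFI lock, 2 = enabled without UEFI lock, 0/absent = disabled.
    $lockText  = @{ 0 = 'Disabled'; 1 = 'Enabled WITH UEFI lock'; 2 = 'Enabled without UEFI lock' }
    $runAsPpl  = Get-Dword $lsa 'RunAsPPL'
    $lsaCfg    = Get-Dword $lsa 'LsaCfgFlags'
    $polLsaCfg = Get-Dword $pol 'LsaCfgFlags'
    # HVCI via policy: HypervisorEnforcedCodeIntegrity=1 plus Locked=1 is the UEFI-locked form.
    $hvciLocked = ((Get-Dword $pol 'HypervisorEnforcedCodeIntegrity') -eq 1) -and ((Get-Dword $pol 'Locked') -eq 1)

    # Example heuristic: hypervisor support (1) and Secure Boot (2) both available.
    # A PC missing either gets no benefit from a VBS policy but still gets the boot-time
    # lock if the policy is pushed with UEFI lock, which is the situation Greg describes.
    $avail    = @($dg.AvailableSecurityProperties | ForEach-Object { [int]$_ })
    $prereqOk = ($avail -contains 1) -and ($avail -contains 2)

    # Wininit logs event 12 ("LSASS.exe was started as a protected process with level: 4")
    # in the System log at boot when LSA protection is actually in effect.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus             = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties   = (& $name $props $dg.AvailableSecurityProperties) -join ', '
        ServicesConfigured    = (& $name $svcs  $dg.SecurityServicesConfigured)  -join ', '
        ServicesRunning       = (& $name $svcs  $dg.SecurityServicesRunning)     -join ', '
        LsaIsoProcessRunning  = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)  # Credential Guard's isolated LSA
        LsassProtectedAtBoot  = [bool]$ev
        LsaProtection         = $lockText[$runAsPpl]
        CredentialGuard       = $lockText[$lsaCfg]
        CredentialGuardPolicy = $lockText[$polLsaCfg]
        HvciUefiLocked        = $hvciLocked
        MeetsPrerequisites    = $prereqOk
        AnyUefiLock           = ($runAsPpl -eq 1) -or ($lsaCfg -eq 1) -or ($polLsaCfg -eq 1) -or $hvciLocked
    }
}

$r = Get-VbsReadiness
$r | Format-List

if ($r.AnyUefiLock) {
    Write-Warning 'A UEFI lock is set: turning these features off requires confirming a UEFI variable change at the console during boot; reverting the GPO/CSP alone will not do it.'
}
elseif (-not $r.MeetsPrerequisites) {
    Write-Warning 'Hypervisor support and/or Secure Boot not reported as available: do not target this PC with a UEFI-locked VBS policy.'
}
```

Use the `MeetsPrerequisites` and `AnyUefiLock` fields as inventory attributes when scoping a policy: deploy without the lock first, confirm `ServicesRunning` shows the expected entries after a reboot on every hardware model, and only then re-target the locked variant at the devices that passed. The `msinfo32` System Summary shows the same `Win32_DeviceGuard` fields by name if you want to spot-check a single machine by hand.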