Event details

Explore the ins and outs of two security features enabled by default in Windows 11, version 22H2: Windows Defender Credential Guard and LSA protection. Explore the criteria for enablement, security b...
Heather_Poulsen
Updated Dec 27, 2024
Technical Takeoff
cjohnston's avatar
cjohnston
Brass Contributor
Oct 24, 2022
Why would we want to use LSA protection without UEFI lock, isn't that less secure?
Matthew_Palko's avatar
Matthew_Palko
Icon for Microsoft rankMicrosoft
Oct 24, 2022
LSA protection without UEFI lock gives you more flexibility for testing and rolling back in case there is an issue with compatibility. Disabling the feature with UEFI lock requires special scripts and user interaction on the local device. For default enablement, we've enabled without UEFI lock so if you do need to disable the feature for compatibility purposes it is easier to do so. If you do not have any issues with LSA protection and you want better protection, you can enable UEFI lock with policy.
  • cjohnston's avatar
    cjohnston
    Brass Contributor
    Oct 24, 2022
    Thanks, Matthew, that makes a lot of sense. It's almost like a 1.5 step between Audit Mode and Enable Mode with UEFI.