
In my previous Ask an Admin post, I described the new LSA protected mode in Windows Server 2012 R2 and Windows 8.1, how it works, and how to enable the setting. LSA protected mode is not turned on out of the box because it may cause compatibility issues with some third-party applications, such as smart card drivers or self-service password reset applications. The exception is Windows 8.1 RT, where it cannot be disabled.
In this article, I’ll describe how to enable auditing so you can identify drivers or plug-ins that fail to load in LSA protected mode.
There are a couple of requirements that LSA drivers and plug-ins must comply with to work with protected mode:
In this example, we’ll configure LSA auditing on computers in your domain. You don’t need to enable LSA protected mode itself; if an LSA driver or plug-in doesn’t meet the necessary requirements for protected mode, an event will be logged, but the driver or plug-in will not be blocked from loading.
Log on to a Windows Server 2012 R2 domain controller with an account that has permission to create and link Group Policy Objects (GPOs):
Once the Group Policy has applied to a machine in scope, you can check in the machine’s Event Viewer for any potential problems loading LSA drivers or plug-ins in protected mode.
Event ID 3065 shows that the driver or plug-in didn’t comply with SDL best practices for Shared Sections. Event ID 3066 indicates that a plug-in or driver didn’t pass a code integrity check because it wasn’t signed by Microsoft.
In a large environment, you might want to set up Event Forwarding to collect the logs from multiple computers in a central location for convenience.
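For an ad hoc check before Event Forwarding is in place, the two event IDs can be pulled from several machines with PowerShell. This is an added example, not part of the original article; it assumes the events are written to the CodeIntegrity operational channel, and the computer names SRV01 and SRV02 are placeholders.

```powershell
# Added example: collect LSA audit events (IDs 3065 and 3066) from several machines.
# Assumption: the events are read from the CodeIntegrity operational channel.
$LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
$Meaning = @{
    3065 = 'Shared Sections requirement not met'
    3066 = 'Code integrity check failed (not signed by Microsoft)'
}

function Get-LsaAuditEvent {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 7
    )
    $filter = @{
        LogName   = $LogName
        Id        = 3065, 3066
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer = $computer
                        Time     = $_.TimeCreated
                        EventId  = $_.Id
                        Meaning  = $Meaning[$_.Id]
                        # First line of the rendered message names the module that was audited
                        Message  = ($_.Message -split "`r?`n")[0]
                    }
                }
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; that is a clean result here
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

# SRV01 and SRV02 are placeholder names; one row per distinct finding, most frequent first
Get-LsaAuditEvent -ComputerName 'SRV01', 'SRV02' |
    Group-Object Computer, EventId, Message |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A machine that returns no rows logged neither event in the chosen window; a warning instead means the log could not be read, which is a different result from a clean one.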
More from Russell Smith