Windows 11 Blocking mdnsNSP.dll with Local Security Authority

Local Security Authority (LSA) is a feature now automatically turned on starting with Windows 11 22H2 with new installs of the system.  LSA is a feature that is suppose to preview code injection that can compromise credentials.  The library mdnsNSP.dll is regarded as an untrusted software.

This library comes with software such as bonjour which is typically packaged with iTunes and some older printer drivers.

There are a couple of ways to deal with this issue the easiest is to remove the software in question, but on the other hand you can also disable LSA in a few ways.

Disable by using the registry

1. Open the Registry Editor, or enter RegEdit.exe in the Run dialog, and then go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key.
   
   
2. Open the RunAsPPL value, and set its data value to 00000000. Or delete the RunAsPPL value.
   
   
3. If the protected processes light (PPL) feature was enabled with a UEFI variable, use the Local Security Authority Protected Process Opt-out tool to remove the UEFI variable.
   
   
4. Restart the computer.

Disable by using local policy on Windows 11 version 22H2 and later

1. Open the Local Group Policy Editor by entering gpedit.msc in the Run dialog.
   
   
2. Expand Computer Configuration > Administrative Templates > System > Local Security Authority.
   
   
3. Open the Configures LSASS to run as a protected process policy.
4. Set the policy to Enabled.
   
   
5. Under Options, select Disabled.
   
   
6. Select OK.
   
   
7. Restart the computer.

Remove the LSA protection UEFI variable

You can use the Local Security Authority (LSA) Protected Process Opt-out tool from the Microsoft Download Center to delete the UEFI variable if the device is using Secure Boot.

The Download Center offers two files named LsaPplConfig.efi. The smaller file is for x86-based systems and the larger file is for x64-based systems.

Sources.

https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

Windows 11 auto login - Updated for 2024

 

Quick guide: Automatic login in Windows 10

1. Open the Registry Editor using [Windows] + [R] and “regedit”.
2. Enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\PasswordLess\Device.
3. Double click on “DevicePasswordLessBuildVersion”.
4. Set the value from “2” to “0”.
5. Open User Accounts using [Windows] + [R] and the CMD command “netplwiz”.
6. Uncheck the box beside “Users must enter a user name and password to use this computer”.

How to set up an automatic login in Windows 11

Follow these steps to set up an automatic login in Windows 11 and remove the password prompt. The steps to set up an automatic login in Windows 10 are identical.

Enable automatic login in Windows 11

Firstly, you must set up the automatic login feature.

Step 1: Open the “Run” dialog box by entering the shortcut [Windows] + [R] and enter the CMD command “regedit”. This will open your system’s Registry Editor.

 Note

Proceed with caution when making changes to the Registry Editor. Unintended changes may permanently alter the system and could permanently damage it in a worst-case scenario.

Step 2: Enter the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\PasswordLess\Device.

Step 3: Double click on “DevicePasswordLessBuildVersion” and change the value from “2” to “0” in the Value data menu.

You can disable the password prompt in the Windows Registry Editor.

Disable the password prompt in Windows 11

You can disable the password prompt once you completed the following steps.

Step 1: Open the “Run” dialog box again with the shortcut [Windows] + [R] and enter “netplwiz”.

Step 2: The “User accounts” menu will open. Uncheck the box beside “Users must enter a user name and password to use this computer”.

Uncheck the box to disable the password prompt to set an automatic login.

Step 3: Enter the current password to confirm changes and click “OK”.

Automatic login after stand-by/energy-saving mode

It is even easier to disable the password prompt after waking the device from standby mode. This option is possible without changing anything in the Registry Editor.

Step 1: Open “Settings” with the shortcut [Windows] + [i].

Step 2: Go to the “Accounts” menu and select “Never” in “Login options”. The password prompt will not appear anymore after the device has been woken from power saving mode.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Find the following entries we will need to edit them

AutoAdminLogon

DefaultPassword

DefaultUserName

if you don't have them we will need to make these entries and set the following values, these are all string entries and will need the following values

AutoAdminLogon and set the Value data to 1

DefaultUserName and set the Value data to $domainuser

DefaultPassword and set the Value data to $userpassword

Add the user in this case "guest" to our guest group on the local machine.

Local Users and Groups

2025 - Update to How to setup an automated WakeOnLan with Cisco Meraki using MAC allow list

Back a while a go I did a post about setting up an automated WOL system using linux and cron.  With the new updates in the Linux Kernel, and other security updates things break so this is an update to my post in 2020,  as some utilities are now required to keep WOL working.

So the uplink switch that has the WOL clients is set to MAC ALLOW LIST.  with the specified VLANS.  You need to add the server sending the WOL packet, in my case is a virtual machine, and it should be set to a STATIC MAC.

The only required packages required for WOL on Linux, was SAMBA, Net-Tools and wakeonlan.  After some security updates WOL stopped working even though on the linux server it shows that it is running the magic packet but it is not getting though.  It also shows that the WOL, SAMBA and net-tools packages are up to date.

So after troubleshooting using the firewall and the Cisco Meraki Switch, testing the WOL from the firewall and the switch, with it successfully running.

I found an update where I was missing a package called etherwake.  While the windows clients on Windows 10 and 11 still require the driver settings form my post in 2020, the linux server needs to be updated with the etherwake package.  

sudo apt install etherwake

For the startup script I used this format for running cron.

####################

##Put IN ARP CACHE##

####################

sudo arp -i ethx -s $ipaddress $macaddress #Computer Label

####################

##Send WOL Packets##

####################

sudo -i -u $user -p $password wakeonlan -i $ipaddress $macaddress #Computer Label

or

wakeonlan $macaddress #Computer Label

How to setup Intel Vpro with Mesh Commander

I really like VPRO, it is one of the intel technologies that I find extremely useful.  I did a post back in 2017 for setting up VPRO on systems so you can remotely manage systems using Mesh Commander.  

Starting with the 12th generation systems, VPro systems use TLS to connect, which MeshCommander supports.  Below is a step by step setup of the BIOS/UEFI Settings required to use VPRO with MeshCommander.

Enter BIOS/UEFI

Go to Intel Manageability and enable intel manageability control

If this is the first time you have setup VPRO you will need to update the password, it needs to be at least 8 characters long, with one number, one capital and one alternative character i.e. -%#_@ 

Once we have updated the password, we will configure Intel AMT.

In AMT Configuration I enable all the redirection features

SOL - Serial Over Lan (for trouble shooting via serial interface)

Storage Redirection -  (Remotely booting images)

KVM - Allows the remote control of a client even if the OS isn't running

For User Consent I changed it to none so there is no issue to remotely access the computer, however if it is a user's workstation you may want to set it to KVM or ALL to get permission to access the system.

None  - You can access the computer anytime without alerting the user

KVM - You can access the computer anytime but need permission from the user to access the computer when using it for KVM access

ALL - You need to get permission from the user to access anything vpro function

For the network settings, you can specify a specific FQDN and a static ID

Network Access State, set the network access state to active.

Network Active - You can use VPRO Features

Network Inactive - VPRO is not available

Full Unprovision - Reset VPRO to the default state

Power Control, I set the sleep states to S0, ME Wake in S3, S4-5

Desktop: On in S0

Desktop: On in S0, ME Wake in S3, S4-5

Once configured you can add the system to mesh commander

Hit the add computer

Here is where the VPRO setup is slightily different from the 12gen version and above vs 11 gen and below.  For 11 gen and lower you need to set the Auth/Security to Digest/None, if you don't have kerberos setup.  Otherwise for 12 gen and up you need to set it up for Digest/TLS.

Auth/Seucrity Options:

Digest/None (use for 11 gen intel and below)

Digest/TLS (use for 12 gen intel and above)

Kerberos/None

Kerberos/TLS

Fill out the system information, the friendly name is the name that you will see in mesh commander for connecting and can be anything.  The important information is the hostname which can be a FQDN or IP address, use the auth/security for the system your using.  The username/password is what you have setup in the VPRO bios/UEFI.

Once your finished hit OK, if it is 12th gen intel and above you have to accept the certificate.

When you connect to access the KVM go to the remote desktop on the menu as shown below.

Enable the AMT Redirection in meshcommander

When you connect you will then be able to interact with the full system