To identify LSA plug-ins and drivers that will fail to load in LSA Protection mode, enable audit mode for Lsass.exe (Microsoft's Local Security Authority Subsystem) by creating the 32-bit DWORD value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe\AuditLevel with a decimal value of 8, then reboot the system.
While in audit mode on a system running Symantec Endpoint Protection (SEP), the system logs Microsoft CodeIntegrity event ID 3066 for sysfer.dll and snacnp.dll, indicating that they would fail to load under LSA if LSA Protection were enabled.
The messages are logged without blocking sysfer.dll or snacnp.dll.
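The audit procedure above can be scripted. The following PowerShell is an added example, not Symantec's or Microsoft's own code: it sets the AuditLevel value and, after the reboot, lists the modules named in event ID 3066 records. The function names are hypothetical, and the log channel name Microsoft-Windows-CodeIntegrity/Operational and the rule of picking out event data fields that end in .dll or .sys are assumptions of this example.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Enable-LsassAuditMode {
    # Create the LSASS.exe key if it is missing, then set AuditLevel = 8 (32-bit DWORD).
    if (-not (Test-Path -LiteralPath $ifeo)) {
        New-Item -Path $ifeo -Force | Out-Null
    }
    New-ItemProperty -Path $ifeo -Name 'AuditLevel' -PropertyType DWord -Value 8 -Force | Out-Null
    Write-Output 'AuditLevel set to 8. Reboot the system for audit mode to take effect.'
}

function Get-LsassAuditFinding {
    # After the reboot: read CodeIntegrity event ID 3066 records.
    # Assumption: the events are in the CodeIntegrity operational channel.
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3066 }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        # Scan every <Data> field instead of relying on a specific field name,
        # and keep the values that look like a module path (.dll or .sys).
        foreach ($node in $xml.GetElementsByTagName('Data')) {
            $value = $node.InnerText
            if ($value -match '\.(dll|sys)$') {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    Module      = ($value -split '\\')[-1]
                    Path        = $value
                }
            }
        }
    }
}

# Usage:
#   Enable-LsassAuditMode            # then reboot
#   Get-LsassAuditFinding | Sort-Object Module -Unique | Format-Table -AutoSize
```

On a system running SEP, the output is expected to include sysfer.dll and snacnp.dll, as described above.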
Microsoft only allows Microsoft-signed binaries to run if LSA Protection is enabled. As Microsoft WHQL certification is limited to third-party drivers (SEP's drivers are Microsoft signed), it is impossible for third-party libraries to run when LSA Protection is enabled.
Given Microsoft's limitation, the only option is to work around the issue in the following manner: