Failed to enable LSA on Windows VM running VMware tools prior to 10.3.5

Article ID: 328615


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • The following error appears when protection for the Local Security Authority (LSA), which includes the Local Security Authority Server Service (LSASS) process, is enabled on a Windows machine.
  • The VMware LSA plugin fails to load with LSA protection enabled.
  • The Windows Event Viewer Code Integrity log shows an error message stating that the VMware LSA plugin fails to load when LSA protection is enabled.
  • An error message similar to the following is displayed:

******************************************************************
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume4\Windows\System32\VMWSU_V1_0.DLL

* and does not meet the system policy.

* The binary was attempted to be loaded in the process: \Device\HarddiskVolume4\Windows\System32\lsass.exe

* This is not a failure in CI, but a problem with the failing binary.

* Please contact the binary owner for getting the binary correctly signed.


Cause

Prior to version 10.3.5, VMware Tools was incompatible with additional LSA protection: VMware Tools installs an LSA plugin called vmwsu_v1_0.dll, which is not signed in the required manner and fails to load when RunAsPPL is enabled in the LSA configuration.

Resolution

VMware is aware of this issue and has fixed it in VMware Tools version 10.3.5, which you can download here
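
To check whether a guest is affected before or after enabling LSA protection, the following PowerShell sketch gathers the relevant state in one pass. It is an added example, not VMware's own tooling; it assumes an elevated session on the guest and the default VMware Tools install path, and the variable names are illustrative.

```powershell
# Added example: LSA protection pre-check for a Windows guest running VMware Tools.
$fixed = [version]'10.3.5'   # first fixed VMware Tools version, per this article

# 1. Is LSA protection configured? RunAsPPL absent or 0 means not enabled.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
$ppl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

# 2. Installed VMware Tools version (ASSUMPTION: default install path).
$toolbox = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'
$toolsVersion = $null
if (Test-Path $toolbox) {
    [string]$raw = & $toolbox -v | Select-Object -First 1
    if ($raw -match '^(\d+\.\d+\.\d+)') { $toolsVersion = [version]$Matches[1] }
}

# 3. The LSA plugin named in the error message.
#    A "Valid" Authenticode status does NOT prove the file meets the LSA
#    signing requirement; the Code Integrity log below is authoritative.
$dll = Join-Path $env:SystemRoot 'System32\vmwsu_v1_0.dll'
$sig = if (Test-Path $dll) { Get-AuthenticodeSignature -FilePath $dll } else { $null }

# 4. Code Integrity events that mention the plugin (match is case-insensitive).
$events = @(Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
                -MaxEvents 2000 -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'vmwsu_v1_0\.dll' })

[pscustomobject]@{
    RunAsPPL           = $ppl
    ToolsVersion       = $toolsVersion
    PluginPresent      = [bool]$sig
    PluginSigner       = $sig.SignerCertificate.Subject
    AuthenticodeStatus = $sig.Status
    CodeIntegrityHits  = $events.Count
} | Format-List

if ($sig -and $toolsVersion -and $toolsVersion -lt $fixed) {
    if ($ppl) {
        Write-Warning "RunAsPPL is enabled and VMware Tools $toolsVersion predates $fixed; the plugin will be blocked from loading into lsass.exe."
    } else {
        Write-Warning "VMware Tools $toolsVersion predates $fixed; upgrade before enabling RunAsPPL."
    }
}

# Show the most recent matching Code Integrity entries, if any.
$events | Select-Object -First 5 TimeCreated, Id, Message | Format-List
```

If the Tools version cannot be determined, the script prints the other findings and skips the version warning.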

Additional Information

The Windows OS component Local Security Authority (LSA), which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. 
The Windows operating system provides additional protection for the LSA to prevent security attacks. When this feature is enabled, any LSA plugin must be signed with the file signing service for Local Security Authority (LSA). VMware Tools installs an LSA plugin called vmwsu_v1_0.dll, which is not signed in the required manner and fails to load when RunAsPPL is enabled in the LSA configuration. An error message similar to the following is displayed.