Lsass.exe audit mode You can configure this setting to enable the auditing of Lsass.exe so that you can evaluate feasibility of enabling LSA protection. You can use the audit mode to identify LSA plug-ins and drivers that will fail to load in LSA Protection mode. While in the audit mode, the system will generate event logs, identifying all of the plug-ins and drivers that will fail to load under LSA if LSA Protection is enabled. The messages are logged without blocking the plug-ins or drivers. If you enable this setting, Lsass.exe audit mode is enabled and event are generated in the event log. If you disable or do not configure this setting, Lsass.exe audit mode is disabled and event are not generated in the event log. For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx

(1) GPO: Computer Configuration\Administrative Templates\SCM: Pass the Hash Mitigations!Lsass.exe audit mode (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe!AuditLevel