Do I understand it correctly that LSA Protection leverages VBS/VSM such that the "actual" Windows instance is punted into a VM while LSASS and friends run in a separate VM, with communication between the two controlled by a specialized version of Hyper-V?