From e6c94867aec4ca5b45872db6df3cf63cecc829ec Mon Sep 17 00:00:00 2001 From: chcart <120026950+chcart@users.noreply.github.com> Date: Wed, 21 Jan 2026 11:25:41 -0600 Subject: [PATCH 1/3] Update LSA protection configuration details Added opt out steps due to microsoft.com inability to host steps in a proper format. --- .../configuring-additional-lsa-protection.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md b/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md index 24d80282b1..bed306ce01 100644 --- a/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md +++ b/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md 
@@ -232,6 +232,20 @@ You can use the [Local Security Authority (LSA) Protected Process Opt-out tool]( > [!NOTE] > The Download Center offers two files named *LsaPplConfig.efi*. The smaller file is for x86-based systems and the larger file is for x64-based systems. +1. Disable the registry key (GP for the registry key, if applicable) and wait for the change to propagate to clients.The corresponding registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL. +2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root +3. Open a Command Prompt as an Administrator and run the following commands to bootstrap the tool: +```mountvol X: /s copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y +bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader +bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi" +bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} +bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1 +bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: +mountvol X: /d +``` +4. Restart the machine, the EFI application will start after the restart. +5. Accept the prompt to disable LSA's protection. Windows will continue to launch and LSA protection will be disabled. +6. Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist: 12: LSASS.exe was started as a protected process with level: 4 For more information about managing Secure Boot, see [UEFI Firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)). 
@@ -262,3 +276,4 @@ Starting in Windows 11 version 22H2, VBS and Credential Guard are enabled by def - [Partner Center for Windows Hardware](/windows-hardware/drivers/dashboard/) + From 3bb7f06f78e2b213d768abf137677bd438576a05 Mon Sep 17 00:00:00 2001 From: chcart <120026950+chcart@users.noreply.github.com> Date: Wed, 21 Jan 2026 11:35:45 -0600 Subject: [PATCH 2/3] Update LSA protection configuration details Added missing line --- .../configuring-additional-lsa-protection.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md b/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md index bed306ce01..34c5bb1fdb 100644 --- a/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md +++ b/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md 
@@ -235,7 +235,8 @@ You can use the [Local Security Authority (LSA) Protected Process Opt-out tool]( 1. Disable the registry key (GP for the registry key, if applicable) and wait for the change to propagate to clients.The corresponding registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL. 2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root 3. Open a Command Prompt as an Administrator and run the following commands to bootstrap the tool: -```mountvol X: /s copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y +``` +mountvol X: /s copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi" bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} @@ -277,3 +278,4 @@ Starting in Windows 11 version 22H2, VBS and Credential Guard are enabled by def + From 3c30e23e17c5e6fb752aecce7e3a4329089d22f3 Mon Sep 17 00:00:00 2001 From: chcart <120026950+chcart@users.noreply.github.com> Date: Wed, 21 Jan 2026 11:57:59 -0600 Subject: [PATCH 3/3] Update article for configuring LSA protection additional format fixes --- .../configuring-additional-lsa-protection.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md b/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md index 34c5bb1fdb..d643419b6d 100644 --- a/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md 
+++ b/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md @@ -232,7 +232,7 @@ You can use the [Local Security Authority (LSA) Protected Process Opt-out tool]( > [!NOTE] > The Download Center offers two files named *LsaPplConfig.efi*. The smaller file is for x86-based systems and the larger file is for x64-based systems. -1. Disable the registry key (GP for the registry key, if applicable) and wait for the change to propagate to clients.The corresponding registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL. +1. Disable the registry key (Group Policy for the registry key, if applicable) and wait for the change to propagate to clients.The corresponding registry key is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`. 2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root 3. Open a Command Prompt as an Administrator and run the following commands to bootstrap the tool: ``` @@ -279,3 +279,4 @@ Starting in Windows 11 version 22H2, VBS and Credential Guard are enabled by def +
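Review bot: In patch 1/3, first hunk (`@@ -232,6 +232,20 @@`), the new steps copy `LSAPPLConfig.efi` to the EFI system partition and create the `{0cb3b571-2f2e-4343-a879-d86a476d7215}` boot entry, but steps 4 to 6 never say whether either is removed afterwards. If the tool does not clean up after itself, add a final step that deletes the entry with `bcdedit /delete` and removes `X:\EFI\Microsoft\Boot\LSAPPLConfig.efi`, so that an opt-out tool is not left staged on the machine. In the same block, `loadoptions %1` is a batch-file argument placeholder, while step 3 tells the reader to type the commands at a Command Prompt where nothing supplies a value; state the intended value or say that the commands belong in a script. Step 1 says "Disable the registry key" without giving the value to set for `RunAsPPL`, and the event text in step 6 (`12: LSASS.exe was started as a protected process with level: 4`) should be set off as code so it is clear where the string to search for begins and ends.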
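Review bot: In patch 1/3, second hunk (`@@ -262,3 +276,4 @@`), the only change is a blank line appended at the end of the file, and the last hunk of patch 2/3 and of patch 3/3 each append another one. These are unrelated to the opt-out steps and leave three trailing blank lines; drop them from all three patches.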
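Review bot: In patch 2/3, first hunk (`@@ -235,7 +235,8 @@`), the fix moves the opening fence onto its own line but leaves `mountvol X: /s copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y` as a single line, which is two commands run together. Put `mountvol X: /s` and the `copy` command on separate lines so the block can be pasted as written, and consider tagging the fence with a language (for example `cmd`) for consistent rendering. Since this patch only repairs formatting introduced in patch 1/3, it would read better squashed into it.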
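Review bot: In patch 3/3, first hunk (`@@ -232,7 +232,7 @@`), the rewritten step 1 still reads `clients.The` with no space after the period. While fixing formatting here, the neighbouring context lines need the same pass: step 2 has "machines architecture" for "machine's architecture", no closing period, and the file name `LSAPPLConfig.efi` unformatted, whereas the note above it writes *LsaPplConfig.efi*; pick one casing and one style. The hunk headers also put step 1 on the line directly after `> The Download Center offers two files...`, so add a blank line and a short lead-in sentence before the list to keep it from being rendered as part of the note.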