Skip to content

Update LSA protection configuration details #8117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
chcart wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Update LSA protection configuration details #8117

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e6c9486
Update LSA protection configuration details
chcart Jan 21, 2026
3bb7f06
Update LSA protection configuration details
chcart Jan 21, 2026
3c30e23
Update article for configuring LSA protection
chcart Jan 21, 2026
3126186
Merge pull request #1 from chcart/chcart-patch-1
chcart Jan 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions .../credentials-protection-and-management/configuring-additional-lsa-protection.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -232,6 +232,21 @@ You can use the [Local Security Authority (LSA) Protected Process Opt-out tool](

> [!NOTE]
> The Download Center offers two files named *LsaPplConfig.efi*. The smaller file is for x86-based systems and the larger file is for x64-based systems.
1. Disable the registry key (Group Policy for the registry key, if applicable) and wait for the change to propagate to clients.The corresponding registry key is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`.
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing space after period. The sentence should read: "...propagate to clients. The corresponding registry key..." with a space between the period and "The".

Suggested change
1. Disable the registry key (Group Policy for the registry key, if applicable) and wait for the change to propagate to clients.The corresponding registry key is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`.
1. Disable the registry key (Group Policy for the registry key, if applicable) and wait for the change to propagate to clients. The corresponding registry key is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`.

Copilot uses AI. Check for mistakes.
2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing period at the end of the sentence. The sentence should end with a period after "root".

Suggested change
2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root
2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The word "machines" should be possessive: "machine's architecture" instead of "machines architecture".

Suggested change
2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root
2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machine's architecture on a local disk, for example at C: drive's root

Copilot uses AI. Check for mistakes.
3. Open a Command Prompt as an Administrator and run the following commands to bootstrap the tool:
```
mountvol X: /s copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first command on line 239 appears to combine two separate commands without proper separation. The line contains "mountvol X: /s copy" which should be two distinct commands: "mountvol X: /s" followed by "copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y". These should be on separate lines or properly separated.

Suggested change
mountvol X: /s copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y
mountvol X: /s
copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y

Copilot uses AI. Check for mistakes.
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
```
4. Restart the machine, the EFI application will start after the restart.
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inconsistent punctuation. Step 4 has a comma after "machine" while other steps use periods. For consistency with the rest of the list, this should be: "Restart the machine. The EFI application will start after the restart."

Suggested change
4. Restart the machine, the EFI application will start after the restart.
4. Restart the machine. The EFI application will start after the restart.

Copilot uses AI. Check for mistakes.
5. Accept the prompt to disable LSA's protection. Windows will continue to launch and LSA protection will be disabled.
6. Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist: 12: LSASS.exe was started as a protected process with level: 4

Comment on lines +249 to 250
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The formatting of this line is problematic. The event information "12: LSASS.exe was started as a protected process with level: 4" should be on a new line or formatted differently for clarity. The excessive spaces before "12:" also make it difficult to read. Consider formatting this as a separate line or using proper markdown formatting for the event details.

Suggested change
6. Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist: 12: LSASS.exe was started as a protected process with level: 4
6. Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist:
`12: LSASS.exe was started as a protected process with level: 4`

Copilot uses AI. Check for mistakes.
For more information about managing Secure Boot, see [UEFI Firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)).

Expand Down Expand Up @@ -262,3 +277,6 @@ Starting in Windows 11 version 22H2, VBS and Credential Guard are enabled by def
- [Partner Center for Windows Hardware](/windows-hardware/drivers/dashboard/)