Update LSA protection configuration details #8117
base: main
Added opt out steps due to microsoft.com inability to host steps in a proper format.
|
@chcart : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change. |
|
Learn Build status updates of commit e6c9486: ✅ Validation status: passed
For more details, please refer to the build report. |
Added missing line
additional format fixes
Update LSA protection configuration details
|
Learn Build status updates of commit 3126186: ✅ Validation status: passed
For more details, please refer to the build report. |
|
#assign: @robinharwood, @dknappettmsft @robinharwood @dknappettmsft #label:"aq-pr-triaged" |
|
Users robinharwood, dknappettmsft are already assigned. |
Pull request overview
This pull request adds detailed step-by-step instructions for opting out of LSA (Local Security Authority) protection by removing the UEFI variable. The content was added because microsoft.com was unable to properly format these steps.
Changes:
- Added 6-step procedure for disabling LSA protection using the LSAPPLConfig.efi tool
- Included command-line instructions for bootstrapping the opt-out tool
- Added verification step to confirm LSA protection is disabled
| > [!NOTE] | ||
| > The Download Center offers two files named *LsaPplConfig.efi*. The smaller file is for x86-based systems and the larger file is for x64-based systems. | ||
| 1. Disable the registry key (Group Policy for the registry key, if applicable) and wait for the change to propagate to clients.The corresponding registry key is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`. |
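Review bot: In step 1, "Disable the registry key" does not say what the reader should actually change. `RunAsPPL` is a value under the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` key rather than a key itself, so the step should name it as a value and state the data to set, or say that it should be deleted. Where Group Policy manages the setting, the step should also say that the policy has to be changed first, otherwise the value is reapplied at the next policy refresh.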
Copilot
AI
Jan 21, 2026
Missing space after period. The sentence should read: "...propagate to clients. The corresponding registry key..." with a space between the period and "The".
| 1. Disable the registry key (Group Policy for the registry key, if applicable) and wait for the change to propagate to clients.The corresponding registry key is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`. | |
| 1. Disable the registry key (Group Policy for the registry key, if applicable) and wait for the change to propagate to clients. The corresponding registry key is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`. |
| > [!NOTE] | ||
| > The Download Center offers two files named *LsaPplConfig.efi*. The smaller file is for x86-based systems and the larger file is for x64-based systems. | ||
| 1. Disable the registry key (Group Policy for the registry key, if applicable) and wait for the change to propagate to clients.The corresponding registry key is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`. | ||
| 2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root |
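Review bot: Step 2 stores a boot-time EFI binary on a local disk, and step 3 then copies it to the EFI system partition, with no check in between that the file is the genuine tool. Suggest adding a sentence to step 2 telling the reader to confirm the file's digital signature before it is copied, since the steps otherwise place whatever sits at `C:\LSAPPLConfig.efi` into the boot path.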
Copilot
AI
Jan 21, 2026
Missing period at the end of the sentence. The sentence should end with a period after "root".
| 2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root | |
| 2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root. |
| > [!NOTE] | ||
| > The Download Center offers two files named *LsaPplConfig.efi*. The smaller file is for x86-based systems and the larger file is for x64-based systems. | ||
| 1. Disable the registry key (Group Policy for the registry key, if applicable) and wait for the change to propagate to clients.The corresponding registry key is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`. | ||
| 2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root |
Copilot
AI
Jan 21, 2026
The word "machines" should be possessive: "machine's architecture" instead of "machines architecture".
| 2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root | |
| 2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machine's architecture on a local disk, for example at C: drive's root |
| 2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center link above and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root | ||
| 3. Open a Command Prompt as an Administrator and run the following commands to bootstrap the tool: | ||
| ``` | ||
| mountvol X: /s copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y |
Copilot
AI
Jan 21, 2026
The first command on line 239 appears to combine two separate commands without proper separation. The line contains "mountvol X: /s copy" which should be two distinct commands: "mountvol X: /s" followed by "copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y". These should be on separate lines or properly separated.
| mountvol X: /s copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y | |
| mountvol X: /s | |
| copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y |
| bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: | ||
| mountvol X: /d | ||
| ``` | ||
| 4. Restart the machine, the EFI application will start after the restart. |
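Review bot: The commands in step 3 hard-code `X:` in `mountvol X: /s`, in the `copy` target and in `device partition=X:`, with no statement that the letter must be unused. If `X:` is already assigned, the mount fails and the later commands act on whatever volume holds that letter. Suggest a sentence before the code block telling the reader to pick a free drive letter and use it in every command. It is also worth stating that the `{...}` identifier in the `bcdedit` line is written for Command Prompt, as step 3 says, and needs quoting if the reader runs it from PowerShell.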
Copilot
AI
Jan 21, 2026
Inconsistent punctuation. Step 4 has a comma after "machine" while other steps use periods. For consistency with the rest of the list, this should be: "Restart the machine. The EFI application will start after the restart."
| 4. Restart the machine, the EFI application will start after the restart. | |
| 4. Restart the machine. The EFI application will start after the restart. |
| 6. Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist: 12: LSASS.exe was started as a protected process with level: 4 | ||
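Review bot: In step 6, "ensure that it does not exist" is ambiguous, because the System log still holds WinInit event 12 entries from boots made while LSA protection was enabled. The check should be scoped to the boot that follows the opt-out, for example "confirm that no such event was logged after the restart in step 4", so that a reader who finds older entries does not conclude the opt-out failed.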
|
|
Copilot
AI
Jan 21, 2026
The formatting of this line is problematic. The event information "12: LSASS.exe was started as a protected process with level: 4" should be on a new line or formatted differently for clarity. The excessive spaces before "12:" also make it difficult to read. Consider formatting this as a separate line or using proper markdown formatting for the event details.
| 6. Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist: 12: LSASS.exe was started as a protected process with level: 4 | |
| 6. Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist: | |
| `12: LSASS.exe was started as a protected process with level: 4` |