Trace Id is missing

Unlock your potential with Microsoft Copilot

Get things done faster and unleash your creativity with the power of AI anywhere you go.
Download the Copilot app
Microsoft Copilot app being utilized to generate pictures of a singing dog, assisting to identify a flower, and helping to generate an email to congratulate a coworker on a promotion.

Local Security Authority (LSA) Protected Process Opt-out

An efi tool to disable LSA's protected process setting on machines with secure boot.

Important! Selecting a language below will dynamically change the complete page content to that language.

  • Version:

    9600.16415.13092

    Date Published:

    11/4/2013

    File Name:

    LsaPplConfig.efi

    LsaPplConfig.efi

    File Size:

    1.2 MB

    1.4 MB

    IT Administrators who enable additional LSA Protection to mitigate pass-the-hash (PtH) threats on x86-based or x64-based devices that use Secure Boot and UEFI, a UEFI variable is set in the UEFI firmware when LSA protection is enabled by using the registry key. When the setting is stored in the firmware, the UEFI variable cannot be deleted or changed in the registry key. The UEFI variable must be reset. The Local Security Authority (LSA) Protected Process Opt-out is a UEFI tool can be used to reset the UEFI variable.

  • Supported Operating Systems

    Windows Server 2012 R2, Windows 8.1

    Microsoft Windows 8.1 (x86 or x64) / Microsoft Windows Server 2012 R2 (x86 or x64) and later

    Secure Boot Enabled Device

    1. Disable the registry key (GP for the registry key, if applicable) and wait for the change to propagate to clients.

      The corresponding registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL.

    2. Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root

    3. Open a Command Prompt as an Administrator and run the following commands to bootstrap the tool:

            mountvol X: /s

            copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y

            bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader

            bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi"

            bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}

            bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1

            bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:

            mountvol X: /d

    4. Restart the machine, the EFI application will start after the restart.

    5. Accept the prompt to disable LSA's protection. Windows will continue to launch and LSA protection will be disabled.

    6. Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist:

            12: LSASS.exe was started as a protected process with level: 4

Follow Microsoft

Back To Top