Local Security Authority (LSA) Protected Process Opt-out

An efi tool to disable LSA's protected process setting on machines with secure boot.
  • Note:There are multiple files available for this download.Once you click on the "Download" button, you will be prompted to select the files you need.


    File Name:



    Date Published:


    File Size:

    1.4 MB

    1.2 MB

      IT Administrators who enable additional LSA Protection to mitigate pass-the-hash (PtH) threats on x86-based or x64-based devices that use Secure Boot and UEFI, a UEFI variable is set in the UEFI firmware when LSA protection is enabled by using the registry key. When the setting is stored in the firmware, the UEFI variable cannot be deleted or changed in the registry key. The UEFI variable must be reset. The Local Security Authority (LSA) Protected Process Opt-out is a UEFI tool can be used to reset the UEFI variable.
  • Supported Operating System

    Windows 8.1, Windows Server 2012 R2

      Microsoft Windows 8.1 (x86 or x64) / Microsoft Windows Server 2012 R2 (x86 or x64) Secure Boot Enabled Device
    • Disable the registry key (GP for the registry key, if applicable) and wait for the change to propagate to clients. The corresponding registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL. Bootstrap the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool, see steps below: Download the LSAPPLConfig files from the download center and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root Open a Command Prompt as an Administrator and run the following commands to bootstrap the tool. mountvol X: /s copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi" bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1 bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: mountvol X: /d Reboot the machine, the EFI application will start after the reboot. Accept the change to disable LSA's protection. Windows will continue to launch and LSA protection will be disabled. Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist: 12: LSASS.exe was started as a protected process with level: 4
Site feedback

What category would you like to give web site feedback on?

Rate your level of satisfaction with this web page today: