Copilot is your AI companion
Always by your side, ready to support you whenever and wherever you need it.
Local Security Authority (LSA) Protected Process Opt-out
An efi tool to disable LSA's protected process setting on machines with secure boot.
Important! Selecting a language below will dynamically change the complete page content to that language.
Version:
9600.16415.13092
Date Published:
11/4/2013
File Name:
LsaPplConfig.efi
LsaPplConfig.efi
File Size:
1.2 MB
1.4 MB
IT Administrators who enable additional LSA Protection to mitigate pass-the-hash (PtH) threats on x86-based or x64-based devices that use Secure Boot and UEFI, a UEFI variable is set in the UEFI firmware when LSA protection is enabled by using the registry key. When the setting is stored in the firmware, the UEFI variable cannot be deleted or changed in the registry key. The UEFI variable must be reset. The Local Security Authority (LSA) Protected Process Opt-out is a UEFI tool can be used to reset the UEFI variable.Supported Operating Systems
Windows Server 2012 R2, Windows 8.1
Microsoft Windows 8.1 (x86 or x64) / Microsoft Windows Server 2012 R2 (x86 or x64) and later
Secure Boot Enabled Device- Disable the registry key (GP for the registry key, if applicable) and wait for the change to propagate to clients.
The corresponding registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL.
- Download the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool files from the download center and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root
- Open a Command Prompt as an Administrator and run the following commands to bootstrap the tool:
mountvol X: /s
copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
- Restart the machine, the EFI application will start after the restart.
- Accept the prompt to disable LSA's protection. Windows will continue to launch and LSA protection will be disabled.
- Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist:
12: LSASS.exe was started as a protected process with level: 4
- Disable the registry key (GP for the registry key, if applicable) and wait for the change to propagate to clients.
Follow Microsoft