Important! Selecting a language below will dynamically change the complete page content to that language.
An efi tool to disable LSA's protected process setting on machines with secure boot.
Note:
There are multiple files available for this download.
Once you click on the "Download" button, you will be prompted to select the files you need.
LSAPPLConfig\x64\LsaPplConfig.efi
LSAPPLConfig\x86\LsaPplConfig.efi
-
IT Administrators who enable additional LSA Protection to mitigate pass-the-hash (PtH) threats on x86-based or x64-based devices that use Secure Boot and UEFI, a UEFI variable is set in the UEFI firmware when LSA protection is enabled by using the registry key. When the setting is stored in the firmware, the UEFI variable cannot be deleted or changed in the registry key. The UEFI variable must be reset.
The Local Security Authority (LSA) Protected Process Opt-out is a UEFI tool can be used to reset the UEFI variable.
Supported Operating System
Windows 8.1, Windows Server 2012 R2
-
Microsoft Windows 8.1 (x86 or x64) / Microsoft Windows Server 2012 R2 (x86 or x64)
Secure Boot Enabled Device
-
Disable the registry key (GP for the registry key, if applicable) and wait for the change to propagate to clients. The corresponding registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL.
Bootstrap the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool, see steps below:
Download the LSAPPLConfig files from the download center and store the efi tool that corresponds to your machines architecture on a local disk, for example at C: drive's root
Open a Command Prompt as an Administrator and run the following commands to bootstrap the tool.
mountvol X: /s
copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
Reboot the machine, the EFI application will start after the reboot. Accept the change to disable LSA's protection.
Windows will continue to launch and LSA protection will be disabled.
Verify LSA protection is disabled, search for the following WinInit event in the System log under Windows Logs, and ensure that it does not exist:
12: LSASS.exe was started as a protected process with level: 4
