Microsoft Download Center Archive
Local Security Authority (LSA) Protected Process Opt-out
An EFI tool to disable LSA's protected process setting on machines with Secure Boot.
- For IT administrators who enable additional LSA Protection to mitigate pass-the-hash (PtH) threats on x86-based or x64-based devices that use Secure Boot and UEFI: when LSA protection is enabled by using the registry key, a UEFI variable is set in the UEFI firmware. Once the setting is stored in the firmware, it cannot be deleted or changed through the registry key; the UEFI variable itself must be reset. The Local Security Authority (LSA) Protected Process Opt-out is a UEFI tool that can be used to reset that UEFI variable.
Files
Status: Live. This download is still available on microsoft.com. The downloads below will come directly from the Microsoft Download Center.
File | Size
---|---
SHA1: 1e2bbe431cee52412f81fcb61b0860261b495693 | 677 KB
SHA1: 03827382d21a39a6ba10afbc42fc358578d766bf | 615 KB
File sizes and hashes are retrieved from the Wayback Machine’s indexes. They may not match the latest versions of files hosted on Microsoft servers.
System Requirements
Operating Systems: Windows 8.1, Windows Server 2012 R2
- Microsoft Windows 8.1 (x86 or x64) / Microsoft Windows Server 2012 R2 (x86 or x64)
- Secure Boot enabled device
Installation Instructions
- Disable the registry key (or the Group Policy setting for the registry key, if applicable) and wait for the change to propagate to clients. The corresponding registry key is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`.
- Bootstrap the Local Security Authority (LSA) Protected Process Opt-out / LSAPPLConfig.efi tool, following the steps below:
  - Download the LSAPPLConfig files from the Download Center and store the EFI tool that corresponds to your machine's architecture on a local disk, for example at the root of the C: drive.
  - Open a Command Prompt as an Administrator and run the following commands to bootstrap the tool:

```
mountvol X: /s
copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
```

- Reboot the machine. The EFI application starts after the reboot; accept the change to disable LSA's protection. Windows then continues to launch with LSA protection disabled.
- Verify that LSA protection is disabled: in the System log under Windows Logs, search for the following WinInit event and ensure that it does not exist:
  `12: LSASS.exe was started as a protected process with level: 4`
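A check for the final verification step, added here as an example and not part of the Microsoft download page: it reads the RunAsPPL registry value, the Secure Boot state, and whether WinInit event 12 was logged for the current boot. The event provider name `Microsoft-Windows-Wininit` is an assumption; adjust it if your System log shows a different source.

```powershell
# Added example (not Microsoft's tool): report the LSA protection state after
# the opt-out procedure. Run in an elevated PowerShell session.
function Get-LsaProtectionState {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # RunAsPPL absent or 0 means the registry-side setting is disabled
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # The firmware variable only matters on Secure Boot machines; the cmdlet throws on legacy BIOS
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

    # WinInit event 12 is written at boot when LSASS starts as a protected process;
    # its absence for the most recent boot is the page's success criterion.
    # Provider name is an assumption.
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $lastBoot
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunAsPPL          = $runAsPpl
        SecureBoot        = $secureBoot
        ProtectedThisBoot = [bool]($events | Where-Object { $_.Message -match 'protected process' })
        EventMessage      = ($events | Select-Object -First 1).Message
    }
}

$state = Get-LsaProtectionState
$state | Format-List
if ($state.ProtectedThisBoot) {
    Write-Warning 'LSA protection is still active for this boot: the UEFI variable has not been reset.'
} elseif ($state.RunAsPPL) {
    Write-Warning 'RunAsPPL is still set in the registry; disable it first, as the procedure requires.'
} else {
    Write-Output 'LSA protection is disabled for this boot.'
}
```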