From edbd228fc6eed31c1abe9c13fae0abf7a370227e Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 18 Feb 2026 09:58:22 +0100 Subject: [PATCH] Update LSA protection configuration documentation added description of runaspplboot --- .../configuring-additional-lsa-protection.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md b/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md index ef6867d033..95a3565090 100644 --- a/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md +++ b/WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md 
@@ -240,12 +240,18 @@ For more information about managing Secure Boot, see [UEFI Firmware](/previous-v ## Verify LSA protection +# Check the status through events To determine whether LSA starts in protected mode when Windows starts, take the following steps: 1. Open Event Viewer. 1. Expand **Windows Logs** > **System**. 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**. +# Check the current status from the registry + +1. Open the Registry Editor, or enter **RegEdit.exe** in the **Run** dialog, and then go to the **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** registry key. +1. Look up the **RunAsPPLBoot** value, it shows the PPL Mode used for the current OS session. if for example it is set to "1" and **RunAsPPL** is 0, the UEFI variable is still active. + ## LSA and Credential Guard LSA protection is a security feature that defends sensitive information like credentials from theft by blocking untrusted LSA code injection and process memory dumping. LSA protection runs in the background by isolating the LSA process in a container and preventing other processes, like malicious actors or apps, from accessing the feature. This isolation makes LSA protection a vital security feature, which is why it's enabled by default in Windows 11. @@ -262,3 +268,4 @@ Starting in Windows 11 version 22H2, VBS and Credential Guard are enabled by def - [Partner Center for Windows Hardware](/windows-hardware/drivers/dashboard/) +
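Review bot: In the first hunk, the two added headings (`# Check the status through events` and `# Check the current status from the registry`) are level 1 although they sit under `## Verify LSA protection`. They should be `###` so that they nest inside that section instead of rendering as new page titles. The first of them also appears to run straight into "To determine whether LSA starts..." with no blank line after the heading. In the second registry step, the sentence is a comma splice with a lowercase "if" and mixes a quoted "1" with a bare 0. Suggest: "Look up the **RunAsPPLBoot** value. It shows the PPL mode used for the current OS session. For example, if it is set to 1 and **RunAsPPL** is 0, the UEFI variable is still active." The step would also benefit from listing the values RunAsPPLBoot can take and from pointing to where the article explains the UEFI variable, since "still active" is not explained at this point and the reader cannot tell what action, if any, follows from it.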
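Review bot: In the second hunk (`@@ -262,3 +268,4 @@`), the only change is an empty line added after the Partner Center link at the end of the file. It is unrelated to the RunAsPPLBoot description in the commit message and should be dropped from this patch.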