Policy

Configures LSASS to run as a protected process

Microsoft Windows

Back to Local Security AuthorityBack to main
Configures LSASS to run as a protected process
Jump to overview

Policy overview

Key metadata and intent for this policy.

Computer
Category
System > Local Security Authority
Supported on
At least Windows 10 Version 1903

Supported OS tags: Windows10, Windows10RT

This policy controls the configuration under which LSASS is run. If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for all clean installed, HVCI capable, client SKUs. This configuration is not UEFI locked. This can be overridden if the policy is configured. If you configure and set this policy setting to "Disabled", LSA will not run as a protected process. If you configure and set this policy setting to "EnabledWithUEFILock," LSA will run as a protected process and this configuration is UEFI locked. If you configure and set this policy setting to "EnabledWithoutUEFILock", LSA will run as a protected process and this configuration is not UEFI locked.

Internal name
ConfigureLsaProtectedProcess
Policy ID
a5784adde404
Elements
1

Registry values

How enabled and disabled states update the registry.

No explicit registry values are set for enabled or disabled states.

Policy elements

Inputs and configuration options exposed by this policy.

ScopeElementTypeRegistry mappingConstraints & behaviorCopy
Computer
Configure LSA to run as a protected process
ID ConfigureLsaProtectedProcess
enum
Path
Software\Policies\Microsoft\Windows\System
Value name
RunAsPPL
Type
REG_DWORD
Options: Disabled (0), Enabled with UEFI Lock (1), Enabled without UEFI Lock (2)
Configure LSA to run as a protected process
Computer · Type enum
Registry mapping
Path
Software\Policies\Microsoft\Windows\System
Value name
RunAsPPL
Type
REG_DWORD
Details
Options: Disabled (0), Enabled with UEFI Lock (1), Enabled without UEFI Lock (2)