Policy
Configures LSASS to run as a protected process
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT
This policy controls the configuration under which LSASS is run. If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for all clean installed, HVCI capable, client SKUs. This configuration is not UEFI locked. This can be overridden if the policy is configured. If you configure and set this policy setting to "Disabled", LSA will not run as a protected process. If you configure and set this policy setting to "EnabledWithUEFILock," LSA will run as a protected process and this configuration is UEFI locked. If you configure and set this policy setting to "EnabledWithoutUEFILock", LSA will run as a protected process and this configuration is not UEFI locked.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Configure LSA to run as a protected process ID ConfigureLsaProtectedProcess | enum | HKLM\Software\Policies\Microsoft\Windows\System\RunAsPPL Type REG_DWORD | Options: Disabled (0), Enabled with UEFI Lock (1), Enabled without UEFI Lock (2) |
Other policies in this category
Explore related policies at the same level.