-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Update LSA protection configuration documentation #8121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -240,12 +240,18 @@ For more information about managing Secure Boot, see [UEFI Firmware](/previous-v | |||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||
| ## Verify LSA protection | ||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||
| # Check the status through events | ||||||||||||||||||||||||||||||||||
| To determine whether LSA starts in protected mode when Windows starts, take the following steps: | ||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||
| 1. Open Event Viewer. | ||||||||||||||||||||||||||||||||||
| 1. Expand **Windows Logs** > **System**. | ||||||||||||||||||||||||||||||||||
| 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**. | ||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||
| # Check the current status from the registry | ||||||||||||||||||||||||||||||||||
|
Comment on lines
+243
to
+250
|
||||||||||||||||||||||||||||||||||
| # Check the status through events | |
| To determine whether LSA starts in protected mode when Windows starts, take the following steps: | |
| 1. Open Event Viewer. | |
| 1. Expand **Windows Logs** > **System**. | |
| 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**. | |
| # Check the current status from the registry | |
| ### Check the status through events | |
| To determine whether LSA starts in protected mode when Windows starts, take the following steps: | |
| 1. Open Event Viewer. | |
| 1. Expand **Windows Logs** > **System**. | |
| 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**. | |
| ### Check the current status from the registry |
Copilot
AI
Feb 18, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The second step has a comma splice and a mid-sentence capitalization issue (...value, it shows... / if for example...). Consider splitting into clearer sentences, capitalizing If, and formatting registry names/values consistently (for example, use code formatting for HKEY_LOCAL_MACHINE\\..., RunAsPPLBoot, RunAsPPL, and numeric values).
| 1. Open the Registry Editor, or enter **RegEdit.exe** in the **Run** dialog, and then go to the **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** registry key. | |
| 1. Look up the **RunAsPPLBoot** value, it shows the PPL Mode used for the current OS session. if for example it is set to "1" and **RunAsPPL** is 0, the UEFI variable is still active. | |
| 1. Open Registry Editor (enter `RegEdit.exe` in the **Run** dialog), and then go to the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` registry key. | |
| 1. Look up the `RunAsPPLBoot` value. It shows the PPL mode used for the current OS session. If, for example, it is set to `1` and `RunAsPPL` is `0`, the UEFI variable is still active. |
Copilot
AI
Feb 18, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There’s an extra trailing blank line added at the end of the file. Consider removing it to avoid noisy diffs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These headings are using
#(H1), which will break the document’s heading hierarchy under the existing## Verify LSA protectionsection. Use a deeper heading level (for example###) so they remain subsections ofVerify LSA protection.