MicrosoftDocs · HerbertMauerer · Feb 18, 2026 · Copilot · Feb 18, 2026 · Copilot
@@ -240,12 +240,18 @@ For more information about managing Secure Boot, see [UEFI Firmware](/previous-v
 
 ## Verify LSA protection
 
+# Check the status through events
 To determine whether LSA starts in protected mode when Windows starts, take the following steps:
 
 1. Open Event Viewer.
 1. Expand **Windows Logs** > **System**.
 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
 
+# Check the current status from the registry
-# Check the status through events
-To determine whether LSA starts in protected mode when Windows starts, take the following steps:
-
-1. Open Event Viewer.
-1. Expand **Windows Logs** > **System**.
-1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
-
-# Check the current status from the registry
+### Check the status through events
+To determine whether LSA starts in protected mode when Windows starts, take the following steps:
+
+1. Open Event Viewer.
+1. Expand **Windows Logs** > **System**.
+1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
+
+### Check the current status from the registry
-# Check the status through events
-To determine whether LSA starts in protected mode when Windows starts, take the following steps:
-
-1. Open Event Viewer.
-1. Expand **Windows Logs** > **System**.
-1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
-
-# Check the current status from the registry
+### Check the status through events
+To determine whether LSA starts in protected mode when Windows starts, take the following steps:
+
+1. Open Event Viewer.
+1. Expand **Windows Logs** > **System**.
+1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
+
+### Check the current status from the registry
-# Check the status through events
-To determine whether LSA starts in protected mode when Windows starts, take the following steps:
-
-1. Open Event Viewer.
-1. Expand **Windows Logs** > **System**.
-1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
-
-# Check the current status from the registry
+### Check the status through events
+To determine whether LSA starts in protected mode when Windows starts, take the following steps:
+
+1. Open Event Viewer.
+1. Expand **Windows Logs** > **System**.
+1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
+
+### Check the current status from the registry
-# Check the status through events
-To determine whether LSA starts in protected mode when Windows starts, take the following steps:
-
-1. Open Event Viewer.
-1. Expand **Windows Logs** > **System**.
-1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
-
-# Check the current status from the registry
+### Check the status through events
+To determine whether LSA starts in protected mode when Windows starts, take the following steps:
+
+1. Open Event Viewer.
+1. Expand **Windows Logs** > **System**.
+1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
+
+### Check the current status from the registry
+
+1. Open the Registry Editor, or enter **RegEdit.exe** in the **Run** dialog, and then go to the **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** registry key.
+1. Look up the **RunAsPPLBoot** value, it shows the PPL Mode used for the current OS session. if for example it is set to "1" and **RunAsPPL** is 0, the UEFI variable is still active.
-1. Open the Registry Editor, or enter **RegEdit.exe** in the **Run** dialog, and then go to the **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** registry key.
-1. Look up the **RunAsPPLBoot** value, it shows the PPL Mode used for the current OS session. if for example it is set to "1" and **RunAsPPL** is 0, the UEFI variable is still active.
+1. Open Registry Editor (enter `RegEdit.exe` in the **Run** dialog), and then go to the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` registry key.
+1. Look up the `RunAsPPLBoot` value. It shows the PPL mode used for the current OS session. If, for example, it is set to `1` and `RunAsPPL` is `0`, the UEFI variable is still active.
-1. Open the Registry Editor, or enter **RegEdit.exe** in the **Run** dialog, and then go to the **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** registry key.
-1. Look up the **RunAsPPLBoot** value, it shows the PPL Mode used for the current OS session. if for example it is set to "1" and **RunAsPPL** is 0, the UEFI variable is still active.
+1. Open Registry Editor (enter `RegEdit.exe` in the **Run** dialog), and then go to the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` registry key.
+1. Look up the `RunAsPPLBoot` value. It shows the PPL mode used for the current OS session. If, for example, it is set to `1` and `RunAsPPL` is `0`, the UEFI variable is still active.
+
 ## LSA and Credential Guard
 
 LSA protection is a security feature that defends sensitive information like credentials from theft by blocking untrusted LSA code injection and process memory dumping. LSA protection runs in the background by isolating the LSA process in a container and preventing other processes, like malicious actors or apps, from accessing the feature. This isolation makes LSA protection a vital security feature, which is why it's enabled by default in Windows 11.
@@ -262,3 +268,4 @@ Starting in Windows 11 version 22H2, VBS and Credential Guard are enabled by def
 - [Partner Center for Windows Hardware](/windows-hardware/drivers/dashboard/)
 
 
+
-
-
-
-
-
-