Update LSA protection configuration documentation#8121
Conversation
added description of runaspplboot
|
@HerbertMauerer : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change. |
|
Learn Build status updates of commit edbd228:
|
| File | Status | Preview URL | Details |
|---|---|---|---|
| WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md | Details |
WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md
- Line 243, Column 1: [Warning: multiple-h1s - See documentation]
Multiple H1s(H1 'Check the status through events') are not allowed. You can only have one top-level heading. - Line 250, Column 1: [Warning: multiple-h1s - See documentation]
Multiple H1s(H1 'Check the current status from the registry') are not allowed. You can only have one top-level heading.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
There was a problem hiding this comment.
Pull request overview
Adds guidance for verifying LSA protection by documenting the RunAsPPLBoot registry value and how to interpret it for the current OS session.
Changes:
- Adds an Event Viewer-based check section under “Verify LSA protection”
- Adds a registry-based check describing
RunAsPPLBootand interaction withRunAsPPL - Adds a trailing blank line at end of file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # Check the status through events | ||
| To determine whether LSA starts in protected mode when Windows starts, take the following steps: | ||
|
|
||
| 1. Open Event Viewer. | ||
| 1. Expand **Windows Logs** > **System**. | ||
| 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**. | ||
|
|
||
| # Check the current status from the registry |
There was a problem hiding this comment.
These headings are using # (H1), which will break the document’s heading hierarchy under the existing ## Verify LSA protection section. Use a deeper heading level (for example ###) so they remain subsections of Verify LSA protection.
| # Check the status through events | |
| To determine whether LSA starts in protected mode when Windows starts, take the following steps: | |
| 1. Open Event Viewer. | |
| 1. Expand **Windows Logs** > **System**. | |
| 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**. | |
| # Check the current status from the registry | |
| ### Check the status through events | |
| To determine whether LSA starts in protected mode when Windows starts, take the following steps: | |
| 1. Open Event Viewer. | |
| 1. Expand **Windows Logs** > **System**. | |
| 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**. | |
| ### Check the current status from the registry |
| # Check the status through events | ||
| To determine whether LSA starts in protected mode when Windows starts, take the following steps: | ||
|
|
||
| 1. Open Event Viewer. | ||
| 1. Expand **Windows Logs** > **System**. | ||
| 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**. | ||
|
|
||
| # Check the current status from the registry |
There was a problem hiding this comment.
These headings are using # (H1), which will break the document’s heading hierarchy under the existing ## Verify LSA protection section. Use a deeper heading level (for example ###) so they remain subsections of Verify LSA protection.
| # Check the status through events | |
| To determine whether LSA starts in protected mode when Windows starts, take the following steps: | |
| 1. Open Event Viewer. | |
| 1. Expand **Windows Logs** > **System**. | |
| 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**. | |
| # Check the current status from the registry | |
| ### Check the status through events | |
| To determine whether LSA starts in protected mode when Windows starts, take the following steps: | |
| 1. Open Event Viewer. | |
| 1. Expand **Windows Logs** > **System**. | |
| 1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**. | |
| ### Check the current status from the registry |
| 1. Open the Registry Editor, or enter **RegEdit.exe** in the **Run** dialog, and then go to the **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** registry key. | ||
| 1. Look up the **RunAsPPLBoot** value, it shows the PPL Mode used for the current OS session. if for example it is set to "1" and **RunAsPPL** is 0, the UEFI variable is still active. |
There was a problem hiding this comment.
The second step has a comma splice and a mid-sentence capitalization issue (...value, it shows... / if for example...). Consider splitting into clearer sentences, capitalizing If, and formatting registry names/values consistently (for example, use code formatting for HKEY_LOCAL_MACHINE\\..., RunAsPPLBoot, RunAsPPL, and numeric values).
| 1. Open the Registry Editor, or enter **RegEdit.exe** in the **Run** dialog, and then go to the **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** registry key. | |
| 1. Look up the **RunAsPPLBoot** value, it shows the PPL Mode used for the current OS session. if for example it is set to "1" and **RunAsPPL** is 0, the UEFI variable is still active. | |
| 1. Open Registry Editor (enter `RegEdit.exe` in the **Run** dialog), and then go to the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` registry key. | |
| 1. Look up the `RunAsPPLBoot` value. It shows the PPL mode used for the current OS session. If, for example, it is set to `1` and `RunAsPPL` is `0`, the UEFI variable is still active. |
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
There’s an extra trailing blank line added at the end of the file. Consider removing it to avoid noisy diffs.
|
#assign: @robinharwood, @dknappettmsft Can you review the proposed changes? #label:"aq-pr-triaged" |
|
Users robinharwood are already assigned. |
…GA) (#8121) * BSL-13: refresh WS2025 baseline how-to for v2 (add Why/Benefits + Versioning sections, expand feedback) * BSL-13: bigger v2 docs rewrite (osconfig-how-to-configure-security-baselines.md) - GA scenario names, benefits (5 categories), versioning/changelog, validation * BSL-13: bigger v2 docs rewrite (osconfig-overview.md) - GA scenario names, benefits (5 categories), versioning/changelog, validation * BSL-13: overview - soften benefits wording (intent-based, no absolute claims), drop redundant per-role counts * BSL-13: overview - keep Azure Local per GA phrasing, drop disconnected-operations (not in GA docs) * BSL-13: how-to - scope to Windows Server 2025 only; remove Azure Local/DisconnectedOps/LAPS scenarios not in GA docs * BSL-13: overview - clarify audit-mode protections are initially enabled in audit mode before switching to block mode * BSL-13: keep overview platform-focused - remove baseline-specific 'why matters' + versioning, add two-scenario intro, link both how-tos in Related content * BSL-13: how-to - drop thin highlights list, fold intent-based framing into protection section * BSL-13: revert overview to current GA text (no changes) - keep PR focused on the security-baseline how-to * BSL-13: overview - drop cryptic 'Azure Local 2311.2 and later' build number, keep 'Azure Local' * BSL-13: how-to - remove internal-only version artifacts (per-role counts, v1/v2 changelog table, internal validation); keep customer-safe versioning note * BSL-13: overview - scope to Windows Server only (remove Azure Local); restructure into 'OSConfig supported scenarios' (security baselines + App Control buckets); fold platform benefits into intro * BSL-13: overview - parallel Related content wording ('Deploy ... with OSConfig') * BSL-13: how-to restructure - scenario overview, Why-it-matters, Versioning (moved up), Changelog (verified per-role counts), Implementation guide (renamed), Manage scenarios + add LAPS (MemberServer); GA scenario names confirmed against OSConfig 1.4.0 module * BSL-13: how-to - add 'Update between versions' subsection under Security baseline versioning (Update-Module + reapply + restart) * BSL-13: how-to - re-articulate Provide feedback (Problem/Suggestion, correct subcategory 'Security Configuration Management', client+server, include module version) * BSL-13: add Feedback Hub screenshot for OSConfig feedback section * BSL-13: how-to - embed Feedback Hub screenshot in Provide feedback section * BSL-13: replace Feedback Hub screenshot with light-theme version (Learn convention) * BSL-13: how-to - note that reapplying prompts to remove a previously applied baseline version * BSL-13: how-to - reorder to task-first flow (why -> what to expect -> prereqs -> install -> scenarios -> manage -> customize -> versioning -> changelog -> feedback); rename 'Implementation guide' to 'What to expect after applying the baseline' * BSL-13: how-to - rename Azure Automanage Machine Configuration to Azure Machine Configuration; expand LAPS note (standalone via Arc-enabled servers, aka.ms/LAPS4ARC link) * BSL-13: overview - rename Azure Automanage machine configuration to Azure Machine Configuration * BSL-13: correct product name to 'Azure Policy machine configuration' * BSL-13: correct product name to 'Azure Policy machine configuration' * BSL-13: apply Learn Authoring Assistant style suggestions (9: concise sentences, active voice, em-dash removal) * Refresh OSConfig security baseline docs to current Learn standards Rewrite intros (what/why/how), retype overview to concept-article, restructure, and apply metadata, links, accessibility, SEO, AI, and writing-style fixes across both articles. --------- Co-authored-by: robinharwood <19212983+robinharwood@users.noreply.github.com>
added description of runaspplboot