Update LSA protection configuration documentation

[HerbertMauerer]

added description of runaspplboot

[prmerger-automator]

@HerbertMauerer : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

[learn-build-service-prod]

Learn Build status updates of commit edbd228:

⚠️ Validation status: warnings

File	Status	Preview URL	Details
WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md	⚠️Warning		Details

WindowsServerDocs/security/credentials-protection-and-management/configuring-additional-lsa-protection.md

• Line 243, Column 1: [Warning: multiple-h1s - See documentation] Multiple H1s(H1 'Check the status through events') are not allowed. You can only have one top-level heading.
• Line 250, Column 1: [Warning: multiple-h1s - See documentation] Multiple H1s(H1 'Check the current status from the registry') are not allowed. You can only have one top-level heading.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.

[Copilot]

Pull request overview

Adds guidance for verifying LSA protection by documenting the RunAsPPLBoot registry value and how to interpret it for the current OS session.

Changes:

• Adds an Event Viewer-based check section under “Verify LSA protection”
• Adds a registry-based check describing RunAsPPLBoot and interaction with RunAsPPL
• Adds a trailing blank line at end of file

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

These headings are using # (H1), which will break the document’s heading hierarchy under the existing ## Verify LSA protection section. Use a deeper heading level (for example ###) so they remain subsections of Verify LSA protection.

Suggested change

	# Check the status through events
	To determine whether LSA starts in protected mode when Windows starts, take the following steps:
	1. Open Event Viewer.
	1. Expand **Windows Logs** > **System**.
	1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
	# Check the current status from the registry
	### Check the status through events
	To determine whether LSA starts in protected mode when Windows starts, take the following steps:
	1. Open Event Viewer.
	1. Expand **Windows Logs** > **System**.
	1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
	### Check the current status from the registry

[Copilot]

These headings are using # (H1), which will break the document’s heading hierarchy under the existing ## Verify LSA protection section. Use a deeper heading level (for example ###) so they remain subsections of Verify LSA protection.

Suggested change

	# Check the status through events
	To determine whether LSA starts in protected mode when Windows starts, take the following steps:
	1. Open Event Viewer.
	1. Expand **Windows Logs** > **System**.
	1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
	# Check the current status from the registry
	### Check the status through events
	To determine whether LSA starts in protected mode when Windows starts, take the following steps:
	1. Open Event Viewer.
	1. Expand **Windows Logs** > **System**.
	1. Look for the following **WinInit** event: **12: LSASS.exe was started as a protected process with level: 4**.
	### Check the current status from the registry

[Copilot]

The second step has a comma splice and a mid-sentence capitalization issue (...value, it shows... / if for example...). Consider splitting into clearer sentences, capitalizing If, and formatting registry names/values consistently (for example, use code formatting for HKEY_LOCAL_MACHINE\\..., RunAsPPLBoot, RunAsPPL, and numeric values).

Suggested change

	1. Open the Registry Editor, or enter **RegEdit.exe** in the **Run** dialog, and then go to the **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** registry key.
	1. Look up the **RunAsPPLBoot** value, it shows the PPL Mode used for the current OS session. if for example it is set to "1" and **RunAsPPL** is 0, the UEFI variable is still active.
	1. Open Registry Editor (enter `RegEdit.exe` in the **Run** dialog), and then go to the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` registry key.
	1. Look up the `RunAsPPLBoot` value. It shows the PPL mode used for the current OS session. If, for example, it is set to `1` and `RunAsPPL` is `0`, the UEFI variable is still active.

[Copilot]

There’s an extra trailing blank line added at the end of the file. Consider removing it to avoid noisy diffs.

Suggested change

[ttorble]

#assign: @robinharwood, @dknappettmsft

@robinharwood @dknappettmsft

Can you review the proposed changes?

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

[prmerger-automator]

Users robinharwood are already assigned.