SAML PPL requirements


Symptoms

After successful authentication via SAML, you are presented with the message "To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you're in doesn't have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually."

When you click "OK", the SAML identity is not used for the logon; instead you are shown the regular Network Level Authentication (NLA) prompt asking for Windows user credentials.

Cause

Since Windows 8.1 and Windows Server 2012 R2, Windows can run the Local Security Authority Subsystem Service (LSASS) as a Protected Process Light, a feature Microsoft calls LSA Protection. On those versions it is disabled by default. Enabling it renders SAML authentication nonfunctional, so LSA Protection must be disabled for SAML authentication to work.

PPL (Protected Process Light) is a Windows process protection level, not an integrity level. Non-protected processes, even those running as an administrator or as SYSTEM, are denied read and write access to a PPL process's memory, and only binaries signed for the required protection level can be loaded into it. Applied to LSASS, this is the mitigation that stops tools from reading cached credentials and password hashes out of LSASS memory. Disabling it for SAML therefore removes a credential-theft protection on that host: restrict who holds local administrator rights there, monitor for processes opening LSASS memory, and record the exception.

Screenshots (not reproduced here) showed the updates present on Windows Server 2025 Preview and on Windows Server 2022.

Resolution

On Windows 8.1 / Windows Server 2012 R2 and later, if LSA Protection was enabled with the UEFI lock (RunAsPPL = 1, or the Group Policy option "Enabled with UEFI Lock"), the setting is also persisted in a UEFI firmware variable and cannot be turned off from within Windows; clearing the registry value alone has no effect. The variable must be cleared with Microsoft's LSA Protected Process Opt-out tool (LSAPPLConfig.efi), run from the UEFI shell or boot media, followed by a reboot.

On Windows 11 22H2 and later the feature is enabled by default without the UEFI lock. In that case it can be disabled through the registry by setting RunAsPPL to 0 or deleting the property, followed by a reboot. If the value is pushed by Group Policy (Computer Configuration > Administrative Templates > System > Local Security Authority > Configure LSASS to run as a protected process), change it there; otherwise the policy will re-apply it at the next refresh.

Get the current value of RunAsPPL (a missing property or 0 means LSA Protection is not configured, 2 means enabled without UEFI lock, 1 means enabled with UEFI lock):

Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' RunAsPPL

If the value is 2, set it to 0 to disable the extra protection, then reboot:

Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' RunAsPPL 0

If the value is 1, the registry change alone is not sufficient; the UEFI variable must be cleared as described above. After the reboot, the System event log should no longer contain a WinInit event reporting that LSASS.exe was started as a protected process.
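The following PowerShell is an added example and is not part of the original article or the vendor's tooling. It inspects the RunAsPPL state, distinguishes the case that can be fixed from the registry (value 2) from the UEFI-locked case (value 1), and refuses to make a change that Group Policy would immediately revert. Two details are assumptions rather than facts from this article: the policy-managed location HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\RunAsPPL, and the use of the WinInit System-log event (ID 12, "LSASS.exe was started as a protected process") to confirm what LSASS actually started as at the last boot. Verify both against your own environment.

```powershell
# Added example, not from the original article.
# Reports LSA Protection (RunAsPPL) state and disables it only when that is
# possible from within Windows, i.e. when it is enabled WITHOUT the UEFI lock.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumption: location written by the "Configure LSASS to run as a protected process" policy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-LsaPplState {
    # Never throws when the property is absent; $null means "not configured".
    $local  = (Get-ItemProperty -Path $LsaKey    -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $policy = (Get-ItemProperty -Path $PolicyKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    if     ($null -eq $local) { $meaning = 'not configured in the registry' }
    elseif ($local -eq 0)     { $meaning = 'disabled' }
    elseif ($local -eq 1)     { $meaning = 'enabled WITH UEFI lock; registry change alone cannot disable it' }
    elseif ($local -eq 2)     { $meaning = 'enabled without UEFI lock; can be disabled via registry' }
    else                      { $meaning = "unrecognised value $local" }

    # Assumption: WinInit logs event 12 in the System log when LSASS starts as PPL.
    # Event ID 12 is also used by other providers, so match on the message text.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -MaxEvents 50 -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -like '*LSASS.exe was started as a protected process*' } |
           Select-Object -First 1

    [pscustomobject]@{
        RunAsPPL        = $local
        Meaning         = $meaning
        ManagedByPolicy = ($null -ne $policy)
        PolicyValue     = $policy
        LastBootStatus  = if ($evt) { $evt.Message.Trim() } else { 'no WinInit protected-process event found since last boot' }
    }
}

function Disable-LsaPplIfUnlocked {
    # ConfirmImpact High: prompts before changing the key unless -Confirm:$false is passed.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $state = Get-LsaPplState

    if ($state.ManagedByPolicy) {
        Write-Warning "RunAsPPL is set by Group Policy (value $($state.PolicyValue)). Change the policy; a local edit would be re-applied."
        return $state
    }
    if ($state.RunAsPPL -eq 1) {
        Write-Warning 'UEFI lock is active. Clear the firmware variable with the LSA Protected Process Opt-out tool (LSAPPLConfig.efi), then reboot.'
        return $state
    }
    if ($state.RunAsPPL -eq 2) {
        $action = 'Set RunAsPPL = 0 (disable LSA Protection; LSASS memory becomes readable by admin-level processes)'
        if ($PSCmdlet.ShouldProcess($LsaKey, $action)) {
            Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 0 -Type DWord
            Write-Warning 'RunAsPPL set to 0. Reboot before retesting SAML sign-in.'
        }
        return Get-LsaPplState
    }

    Write-Host 'LSA Protection is not enabled via RunAsPPL; nothing to change.'
    return $state
}

# Usage: review first, then run the disable step (drop -WhatIf to apply; you will be prompted).
Get-LsaPplState | Format-List
Disable-LsaPplIfUnlocked -WhatIf
```

Run it from an elevated PowerShell. The state object tells you which of the three resolution paths applies before anything is changed, and the ShouldProcess prompt makes the trade-off (LSASS memory becomes readable again) explicit at the point where the change is made.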
