Known Issues: Problems with Booting ATMs

2 min. readlast update: 06.06.2025

Overview

As of Windows 11 version 22H2, Microsoft has implemented the automatic creation of the RunAsPPL registry key. Windows versions before this do not contain this registry key. When installing the ThreatLocker agent, this registry key is automatically created on the machine, which can cause issues in ATMs, resulting in black screens upon the machine's next reboot. ThreatLocker has an existing option that can be enabled in your organization to ensure the registry key is not created.

Known Problem

Devices such as ATMs that use custom operating systems that run older versions of Windows might experience issues upon downloading ThreatLocker. By default, ThreatLocker will create a registry key called RunAsPPL found in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry path. This registry key will be given the value of 2.

When this registry key is created, upon the next reboot of the ATM, the device might encounter a black screen and suffer issues with booting. The way to resolve these issues is by enabling the Option 'DisableLSAProtection' in the organization to which the affected machine belongs.

Options can be applied to the entire organization or the computer group level.

By Computer Group

To apply an Option at the computer group level, navigate to the 'Devices' page using the left-hand side of the portal.

Select the 'Groups' tab on the top right side of the page.

Next, select the computer group to which you will apply this Option.

A side panel will now appear titled 'Edit Computer Group'. From here, select the 'Options' tab.

By Entire Organization

First, navigate to the 'Organizations' page using the left-hand side of the ThreatLocker Portal.

Select the 'gear' icon to the right of the affected Organization Name.

This will open the 'Edit Organization Settings' page. Here, navigate to the 'Options' tab.

Further Enabling the Fix

In the options tab, enter 'DisableLSAProtection' within the provided field and select the 'Save' button.

Upon inclusion of the 'DisableLSAProtection' Option, the affected device(s) will need to be restored prior to when ThreatLocker was installed. Once this restore has been completed, the ThreatLocker agent can be reinstalled on the machine. With the existence of this Option, the RunAsPPL registry key will NOT be created, and the machine will boot properly.

Was this article helpful?