From 3e4f8d67218bda44029ae8769ccf156f7fbbadab Mon Sep 17 00:00:00 2001
From: Zac Bergquist <zac.bergquist@goteleport.com>
Date: Tue, 3 Dec 2024 13:41:03 -0700
Subject: [PATCH] docs: mention LSA protection

The Teleport package that is installed for RDP access as local
Windows users is not signed by Microsoft and therefore will not
load on systems with LSA protection enabled.

Updates gravitational/teleport.e#5615
---
 .../pages/enroll-resources/desktop-access/getting-started.mdx | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/pages/enroll-resources/desktop-access/getting-started.mdx b/docs/pages/enroll-resources/desktop-access/getting-started.mdx
index 3fefc79ec2b00..ce4eb8e951a52 100644
--- a/docs/pages/enroll-resources/desktop-access/getting-started.mdx
+++ b/docs/pages/enroll-resources/desktop-access/getting-started.mdx
@@ -62,6 +62,10 @@ interactively and select the Teleport certificate that you exported when prompte
    - Disables Network Level Authentication (NLA) for remote desktop services.
    - Enables RemoteFX compression, if using Teleport version 15 or newer.
 
+  Note: in order for the Windows Local Security Authority (LSA) to load the Teleport DLL,
+  [LSA protection](https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
+  must be disabled.
+
 {/*lint ignore ordered-list-marker-value*/}
 5. Restart the computer.