From 8a6a3d34b60d68de2695c422067168f389ff07dc Mon Sep 17 00:00:00 2001
From: Zac Bergquist <zac.bergquist@goteleport.com>
Date: Tue, 3 Dec 2024 13:41:03 -0700
Subject: [PATCH] docs: mention LSA protection

The Teleport package that is installed for RDP access as local
Windows users is not signed by Microsoft and therefore will not
load on systems with LSA protection enabled.

Updates gravitational/teleport.e#5615
---
 .../pages/enroll-resources/desktop-access/getting-started.mdx | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/pages/enroll-resources/desktop-access/getting-started.mdx b/docs/pages/enroll-resources/desktop-access/getting-started.mdx
index 1b24837f80ca9..dc2f3f715f18f 100644
--- a/docs/pages/enroll-resources/desktop-access/getting-started.mdx
+++ b/docs/pages/enroll-resources/desktop-access/getting-started.mdx
@@ -62,6 +62,10 @@ interactively and select the Teleport certificate that you exported when prompte
    - Disables Network Level Authentication (NLA) for remote desktop services.
    - Enables RemoteFX compression, if using Teleport version 15 or newer.
 
+  Note: in order for the Windows Local Security Authority (LSA) to load the Teleport DLL,
+  [LSA protection](https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
+  must be disabled.
+
 {/*lint ignore ordered-list-marker-value*/}
 5. Restart the computer.