Enable lock pages in memory configuration on Github-hosted windows runners

[diogomatsubara]

Why are you starting this discussion?

Question

What GitHub Actions topic or product is this about?

Actions Runner

Discussion Details

We have a CI job that requires the following registry edit:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v LockedPagesLimit /t REG_DWORD /d 0 /f

After the edit this requires a reboot of the instance to take effect. If the runner is rebooted, I believe the job will automatically fail. Is there any way to preconfigure the instance to have such config before startup? Or any way to make the change and reboot the instance so they can take effect?

[Denoroy737]

Hi, @diogomatsubara

GitHub-hosted runners cannot be rebooted or preconfigured with custom registry edits like LockedPagesLimit. Each runner instance is ephemeral, meaning it’s destroyed after each job.

To use that configuration, you must:

• Self-host a Windows runner where you have admin access.
• Apply the registry edit and reboot that machine manually once.
• Register it as a self-hosted runner in your repository or organization.

Official docs:
🔗 GitHub Docs – Hosting your own runners

[Aqib121201]

The simplest fix is to run this job on a self hosted Windows runner. GitHub hosted runners are ephemeral and you cannot reboot or preseed them with registry or local security policy changes, so LockedPagesLimit and the Lock pages in memory right will never take effect there.

To confirm the change works after you switch to a self hosted runner, run whoami /priv and check that Lock pages in memory shows as Enabled for the runner service account.

I have coded a self contained setup you can use on your own Windows VM before registering the runner

secedit /export /cfg C:\sec.cfg
(Get-Content C:\sec.cfg) -replace '^SeLockMemoryPrivilege =.*$', 'SeLockMemoryPrivilege = *S-1-5-32-544,CONTOSO\runner' |
  Set-Content C:\sec.cfg
secedit /configure /db C:\Windows\Security\Local.sdb /cfg C:\sec.cfg /areas USER_RIGHTS

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v LockedPagesLimit /t REG_DWORD /d 0 /f

Restart-Computer

Then target that runner in your workflow

jobs:
  build:
    runs-on: [self-hosted, windows]
    steps:
      - name: Check privilege
        run: whoami /priv

If using a domain or managed environment, you can also push the setting via Group Policy and grant the privilege to the runner service account, then restart the machine once. As a fallback if you cannot host your own runner, remove the LockedPages requirement from the job or run that step on infrastructure you control outside of GitHub Actions.

If this solved it please mark the answer as helpful so others can find it easily.

[ianhaws198]

That’s an interesting setup challenge reminds me of how Top Long Range Private Jet Providers UK handle pre-flight configurations to ensure everything’s optimized before takeoff, much like preconfiguring your instance before the CI job runs.