Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on.
LSA protection is a crucial security feature for defending against the theft of sensitive information, such as login credentials, by blocking process memory dumping and untrusted code injection into the LSA process.
It ensures that only authorized entities can gain access to the critical info required for user authentication and system security.
While Windows users report that this issue is caused by the recently released KB5023706 Windows 11 22H2 cumulative update, this has been happening since at least January 15.
The “Local Security Authority protection is off. Your device may be vulnerable.” warnings show up even though LSA Protection is enabled in Windows Security > Device security > Core isolation details.
“There is a technical glitch with this feature, if you have successfully turned on this feature and you are being prompted to restart, kindly note that the feature is ON irrespective of the message as this is a technical glitch that we are aware of and we are working to resolve that issue soonest,” Microsoft Technical support representative reportedly told one of the affected users.
To check if LSA had actually started in protected mode on your computer when Windows started, you can search for the following WinInit event in the System logs under Windows Logs: “12: LSASS.exe was started as a protected process with level: 4”
How to remove the LSA Protection alerts
Until Microsoft rolls out a fix for this Windows 11 Local Security Authority glitch, you have to add two new DWORD registry entries and set them to ‘2’ to ensure that the LSA Protection feature is automatically enabled after the next restart, and the faulty warnings will no longer be shown.
The procedure requires you to go through these steps:
- Open the Registry Editor and go to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
- Add new RunAsPPL and RunAsPPLBoot DWORD entries and set them to 2.
- Restart the system.
Earlier this month, Redmond announced that the latest Windows 11 build rolling out to Insiders in the Canary channel would also enable Local Security Authority (LSA) Protection by default.
However, this will only happen if the systems pass an audit check for incompatibilities (Microsoft is yet to explain what compatibility issues it’s checking for).
In February 2022, Microsoft said it would toggle on a Microsoft Defender “Attack Surface Reduction” security rule by default that would also block attempts to steal Windows credentials from the Local Security Authority Subsystem Service (LSASS) process.
