Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on.
LSA protection is a crucial security feature for defending against the theft of sensitive information, such as login credentials, by blocking process memory dumping and untrusted code injection into the LSA process.
It ensures that only authorized entities can gain access to the critical info required for user authentication and system security.
While Windows users report that this issue is caused by the recently released KB5023706 Windows 11 22H2 cumulative update, this has been happening since at least January 15.
The "Local Security Authority protection is off. Your device may be vulnerable." warnings show up even though LSA Protection is enabled in Windows Security > Device security > Core isolation details.
"There is a technical glitch with this feature, if you have successfully turned on this feature and you are being prompted to restart, kindly note that the feature is ON irrespective of the message as this is a technical glitch that we are aware of and we are working to resolve that issue soonest," Microsoft Technical support representative reportedly told one of the affected users.
To check if LSA had actually started in protected mode on your computer when Windows started, you can search for the following WinInit event in the System logs under Windows Logs: "12: LSASS.exe was started as a protected process with level: 4"
How to remove the LSA Protection alerts
Until Microsoft rolls out a fix for this Windows 11 Local Security Authority glitch, you have to add two new DWORD registry entries and set them to '2' to ensure that the LSA Protection feature is automatically enabled after the next restart, and the faulty warnings will no longer be shown.
The procedure requires you to go through these steps:
- Open the Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Add new RunAsPPL and RunAsPPLBoot DWORD entries and set them to 2.
- Restart the system.
Earlier this month, Redmond announced that the latest Windows 11 build rolling out to Insiders in the Canary channel would also enable Local Security Authority (LSA) Protection by default.
However, this will only happen if the systems pass an audit check for incompatibilities (Microsoft is yet to explain what compatibility issues it's checking for).
In February 2022, Microsoft said it would toggle on a Microsoft Defender "Attack Surface Reduction" security rule by default that would also block attempts to steal Windows credentials from the Local Security Authority Subsystem Service (LSASS) process.
Comments
cybermalin - 11 months ago
And thanks for the help!
cybermalin - 11 months ago
wtf my comment disappeared - Hey, so, RunAsPPL already existed and was set to 2, does it still work to just add RunAsPPLBoot? I'm severely technically challenged and scared that I'll accidentally blow up my computer by doing something wrong. Oh and maybe add a link to an explanation on how to add entries in regedit, might seem like obvious stuff to you, but some of us are slow.
Mr.Tom - 11 months ago
It's probably best to just leave it alone and let Microsoft fix it. I'm sure once they make the repair the warning will disappear and everything will be normal.
DMW33 - 11 months ago
It's fine, you're only enabling the security policy to run, not messing with system boot entries, chillax.
In regedit at LSA right click in the right side pane and choose new D-word value, then type the name RunAsPPLBoot, or you can right click and choose rename. Then open it and set the value to 2. Close it, restart computer and problem solved. Seems to stick and warning gone too. No need to wait for Microsoft.
Thanks Sergiu