Windows Defender

Microsoft reports that Microsoft Defender Antivirus update KB5007651 triggers Windows Security Warnings on Windows 11 systems indicating that Local Security Authority (LSA) protection is disabled.

LSA protection is a security feature that protects sensitive information such as credentials from theft by blocking untrusted LSA code injection and process memory dumping.

Many user reports state that “Local Security Authority protection is disabled. Your device may be vulnerable” warnings appear even when LSA protection is enabled, as BleepingComputer reported Monday.

Today, Microsoft acknowledged that this is a new known issue causing affected Windows devices to persistently warn that they are vulnerable and that a restart is required after LSA protection is switched on.

Redmond says persistent reboot alerts will only show up on systems running Windows 11 21H2 and 22H2.

“After installing ‘Update for Microsoft Defender Antivirus Antimalware Platform – KB5007651 (Version 1.0.2302.21002)’, you may receive a security notification or warning that ‘Local security protection is disabled. Your device may be vulnerable.’ and once the protections are activated, your Windows device may constantly ask that a restart is needed,” Redmond explains.

“This issue only affects ‘Update for Microsoft Defender Antivirus Antimalware Platform – KB5007651 (Version 1.0.2302.21002).’ All other Windows updates released on March 14, 2023 for affected platforms (KB5023706 and KB5023698) do not cause this issue.”

Workaround available

Microsoft says it is working on a fix for persistent LSA protection warning issues and will provide more information as it becomes available.

The company is also offering a workaround for affected customers until a resolution is available, instructing them to ignore reboot notifications.

“If you have enabled Local Security Authority (LSA) protection and restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications requesting a restart,” the company says.

To check whether LSA has indeed started in protected mode on your computer when Windows starts, you can look for the following WinInit event in the system logs under Windows Logs: “12: LSASS.exe was started as a protected process with the level: 4”
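The event check described above can be scripted. The following PowerShell is an added example, not code from Microsoft or from this article; it assumes the event is written by the `Microsoft-Windows-Wininit` provider and that the event message is in English, as quoted above.

```powershell
# Added example: check whether LSASS started as a protected process on the current boot.
# Assumptions: provider name 'Microsoft-Windows-Wininit'; English event message text.

# Time of the last full boot, used to ignore events from earlier boots.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 12
    StartTime    = $boot
}

# Newest matching event only. Get-WinEvent raises an error when nothing matches,
# which is suppressed so that "no event found" can be reported as a result.
$evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

# Extract the protection level from the message, e.g. "... with the level: 4".
$level = $null
if ($evt -and $evt.Message -match 'level:\s*(\d+)') {
    $level = [int]$Matches[1]
}

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    LastBoot        = $boot
    EventTime       = $(if ($evt) { $evt.TimeCreated } else { $null })
    ProtectionLevel = $level
    LsaProtected    = [bool]$evt
}
```

`LsaProtected` set to `False` means only that no such event was found in the System log since the last boot.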

While BleepingComputer reported that the warnings can be ignored by adding two registry entries, Microsoft says it “does not recommend any other workarounds for this problem”.

Redmond also announced earlier this month that it would enable Local Security Authority (LSA) protection by default for Windows 11 Insiders in the Canary channel if their systems pass an incompatibility audit check (Microsoft has not yet explained the compatibility issues it checks for).
