Microsoft is again offering an update to Defender Antivirus (first released in April and retired in May) that fixes a known issue triggering Windows security warnings that Local Security Authority (LSA) protection is disabled.
Microsoft recognized this issue affects Windows 11 21H2 and 22H2 systems after numerous user reports about “Local Security Authority protection is disabled. Your device may be vulnerable.” warnings, although LSA protection has already been enabled.
LSA protection protects Windows users against credential theft by blocking the injection of untrusted code into the LSASS.exe process, which could help attackers extract sensitive information.
While Redmond claims the issue stems from a faulty Microsoft Defender Antivirus anti-malware platform update released in May, affected customers have reported seeing these LSA protection alerts since at least January 15.
“This issue has been addressed in an update for Windows Security Platform Antimalware Platform KB5007651 (Version 1.0.2306.10002),” Microsoft said on Wednesday.
“If you want to install the update before it is automatically installed, you will need to Check for updates.”
April 26, Redmond first released Microsoft Defender update KB5007651 to resolve the known issue and help users get rid of persistent Windows Security restart alerts.
However, this was done by removing the setting in the Defender update to ensure that confusing warnings would no longer be displayed in the Windows Settings app.
Almost a month later, on May 17, the company shut down pushing KB5007651 to affected users due to blue screens or unexpected system reboots while gaming on Windows 11 after installing the update.
“This known issue was previously addressed with an update for Microsoft Defender Antivirus KB5007651 Antimalware Platform (version 1.0.2303.27001), but issues have been detected and this update is no longer being offered to devices”, Microsoft said at the time.
“If you have installed version 1.0.2303.27001 and receive an error with a blue screen, or if your device restarts when you try to open certain games or applications, you will need to disable hardware-enhanced stack protection in kernel mode. “
Workaround also available
Redmond has also provided a temporary fix for customers who can’t immediately install KB5007651, with the company advising them to ignore reboot notifications.
“If you have Local Security Authority (LSA) protection enabled and you have already restarted your device at least once, you can ignore warning notifications and ignore any other notifications requesting a restart,” Microsoft says. .
To check if LSA protection is enabled on your computer, you can use the Windows Event Viewer and look for “LSASS.exe was started as a protected process with level: 4”. Wininit event that confirms that the process is isolated and secured by LSA Protection.
While beepingComputer previously suggested a method involving adding two registry entries to suppress these warnings, Microsoft explicitly states that they “do not recommend any other workarounds for this problem”.
Two months ago, in March, Microsoft announced that LSA protection would be enabled by default for Windows 11 Insiders in the Canary channel, provided their systems have passed an incompatibility audit check.