In a confusing mess, a recent update to Microsoft Defender rolled out a new security feature called “Kernel Mode Hardware-Enhanced Stack Protection”, while removing the LSA protection feature. Unfortunately, Microsoft has provided no documentation of this change, which raises more questions than answers.

Local Security Authority protection, also known as LSA protection, is a security feature that protects sensitive information, such as credentials, from theft by blocking the injection of untrusted code into the LSASS process and dumping the memory of the LSASS process.

Windows users can enable LSA protection in the Windows Security > Device Security > Core insulation settings page for processors that support virtualization.

However, for the past few weeks, Windows 11 users have been complaining that they cannot enable local security authority protection security feature in Windows security settings “Core Isolation”.

When attempting to do so, Windows prompts users to restart the computer to activate the feature, but upon restart it would not be activated and Windows would display a restart prompt again.

Repeated LSA protection warning
Repeated LSA protection warning

Microsoft later said that if you enabled LSA protection and restarted your device at least once, you could ignore these warnings.

A a workaround was also provided to check if LSA protection is enabled and how to configure two registry keys to disable the warning.

Microsoft Defender update creates confusion

A Microsoft Defender recent update made this feature even more confusing, because after installing it, the LSA protection feature is removed and replaced with a new feature called kernel-mode hardware-enhanced stack protection.

Kernel-mode hardware-enforced stack protection is a security feature that attempts to prevent Return Oriented Programming (ROP)-based control flow attacks that could lead to code execution.

“For code running in kernel mode, the processor confirms requested return addresses with a second copy of the address stored in the shadow stack to prevent attackers from substituting an address that runs malicious code instead,” explains the Windows Kernel-mode Hardware-enforced Stack. Protection setting.

“Note that not all drivers are compatible with this security feature.”

However, to use this feature, a Windows device must use Intel Tiger Lake processors or AMD Zen3 and later processors. Therefore, Windows will only show this new setting if the device has the required hardware.

Like memory integrity, when enabling hardware-enhanced stack protection in kernel mode, Windows will ensure that no incompatible drivers are loaded in Windows. If there are, the Stack Protection feature will not activate and Windows will display a list of incompatible drivers.

Windows 11 users are now reporting see Windows Security Notifications that the new feature is disabled due to conflicting drivers.

“Kernel-mode hardware-enforced stack protection is disabled. Your device may be vulnerable,” reads a warning in Windows Security Center.

New kernel-mode hardware-enhanced stack protection setting
New kernel-mode hardware-enhanced stack protection setting
Source: BleepingComputer

However, when they look at the list, it’s empty, making it difficult to enable the feature.

Worse still, some conflicting game anti-cheat drivers are not detected as incompatible, and kernel-mode hardware-enhanced stack protection is still enabled. These conflicting drivers cause Windows to hang or games to crash when security is enabled and a game is launched.

Windows 11 users reported these issues for PUBG, Valorant (Riot Vanguard), blood hunt, Destiny 2, Genshin Impact, Star Fantasy Online 2 (Game Guard) and Dayz.

Hardware-enforced stack protection warning for incompatible driver
Hardware-enforced stack protection warning for incompatible driver
Source: Reddit

What happened to LSA protection?

Even more frustratingly, Windows 11 users can no longer enable LSA protection, which did not require newer processors, from Windows Security Settings.

It’s not even clear whether LSA protection is integrated into kernel-mode hardware-enforced stack protection or has been removed entirely from the Windows Settings interface, forcing users to activate it manually through the registry.

Additionally, there has been no advice from Microsoft about exchanging these security features or adding kernel-mode hardware-enhanced stack protection other than the brief description found in Windows Security and scattered documentation. [1, 2, 3] on the battery protection feature.

BleepingComputer asked Microsoft about the new Stack Protection feature if LSA protection is now built into it, and about any conflicts users are experiencing.

This article will be updated with any responses we receive.



Source link