Microsoft says the latest version of Windows 11 rolling out to Insiders in the Canary channel will enable Local Security Authority (LSA) protection by default.
LSA protection is crucial in guarding against the theft of sensitive information or login credentials by blocking the injection of untrusted code into the LSA process and blocking the memory dump of the process.
As described by Microsoft in the Windows 11 security app, it “helps protect user credentials by preventing unsigned drivers and plug-ins from loading in the Local Security Authority.”
In simpler terms, LSA protection acts as a gatekeeper, ensuring that only authorized entities can access critical information required for user authentication and system security.
However, there are caveats as this new Windows 11 security option will only be enabled if it passes an audit checking for system incompatibilities (Microsoft hasn’t explained which compatibility issues it checks for).
“Starting with the upgrade, we will be auditing for a period of time to check for incompatibilities with LSA protection. If we don’t detect any incompatibilities, we will automatically enable LSA protection,” Microsoft’s Amanda Langowski and Brandon LeBlanc said.
Windows Insiders can check if LSA protection is enabled on their systems by opening the Windows Security app and navigating to the Device Security > Core Isolation page.
They can also use the Windows Event Log to check for blocked LSA plug-ins and drivers by opening Event Viewer and looking for events with IDs 3033 and 3063 under Microsoft-Windows-Codeintegrity/Operational.
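The same two checks can be scripted. The following PowerShell is an added example, not part of the original article: it reads the configured LSA protection state and summarizes event IDs 3033 and 3063 from the Code Integrity log. The `RunAsPPL` registry value and its meanings come from Microsoft's LSA protection documentation rather than from this article, and filtering on `lsass.exe` in the rendered event message is an assumption about how these events name the process.

```powershell
# Added example; run in an elevated PowerShell session.

# 1. Configured state of LSA protection (RunAsPPL value under the Lsa key).
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

if     ($runAsPpl -eq 1) { $state = 'enabled (with UEFI lock)' }
elseif ($runAsPpl -eq 2) { $state = 'enabled (without UEFI lock)' }
else                     { $state = 'not configured in the registry' }
"LSA protection: $state"

# 2. Blocked loads: event IDs 3033 and 3063 in the Code Integrity log.
$filter = @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3033, 3063
}
# Get-WinEvent raises an error when nothing matches, so suppress it and
# treat an empty result as "nothing blocked".
# Assumption: the message text names lsass.exe as the loading process.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' }

if (-not $events) {
    'No blocked LSA plug-ins or drivers recorded.'
} else {
    # One row per distinct (event ID, message) pair, most frequent first.
    $events |
        Group-Object -Property Id, Message |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count    = $_.Count
                EventId  = $_.Group[0].Id
                # Get-WinEvent returns newest events first.
                LastSeen = $_.Group[0].TimeCreated
                Message  = $_.Group[0].Message
            }
        } | Format-List
}
```

The registry value shows what is configured, so the Windows Security app remains the place to confirm the state the running system reports.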
In February 2022, Microsoft also said that it would by default enable a Microsoft Defender “Attack Surface Reduction” security rule to block attempts to steal Windows credentials from the Local Security Authority Subsystem Service (LSASS) process.
BleepingComputer is still waiting for Microsoft to respond to an email asking when this rule will be enabled by default.
Windows 11 Insider Preview build 25314 rolling out today to Insiders in the Canary channel further increases Windows 11 security by disabling the Remote Mail Slot Protocol by default.
Today, Microsoft also published a new preview version of Windows 11 for the restarted Dev channel, which includes several new features, such as a new notification toast button for copying 2FA codes, File Explorer access keys, and a new VPN status indicator.