Microsoft has released a recent Microsoft Defender update that is supposed to fix a known issue triggering persistent reboot alerts and Windows security warnings that Local Security Authority (LSA) protection is disabled.
LSA protection helps protect Windows users against credential theft attempts by preventing the memory dump of the LSASS process and the injection of untrusted code into the LSASS.exe process, which would otherwise allow the extraction of sensitive information.
Redmond says persistent reboot alerts triggered by this known issue will only appear on Windows 11 21H2 and 22H2 systems.
A subsequent Microsoft Defender update released weeks later LSA protection function UI setting override with a new feature called Kernel-mode hardware-enhanced stack protection. Unfortunately, Microsoft did not document this change, which confused users.
“LSA protection has not been removed – it is still built-in and enabled by default on Windows 11 machines. In the latest Windows Insider Preview, an update changed the appearance of the user interface (UI) to this feature,” Microsoft told BleepingComputer, incorrectly saying it was only in Windows 11 Insider builds when it was already available in Windows 11 22H2.
A week later, on April 26, Redmond announced that they fixed the LSA protection UI issuehowever, this was simply done by removing the setting in the KB5007651 Defender update to ensure that confusing alerts would no longer be displayed in the Windows Settings app.
Defender update causing random blue screens and reboots
Today Redmond revealed that it has decided to stop pushing the KB5007651 Defender update due to blue screens or unexpected system reboots during games affecting Windows 11 systems where the Defender update has been deployed.
“This known issue was previously addressed with an update for Microsoft Defender Antivirus Antimalware Platform KB5007651 (version 1.0.2303.27001) but issues have been detected and this update is no longer being offered to devices”, Microsoft said.
“If you have installed version 1.0.2303.27001 and receive an error with a blue screen, or if your device restarts when you try to open certain games or applications, you will need to disable hardware-enhanced battery protection in kernel mode .”
To disable kernel-mode HSP, you’ll need to navigate to Device Security > Kernel Isolation in the Windows Security app and toggle the “Hardware-enhanced stack protection in kernel mode” feature.
However, Microsoft does not provide any information on what affected users who have already installed KB5007651 should do to resolve system reboots and blue screens caused by this buggy Defender update other than to disable the Enhanced Battery Protection feature. by kernel-mode hardware.
Some of the conflicting game anti-cheat drivers causing Windows crashes or conflicts when kernel mode HSP is enabled include PUBG, Valorant (Riot Vanguard), blood hunt, Destiny 2, Genshin Impact, Star Fantasy Online 2 (Game Guard), and Dayz.
Workaround available until a fix is released
Microsoft says it is working on another fix for the incessant LSA protection warnings affecting Windows 11 systems and will provide more details as soon as possible.
Redmond also shared a workaround for customers who haven’t installed KB5007651 and are still seeing reboot warnings, instructing them to ignore reboot notifications.
“If you have enabled Local Security Authority (LSA) protection and restarted your device at least once, you can ignore warning notifications and ignore any additional notifications requesting a restart,” the company says. .
You can check if the feature is enabled on your computer using Windows Event Viewer by looking for a Wininit event that says “LSASS.exe was started as a protected process with level: 4”, indicating that the process is isolated and protected by LSA. Protection.
Whereas BleepingComputer has previously reported Although these warnings can be avoided by adding two registry entries, Microsoft does not “recommend any other workarounds for this problem”.
Two months ago, Microsoft announced that LSA protection would be enabled by default for Windows 11 Insiders in the Canary channel if their systems have passed an incompatibility audit check.
A confusing mess
Microsoft continues to confusingly discuss kernel-mode hardware-enhanced stack protection in troubleshooting steps regarding LSA protection.
Microsoft has specifically told BleepingComputer in the past that the two features are unrelated, but they continue to confuse them in support bulletins.
“Hardware-enforced LSA and kernel-mode stack protection are separate settings. In the latest Windows Insider Preview, the kernel-mode HSP setting was added. It does not replace LSA protection,” said Microsoft at BleepingComputer.
However, even this information is incorrect, as the kernel-mode HSP is already in production builds and not just Windows Insider previews, leading to even more confusion.
Microsoft still hasn’t released official documentation on kernel-mode hardware-enforced stack protection, although it’s been available in Windows 11 for almost a month.