Windows 11 bug

Windows 11 users report seeing widespread Windows security warnings that Local Security Authority (LSA) protection has been disabled even though it appears to be enabled.

LSA protection is a crucial security feature to defend against the theft of sensitive information, such as login credentials, by blocking process memory dumping and the injection of untrusted code into the LSA process.

It ensures that only authorized entities can access critical information required for user authentication and system security.

While Windows users report that this issue is caused by the recently released KB5023706 cumulative update for Windows 11 22H2, it has been happening since at least January 15.

The “Local security authority protection is disabled. Your device may be vulnerable.” warnings appear even if LSA protection is enabled in Windows Security > Device Security > Core Isolation Details.

“There is a technical issue with this feature, if you have successfully enabled this feature and you are prompted to reboot, please note that the feature is enabled regardless of the message as this is a technical issue which we are aware and are working to resolve this issue as soon as possible,” a Microsoft Support representative reportedly told one of the affected users.

To check whether LSA has indeed started in protected mode on your computer when Windows starts, you can look for the following WinInit event in the system logs under Windows Logs: “12: LSASS.exe was started as a protected process with the level: 4”

How to suppress LSA protection alerts

Until Microsoft rolls out a fix for this Windows 11 Local Security Authority issue, you must add two new DWORD registry entries and set them to “2” to ensure that the LSA protection feature is automatically activated after the next reboot and that the faulty warnings will no longer be displayed.

The procedure requires you to go through these steps:

  1. Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Add new RunAsPPL and RunAsPPLBoot DWORD entries and set them to 2.
  3. Restart the system.
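
After the restart, both checks described above (the two registry entries and the WinInit event 12) can be confirmed in one read-only PowerShell pass. This is an added example, not code from Microsoft or the original article; the variable names are illustrative, and it assumes the event's provider name contains "Wininit".

```powershell
# Added example: read-only verification of LSA protection state.
# Nothing is written to the registry or the event log.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$names  = 'RunAsPPL', 'RunAsPPLBoot'

# 1. Registry: report each entry; the workaround on this page sets both to 2.
$lsa = Get-ItemProperty -Path $lsaKey
$registry = foreach ($name in $names) {
    $value = $lsa.$name    # $null when the entry does not exist
    [pscustomobject]@{
        Name        = $name
        Value       = if ($null -eq $value) { '<not set>' } else { $value }
        MatchesPage = ($value -eq 2)
    }
}

# 2. Event log: WinInit event 12 written since the last boot.
#    Event ID 12 is also used by other providers in the System log,
#    so the provider name is checked as well (assumed to contain "Wininit").
$boot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$filter = @{ LogName = 'System'; Id = 12; StartTime = $boot }
$latest = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Wininit*' } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 1

# 3. Report. The event is the authoritative signal that LSASS is actually
#    running protected; the registry only shows what was requested.
$registry | Format-Table -AutoSize
if ($latest) {
    'Protected start logged at {0}: {1}' -f $latest.TimeCreated, $latest.Message
} else {
    "No WinInit event 12 found since boot at $boot; LSASS did not log a protected start."
}
```

If the registry entries match but no event is logged for the current boot, treat LSA protection as not active, whatever the Windows Security page shows.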

Earlier this month, Redmond announced that the latest version of Windows 11 rolling out to Insiders in the Canary channel would also enable Local Security Authority (LSA) protection by default.

However, this will only happen if the systems pass an audit check for incompatibilities (Microsoft hasn’t yet explained which compatibility issues it checks for).

In February 2022, Microsoft said it would by default enable a Microsoft Defender “Attack Surface Reduction” security rule that would also block attempts to steal Windows credentials from the Local Security Authority Subsystem Service (LSASS) process.

