Privacy and Security Enable or Disable Local Security Authority (LSA) Protection in Windows 11


  • Staff
Windows_Security_banner.png

This tutorial will show you how to enable or disable Local Security Authority (LSA) protection for all users in Windows 11.

Core isolation is a security feature of Microsoft Windows that protects important core processes of Windows from malicious software by isolating them in memory. It does this by running those core processes in a virtualized environment.

Windows 11, version 22H2 supports additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.

Windows has several critical processes to verify a user’s identity. The LSA is one of those processes, responsible for authenticating users and verifying Windows logins. It is responsible for handling user credentials, like passwords, and tokens used to provide single sign-on to Microsoft accounts and Azure services. Attackers have developed tools and have abused Microsoft tools to take advantage of this process to steal credentials. To combat this, additional LSA protection will be enabled by default in the future for new, enterprise-joined Windows 11 devices making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code.

Reference:

You must be signed in as an administrator to enable or disable Local Security Authority (LSA) protection.

LSA requires CPU virtualization turned on.


Resolved

After installing "Update for Microsoft Defender Antivirus antimalware platform - KB5007651 (Version 1.0.2302.21002)", you might receive a security notification or warning stating that "Local Security protection is off. Your device may be vulnerable." and once protections are enabled, your Windows device might persistently prompt that a restart is required. Important: This issue affects only "Update for Microsoft Defender Antivirus antimalware platform - KB5007651 (Version 1.0.2302.21002)". All other Windows updates released on March 14, 2023 for affected platforms (KB5023706 and KB5023698), do not cause this issue.

Workaround: If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart. You can verify that LSA protection is enabled by looking in Event Viewer using the information available here. Important: Currently, Microsoft does not recommend any other workaround for this issue.

Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Updated July 05, 2023: This issue was resolved in an update for Windows Security platform antimalware platform KB5007651 (Version 1.0.2306.10002). If you would like to install the update before it is installed automatically, you will need to check for updates.

If still needed, you can use Option Two, Option Three, or Option Five below to enable LSA without the warning.



Contents

  • Option One: Turn On or Off Local Security Authority (LSA) Protection in Windows Security
  • Option Two: Turn On or Off Local Security Authority (LSA) Protection using REG file
  • Option Three: Turn On or Off Local Security Authority (LSA) Protection using Command
  • Option Four: Enable or Disable Local Security Authority (LSA) Protection in Local Group Policy Editor
  • Option Five: Enable or Disable Local Security Authority (LSA) Protection using REG file




Option One

Turn On or Off Local Security Authority (LSA) Protection in Windows Security


1 Open Windows Security.

2 Click/tap on Device security on the left side, and click/tap on the Core isolation details link on the right side. (see screenshot below)

LSA_protection_Windows_Security-1.png

3 Turn on (default) or off Local Security Authority protection for what you want. (see screenshots below)

LSA_protection_Windows_Security-2.png
LSA_protection_Windows_Security-3.png

4 If prompted by UAC, click/tap on Yes to approve.

5 Restart the computer to apply. (see screenshot below)

6 If prompted by UAC, click/tap on Yes to approve.

LSA_protection_Windows_Security-5.png




Option Two

Turn On or Off Local Security Authority (LSA) Protection using REG file


1 Do step 2 (on without UEFI Lock), step 3 (on with UEFI Lock) or step 4 (off) below for what you want.

2 Turn On Local Security Authority (LSA) Protection without UEFI Lock

This is the default setting.


A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.​

Turn_ON_Local_Security_Authority_protection_without_UEFI_Lock.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000002
"RunAsPPLBoot"=dword:00000002

3 Turn On Local Security Authority (LSA) Protection with UEFI Lock

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect. It acts as a tamper protection.


A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.​

Turn_ON_Local_Security_Authority_protection_with_UEFI_Lock.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"RunAsPPLBoot"=dword:00000002

4 Turn Off Local Security Authority (LSA) Protection

If you turned on LSA with UEFI Lock using step 3, then you will need to use the Local Security Authority Protected Process Opt-out tool to remove the UEFI variable in the registry.


A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.​

Turn_OFF_Local_Security_Authority_protection.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000000
"RunAsPPLBoot"=dword:00000000

5 Save the .reg file to your desktop.

6 Double click/tap on the downloaded .reg file to merge it.

7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8 Restart the computer to apply.

9 You can now delete the downloaded .reg file if you like.




Option Three

Turn On or Off Local Security Authority (LSA) Protection using Command


1 Open Windows Terminal (Admin), and select Command Prompt.

2 Copy and paste the command below you want to use into Windows Terminal (Admin), and press Enter.

Turn On Local Security Authority (LSA) Protection without UEFI Lock

This is the default setting.


reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 2 /f & reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 2 /f

OR​

Turn On Local Security Authority (LSA) Protection with UEFI Lock

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect. It acts as a tamper protection.


reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f & reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 2 /f

OR​

Turn Off Local Security Authority (LSA) Protection

If you turned on LSA with UEFI Lock, then you will need to use the Local Security Authority Protected Process Opt-out tool to remove the UEFI variable in the registry.


reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f & reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 0 /f

3 Restart the computer to apply.




Option Four

Enable or Disable Local Security Authority (LSA) Protection in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option Fve to configure the same policy.


1 Open the Local Group Policy Editor (gpedit.msc).

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration > Administrative Templates > System > Local Security Authority

LSA_protection_gpedit-1.png

3 In the right pane of Local Security Authority in the Local Group Policy Editor, double click/tap on the Configure LSASS to run as a protected process policy to edit it. (see screenshot above)

4 Do step 5 (default), step 6 (disable), step 7 (enable with UEFI Lock), or step 8 (enable without UEFI Lock) below for what you want.

5 Default User Choice Local Security Authority (LSA) Protection

This is the default setting to allow using Option One Option Two, and Option Three.


A) Select (dot) Not Configured. (see screenshot below)​

B) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-2.png

6 Disable Local Security Authority (LSA) Protection

This will override and prevent using Option One, Option Two, and Option Three.


A) Select (dot) Enabled. (see screenshot below)​

B) Select Disabled in the Configure LSA to run as a protected process drop menu.​

C) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-3.png

7 Enable Local Security Authority (LSA) Protection with UEFI Lock

This will override and prevent using Option One, Option Two, and Option Three.

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect. It acts as a tamper protection.


A) Select (dot) Enabled. (see screenshot below)​

B) Select Enabled with UEFI Lock in the Configure LSA to run as a protected process drop menu.​

C) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-4.png

8 Enable Local Security Authority (LSA) Protection without UEFI Lock

This will override and prevent using Option One, Option Two, and Option Three.


A) Select (dot) Enabled. (see screenshot below)​

B) Select Enabled without UEFI Lock in the Configure LSA to run as a protected process drop menu.​

C) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-4.png

9 You can now close the Local Group Policy Editor if you like.




Option Five

Enable or Disable Local Security Authority (LSA) Protection using REG file


1 Do step 2 (default), step 3 (disable), step 4 (enable with UEFI Lock), or step 5 (enable without UEFI Lock) below for what you want.


 2. Default User Choice Local Security Authority (LSA) Protection

This is the default setting to allow using Option One, Option Two, and Option Three.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Default_user_choice_Local_Security_Authority_protection.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=-


 3. Disable Local Security Authority (LSA) Protection

This will override and prevent using Option One, Option Two, and Option Three.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Disable_Local_Security_Authority_protection.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=dword:00000000


 4. Enable Local Security Authority (LSA) Protection with UEFI Lock

This will override and prevent using Option One, Option Two, and Option Three.

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Always_Enable_Local_Security_Authority_protection_with_UEFI_Lock.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=dword:00000001


 5. Enable Local Security Authority (LSA) Protection without UEFI Lock

This will override and prevent using Option One, Option Two, and Option Three.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Always_Enable_Local_Security_Authority_protection_without_UEFI_Lock.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=dword:00000002

6 Save the REG file to your desktop.

7 Double click/tap on the downloaded REG file to merge it.

8 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

9 You can now delete the downloaded REG file if you like.


That's it,
Shawn Brink


 

Attachments

  • Turn_OFF_Local_Security_Authority_protection.reg
    684 bytes · Views: 234
  • Always_Enable_Local_Security_Authority_protection_without_UEFI_Lock.reg
    638 bytes · Views: 269
  • Always_Enable_Local_Security_Authority_protection_with_UEFI_Lock.reg
    634 bytes · Views: 271
  • Default_user_choice_Local_Security_Authority_protection.reg
    608 bytes · Views: 268
  • Disable_Local_Security_Authority_protection.reg
    634 bytes · Views: 284
  • Turn_ON_Local_Security_Authority_protection_with_UEFI_Lock.reg
    672 bytes · Views: 105
  • Turn_ON_Local_Security_Authority_protection_without_UEFI_Lock.reg
    672 bytes · Views: 147
Last edited:

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo Yoga 920
    CPU
    Intel I7-8550U
    Motherboard
    n/a
    Memory
    16GB
    Graphics Card(s)
    Intel Graphics UHD 620
    Sound Card
    Realtek High Definition Audio (SST)
    Monitor(s) Displays
    4k Touch screen
    Screen Resolution
    3480 x 2160
    Hard Drives
    512GB NVMe
Hi @Brink. Thank you - this post helped me fix an issue I had with Windows Security.

Re Option # 2, Step 3 above:

Do you know whether setting dword = 2 in RunAsPPLBoot turns on LSA protection with UEFI Lock, and if so, would a dword = 1 turn on LSA protection without UEFI Lock?

I read that LSA protection without UEFI Lock is the Windows 11 default, but can't find much about about it other than how to turn it on or off. Do you know the implications of setting protection "with" vs "without", and why Windows defaults to the latter, less-secure (?) "without" option?

Thanks again,
-Safron
 

My Computers

System One System Two

  • OS
    Windows 11 22H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell XPS8950
    CPU
    i7-12700K
    Motherboard
    Z690 : 9D2HH Foxconn, R6PCT Foxconn 2nd
    Memory
    16GB (2 x 8)
    Graphics Card(s)
    Intel(R) UHD Graphics 770 with shared graphics memory
    Sound Card
    Integrated
    Monitor(s) Displays
    Acer CBL282K Smiiprx
    Screen Resolution
    4K UHD (3840 x 2160) @ 60 Hz
    Hard Drives
    Western Digital PC SN810 512 GB M.2 NVMe SSD, PCIe
    PSU
    750W
    Cooling
    2G44F Asetek 125W CPU liquid cooler
    Keyboard
    Arteck Wireless
    Mouse
    Victsing-mm057 wireless
    Internet Speed
    Wi-Fi 6
    Browser
    Vivaldi
    Antivirus
    Windows Defender (native)
  • Operating System
    Win 22H2
    Computer type
    Laptop
    Manufacturer/Model
    Dell Vostro 5620
    CPU
    12th Gen Intel Core i7-1260P
    Memory
    2 x 8 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Screen Resolution
    1920 x 1200 @ 60 Hz
    Hard Drives
    NVMe 512 GB
    Case
    Aluminum
    Mouse
    Touchpad
    Browser
    Vivaldi
    Antivirus
    Windows Defender (native)
Hello @safron, :alien:

Option 1 and 2 are without UEFI lock.

UEFI lock is only available via the policy in option 3 or 4.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
Thank you - that makes sense.
 

My Computers

System One System Two

  • OS
    Windows 11 22H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell XPS8950
    CPU
    i7-12700K
    Motherboard
    Z690 : 9D2HH Foxconn, R6PCT Foxconn 2nd
    Memory
    16GB (2 x 8)
    Graphics Card(s)
    Intel(R) UHD Graphics 770 with shared graphics memory
    Sound Card
    Integrated
    Monitor(s) Displays
    Acer CBL282K Smiiprx
    Screen Resolution
    4K UHD (3840 x 2160) @ 60 Hz
    Hard Drives
    Western Digital PC SN810 512 GB M.2 NVMe SSD, PCIe
    PSU
    750W
    Cooling
    2G44F Asetek 125W CPU liquid cooler
    Keyboard
    Arteck Wireless
    Mouse
    Victsing-mm057 wireless
    Internet Speed
    Wi-Fi 6
    Browser
    Vivaldi
    Antivirus
    Windows Defender (native)
  • Operating System
    Win 22H2
    Computer type
    Laptop
    Manufacturer/Model
    Dell Vostro 5620
    CPU
    12th Gen Intel Core i7-1260P
    Memory
    2 x 8 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Screen Resolution
    1920 x 1200 @ 60 Hz
    Hard Drives
    NVMe 512 GB
    Case
    Aluminum
    Mouse
    Touchpad
    Browser
    Vivaldi
    Antivirus
    Windows Defender (native)

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
For anyone that has LSA telling you to reboot even though you have, check the registry entry and make sure
Code:
"RunAsPPLBoot"=dword:00000002
is there. After last patch Tuesday(14th March 2023) I had to do this.

If it wasn't for Shawn, I probably have just turned it off, and said screw it, as this is what happens when Microsoft lays of tens of thousands of people, only the ones that work for cheap stay and their work quality just plain bites.
 

My Computer

System One

  • OS
    Win10 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
    Computer type
    PC/Desktop
    Manufacturer/Model
    ۞ΞЖ†ԘΜΞ۞
    CPU
    Intel Core i9 9900K
    Motherboard
    ASUS ROG Maximus X Hero
    Memory
    32 GB Quad Kit, G.Skill Trident Z RGB Series schwarz, DDR4-3866, 18-19-19-39-2T
    Graphics Card(s)
    ASUS GeForce RTX 3090 ROG Strix O24G, 24576 MB GDDR6X
    Sound Card
    (1) HD Webcam C270 (2) NVIDIA High Definition Audio (3) Realtek High Definition Audio
    Monitor(s) Displays
    BenQ BL2711U(4K) and a hp 27vx(1080p)
    Hard Drives
    C: Samsung 960 EVO NVMe M.2 SSD
    E: & O: Libraries & OneDrive-> Samsung 850 EVO 1TB
    D: Hyper-V VM's -> Samsung PM951 Client M.2 512Gb SSD
    G: System Images -> Samsung 860 Pro 2TB
    PSU
    Corsair HX1000i High Performance ATX Power Supply 80+ Platinum
    Case
    Phanteks Enthoo Pro TG
    Cooling
    Thermaltake Floe Riing RGB TT Premium-Edition 360mm and 2x120 Phantek& Halo front, and 1x140 Phanteks
    Keyboard
    Trust GTX THURA
    Mouse
    Trust GTX 148
    Internet Speed
    25+/5+ (+usually faster)
    Browser
    Edge; Chrome;
    Antivirus
    Windows Defender of course & Malwarebytes Anti-Exploit as an added layer between browser & OS
    Other Info
    Router: FRITZ!Box 7590 AX V2
    Sound system: SHARP HT-SBW460 Dolby Atmos Soundbar
    Webcam: Logitech BRIO ULTRA HD PRO WEBCAM 4K webcam with HDR
Hi,
I turn off all this fluff off anyway :zany:
 

My Computer

System One

  • OS
    Win-7-10-11Pro's
    Computer type
    PC/Desktop
    Manufacturer/Model
    Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x
    CPU
    10900k & 9940x & 5930k
    Motherboard
    z490-Apex & x299-Apex & x99-Sabertooth
    Memory
    Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb
    Graphics Card(s)
    Titan Xp & 1080ti FTW3 & evga 980ti gaming
    Sound Card
    Onboard Realtek x3
    Monitor(s) Displays
    1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
    Screen Resolution
    1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly
    Hard Drives
    2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.
    PSU
    1000p2 & 1200p2 & 850p2
    Case
    D450 x2 & 1 Test bench in cherry Entertainment center
    Cooling
    Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled
    Keyboard
    G710+x3
    Mouse
    Redragon x3
    Internet Speed
    xfinity gigabyte
    Browser
    Firefox
    Antivirus
    mbam pro
Does LSA have an impact on gaming performance, like Memory Integrity/core isolation does?
And is any of this needed for a home-based PC gaming purposed PC?
 

My Computer

System One

  • OS
    Win 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self-Built
    CPU
    Ryzen 5800X3D
    Motherboard
    Gigabyte Aorus X570 Master (rev 1.2)
    Memory
    G.Skill Trident Z RGB 3600Mhz
    Graphics Card(s)
    Zotac RTX 4090 Amp Extreme Airo
    Sound Card
    On-Board Realtek ALC1220-VB, FiiO USB DAC
    Monitor(s) Displays
    LG C2 42 Main Desktop, 3x Gigabyte FI32Q in a triple array for gaming simulations
    Screen Resolution
    3840x2160, 2560x1440 (3)
    Hard Drives
    WD SN850X 2TB M.2 NVME (OS Drive), WD SN850 2TB M.2 NVME, 2x Crucial 2TB SSD, Crucial 1TB SSD, Seagate Barracuda 2TB HDD
    PSU
    EVGA SuperNOVA 1000 G6, 80 Plus Gold 1000W
    Case
    NZXT H7
    Cooling
    EK AIO Elite 360mm Elite
    Keyboard
    SteelSeries TK7 Pro
    Mouse
    Logitech G502X
    Internet Speed
    1GB
    Browser
    Edge Chromium
    Antivirus
    Windows Defender
Does LSA have an impact on gaming performance, like Memory Integrity/core isolation does?
And is any of this needed for a home-based PC gaming purposed PC?
Hi,
I you don't use virtual machine features you don't need any of this stuff.
 

My Computer

System One

  • OS
    Win-7-10-11Pro's
    Computer type
    PC/Desktop
    Manufacturer/Model
    Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x
    CPU
    10900k & 9940x & 5930k
    Motherboard
    z490-Apex & x299-Apex & x99-Sabertooth
    Memory
    Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb
    Graphics Card(s)
    Titan Xp & 1080ti FTW3 & evga 980ti gaming
    Sound Card
    Onboard Realtek x3
    Monitor(s) Displays
    1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
    Screen Resolution
    1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly
    Hard Drives
    2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.
    PSU
    1000p2 & 1200p2 & 850p2
    Case
    D450 x2 & 1 Test bench in cherry Entertainment center
    Cooling
    Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled
    Keyboard
    G710+x3
    Mouse
    Redragon x3
    Internet Speed
    xfinity gigabyte
    Browser
    Firefox
    Antivirus
    mbam pro
For anyone that has LSA telling you to reboot even though you have, check the registry entry and make sure
Code:
"RunAsPPLBoot"=dword:00000002
is there. After last patch Tuesday(14th March 2023) I had to do this.

If it wasn't for Shawn, I probably have just turned it off, and said screw it, as this is what happens when Microsoft lays of tens of thousands of people, only the ones that work for cheap stay and their work quality just plain bites.
All my non-insider machines received kb5007651 1.0.2302.21002-0 yesterday Marh 15 and the problem showed up on all of them.
On more than one machine both RunAsPPL and RunAsPPLBoot were missing and I had to add both with a value of 2.
The same values were already set in my Dev and Canary Builds.

1678986779722.png


1678986583209.png
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo Yoga 920
    CPU
    Intel I7-8550U
    Motherboard
    n/a
    Memory
    16GB
    Graphics Card(s)
    Intel Graphics UHD 620
    Sound Card
    Realtek High Definition Audio (SST)
    Monitor(s) Displays
    4k Touch screen
    Screen Resolution
    3480 x 2160
    Hard Drives
    512GB NVMe
Hi,
I you don't use virtual machine features you don't need any of this stuff.
I understand that about Memory Integrity, but isn't LSA for everyone regardless of whether they use VM's or not? I can't see where these are only applicable to VM's?
 

My Computer

System One

  • OS
    Win 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self-Built
    CPU
    Ryzen 5800X3D
    Motherboard
    Gigabyte Aorus X570 Master (rev 1.2)
    Memory
    G.Skill Trident Z RGB 3600Mhz
    Graphics Card(s)
    Zotac RTX 4090 Amp Extreme Airo
    Sound Card
    On-Board Realtek ALC1220-VB, FiiO USB DAC
    Monitor(s) Displays
    LG C2 42 Main Desktop, 3x Gigabyte FI32Q in a triple array for gaming simulations
    Screen Resolution
    3840x2160, 2560x1440 (3)
    Hard Drives
    WD SN850X 2TB M.2 NVME (OS Drive), WD SN850 2TB M.2 NVME, 2x Crucial 2TB SSD, Crucial 1TB SSD, Seagate Barracuda 2TB HDD
    PSU
    EVGA SuperNOVA 1000 G6, 80 Plus Gold 1000W
    Case
    NZXT H7
    Cooling
    EK AIO Elite 360mm Elite
    Keyboard
    SteelSeries TK7 Pro
    Mouse
    Logitech G502X
    Internet Speed
    1GB
    Browser
    Edge Chromium
    Antivirus
    Windows Defender
I understand that about Memory Integrity, but isn't LSA for everyone regardless of whether they use VM's or not? I can't see where these are only applicable to VM's?
Hi,
VM's use cores obviously to :wink:
 

My Computer

System One

  • OS
    Win-7-10-11Pro's
    Computer type
    PC/Desktop
    Manufacturer/Model
    Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x
    CPU
    10900k & 9940x & 5930k
    Motherboard
    z490-Apex & x299-Apex & x99-Sabertooth
    Memory
    Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb
    Graphics Card(s)
    Titan Xp & 1080ti FTW3 & evga 980ti gaming
    Sound Card
    Onboard Realtek x3
    Monitor(s) Displays
    1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
    Screen Resolution
    1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly
    Hard Drives
    2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.
    PSU
    1000p2 & 1200p2 & 850p2
    Case
    D450 x2 & 1 Test bench in cherry Entertainment center
    Cooling
    Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled
    Keyboard
    G710+x3
    Mouse
    Redragon x3
    Internet Speed
    xfinity gigabyte
    Browser
    Firefox
    Antivirus
    mbam pro
Hi,
VM's use cores obviously to :wink:
Sorry, it's probably me just not understanding this stuff - basically you are saying that if I don't use this PC for connecting to work or using it to create VM's, then I can safely turn off LSA, memory integrity and Vulnerable Driver Blocklist in Windows, then go back to BIOS and disable SVM (AMD) and just dismiss any warnings that Windows Defender throws up?
Thanks for your help, just want to be sure I am not leaving something off that could cause harm with regards to my private data.
 

My Computer

System One

  • OS
    Win 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self-Built
    CPU
    Ryzen 5800X3D
    Motherboard
    Gigabyte Aorus X570 Master (rev 1.2)
    Memory
    G.Skill Trident Z RGB 3600Mhz
    Graphics Card(s)
    Zotac RTX 4090 Amp Extreme Airo
    Sound Card
    On-Board Realtek ALC1220-VB, FiiO USB DAC
    Monitor(s) Displays
    LG C2 42 Main Desktop, 3x Gigabyte FI32Q in a triple array for gaming simulations
    Screen Resolution
    3840x2160, 2560x1440 (3)
    Hard Drives
    WD SN850X 2TB M.2 NVME (OS Drive), WD SN850 2TB M.2 NVME, 2x Crucial 2TB SSD, Crucial 1TB SSD, Seagate Barracuda 2TB HDD
    PSU
    EVGA SuperNOVA 1000 G6, 80 Plus Gold 1000W
    Case
    NZXT H7
    Cooling
    EK AIO Elite 360mm Elite
    Keyboard
    SteelSeries TK7 Pro
    Mouse
    Logitech G502X
    Internet Speed
    1GB
    Browser
    Edge Chromium
    Antivirus
    Windows Defender
What is UEFI Lock? What does that do?
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    Intel i7-13700K
    Motherboard
    MSI PRO Z790-A WiFi
    Memory
    Corsair Vengence 5600 - 32GB
    Graphics Card(s)
    MSI RTX3060 Ventus 2x 12GB
    Sound Card
    On board - Realtek ALC4080
    Monitor(s) Displays
    LG 27GL850
    Screen Resolution
    2560 x 1440
    Hard Drives
    WD Black SN850X Nvme - 1TB
    WD Black 6TB HDD 256MB cache CMR
    WD Black 6TB HDD 128MB cache CMR
    PSU
    Corsair RM850x
    Case
    Fractal Design - Define 7
    Cooling
    Deepcool AK400
    Keyboard
    MS KC0405
    Mouse
    MS Model 1113 / MS Wireless Mobile Mouse 3500
    Internet Speed
    940 Mbps
    Browser
    Firefox
    Antivirus
    Windows Security
    Other Info
    I have a Case Speaker!
    I have a Blueray Disk drive!
  • Operating System
    Windows 10 Pro 22H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    i7-9700K
    Motherboard
    Asus Prime Z390-A
    Memory
    Corsair Vengence 32GB
    Graphics card(s)
    EVGA GTX1060
    Sound Card
    On Board
    Monitor(s) Displays
    Acer 27"
    Screen Resolution
    1920 x 1080
    Hard Drives
    WD Black Nvme 500GB
    Toshiba X300 5TB
    PSU
    Corsair RM850x
    Case
    Antec P101 Silent
    Cooling
    CoolerMaster Hyper T4
    Mouse
    Logitec M-U0007
    Keyboard
    MS KC0405
    Internet Speed
    940 Mbps
    Browser
    Firefox
    Antivirus
    Avast!
    Other Info
    I have a Case Speaker!
What is UEFI Lock? What does that do?

Hello mate, :alien:

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect.

It's basically tamper protection for LSA.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
Got it (I think). Thanks!
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    Intel i7-13700K
    Motherboard
    MSI PRO Z790-A WiFi
    Memory
    Corsair Vengence 5600 - 32GB
    Graphics Card(s)
    MSI RTX3060 Ventus 2x 12GB
    Sound Card
    On board - Realtek ALC4080
    Monitor(s) Displays
    LG 27GL850
    Screen Resolution
    2560 x 1440
    Hard Drives
    WD Black SN850X Nvme - 1TB
    WD Black 6TB HDD 256MB cache CMR
    WD Black 6TB HDD 128MB cache CMR
    PSU
    Corsair RM850x
    Case
    Fractal Design - Define 7
    Cooling
    Deepcool AK400
    Keyboard
    MS KC0405
    Mouse
    MS Model 1113 / MS Wireless Mobile Mouse 3500
    Internet Speed
    940 Mbps
    Browser
    Firefox
    Antivirus
    Windows Security
    Other Info
    I have a Case Speaker!
    I have a Blueray Disk drive!
  • Operating System
    Windows 10 Pro 22H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    i7-9700K
    Motherboard
    Asus Prime Z390-A
    Memory
    Corsair Vengence 32GB
    Graphics card(s)
    EVGA GTX1060
    Sound Card
    On Board
    Monitor(s) Displays
    Acer 27"
    Screen Resolution
    1920 x 1080
    Hard Drives
    WD Black Nvme 500GB
    Toshiba X300 5TB
    PSU
    Corsair RM850x
    Case
    Antec P101 Silent
    Cooling
    CoolerMaster Hyper T4
    Mouse
    Logitec M-U0007
    Keyboard
    MS KC0405
    Internet Speed
    940 Mbps
    Browser
    Firefox
    Antivirus
    Avast!
    Other Info
    I have a Case Speaker!
If it wasn't for Shawn, I probably have just turned it off, and said screw it, as this is what happens when Microsoft lays of tens of thousands of people, only the ones that work for cheap stay and their work quality just plain bites.
I hate to jump on the Microsoft bashwagon, but there are obviously many people encountering this issue. How difficult would it be for them to ensure the two registry keys exist, and are set to 2, if someone turns this on in Settings?
It's bad enough when Windows conflicts with 3rd party software, but when it fails internally, it's egregious. It must be nice to have a virtual monopoly! Linux, anyone?
 

My Computers

System One System Two

  • OS
    Windows 11 22H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell XPS8950
    CPU
    i7-12700K
    Motherboard
    Z690 : 9D2HH Foxconn, R6PCT Foxconn 2nd
    Memory
    16GB (2 x 8)
    Graphics Card(s)
    Intel(R) UHD Graphics 770 with shared graphics memory
    Sound Card
    Integrated
    Monitor(s) Displays
    Acer CBL282K Smiiprx
    Screen Resolution
    4K UHD (3840 x 2160) @ 60 Hz
    Hard Drives
    Western Digital PC SN810 512 GB M.2 NVMe SSD, PCIe
    PSU
    750W
    Cooling
    2G44F Asetek 125W CPU liquid cooler
    Keyboard
    Arteck Wireless
    Mouse
    Victsing-mm057 wireless
    Internet Speed
    Wi-Fi 6
    Browser
    Vivaldi
    Antivirus
    Windows Defender (native)
  • Operating System
    Win 22H2
    Computer type
    Laptop
    Manufacturer/Model
    Dell Vostro 5620
    CPU
    12th Gen Intel Core i7-1260P
    Memory
    2 x 8 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Screen Resolution
    1920 x 1200 @ 60 Hz
    Hard Drives
    NVMe 512 GB
    Case
    Aluminum
    Mouse
    Touchpad
    Browser
    Vivaldi
    Antivirus
    Windows Defender (native)
I can't find (in the registry) my LSA. I even in regedit went to edit/find Local Security Authority (LSA) Protection and nothing comes up? Sorry I'm a newbee to Windows 11.
 

My Computer

System One

  • OS
    Windows 11 Home 23H2 (Build 22631.3593)
    Computer type
    Laptop
    Manufacturer/Model
    Dell
    CPU
    Processor: 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40G
    Motherboard
    64-bit operating system Dell 0XMF7W
    Memory
    12GB
    Graphics Card(s)
    Intel R Iris R XE Graphics family
    Sound Card
    Cirrus Speakers High Definition Audio
    Monitor(s) Displays
    Generic PnP monitor
    Screen Resolution
    1920 x 1080
    Hard Drives
    NVMe 670p SSDPEKNU512GZ NVMe I NTEL 512GB
    Case
    cheap
    Mouse
    Logitech wireless
    Internet Speed
    16 Mps download
    Browser
    Google Chrome
    Antivirus
    Security: Microsoft Defender & Malwarebytes Premium (with browser guard)
    Other Info
    Dell model: Inspiron 15 3511
I can't find (in the registry) my LSA. I even in regedit went to edit/find Local Security Authority (LSA) Protection and nothing comes up? Sorry I'm a newbee to Windows 11.

That's ok. :alien:

You can download and merge the REG file in option two to do it for you.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium

Latest Support Threads

Back
Top Bottom