Privacy and Security Enable or Disable Local Security Authority (LSA) Protection in Windows 11


  • Staff
Windows_Security_banner.png

This tutorial will show you how to enable or disable Local Security Authority (LSA) protection for all users in Windows 11.

Core isolation is a security feature of Microsoft Windows that protects important core processes of Windows from malicious software by isolating them in memory. It does this by running those core processes in a virtualized environment.

Windows 11, version 22H2 supports additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.

Windows has several critical processes to verify a user’s identity. The LSA is one of those processes, responsible for authenticating users and verifying Windows logins. It is responsible for handling user credentials, like passwords, and tokens used to provide single sign-on to Microsoft accounts and Azure services. Attackers have developed tools and have abused Microsoft tools to take advantage of this process to steal credentials. To combat this, additional LSA protection will be enabled by default in the future for new, enterprise-joined Windows 11 devices making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code.

Reference:
learn.microsoft.com

What's new in Windows 11, version 22H2 for IT pros - What's new in Windows

Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
learn.microsoft.com
learn.microsoft.com

Configuring Additional LSA Protection

Learn how to configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.
learn.microsoft.com
www.microsoft.com

New security features for Windows 11 will help protect hybrid work - Microsoft Security Blog

Attackers haven’t wasted any time capitalizing on the rapid move to hybrid work. Every day cyber criminals and nation states alike have improved their targeting, speed and accuracy as the world adapted to working outside the office.
www.microsoft.com

You must be signed in as an administrator to enable or disable Local Security Authority (LSA) protection.

LSA requires CPU virtualization turned on.


www.elevenforum.com

Known and Resolved issues for Windows 11 version 22H2

Current status as of May 24, 2023 Windows 11, version 22H2 is broadly available to all users with eligible devices who check for updates. Microsoft is delivering continuous innovation to Windows 11 more frequently. If you’re using Home or Pro consumer devices or non-managed business devices...
www.elevenforum.com www.elevenforum.com

Mitigated

After installing "Update for Microsoft Defender Antivirus antimalware platform - KB5007651 (Version 1.0.2302.21002)", you might receive a security notification or warning stating that "Local Security protection is off. Your device may be vulnerable." and once protections are enabled, your Windows device might persistently prompt that a restart is required. Important: This issue affects only "Update for Microsoft Defender Antivirus antimalware platform - KB5007651 (Version 1.0.2302.21002)". All other Windows updates released on March 14, 2023 for affected platforms (KB5023706 and KB5023698), do not cause this issue.

Workaround: If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart. You can verify that LSA protection is enabled by looking in Event Viewer using the information available here. Important: Currently, Microsoft does not recommend any other workaround for this issue.

Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Updated May 16, 2023: This known issue was previously resolved with an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001) but issues were found, and that update is no longer being offered to devices. If you encounter this issue, you will need to use the above workaround until the issue is resolved. If you have installed Version 1.0.2303.27001 and receive an error with a blue screen or if your device restarts when attempting to open some games or apps, you will need to disable Kernel-mode Hardware-enforced Stack Protection.

Currently the LSA setting is missing in Windows Security since Build 22621.1635 for many.

You can use Option Two or Option Four below to enable LSA without the warning.



Contents

  • Option One: Turn On or Off Local Security Authority (LSA) Protection in Windows Security
  • Option Two: Turn On or Off Local Security Authority (LSA) Protection using REG file
  • Option Three: Enable or Disable Local Security Authority (LSA) Protection in Local Group Policy Editor
  • Option Four: Enable or Disable Local Security Authority (LSA) Protection using REG file




Option One

Turn On or Off Local Security Authority (LSA) Protection in Windows Security


1 Open Windows Security.

2 Click/tap on Device security on the left side, and click/tap on the Core isolation details link on the right side. (see screenshot below)

LSA_protection_Windows_Security-1.png

3 Turn on (default) or off Local Security Authority protection for what you want. (see screenshots below)

LSA_protection_Windows_Security-2.png
LSA_protection_Windows_Security-3.png

4 If prompted by UAC, click/tap on Yes to approve.

5 Restart the computer to apply. (see screenshot below)

LSA_protection_Windows_Security-5.png




Option Two

Turn On or Off Local Security Authority (LSA) Protection using REG file


1 Do step 2 (on without UEFI Lock), step 3 (on with UEFI Lock) or step 4 (off) below for what you want.

2 Turn On Local Security Authority (LSA) Protection without UEFI Lock

This is the default setting.


A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.​

Turn_ON_Local_Security_Authority_protection_without_UEFI_Lock.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000002
"RunAsPPLBoot"=dword:00000002

3 Turn On Local Security Authority (LSA) Protection with UEFI Lock

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect. It acts as a tamper protection.


A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.​

Turn_ON_Local_Security_Authority_protection_with_UEFI_Lock.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"RunAsPPLBoot"=dword:00000002

4 Turn Off Local Security Authority (LSA) Protection

If you turned on LSA with UEFI Lock using step 3, then you will need to use the Local Security Authority Protected Process Opt-out tool to remove the UEFI variable in the registry.


A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.​

Turn_OFF_Local_Security_Authority_protection.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000000
"RunAsPPLBoot"=dword:00000000

5 Save the .reg file to your desktop.

6 Double click/tap on the downloaded .reg file to merge it.

7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8 Restart the computer to apply.

9 You can now delete the downloaded .reg file if you like.




Option Three

Enable or Disable Local Security Authority (LSA) Protection in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option Four to configure the same policy.


1 Open the Local Group Policy Editor (gpedit.msc).

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration > Administrative Templates > System > Local Security Authority

LSA_protection_gpedit-1.png

3 In the right pane of Local Security Authority in the Local Group Policy Editor, double click/tap on the Configure LSASS to run as a protected process policy to edit it. (see screenshot above)

4 Do step 5 (default), step 6 (disable), step 7 (enable with UEFI Lock), or step 8 (enable without UEFI Lock) below for what you want.

5 Default User Choice Local Security Authority (LSA) Protection

This is the default setting to allow using Option One and Option Two.


A) Select (dot) Not Configured. (see screenshot below)​

B) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-2.png

6 Disable Local Security Authority (LSA) Protection

This will override and prevent using Option One and Option Two.


A) Select (dot) Enabled. (see screenshot below)​

B) Select Disabled in the Configure LSA to run as a protected process drop menu.​

C) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-3.png

7 Enable Local Security Authority (LSA) Protection with UEFI Lock

This will override and prevent using Option One and Option Two.

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect. It acts as a tamper protection.


A) Select (dot) Enabled. (see screenshot below)​

B) Select Enabled with UEFI Lock in the Configure LSA to run as a protected process drop menu.​

C) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-4.png

8 Enable Local Security Authority (LSA) Protection without UEFI Lock

This will override and prevent using Option One and Option Two.


A) Select (dot) Enabled. (see screenshot below)​

B) Select Enabled without UEFI Lock in the Configure LSA to run as a protected process drop menu.​

C) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-4.png

9 You can now close the Local Group Policy Editor if you like.




Option Four

Enable or Disable Local Security Authority (LSA) Protection using REG file


1 Do step 2 (default), step 3 (disable), step 4 (enable with UEFI Lock), or step 5 (enable without UEFI Lock) below for what you want.


 2. Default User Choice Local Security Authority (LSA) Protection

This is the default setting to allow using Option One and Option Two.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Default_user_choice_Local_Security_Authority_protection.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=-


 3. Disable Local Security Authority (LSA) Protection

This will override and prevent using Option One and Option Two.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Disable_Local_Security_Authority_protection.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=dword:00000000


 4. Enable Local Security Authority (LSA) Protection with UEFI Lock

This will override and prevent using Option One and Option Two.

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Always_Enable_Local_Security_Authority_protection_with_UEFI_Lock.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=dword:00000001


 5. Enable Local Security Authority (LSA) Protection without UEFI Lock

This will override and prevent using Option One and Option Two.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Always_Enable_Local_Security_Authority_protection_without_UEFI_Lock.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=dword:00000002

4 Save the REG file to your desktop.

5 Double click/tap on the downloaded REG file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 You can now delete the downloaded REG file if you like.


That's it,
Shawn Brink


Related Tutorials

 

Attachments

  • Windows_Security.png
    Windows_Security.png
    6 KB · Views: 41
  • Turn_OFF_Local_Security_Authority_protection.reg
    684 bytes · Views: 119
  • Always_Enable_Local_Security_Authority_protection_with_UEFI_Lock.reg
    634 bytes · Views: 133
  • Always_Enable_Local_Security_Authority_protection_without_UEFI_Lock.reg
    638 bytes · Views: 135
  • Disable_Local_Security_Authority_protection.reg
    634 bytes · Views: 121
  • Default_user_choice_Local_Security_Authority_protection.reg
    608 bytes · Views: 116
  • Turn_ON_Local_Security_Authority_protection_with_UEFI_Lock.reg
    672 bytes · Views: 8
  • Turn_ON_Local_Security_Authority_protection_without_UEFI_Lock.reg
    672 bytes · Views: 10
Last edited:
Click to expand...
BrianInEngland said:
Do you have the 1.0.2302.21002-0 folder in System32\SecurityHealth? Active TPM?
Click to expand...


I use Bitdefender Internet Security... it over-rides all that Windows defender stuff.

OK... I tried Option 4-5 and rebooted... and I got no LSA...

Image1.png



Now, I'm gonna try Option 2-2 and reboot again...



Still no LSA... and the reg patch... DID work...

Image1.png
 
Last edited:

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦22621.1778 ♦♦♦♦♦♦♦22H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 4402)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 13 years?

    http://www.xtremesystems.org/forums/showthread.php?183088-5000-B-E-on-M2N32-SLI-Dlx-Overclocked&p=2891724#post2891724
Whenever I run windows update this Antimalware update appears and says it is installed.
But it always appears again and again:

Untitled-1.jpg
 

My Computer

System One

  • OS
    Windows 11 22H2
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 13 9360
    CPU
    Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
    Memory
    8 GB
Well I read the references in the first post of this topic... and I can't tell whether it should work on my comp or not.
I DO have TPM and Secure boot enabled as well. I'm thinking Bitdefender may be messing it up for me.

Anyway... time for morning routine... even though it's already 11:30 am. :-)
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦22621.1778 ♦♦♦♦♦♦♦22H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 4402)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 13 years?

    http://www.xtremesystems.org/forums/showthread.php?183088-5000-B-E-on-M2N32-SLI-Dlx-Overclocked&p=2891724#post2891724
Ghot said:
Well I read the references in the first post of this topic... and I can't tell whether it should work on my comp or not.
I DO have TPM and Secure boot enabled as well. I'm thinking Bitdefender may be messing it up for me.
Click to expand...
TPM and secure boot are not required, I can turn on LSA in an unsupported device with a Legacy bios and no TPM (my 'System Four' in 'My Computers > Other Info'). Also, it has no dependency on Memory Integrity, which I can't turn on due to an incompatible video driver.

1679500068571.png


1679500054969.png
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Internet Speed
    50 Mbps
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro.

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 128GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro 22H2 Insider Beta and Dev, both as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 128GB NVMe ssd, supported device running Windows 11 Pro.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Lattitude E4310
    CPU
    i5 M 520
    Motherboard
    0T6M8G
    Memory
    8GB
    Screen Resolution
    1366x768
    Hard Drives
    500GB HDD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround. In-place upgrade to 22H2 using ISO and a workaround.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro.

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 128GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro 22H2 Insider Beta and Dev, both as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 128GB NVMe ssd, supported device running Windows 11 Pro.
Ghot said:
I use Bitdefender Internet Security... it over-rides all that Windows defender stuff.

OK... I tried Option 4-5 and rebooted... and I got no LSA...

View attachment 56001



Now, I'm gonna try Option 2-2 and reboot again...



Still no LSA... and the reg patch... DID work...

View attachment 56003



Derp! It's only for Insiders or Canary channel. Oh well... now I'm gonna turn all this OFF.
Click to expand...
I'm an Insider (Release Preview)
Bree said:
TPM and secure boot are not required, I can turn on LSA in an unsupported device with a Legacy bios and no TPM (my 'System Four' in 'My Computers > Other Info'). Also, it has no dependency on Memory Integrity, which I can't turn on due to an incompatible video driver.

View attachment 56011

View attachment 56010
Click to expand...
This is interesting as all these options are available in my Beta VM with the latest Security app, but no TPM. The Security UI doesn't crash. If I install the Malware update I can't use Security app on this PC at all. I might try it with TPM disabled when I get chance.
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2 (RP channel)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Gigabyte
    CPU
    AMD Ryzen 5900X 12-core
    Motherboard
    X570 Aorus Xtreme
    Memory
    64GB Corsair Platinum RGB 3600MHz
    Graphics Card(s)
    MSI Suprim X 3080 Ti
    Sound Card
    Soundblaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming VG289
    Screen Resolution
    3840x2160
    Hard Drives
    Samsung 980 Pro 2TB
    Samsung 970 Pro Plus 1TB
    Samsung 970 Pro 1TB
    Samsung T7 Touch 1TB
    Samsung 870 Evo 2TB (on external USB connector)
    PSU
    Asus ROG Strix 1000W
    Case
    Corsair D750 Airflow
    Cooling
    Noctua NH-D15S
    Keyboard
    Logitech G810
    Mouse
    Logitech G903 with PowerPlay charger
    Internet Speed
    500Mb/sec
    Browser
    Microsoft Edge
    Antivirus
    Windows Defender
Hi,

So according to: Windows 11, version 22H2 known issues and notifications MS recommends to not do any workaround if you enabled it and it is working by checking via event viewer.

Important: Currently, we do not recommend any other workaround for this issue.
I myself did option 2 (.reg file) a while ago as MS stayed silent for so long... Should we remove the entries the reg file made...? or do anything?

Looking at: Configuring Additional LSA Protection it seems the reg keys that option 2 adds are from this article so it should be fine but MS explicitly mentioning not doing any workaround makes me think:unsure:
Any other thoughts?
 

My Computer

System One

  • OS
    Windows 11
Desertfox said:
Hi,

So according to: Windows 11, version 22H2 known issues and notifications MS recommends to not do any workaround if you enabled it and it is working by checking via event viewer.

Important: Currently, we do not recommend any other workaround for this issue.
I myself did option 2 (.reg file) a while ago as MS stayed silent for so long... Should we remove the entries the reg file made...? or do anything?

Looking at: Configuring Additional LSA Protection it seems the reg keys that option 2 adds are from this article so it should be fine but MS explicitly mentioning not doing any workaround makes me think:unsure:
Any other thoughts?
Click to expand...

No need to do anything since option 2 is just the manual registry method of using option 1.

The current bug is option 1 not currently changing all the registry entries for some reason.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    1TB Samsung 980 PRO M.2,
    6TB WD Black WD6001FZWX
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro for Workstations
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1
    CPU
    i7-1065G7 3.9 GHz
    Memory
    16 GB LPDDR4-3200
    Graphics card(s)
    Intel Iris Plus
    Sound Card
    Intel SST
    Monitor(s) Displays
    13.3" 4K UWVA AMOLED multitouch
    Screen Resolution
    3840 x 2160
    Hard Drives
    512 GB PCIe NVMe M.2 SSD
    Browser
    Google Chrome
    Antivirus
    Windows Defender and Malwarebytes Premium
Desertfox said:
Thanks for confirming. Event viewer also says this is running but any idea why MS recommends not doing any workaround?
Click to expand...

Could be for other unsupported workarounds.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    1TB Samsung 980 PRO M.2,
    6TB WD Black WD6001FZWX
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro for Workstations
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1
    CPU
    i7-1065G7 3.9 GHz
    Memory
    16 GB LPDDR4-3200
    Graphics card(s)
    Intel Iris Plus
    Sound Card
    Intel SST
    Monitor(s) Displays
    13.3" 4K UWVA AMOLED multitouch
    Screen Resolution
    3840 x 2160
    Hard Drives
    512 GB PCIe NVMe M.2 SSD
    Browser
    Google Chrome
    Antivirus
    Windows Defender and Malwarebytes Premium
Desertfox said:
Looking at: Configuring Additional LSA Protection it seems the reg keys that option 2 adds are from this article so it should be fine but MS explicitly mentioning not doing any workaround makes me think:unsure:
Any other thoughts?
Click to expand...
MS themselves include the missing RunAsPPLBoot registry entry in the latest Insider Canary build, so it should be safe to add it yourself.

Bree said:
in the Insider Canary build 25314.1010 the RunAsPPLBoot registry entry does exist, confirming that creating one is the correct solution to this bug.

1679368837398.png
Click to expand...
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Internet Speed
    50 Mbps
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro.

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 128GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro 22H2 Insider Beta and Dev, both as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 128GB NVMe ssd, supported device running Windows 11 Pro.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Lattitude E4310
    CPU
    i5 M 520
    Motherboard
    0T6M8G
    Memory
    8GB
    Screen Resolution
    1366x768
    Hard Drives
    500GB HDD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround. In-place upgrade to 22H2 using ISO and a workaround.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro.

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 4GB RAM, 128GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro 22H2 Insider Beta and Dev, both as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 128GB NVMe ssd, supported device running Windows 11 Pro.
BrianInEngland said:
I'm an Insider (Release Preview)

This is interesting as all these options are available in my Beta VM with the latest Security app, but no TPM. The Security UI doesn't crash. If I install the Malware update I can't use Security app on this PC at all. I might try it with TPM disabled when I get chance.
Click to expand...
The registry fix will only be effective if you have KB5007651 version 1.0.2302.21002-0 installed.
Since you did hide that security update kb5007651 you don't have LSA.

Here is recent Microsoft response to an FBH on the problem.

The Windows Insider Program

Be the first to see what's next for Windows in the Windows Insider Program. Join the community, provide feedback to help make Windows even better.
aka.ms

"Thanks for taking the time to report this -
this issue and its status have been added to the release health dashboard and can now be tracked there:"

learn.microsoft.com

Windows 11, version 22H2 known issues and notifications

View announcements and review known issues and fixes for Windows 11
learn.microsoft.com
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo Yoga 920
    CPU
    Intel I7-8550U
    Motherboard
    n/a
    Memory
    16GB
    Graphics Card(s)
    Intel Graphics UHD 620
    Sound Card
    Realtek High Definition Audio (SST)
    Monitor(s) Displays
    4k Touch screen
    Screen Resolution
    3480 x 2160
    Hard Drives
    512GB NVMe
Desertfox said:
Hi,

So according to: Windows 11, version 22H2 known issues and notifications MS recommends to not do any workaround if you enabled it and it is working by checking via event viewer.

Important: Currently, we do not recommend any other workaround for this issue.
I myself did option 2 (.reg file) a while ago as MS stayed silent for so long... Should we remove the entries the reg file made...? or do anything?

Looking at: Configuring Additional LSA Protection it seems the reg keys that option 2 adds are from this article so it should be fine but MS explicitly mentioning not doing any workaround makes me think:unsure:
Any other thoughts?
Click to expand...

They have used that registry settings in Dev for quite some time, at least since Jan 2023.
Since they don't recommend a workaround for now, they may come out with a better permanent solution that allows to choose LSA enabled or disabled.
Who knows? You can never get a straight answer from MS. 😎😎🤐🤷‍♂️

learn.microsoft.com

Windows 11, version 22H2 known issues and notifications

View announcements and review known issues and fixes for Windows 11
learn.microsoft.com
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo Yoga 920
    CPU
    Intel I7-8550U
    Motherboard
    n/a
    Memory
    16GB
    Graphics Card(s)
    Intel Graphics UHD 620
    Sound Card
    Realtek High Definition Audio (SST)
    Monitor(s) Displays
    4k Touch screen
    Screen Resolution
    3480 x 2160
    Hard Drives
    512GB NVMe
OK I've done some testing this morning. Unblocked/re-installed the KB5007651 update - Security app icon immediately went to a yellow triangle and the UI wouldn't open, kept crashing.

Restarted PC - didn't fix it.
Changed BIOS setting - switched from discrete TPM (Infineon) to the AMD fTPM.
Rebooted PC - still got yellow triangle but the settings would open (slower than before the KB was installed), however it would sometimes crash and show 'Unknown' as the status. I did get the LSA settings when the UI worked.
Disabled all TPM completely - yellow triangle still there but the UI always loads quickly, and doesn't crash at all. All new options are available in the settings. The yellow triangle relating to LSA is a known issue.

Looks like these new Antimalware updates don't like TPMs which is kind of ironic. Same problem going back to last summer. Also explains why the Security is working on my Beta VM with KB5007651 - it doesn't have a TPM in VirtualBox
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2 (RP channel)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Gigabyte
    CPU
    AMD Ryzen 5900X 12-core
    Motherboard
    X570 Aorus Xtreme
    Memory
    64GB Corsair Platinum RGB 3600MHz
    Graphics Card(s)
    MSI Suprim X 3080 Ti
    Sound Card
    Soundblaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming VG289
    Screen Resolution
    3840x2160
    Hard Drives
    Samsung 980 Pro 2TB
    Samsung 970 Pro Plus 1TB
    Samsung 970 Pro 1TB
    Samsung T7 Touch 1TB
    Samsung 870 Evo 2TB (on external USB connector)
    PSU
    Asus ROG Strix 1000W
    Case
    Corsair D750 Airflow
    Cooling
    Noctua NH-D15S
    Keyboard
    Logitech G810
    Mouse
    Logitech G903 with PowerPlay charger
    Internet Speed
    500Mb/sec
    Browser
    Microsoft Edge
    Antivirus
    Windows Defender
BrianInEngland said:
Looks like these new Antimalware updates don't like TPMs which is kind of ironic. Same problem going back to last summer. Also explains why the Security is working on my Beta VM with KB5007651 - it doesn't have a TPM in VirtualBox
Click to expand...
KB5007651 is not Antimalware it is the update of the Security Application Version and Security Service Version.
1679601890216.png



1679603391445.png

1679603443315.png

1679603522332.png
 
Last edited:

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo Yoga 920
    CPU
    Intel I7-8550U
    Motherboard
    n/a
    Memory
    16GB
    Graphics Card(s)
    Intel Graphics UHD 620
    Sound Card
    Realtek High Definition Audio (SST)
    Monitor(s) Displays
    4k Touch screen
    Screen Resolution
    3480 x 2160
    Hard Drives
    512GB NVMe

My Computer

System One

  • OS
    Windows 11 Pro 22H2 (RP channel)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Gigabyte
    CPU
    AMD Ryzen 5900X 12-core
    Motherboard
    X570 Aorus Xtreme
    Memory
    64GB Corsair Platinum RGB 3600MHz
    Graphics Card(s)
    MSI Suprim X 3080 Ti
    Sound Card
    Soundblaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming VG289
    Screen Resolution
    3840x2160
    Hard Drives
    Samsung 980 Pro 2TB
    Samsung 970 Pro Plus 1TB
    Samsung 970 Pro 1TB
    Samsung T7 Touch 1TB
    Samsung 870 Evo 2TB (on external USB connector)
    PSU
    Asus ROG Strix 1000W
    Case
    Corsair D750 Airflow
    Cooling
    Noctua NH-D15S
    Keyboard
    Logitech G810
    Mouse
    Logitech G903 with PowerPlay charger
    Internet Speed
    500Mb/sec
    Browser
    Microsoft Edge
    Antivirus
    Windows Defender
BrianInEngland said:
You must be one of the lucky ones! Has the Security app crashed at all?
Click to expand...
No crashes.
On some machines it just had the yellow warning because of the missing RunAsPPL and RunAsPPLBoot in the registry,
Everything is fine after fixing the missing entries.
I have 6 different machines all happy with the same version of Security 1.0.2302.21002-0

1679608812826.png
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo Yoga 920
    CPU
    Intel I7-8550U
    Motherboard
    n/a
    Memory
    16GB
    Graphics Card(s)
    Intel Graphics UHD 620
    Sound Card
    Realtek High Definition Audio (SST)
    Monitor(s) Displays
    4k Touch screen
    Screen Resolution
    3480 x 2160
    Hard Drives
    512GB NVMe
fg2001gf11F said:
No crashes.
On some machines it just had the yellow warning because of the missing RunAsPPL and RunAsPPLBoot in the registry,
Everything is fine after fixing the missing entries.
I have 6 different machines all happy with the same version of Security 1.0.2302.21002-0

View attachment 56187
Click to expand...
Yet as soon as I install the Security update 1.0.2302.21002-0, my Security app becomes unusable - unless I disable the TPM, in which case it's fine. Several other users reporting the same problem on this forum
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2 (RP channel)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Gigabyte
    CPU
    AMD Ryzen 5900X 12-core
    Motherboard
    X570 Aorus Xtreme
    Memory
    64GB Corsair Platinum RGB 3600MHz
    Graphics Card(s)
    MSI Suprim X 3080 Ti
    Sound Card
    Soundblaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming VG289
    Screen Resolution
    3840x2160
    Hard Drives
    Samsung 980 Pro 2TB
    Samsung 970 Pro Plus 1TB
    Samsung 970 Pro 1TB
    Samsung T7 Touch 1TB
    Samsung 870 Evo 2TB (on external USB connector)
    PSU
    Asus ROG Strix 1000W
    Case
    Corsair D750 Airflow
    Cooling
    Noctua NH-D15S
    Keyboard
    Logitech G810
    Mouse
    Logitech G903 with PowerPlay charger
    Internet Speed
    500Mb/sec
    Browser
    Microsoft Edge
    Antivirus
    Windows Defender
BrianInEngland said:
Yet as soon as I install the Security update 1.0.2302.21002-0, my Security app becomes unusable - unless I disable the TPM, in which case it's fine. Several other users reporting the same problem on this forum
Click to expand...
I have TPM enabled on every machine. Here is one example on a Desktop Dell XPS 8940.
All my machine are with Intel processors, no AMD.

1679634964196.png


1679635014287.png


and this one on a Lenovo Laptop Yoga 920:
1679635334400.png

1679635413364.png



and one more on another desktop:
1679635739498.png
 
Last edited:

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo Yoga 920
    CPU
    Intel I7-8550U
    Motherboard
    n/a
    Memory
    16GB
    Graphics Card(s)
    Intel Graphics UHD 620
    Sound Card
    Realtek High Definition Audio (SST)
    Monitor(s) Displays
    4k Touch screen
    Screen Resolution
    3480 x 2160
    Hard Drives
    512GB NVMe

My Computer

System One

  • OS
    Windows 11 Pro 22H2 (RP channel)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Gigabyte
    CPU
    AMD Ryzen 5900X 12-core
    Motherboard
    X570 Aorus Xtreme
    Memory
    64GB Corsair Platinum RGB 3600MHz
    Graphics Card(s)
    MSI Suprim X 3080 Ti
    Sound Card
    Soundblaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming VG289
    Screen Resolution
    3840x2160
    Hard Drives
    Samsung 980 Pro 2TB
    Samsung 970 Pro Plus 1TB
    Samsung 970 Pro 1TB
    Samsung T7 Touch 1TB
    Samsung 870 Evo 2TB (on external USB connector)
    PSU
    Asus ROG Strix 1000W
    Case
    Corsair D750 Airflow
    Cooling
    Noctua NH-D15S
    Keyboard
    Logitech G810
    Mouse
    Logitech G903 with PowerPlay charger
    Internet Speed
    500Mb/sec
    Browser
    Microsoft Edge
    Antivirus
    Windows Defender
fg2001gf11F said:
KB5007651 is not Antimalware
Click to expand...

Microsoft says it is antimalware:

After installing "Update for Microsoft Defender Antivirus antimalware platform - KB5007651 (Version 1.0.2302.21002)", you might receive a security notification or warning stating that "Local Security protection is off. Your device may be vulnerable." and once protections are enabled, your Windows device might persistently prompt that a restart is required.
"Local Security Authority protection is off."
Click to expand...
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
You must log in or register to reply here.

Similar Windows 11 Tutorials

  • Article
Privacy and Security Enable or Disable Kernel-mode Hardware-enforced Stack Protection in Windows 11
Replies
1
Views
2K
Cliff S
Cliff S
  • Article
Privacy and Security Enable or Disable All Windows Security Notifications in Windows 11
Replies
10
Views
2K
Brink
Brink
  • Article
Personalization Enable or Disable Lock Screen Slideshow in Windows 11
Replies
0
Views
2K
Brink
Brink
  • Article
Browsers and Mail Enable or Disable Enhance Images in Microsoft Edge
Replies
2
Views
727
Brink
Brink
  • Article
Accounts Change UAC Behavior for Administrators in Windows 11
Replies
0
Views
1K
Brink
Brink
  • Article
Accounts Enable or Disable Show Administrators in UAC prompt for Standard Users in Windows 11
Replies
0
Views
887
Brink
Brink
  • Article
Browsers and Mail Enable or Disable Restore Pages Dialog Prompt in Microsoft Edge
Replies
0
Views
1K
Brink
Brink

Latest Tutorials

Latest Support Threads

Back
Top Bottom