Privacy and Security Enable or Disable Local Security Authority (LSA) Protection in Windows 11


  • Staff
Windows_Security_banner.png

This tutorial will show you how to enable or disable Local Security Authority (LSA) protection for all users in Windows 11.

Core isolation is a security feature of Microsoft Windows that protects important core processes of Windows from malicious software by isolating them in memory. It does this by running those core processes in a virtualized environment.

Windows 11, version 22H2 supports additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.

Windows has several critical processes to verify a user’s identity. The LSA is one of those processes, responsible for authenticating users and verifying Windows logins. It is responsible for handling user credentials, like passwords, and tokens used to provide single sign-on to Microsoft accounts and Azure services. Attackers have developed tools and have abused Microsoft tools to take advantage of this process to steal credentials. To combat this, additional LSA protection will be enabled by default in the future for new, enterprise-joined Windows 11 devices making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code.

Reference:
learn.microsoft.com

What's new in Windows 11, version 22H2 for IT pros - What's new in Windows

Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
learn.microsoft.com
learn.microsoft.com

Configure added LSA protection

Learn how to configure added protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.
learn.microsoft.com
www.microsoft.com

New security features for Windows 11 will help protect hybrid work | Microsoft Security Blog

Attackers haven’t wasted any time capitalizing on the rapid move to hybrid work. Every day cyber criminals and nation states alike have improved their targeting, speed and accuracy as the world adapted to working outside the office.
www.microsoft.com www.microsoft.com

You must be signed in as an administrator to enable or disable Local Security Authority (LSA) protection.

LSA requires CPU virtualization turned on.


www.elevenforum.com

Known and Resolved issues for Windows 11 version 22H2

Windows message center: https://www.elevenforum.com/t/optional-non-security-preview-updates-for-windows-11-22h2-now-ends-june-26-2024.22977/ Current status as of September 26, 2023 Microsoft is delivering a new wave of continuous innovation to eligible Windows 11, version 22H2 devices with new...
www.elevenforum.com www.elevenforum.com

Resolved

After installing "Update for Microsoft Defender Antivirus antimalware platform - KB5007651 (Version 1.0.2302.21002)", you might receive a security notification or warning stating that "Local Security protection is off. Your device may be vulnerable." and once protections are enabled, your Windows device might persistently prompt that a restart is required. Important: This issue affects only "Update for Microsoft Defender Antivirus antimalware platform - KB5007651 (Version 1.0.2302.21002)". All other Windows updates released on March 14, 2023 for affected platforms (KB5023706 and KB5023698), do not cause this issue.

Workaround: If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart. You can verify that LSA protection is enabled by looking in Event Viewer using the information available here. Important: Currently, Microsoft does not recommend any other workaround for this issue.

Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Updated July 05, 2023: This issue was resolved in an update for Windows Security platform antimalware platform KB5007651 (Version 1.0.2306.10002). If you would like to install the update before it is installed automatically, you will need to check for updates.

If still needed, you can use Option Two, Option Three, or Option Five below to enable LSA without the warning.



Contents

  • Option One: Turn On or Off Local Security Authority (LSA) Protection in Windows Security
  • Option Two: Turn On or Off Local Security Authority (LSA) Protection using REG file
  • Option Three: Turn On or Off Local Security Authority (LSA) Protection using Command
  • Option Four: Enable or Disable Local Security Authority (LSA) Protection in Local Group Policy Editor
  • Option Five: Enable or Disable Local Security Authority (LSA) Protection using REG file




Option One

Turn On or Off Local Security Authority (LSA) Protection in Windows Security


1 Open Windows Security.

2 Click/tap on Device security on the left side, and click/tap on the Core isolation details link on the right side. (see screenshot below)

LSA_protection_Windows_Security-1.png

3 Turn on (default) or off Local Security Authority protection for what you want. (see screenshots below)

LSA_protection_Windows_Security-2.png
LSA_protection_Windows_Security-3.png

4 If prompted by UAC, click/tap on Yes to approve.

5 Restart the computer to apply. (see screenshot below)

6 If prompted by UAC, click/tap on Yes to approve.

LSA_protection_Windows_Security-5.png




Option Two

Turn On or Off Local Security Authority (LSA) Protection using REG file


1 Do step 2 (on without UEFI Lock), step 3 (on with UEFI Lock) or step 4 (off) below for what you want.

2 Turn On Local Security Authority (LSA) Protection without UEFI Lock

This is the default setting.


A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.​

Turn_ON_Local_Security_Authority_protection_without_UEFI_Lock.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000002
"RunAsPPLBoot"=dword:00000002

3 Turn On Local Security Authority (LSA) Protection with UEFI Lock

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect. It acts as a tamper protection.


A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.​

Turn_ON_Local_Security_Authority_protection_with_UEFI_Lock.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"RunAsPPLBoot"=dword:00000002

4 Turn Off Local Security Authority (LSA) Protection

If you turned on LSA with UEFI Lock using step 3, then you will need to use the Local Security Authority Protected Process Opt-out tool to remove the UEFI variable in the registry.


A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.​

Turn_OFF_Local_Security_Authority_protection.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000000
"RunAsPPLBoot"=dword:00000000

5 Save the .reg file to your desktop.

6 Double click/tap on the downloaded .reg file to merge it.

7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8 Restart the computer to apply.

9 You can now delete the downloaded .reg file if you like.




Option Three

Turn On or Off Local Security Authority (LSA) Protection using Command


1 Open Windows Terminal (Admin), and select Command Prompt.

2 Copy and paste the command below you want to use into Windows Terminal (Admin), and press Enter.

Turn On Local Security Authority (LSA) Protection without UEFI Lock

This is the default setting.


reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 2 /f & reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 2 /f

OR​

Turn On Local Security Authority (LSA) Protection with UEFI Lock

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect. It acts as a tamper protection.


reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f & reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 2 /f

OR​

Turn Off Local Security Authority (LSA) Protection

If you turned on LSA with UEFI Lock, then you will need to use the Local Security Authority Protected Process Opt-out tool to remove the UEFI variable in the registry.


reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f & reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 0 /f

3 Restart the computer to apply.




Option Four

Enable or Disable Local Security Authority (LSA) Protection in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option Fve to configure the same policy.


1 Open the Local Group Policy Editor (gpedit.msc).

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration > Administrative Templates > System > Local Security Authority

LSA_protection_gpedit-1.png

3 In the right pane of Local Security Authority in the Local Group Policy Editor, double click/tap on the Configure LSASS to run as a protected process policy to edit it. (see screenshot above)

4 Do step 5 (default), step 6 (disable), step 7 (enable with UEFI Lock), or step 8 (enable without UEFI Lock) below for what you want.

5 Default User Choice Local Security Authority (LSA) Protection

This is the default setting to allow using Option One Option Two, and Option Three.


A) Select (dot) Not Configured. (see screenshot below)​

B) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-2.png

6 Disable Local Security Authority (LSA) Protection

This will override and prevent using Option One, Option Two, and Option Three.


A) Select (dot) Enabled. (see screenshot below)​

B) Select Disabled in the Configure LSA to run as a protected process drop menu.​

C) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-3.png

7 Enable Local Security Authority (LSA) Protection with UEFI Lock

This will override and prevent using Option One, Option Two, and Option Three.

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect. It acts as a tamper protection.


A) Select (dot) Enabled. (see screenshot below)​

B) Select Enabled with UEFI Lock in the Configure LSA to run as a protected process drop menu.​

C) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-4.png

8 Enable Local Security Authority (LSA) Protection without UEFI Lock

This will override and prevent using Option One, Option Two, and Option Three.


A) Select (dot) Enabled. (see screenshot below)​

B) Select Enabled without UEFI Lock in the Configure LSA to run as a protected process drop menu.​

C) Click/tap on OK, and go to step 9 below.​

LSA_protection_gpedit-4.png

9 You can now close the Local Group Policy Editor if you like.




Option Five

Enable or Disable Local Security Authority (LSA) Protection using REG file


1 Do step 2 (default), step 3 (disable), step 4 (enable with UEFI Lock), or step 5 (enable without UEFI Lock) below for what you want.


 2. Default User Choice Local Security Authority (LSA) Protection

This is the default setting to allow using Option One, Option Two, and Option Three.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Default_user_choice_Local_Security_Authority_protection.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=-


 3. Disable Local Security Authority (LSA) Protection

This will override and prevent using Option One, Option Two, and Option Three.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Disable_Local_Security_Authority_protection.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=dword:00000000


 4. Enable Local Security Authority (LSA) Protection with UEFI Lock

This will override and prevent using Option One, Option Two, and Option Three.

When LSA is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Always_Enable_Local_Security_Authority_protection_with_UEFI_Lock.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=dword:00000001


 5. Enable Local Security Authority (LSA) Protection without UEFI Lock

This will override and prevent using Option One, Option Two, and Option Three.


A) Click/tap on the Download button below to download the file below, and go to step 6 below.​

Always_Enable_Local_Security_Authority_protection_without_UEFI_Lock.reg


(Contents of REG file for reference)
Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"RunAsPPL"=dword:00000002

6 Save the REG file to your desktop.

7 Double click/tap on the downloaded REG file to merge it.

8 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

9 You can now delete the downloaded REG file if you like.


That's it,
Shawn Brink


Related Tutorials

 

Attachments

  • Windows_Security.png
    Windows_Security.png
    6 KB · Views: 99
  • Turn_OFF_Local_Security_Authority_protection.reg
    684 bytes · Views: 227
  • Always_Enable_Local_Security_Authority_protection_with_UEFI_Lock.reg
    634 bytes · Views: 262
  • Always_Enable_Local_Security_Authority_protection_without_UEFI_Lock.reg
    638 bytes · Views: 257
  • Default_user_choice_Local_Security_Authority_protection.reg
    608 bytes · Views: 257
  • Disable_Local_Security_Authority_protection.reg
    634 bytes · Views: 274
  • Turn_ON_Local_Security_Authority_protection_with_UEFI_Lock.reg
    672 bytes · Views: 95
  • Turn_ON_Local_Security_Authority_protection_without_UEFI_Lock.reg
    672 bytes · Views: 139
Last edited:
Click to expand...
AntonisCy said:
I have entered the System log in Windows Logs but how did i find it? There are alot of logs.
Click to expand...

You can filter or look for LSA under the Source column in the middle pane of Event Viewer.

LSA-1.png


LSA-2.png
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ideaCentre 510-15ICB (90HU00BHCY)
    CPU
    Intel i3-8100 CPU @ 3.60GHz
    Motherboard
    Intel B360
    Memory
    2 x 8GB 2666MHz TEAM GROUP TED48G2666C1901 (16GB Total)
    Graphics Card(s)
    Integrated Intel UHD Graphics 630
    Sound Card
    High Definition (HD) Audio, Realtek® ALC233 codec
    Monitor(s) Displays
    24" SAMSUNG LF24T450FQRXEN
    Screen Resolution
    1920 x 1080 @ 75Hz
    Hard Drives
    1x SSD GIGABYTE AORUS RGB 256GB M.2 2280 NVME PCI-EXPRESS 3.0 X4
    1x 1TB HDD 7200rpm 3.5"
    PSU
    LENOVO 100-240Vac SFF 180W PSU POWER SUPPLY 00PC745
    Case
    Factory
    Cooling
    Factory
    Keyboard
    A4Tech KL-5
    Mouse
    Logitech G502 Hero
    Internet Speed
    100 Mb/s Fiber
    Browser
    Chrome
    Antivirus
    Windows Security
    Other Info
    2.1 Logitech X-210 Speakers
AntonisCy said:
I get results same as the ones you have. Does this mean it is enabled?
Click to expand...

Windows Security shows LSA turned on for me, so I suppose so.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
I'm getting the warning today for the first time that LSA is off. However, like someone else posted previously, the switch isn't even there. Is there a fix for the missing switch?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
AntonisCy said:
I get results same as the ones you have. Does this mean it is enabled?
Click to expand...
Hi, I believe this is still the way to confirm if LSA is running

To discover if LSA was started in protected mode when Windows started, search for the following WinInit event in the System log under Windows Logs:

12: LSASS.exe was started as a protected process with level: 4
learn.microsoft.com

Configure added LSA protection

Learn how to configure added protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.
learn.microsoft.com
 

My Computer

System One

  • OS
    Windows 11
Brink said:
Windows Security shows LSA turned on for me, so I suppose so.
Click to expand...

Where exactly in the screenshot days it say that it is turned on?

Thanks
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ideaCentre 510-15ICB (90HU00BHCY)
    CPU
    Intel i3-8100 CPU @ 3.60GHz
    Motherboard
    Intel B360
    Memory
    2 x 8GB 2666MHz TEAM GROUP TED48G2666C1901 (16GB Total)
    Graphics Card(s)
    Integrated Intel UHD Graphics 630
    Sound Card
    High Definition (HD) Audio, Realtek® ALC233 codec
    Monitor(s) Displays
    24" SAMSUNG LF24T450FQRXEN
    Screen Resolution
    1920 x 1080 @ 75Hz
    Hard Drives
    1x SSD GIGABYTE AORUS RGB 256GB M.2 2280 NVME PCI-EXPRESS 3.0 X4
    1x 1TB HDD 7200rpm 3.5"
    PSU
    LENOVO 100-240Vac SFF 180W PSU POWER SUPPLY 00PC745
    Case
    Factory
    Cooling
    Factory
    Keyboard
    A4Tech KL-5
    Mouse
    Logitech G502 Hero
    Internet Speed
    100 Mb/s Fiber
    Browser
    Chrome
    Antivirus
    Windows Security
    Other Info
    2.1 Logitech X-210 Speakers

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ideaCentre 510-15ICB (90HU00BHCY)
    CPU
    Intel i3-8100 CPU @ 3.60GHz
    Motherboard
    Intel B360
    Memory
    2 x 8GB 2666MHz TEAM GROUP TED48G2666C1901 (16GB Total)
    Graphics Card(s)
    Integrated Intel UHD Graphics 630
    Sound Card
    High Definition (HD) Audio, Realtek® ALC233 codec
    Monitor(s) Displays
    24" SAMSUNG LF24T450FQRXEN
    Screen Resolution
    1920 x 1080 @ 75Hz
    Hard Drives
    1x SSD GIGABYTE AORUS RGB 256GB M.2 2280 NVME PCI-EXPRESS 3.0 X4
    1x 1TB HDD 7200rpm 3.5"
    PSU
    LENOVO 100-240Vac SFF 180W PSU POWER SUPPLY 00PC745
    Case
    Factory
    Cooling
    Factory
    Keyboard
    A4Tech KL-5
    Mouse
    Logitech G502 Hero
    Internet Speed
    100 Mb/s Fiber
    Browser
    Chrome
    Antivirus
    Windows Security
    Other Info
    2.1 Logitech X-210 Speakers
AntonisCy said:
There is no toggle to enable LSA in my Windows Security menu
Click to expand...
You should be able to use an available option to either turn on or enable LSA.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
safron said:
Hi @Brink. Thank you - this post helped me fix an issue I had with Windows Security.

Re Option # 2, Step 3 above:

I read that LSA protection without UEFI Lock is the Windows 11 default, but can't find much about about it other than how to turn it on or off. Do you know the implications of setting protection "with" vs "without", and why Windows defaults to the latter, less-secure (?) "without" option?
Click to expand...
It's the Windows 11 default from 22H2 with a New Clean Installation.

I've wondered that but my guess enforcing LSA in UEFI means it's harder to disable if you need to turn it off later. It writes the preference to your PC's UEFI.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro X
    Memory
    16GB
Brink said:
Hello @safron, :alien:

Option 1 and 2 are without UEFI lock.

UEFI lock is only available via the policy in option 3 or 4.
Click to expand...
That's not what is says here:

Configuring Additional LSA Protection

Regarding what this forum post refers to as OPTION 2 it says:

Using the Registry

  1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
  2. Set the value of the registry key to:
    1. "RunAsPPL"=dword:00000001 to configure the feature with a UEFI variable.
    2. "RunAsPPL"=dword:00000002 to configure the feature without a UEFI variable (only on Windows 11, 22H2).
  3. Restart the computer.
OPTION 2 makes no mention of there being a choice from 22H2 to Turn On With or Without a UEFI variable. It just says to set RunAsPPL to = 2.

I appreciate this page assumes your Windows 11 is on 22H2 but I'm not sure what setting the RunAsPPL to 2 will do prior to 22H2 as this policy doesn't exist.
 
Last edited:

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro X
    Memory
    16GB
safron said:
I hate to jump on the Microsoft bashwagon, but there are obviously many people encountering this issue. How difficult would it be for them to ensure the two registry keys exist, and are set to 2, if someone turns this on in Settings?
Click to expand...
Because it's not that simple and One doesn't follow the other.

The default Windows uses depends on whether it's Windows 8/Windows 10/Windows 11, it depends on which Windows build your PC is using and it depends on your PC's hardware capabilities.

One doesn't follow the other too, because all these settings detailed here are user override preferences to override default behaviour.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro X
    Memory
    16GB
Resolution: This issue was resolved in an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001). If you would like to install the update before it is installed automatically, you will need to check for updates.

It looks like the recommended way to get this update is to run the following in PowerShell:

Get-AppPackage Microsoft.SecHealthUI

I don't yet have this update still though and have just start getting this LSA warning. I'm using a Surface Pro X and WoA always seem to get updates later though.

Given this was/is a Windows Security False-Positive I'm not sure we need to be setting RunAsPPL. The Additional LSA Protection seems to be working correctly.

It's RunAsPPLBoot for me, that at least clears the warning in Windows Security. I didn't need to set RunAsPPL.

Do we know what RunAsPPLBoot does? I can't find anything about it online. Thanks.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro X
    Memory
    16GB
Hello @Bradavon , :alien:

I've updated option two to include both with and without the UEFI Lock option.

UEFI Lock acts as a tamper protection for the LSA setting.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
Brink said:
Hello @Bradavon , :alien:

I've updated option two to include both with and without the UEFI Lock option.

UEFI Lock acts as a tamper protection for the LSA setting.
Click to expand...
Oh nice one, thanks.

That's my understanding too. It makes me wonder why then the default on Windows 11 22H2 on a Clean Installation is "Without UEFI". Previous to 22H2 it was only available "With UEFI" (i.e. RunAsPPL=2 is new to 22H2). I guess Microsoft got complains from IT Admins it was causing issues and aired on the side of caution to set the default as Without UEFI but that's just a guess.

On paper "With UEFI" seems like the better option because it should make it harder for malware to turn off LSA Protection, but that isn't the default Microsoft went with.

Do we know what RunAsPPLBoot does btw? I can't find anything about it online. Thanks.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro X
    Memory
    16GB
Bradavon said:
Oh nice one, thanks.

That's my understanding too. It makes me wonder why then the default on Windows 11 22H2 on a Clean Installation is "Without UEFI". Previous to 22H2 it was only available "With UEFI" (i.e. RunAsPPL=2 is new to 22H2). I guess Microsoft got complains from IT Admins it was causing issues and aired on the side of caution to set the default as Without UEFI but that's just a guess.

On paper "With UEFI" seems like the better option because it should make it harder for malware to turn off LSA Protection, but that isn't the default Microsoft went with.

Do we know what RunAsPPLBoot does btw? I can't find anything about it online. Thanks.
Click to expand...

Agreed. With UEFI is more secure. It just uses without UEFI by default.

RunAsPPLBoot is just the other value that gets changed in the registry when using option one to toggle LSA.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
AntonisCy said:
There is no toggle to enable LSA in my Windows Security menu
Click to expand...
I read the official fix Microsoft pushed out "fixed it" by just removing the LSA toggle from Windows Security. I've not read an official statement from Microsoft on this though.

I've never had it to start with in Windows Security, my Mum's PC does. Her PC has Intel and mine Windows on ARM (Surface Pro X). I assumed this was why it's never been in Windows Security despite LSA being present on WoA too.

This from this page:

Resolution: This issue was resolved in an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001). If you would like to install the update before it is installed automatically, you will need to check for updates.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro X
    Memory
    16GB
Hello.
I have Lsa running confirmed by checking WinInit event in the System log under Windows Logs:
12: LSASS.exe was started as a protected process with level: 4
But still dont have a Lsa toogle in Windows Defender interface.
 

My Computer

System One

  • OS
    Windows 11 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 13 9360
    CPU
    Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
    Memory
    8 GB

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro X
    Memory
    16GB
I still have the LSA setting in Windows Security on build 25357 (Canary).

build_25357.jpg
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
You must log in or register to reply here.

Similar Windows 11 Tutorials

  • Article
Privacy and Security Verify Local Security Authority (LSA) Protection in Windows 11
Replies
0
Views
1K
Brink
Brink
  • Article
Accounts Enable or Disable Microsoft Accounts in Windows 11
Replies
0
Views
2K
Brink
Brink
  • Article
System Enable or Disable Create Dev Drive in Windows 11
Replies
0
Views
2K
Brink
Brink
  • Article
Browsers and Mail Enable or Disable Browse as Guest in Microsoft Edge
Replies
0
Views
482
Brink
Brink
  • Article
Apps Enable or Disable "Pin to taskbar" for Microsoft Store app in Windows 11
Replies
0
Views
1K
Brink
Brink
  • Article
Devices Enable or Disable Windows Protected Print Mode in Windows 11
Replies
0
Views
4K
Brink
Brink
  • Article
Browsers and Mail Enable or Disable Bypass Enhanced Security Mode in Microsoft Edge
Replies
0
Views
3K
Brink
Brink

Latest Support Threads

Latest Tutorials

Back
Top Bottom