Steps to solve the issue: Local Security Authority Protection Is Off (but It's On)

Windows 11 users have reported seeing warnings that Local Security Authority (LSA) Protection has been disabled, even though it shows as being toggled on. LSA protection is a crucial security feature for defending against the theft of sensitive information, such as login credentials, by blocking process memory dumping and untrusted code injection into the LSA process. This article will provide some facts about the issue, steps to solve it, and some related questions and their answers.

Facts

The reports are widespread: Windows Security shows the warning "Local Security Authority protection is off. Your device may be vulnerable." even though LSA Protection is enabled in Windows Security > Device security > Core isolation details[1].

LSA Protection is a crucial security feature for defending against the theft of sensitive information, such as login credentials, by blocking process memory dumping and untrusted code injection into the LSA process. Earlier this month, Microsoft announced that the latest Windows 11 build rolling out to Insiders in the Canary channel would also enable Local Security Authority (LSA) Protection by default. However, this default will apply only to new installations of Windows 11[1].

Steps to solve the issue

Here are the steps to solve the issue:

  1. Open the Registry Editor by pressing the Win + R hotkeys, typing regedit, and clicking OK.
  2. Navigate to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Create a new DWORD value named RunAsPPL and set its value data to 2.
  4. Create another new DWORD value named RunAsPPLBoot and set its value data to 2.
  5. Restart the system.
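
The same registry steps can be applied and checked from an elevated PowerShell prompt. The script below is an added example, not part of the original article; its function names are hypothetical, and the post-restart check relies on Wininit event 12 in the System log, which Microsoft documents as the record that LSASS started as a protected process.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Function names are hypothetical.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Value names and data exactly as given in steps 3 and 4.
$Wanted = [ordered]@{ RunAsPPL = 2; RunAsPPLBoot = 2 }

function Get-LsaPplState {
    # Report each value; Current is empty when the value does not exist yet.
    $props = Get-ItemProperty -Path $LsaKey
    foreach ($name in $Wanted.Keys) {
        [pscustomobject]@{
            Name    = $name
            Current = $props.$name
            Wanted  = $Wanted[$name]
            Match   = ($props.$name -eq $Wanted[$name])
        }
    }
}

function Set-LsaPplState {
    # Create or correct only the values that differ, so a re-run changes nothing.
    foreach ($row in @(Get-LsaPplState | Where-Object { -not $_.Match })) {
        New-ItemProperty -Path $LsaKey -Name $row.Name -PropertyType DWord `
            -Value $row.Wanted -Force | Out-Null
        Write-Host "Set $($row.Name) = $($row.Wanted) (was: '$($row.Current)')"
    }
}

function Get-LsaProtectedStartEvent {
    # Run after the restart in step 5. Compare EventTime with LastBoot to
    # confirm the event belongs to the current boot, then read the Message.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $evt  = Get-WinEvent -FilterHashtable @{
                LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
            } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LastBoot  = $boot
        EventTime = if ($evt) { $evt.TimeCreated } else { $null }
        Message   = if ($evt) { $evt.Message } else { 'No Wininit event 12 found' }
    }
}

Get-LsaPplState | Format-Table -AutoSize   # state before the change
Set-LsaPplState
Get-LsaPplState | Format-Table -AutoSize   # state after the change
# After restarting: Get-LsaProtectedStartEvent | Format-List
```

An event 12 message dated after the last boot and reporting that LSASS.exe was started as a protected process shows that the setting took effect, independent of what the Windows Security page displays.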

Related questions and answers

Q. What is LSA Protection?

A. LSA Protection is a crucial security feature for defending against the theft of sensitive information, such as login credentials, by blocking process memory dumping and untrusted code injection into the LSA process[1].

Q. How can I enable LSA Protection?

A. There are three ways to enable LSA Protection on your computer: using the Local Group Policy Editor, using the Registry Editor, and using the Command Prompt[2].

Q. What is the difference between LSA Protection and Credential Guard?

A. LSA Protection and Credential Guard are complementary security features. LSA Protection blocks process memory dumping and untrusted code injection into the LSA process, while Credential Guard isolates and protects secrets, such as NTLM password hashes and Kerberos tickets, so that only privileged system software can access them[3].

Conclusion

The "Local Security Authority protection is off. Your device may be vulnerable." warning in Windows 11 can be resolved by following the registry steps above. LSA Protection is a crucial security feature for defending against the theft of sensitive information, such as login credentials, by blocking process memory dumping and untrusted code injection into the LSA process. There are three ways to enable LSA Protection on your computer: using the Local Group Policy Editor, using the Registry Editor, and using the Command Prompt. LSA Protection and Credential Guard are complementary security features.