[Fix] Local Security Authority protection is off; device may be vulnerable

When you enable the Local Security Authority protection in Windows Security → Device Security → Core isolation page on your Windows 11 22H2 (and higher) computer, the yellow exclamation continues to appear.

It says, “Local Security Authority protection is off. Your device may be vulnerable.”


Update from Microsoft

May 05, 2023

Resolution: This issue was resolved in an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001). If you would like to install the update before it is installed automatically, you will need to check for updates.

Source: Windows 11, version 22H2 known issues and notifications | Microsoft Learn

March 2023

After installing “Update for Microsoft Defender Antivirus antimalware platform – KB5007651 (Version 1.0.2302.21002)”, you might receive a security notification or warning stating that “Local Security protection is off. Your device may be vulnerable.” and once protections are enabled, your Windows device might persistently prompt that a restart is required. Important: This issue affects only “Update for Microsoft Defender Antivirus antimalware platform – KB5007651 (Version 1.0.2302.21002)”. All other Windows updates released on March 14, 2023 for affected platforms (KB5023706 and KB5023698), do not cause this issue.

Workaround: If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart. You can verify that LSA protection is enabled by looking in Event Viewer using the information available here. Important: Currently, we do not recommend any other workaround for this issue.

Next steps: We are working on a resolution and will provide an update as soon as it is available.

Workaround

Adding a new DWORD registry value named “RunAsPPLBoot” and setting its data to 2 resolves the issue.

Note: As per the latest (May 05, 2023) note above from Microsoft, the issue has been addressed by the recent antimalware platform update. However, many users are still getting the same error. The following procedure removes the yellow triangle warning.

Option 1: Enable LSA protection using the Registry Editor.

  1. Open the Registry Editor (RegEdit.exe) and go to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Create a DWORD (32-bit) value named RunAsPPL
  3. Create a DWORD (32-bit) value named RunAsPPLBoot
  4. Set the value data of “RunAsPPLBoot” to 2.
  5. Set the value data of “RunAsPPL” to 2.
  6. Exit the Registry Editor.
  7. Restart the computer.

Using the REG.exe command-line

To automate the above steps from the command line, open an elevated (admin) Command Prompt window and run these two commands:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RunAsPPL" /t REG_DWORD /d 2 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RunAsPPLBoot" /t REG_DWORD /d 2 /f


FYI, below is the REG file configuration for the above steps:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000002
"RunAsPPLBoot"=dword:00000002

Note: If you wish to revert to the default settings (set LSA protection to off), manually delete the RunAsPPLBoot and RunAsPPL values and reboot Windows.


Option 2: Enable LSA protection using Local Group Policy Editor.

  1. Open Local Group Policy Editor (gpedit.msc) and go to the following branch:
    Computer Configuration → Administrative Templates → System → Local Security Authority
  2. Open the Configure LSASS to run as a protected process policy.
  3. Set the policy to Enabled.
  4. Under Options, set Configure LSA to run as a protected process to one of the following:
    • “Enabled with UEFI Lock” to configure the feature with a UEFI variable. This sets RunAsPPL to 1. Because the setting is also stored in firmware, deleting the registry values alone will not turn LSA protection off afterwards.
    • “Enabled without UEFI Lock” to configure the feature without a UEFI variable. This sets RunAsPPL to 2.
  5. Restart the computer.

I hope that resolves the LSA protection yellow exclamation issue.


INFO: How to check whether LSA protection is effectively ON

To discover if LSA was started in protected mode when Windows started, search for the following WinInit event (Event ID 12) in the System log under Windows Logs:

LSASS.exe was started as a protected process with level: 4

Here’s a sample event:

Source:        Microsoft-Windows-Wininit
Date:          3/17/2023 11:33:58 AM
Event ID:      12
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      VOSTRO-3470
Description:
LSASS.exe was started as a protected process with level: 4.
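To automate both checks covered above (the two registry values from Option 1 and the WinInit Event ID 12 in the System log), here is an added PowerShell example. It is not part of the original post; it assumes an elevated PowerShell prompt and only reads settings, it does not change anything.

```powershell
# Added example (not from the original post): report whether LSA protection is
# configured in the registry and whether LSASS actually started protected on this boot.
# Run from an elevated PowerShell prompt; reading the System log needs admin rights.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props  = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue

foreach ($name in 'RunAsPPL', 'RunAsPPLBoot') {
    $value = $props.$name
    if ($null -eq $value) {
        Write-Output "$name : not set"
    } else {
        # 1 = enabled with UEFI lock, 2 = enabled without UEFI lock (see Option 2 above)
        $meaning = switch ($value) {
            1       { 'enabled with UEFI lock' }
            2       { 'enabled without UEFI lock' }
            default { 'unrecognised value' }
        }
        Write-Output ("{0} : {1} ({2})" -f $name, $value, $meaning)
    }
}

# WinInit logs Event ID 12 in the System log at each boot where LSASS starts as a
# protected process. Restrict the search to the current boot so a stale event from an
# earlier startup (before the values were removed, for example) does not mislead.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 12
    StartTime    = $lastBoot
}
$event = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

if ($null -ne $event -and $event.Message -match 'protected process with level: (\d+)') {
    Write-Output ("LSA protection is ON: LSASS started as a protected process with level {0} (event logged {1})" -f $Matches[1], $event.TimeCreated)
} else {
    Write-Output 'LSA protection is OFF for this boot: no WinInit Event ID 12 since the last startup.'
    Write-Output 'If the registry values above are set, a restart is still required for them to take effect.'
}
```

If the registry values read 2 but no Event ID 12 has been logged since the last boot, the machine has not been restarted since the values were written, which is exactly the state that leaves the yellow triangle in place.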

That’s it!



Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

1 thought on “[Fix] Local Security Authority protection is off; device may be vulnerable”

  1. Thank you so much for offering this solution, which saved my mental health. I used Option 1: Enable LSA protection using the Registry Editor. The RunAsPPL DWORD value set to 2 already existed. So I just added the RunAsPPLBoot DWORD value, crossed fingers, and restarted the computer. Voila. Problem solved.
