When you enable the Local Security Authority protection in Windows Security → Device Security → Core isolation page on your Windows 11 22H2 (and higher) computer, the yellow exclamation continues to appear.
It says, “Local Security Authority protection is off. Your device may be vulnerable.”
Update from Microsoft: March 2023
After installing “Update for Microsoft Defender Antivirus antimalware platform – KB5007651 (Version 1.0.2302.21002)”, you might receive a security notification or warning stating that “Local Security protection is off. Your device may be vulnerable.” and once protections are enabled, your Windows device might persistently prompt that a restart is required. Important: This issue affects only “Update for Microsoft Defender Antivirus antimalware platform – KB5007651 (Version 1.0.2302.21002)”. All other Windows updates released on March 14, 2023 for affected platforms (KB5023706 and KB5023698), do not cause this issue.
Workaround: If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart. You can verify that LSA protection is enabled by looking in Event Viewer using the information available here. Important: Currently, we do not recommend any other workaround for this issue.
Next steps: We are working on a resolution and will provide an update as soon as it is available.
Source: Windows 11, version 22H2 known issues and notifications | Microsoft Learn
Workaround
Adding a new DWORD registry value named “RunAsPPLBoot” and setting its data to 2 resolves the issue.
Note: As per the latest (March 2023) note above from Microsoft, no such workarounds are supported by Microsoft. However, many users have indicated that the following procedure removes the yellow triangle warning.
Option 1: Enable LSA protection using the Registry Editor.
- Open the Registry Editor (RegEdit.exe) and go to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Create a DWORD (32-bit) value named RunAsPPL
- Create a DWORD (32-bit) value named RunAsPPLBoot
- Set the value data of “RunAsPPLBoot” to 2.
- Set the value data of “RunAsPPL” to 2.
- Exit the Registry Editor.
- Restart the computer.
Using the REG.exe command-line
To automate the above steps from the command line, open an admin Command Prompt window and run these commands:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RunAsPPL" /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RunAsPPLBoot" /t REG_DWORD /d 2 /f
FYI, below is the REG file configuration for the above steps:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000002
"RunAsPPLBoot"=dword:00000002
Note: If you wish to revert to the default settings (set LSA protection to off), manually delete the RunAsPPLBoot and RunAsPPL values and reboot Windows.
Option 2: Enable LSA protection using Local Group Policy Editor.
Open Local Group Policy Editor (gpedit.msc)
Go to the following branch:
Computer Configuration → Administrative Templates → System → Local Security Authority
Open the Configure LSASS to run as a protected process policy.
Set the policy to Enabled.
Under Options, set Configure LSA to run as a protected process to:
- “Enabled with UEFI Lock” to configure the feature with a UEFI variable. This sets RunAsPPL to 1.
- “Enabled without UEFI Lock” to configure the feature without a UEFI variable. This sets RunAsPPL to 2.
Restart the computer.
I hope that resolves the LSA protection yellow exclamation issue.
INFO: How to check whether LSA Protection is effectively ON
To discover if LSA was started in protected mode when Windows started, search for the following WinInit event (Event ID 12) in the System log under Windows Logs:
LSASS.exe was started as a protected process with level: 4
Here’s a sample event:
Source: Microsoft-Windows-Wininit
Date: 3/17/2023 11:33:58 AM
Event ID: 12
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: VOSTRO-3470
Description:
LSASS.exe was started as a protected process with level: 4.
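The registry check and the Event Viewer check above can be done in one step from an elevated PowerShell window. The script below is an added example, not part of the original article or anything shipped by Microsoft: it reads the RunAsPPL and RunAsPPLBoot values from the Lsa key, looks for the WinInit Event ID 12 in the System log, and only counts that event if it was written after the last boot, so a stale event from an earlier boot is not mistaken for current protection. The function names are the example's own.

```powershell
# Added example (not from the original article): report whether LSA protection
# is configured in the registry and whether LSASS actually started protected at
# the last boot. Run from an elevated PowerShell prompt on Windows 11 22H2+.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionConfig {
    # Read the two DWORD values; a value that does not exist comes back as $null.
    $props = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
    [pscustomobject]@{
        RunAsPPL     = $props.RunAsPPL       # 1 = UEFI lock, 2 = no UEFI lock, $null = not set
        RunAsPPLBoot = $props.RunAsPPLBoot
    }
}

function Get-LsaProtectionBootEvent {
    # WinInit writes Event ID 12 to the System log when LSASS.exe is started as a
    # protected process. Only the most recent matching event is returned.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'protected process' }
}

function Test-LsaProtectionActive {
    # Protection is considered active only if the event was logged at the current boot;
    # an Event ID 12 from a previous boot says nothing about the running system.
    $lastBoot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $bootEvent = Get-LsaProtectionBootEvent
    return ($null -ne $bootEvent) -and ($bootEvent.TimeCreated -ge $lastBoot)
}

$config = Get-LsaProtectionConfig
"RunAsPPL     : $($config.RunAsPPL)"
"RunAsPPLBoot : $($config.RunAsPPLBoot)"

if (Test-LsaProtectionActive) {
    $bootEvent = Get-LsaProtectionBootEvent
    "LSA protection active since boot ({0}): {1}" -f $bootEvent.TimeCreated, $bootEvent.Message.Trim()
} else {
    "No WinInit Event ID 12 for the current boot; LSASS was not started as a protected process."
}
```

If the registry values are set but Test-LsaProtectionActive reports no event, the computer has not been restarted since the values were written (or the setting was rejected at boot). That is exactly the situation Microsoft's March 2023 note describes: once the event is present for the current boot, the yellow triangle and the repeated restart prompt can be ignored.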
That’s it!