{"id":34505,"date":"2023-03-17T11:59:06","date_gmt":"2023-03-17T06:29:06","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=34505"},"modified":"2023-05-06T08:49:03","modified_gmt":"2023-05-06T03:19:03","slug":"local-security-authority-protection-is-off","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/local-security-authority-protection-is-off\/","title":{"rendered":"[Fix] Local Security Authority protection is off; device may be vulnerable"},"content":{"rendered":"

When you enable the Local Security Authority protection in Windows Security \u2192 Device Security \u2192 Core isolation page on your Windows 11 22H2 (and higher) computer, the yellow exclamation continues to appear.<\/p>\n

It says, “Local Security Authority protection is off. Your device may be vulnerable.<\/strong>”<\/p>\n

\"lsa<\/p>\n

\n

Update from Microsoft<\/h3>\n

May 05, 2023<\/h4>\n

Resolution:\u00a0<\/strong>This issue was resolved in an update for Microsoft Defender Antivirus antimalware platform\u00a0KB5007651<\/a>\u00a0(Version 1.0.2303.27001). If you would like to install the update before it is installed automatically, you will need to\u00a0check for updates<\/strong><\/a>.<\/p>\n

Source: Windows 11, version 22H2 known issues and notifications | Microsoft Learn<\/a><\/strong><\/p>\n

March 2023<\/h4>\n

After installing “Update for Microsoft Defender Antivirus antimalware platform – KB5007651 (Version 1.0.2302.21002)”, you might receive a security notification or warning stating that “Local Security protection is off. Your device may be vulnerable.” and once protections are enabled, your Windows device might persistently prompt that a restart is required. Important: This issue affects only “Update for Microsoft Defender Antivirus antimalware platform – KB5007651 (Version 1.0.2302.21002)”. All other Windows updates released on March 14, 2023 for affected platforms (KB5023706 and KB5023698), do not cause this issue.<\/em><\/p>\n

Workaround: If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart. You can verify that LSA protection is enabled by looking in Event Viewer using the information available here. Important: Currently, we do not recommend any other workaround for this issue.<\/strong><\/del><\/p>\n

Next steps: We are working on a resolution and will provide an update as soon as it is available.<\/del><\/p>\n<\/div>\n

Workaround<\/h2>\n

Adding a new DWORD registry value named “RunAsPPLBoot<\/code>” and setting its data to 2<\/strong> resolves the issue.<\/p>\n

Note:<\/strong> As per the latest (May 05, 2023) note above from Microsoft, the issue has been addressed by the recent antimalware platform update. However, many users still getting the same error. The following procedure removes the yellow triangle warning.<\/em><\/p>\n

Option 1: Enable LSA protection using the Registry Editor.<\/h3>\n
    \n
  1. Open the Registry Editor (RegEdit.exe) and go to the following key:\n
    HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa<\/pre>\n<\/li>\n
  2. Create a DWORD (32-bit) value named RunAsPPL<\/strong><\/li>\n
  3. Create a DWORD (32-bit) value named RunAsPPLBoot<\/strong><\/li>\n
  4. Set the value data of “RunAsPPLBoot<\/strong>” to 2.<\/li>\n
  5. Set the value data of “RunAsPPL<\/strong>” to 2.
    \n\"lsa<\/li>\n
  6. Exit the Registry Editor.<\/li>\n
  7. Restart the computer.<\/li>\n<\/ol>\n
    \n
    Using the REG.exe command-line<\/h4>\n
    To automate the above steps using command-line, open an admin Command Prompt<\/a> window and run these commands:<\/p>\n
    reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" \/v \"RunAsPPL\" \/t REG_DWORD \/d 2 \/f\r\n\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" \/v \"RunAsPPLBoot\" \/t REG_DWORD \/d 2 \/f<\/pre>\n
    \"lsa<\/p>\n<\/div>\n
    FYI, below is the REG file<\/a> configuration for the above steps:<\/p>\n
    Windows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\r\n\"RunAsPPL\"=dword:00000002\r\n\"RunAsPPLBoot\"=dword:00000002<\/pre>\n
    Note:<\/strong> If you wish to revert to the default settings (set LSA protection to off), manually delete the RunAsPPLBoot<\/strong> and RunAsPPL<\/strong> values and reboot Windows.<\/em><\/p>\n
    RELATED:<\/strong> Fix: Cannot Enable Core Isolation Due to Incompatible Drivers<\/a><\/div>\n
    \n
    Option 2: Enable LSA protection using Local Group Policy Editor.<\/h3>\n
    Open Local Group Policy Editor (gpedit.msc<\/code>)<\/p>\n
    Go to the following branch:<\/p>\n
    Computer Configuration \u2192 Administrative Templates \u2192 System \u2192 Local Security Authority<\/pre>\n
    Open the Configure LSASS to run as a protected process policy<\/strong>.<\/p>\n
    Set the policy to Enabled.<\/p>\n
    Under Options, set Configure LSA to run as a protected process<\/strong> to:<\/p>\n
      \n
    • “Enabled with UEFI Lock” to configure the feature with a UEFI variable. This sets RunAsPPL to 1.<\/li>\n
    • “Enabled without UEFI Lock” to configure the feature without a UEFI variable.\u00a0This sets RunAsPPL to 2.<\/li>\n<\/ul>\n
      Restart the computer.<\/p>\n
      I hope that resolves the LSA protection yellow exclamation issue.<\/p>\n
      \n
      INFO: How to check that if the LSA Protection is effectively ON?<\/h3>\n
      To discover if LSA was started in protected mode when Windows started, search for the following WinInit event (Event ID 12) in the System log under Windows Logs:<\/p>\n
      LSASS.exe was started as a protected process with level: 4<\/pre>\n
      Here’s a sample event:<\/p>\n
      Source:        Microsoft-Windows-Wininit\r\nDate:          3\/17\/2023 11:33:58 AM\r\nEvent ID:      12\r\nTask Category: None\r\nLevel:         Information\r\nKeywords:      \r\nUser:          SYSTEM\r\nComputer:      VOSTRO-3470\r\nDescription:\r\nLSASS.exe was started as a protected process with level: 4.\r\n<\/pre>\n
      That’s it!<\/p>\n","protected":false},"excerpt":{"rendered":"
      When you enable the Local Security Authority protection in Windows Security \u2192 Device Security \u2192 Core isolation page on your Windows 11 22H2 (and higher) computer, the yellow exclamation continues to appear.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[869],"tags":[191,661,958],"class_list":["post-34505","post","type-post","status-publish","format-standard","hentry","category-windows-11","tag-error-messages","tag-windows-defender","tag-windows-security"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":30071,"url":"https:\/\/www.winhelponline.com\/blog\/windows-security-windowsdefender-urls\/","url_meta":{"origin":34505,"position":0},"title":"Windows Security URL Shortcuts for Each Page (WindowsDefender:\/\/)","author":"Ramesh","date":"November 22, 2022","format":false,"excerpt":"The Windows Security user interface has various options. Each of these pages can be opened directly using URL shortcuts, similar to the shell: commands we used to open special folders directly. Here's the list of WindowsDefender:\/\/ URL protocol commands to open individual Windows Security settings pages directly via the Run\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5125,"url":"https:\/\/www.winhelponline.com\/blog\/windows-defender-disabled-real-time-protection-virus\/","url_meta":{"origin":34505,"position":1},"title":"Microsoft Defender: “Managed by your administrator” or “Your IT administrator has limited access”","author":"Ramesh","date":"January 23, 2017","format":false,"excerpt":"In the aftermath of a malware attack, the Windows Defender Security settings page may show the message Some settings are managed by your organization\u00a0or This setting is managed by your administrator. The real-time protection and cloud-based protection options may remain disabled or grayed out. Here is what the Windows Defender\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"Microsoft Defender Antivirus group policy settings","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":3689,"url":"https:\/\/www.winhelponline.com\/blog\/start-windows-defender-offline-scan\/","url_meta":{"origin":34505,"position":2},"title":"How to Start Microsoft Defender Offline Scan in Windows 10\/11","author":"Ramesh","date":"August 4, 2016","format":false,"excerpt":"Malware is more complex today than it was many years ago. It operates at the filter driver, service, or rootkit level, and eliminating it is tough. Sometimes, you need to boot to the Windows RE environment and then delete the core malware files and services added to your Windows installation.\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"Microsoft Defender Offline scan - Virus and threat protection - Windows Security","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/08\/wdo-scan-4.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/08\/wdo-scan-4.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/08\/wdo-scan-4.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":69948,"url":"https:\/\/www.winhelponline.com\/blog\/windows-security-blank-windows-11\/","url_meta":{"origin":34505,"position":3},"title":"Windows Security is Blank in Windows 11","author":"Ramesh","date":"January 13, 2024","format":false,"excerpt":"After resetting your computer or performing a clean install of Windows 11, the Windows Security app may not load. It may stall with the shield icon showing up or a blank page. This happens even if you've chosen the Cloud download option during the Reset. Cause The above issue happens\u2026","rel":"","context":"In "Windows 11"","block_context":{"text":"Windows 11","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-11\/"},"img":{"alt_text":"windows security app UI - blank screen","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/01\/sechealthui-blank-windows-11-23h2.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/01\/sechealthui-blank-windows-11-23h2.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/01\/sechealthui-blank-windows-11-23h2.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":18890,"url":"https:\/\/www.winhelponline.com\/blog\/windows-defender-service-missing-security-page-empty\/","url_meta":{"origin":34505,"position":4},"title":"Windows Defender Service Missing; Security at a glance page is Empty","author":"Ramesh","date":"September 26, 2020","format":false,"excerpt":"In the aftermath of malware infection, when you open the Services MMC on a Windows 10 or 11 computer, you may find that the Windows Defender (\"Microsoft Defender Antivirus Service\") service is missing from the Services MMC. The Windows Security settings \"Security at a glance\" page may show up empty\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"advancedrun start regedit.exe","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/09\/advancedrun-start-regedit.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/09\/advancedrun-start-regedit.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/09\/advancedrun-start-regedit.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":75146,"url":"https:\/\/www.winhelponline.com\/blog\/defender-definitions-update-frequency\/","url_meta":{"origin":34505,"position":5},"title":"How to Change Microsoft Defender Definitions Update Frequency","author":"Ramesh","date":"May 12, 2024","format":false,"excerpt":"Microsoft Malware Protection Center releases security intelligence updates (a.k.a, definition updates) every 3-4 hours to update the virus definitions. However, your system may not automatically install every security intelligence update. Windows Update automatically installs the Defender security intelligence update once per day. It lets you manually check for updates and\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"defender updates - windows update","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/wu-defender-update.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/wu-defender-update.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/wu-defender-update.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/34505","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=34505"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/34505\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=34505"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=34505"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=34505"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}