Fix Windows Security Says Local Security Authority Protection Is Off
🔍 WiseChecker

Quick fix: Open Windows Security → Device security → Core isolation details → Local Security Authority protection. Toggle On. Reboot. LSA protection itself does not need TPM 2.0 or a particular CPU; if the toggle is greyed out, the setting is being managed by policy (Group Policy, MDM, or a registry value an administrator set), not blocked by hardware.

Windows Security shows a yellow exclamation: “Local Security Authority protection is off.” This is a defense against credential theft: it runs the LSASS process as a protected process so ordinary code cannot read its memory. The toggle and the warning are new in Windows 11 22H2; the underlying feature is older. A small number of third-party LSA plug-ins (smart card, VPN, biometric) are incompatible and are the usual reason it is left off.

Symptom: Windows Security alerts that Local Security Authority protection is off; you want to enable it.
Affects: Windows 11 22H2+ (the toggle and warning). The feature itself is available from Windows 8.1 / Server 2012 R2 onward via registry or Group Policy.
Fix time: ~5 minutes, plus a reboot.


What causes this

The Local Security Authority Subsystem Service (lsass.exe) is the Windows process that handles authentication and holds credential material (NTLM hashes, Kerberos tickets, sometimes cleartext passwords for SSO) in memory. An attacker who already has local admin dumps that memory (mimikatz, procdump-style tools) and reuses the hashes for pass-the-hash. LSA Protection runs lsass.exe as a Protected Process Light (PPL): only code signed to Microsoft's protected-process requirements can open it with memory-read access or load a DLL into it, so an ordinary admin-level dump fails. It does not stop a kernel-mode attacker, which is why a signed vulnerable driver is the usual bypass.

LSA protection (the RunAsPPL registry setting) has existed since Windows 8.1 and Windows Server 2012 R2. Windows 11 22H2 added the Windows Security toggle and the warning banner. PCs upgraded from earlier Windows releases commonly still have it off.

Method 1: Enable via Windows Security UI

The standard route.

  1. Open Windows Security: Start menu → search → Windows Security.
  2. Click Device security in the left sidebar.
  3. Find Core isolation section. Click Core isolation details.
  4. Find Local Security Authority protection. Toggle On.
  5. Windows prompts to restart. Click Restart.
  6. After reboot: LSA Protection is active. The yellow exclamation in Windows Security clears.
  7. If the toggle is greyed out: the setting is being managed by Group Policy, MDM, or a RunAsPPL registry value. See Method 3.

This is the canonical fix.


Method 2: Enable via registry (for automation/troubleshooting)

For when the UI is unavailable (older Windows, Server) or for scripted setup. Run as Administrator.

  1. Open Registry Editor.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
  3. Find or create the DWORD value RunAsPPL.
  4. Set it to 1 (enabled with UEFI lock) or 2 (enabled without UEFI lock; Windows 11 22H2 and later only). 0 disables. Note the order: 1 is the locked mode. With the UEFI lock, Windows writes a UEFI variable so the setting cannot be turned back off from the registry; clearing it later needs Microsoft's UEFI opt-out tool with Secure Boot temporarily disabled, so pick the lock deliberately.
  5. RunAsPPLBoot, a companion DWORD under the same key, does not need to be set by hand; RunAsPPL alone controls the feature.
  6. Reboot.
  7. For Group Policy (Pro/Enterprise): gpedit.msc → Computer Configuration → Administrative Templates → System → Local Security Authority → Configure LSASS to run as a protected process. Set to Enabled and choose “Enabled with UEFI Lock” or “Enabled without UEFI Lock”.
  8. From an elevated command prompt or PowerShell: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f (1 = with UEFI lock; use /d 2 for no lock).
  9. Before enforcing on a fleet, stage audit mode first: under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe create DWORD AuditLevel = 8, reboot, and use the machine normally. LSASS stays unprotected but logs every plug-in that would be rejected (events 3065 and 3066 in Microsoft-Windows-CodeIntegrity/Operational), so you learn which driver or SSP to update before it breaks logons.

This is the right path for scripted deployment.
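The staged rollout in Method 2 as one script: an added example written for this page, not code from the article or from Microsoft. It assumes Microsoft's documented registry values (RunAsPPL 1 = UEFI lock, 2 = no lock, 0 = off; AuditLevel 8 for audit mode) and nothing else; the parameter names and the Mode vocabulary are this example's own.

```powershell
# Added example: stage, enable, or disable LSA protection from an elevated PowerShell session.
# Values follow Microsoft's documentation for RunAsPPL and the LSASS.exe AuditLevel setting.
# A reboot is required after every mode change; this script does not reboot for you.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Audit', 'UefiLock', 'NoLock', 'Disable')]
    [string]$Mode
)

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# HKLM writes fail silently-looking without elevation, so check up front.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

switch ($Mode) {
    'Audit' {
        # LSASS keeps running unprotected but logs plug-ins that would be rejected.
        Set-DwordValue -Path $auditKey -Name 'AuditLevel' -Value 8
        Write-Host 'Audit mode staged. Reboot, use the machine (logons, smart cards, VPN), then'
        Write-Host 'review Microsoft-Windows-CodeIntegrity/Operational for events 3065 and 3066.'
    }
    'UefiLock' {
        # Once locked, RunAsPPL=0 is ignored; removal needs Microsoft's UEFI opt-out tool
        # with Secure Boot temporarily disabled. Choose this only after a clean audit run.
        Set-DwordValue -Path $lsaKey -Name 'RunAsPPL' -Value 1
        Remove-ItemProperty -Path $auditKey -Name 'AuditLevel' -ErrorAction SilentlyContinue
    }
    'NoLock' {
        # Windows 11 22H2 and later; reversible from the registry.
        Set-DwordValue -Path $lsaKey -Name 'RunAsPPL' -Value 2
        Remove-ItemProperty -Path $auditKey -Name 'AuditLevel' -ErrorAction SilentlyContinue
    }
    'Disable' {
        # Has no effect on a UEFI-locked machine; the lock must be cleared first.
        Set-DwordValue -Path $lsaKey -Name 'RunAsPPL' -Value 0
    }
}

$current = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
Write-Host "RunAsPPL is now: $current (1 = UEFI lock, 2 = no lock, 0 or empty = off)"
Write-Host 'Reboot for the change to take effect.'
```

Run it as `.\Set-LsaProtection.ps1 -Mode Audit` first, reboot, and only move to `-Mode UefiLock` once the CodeIntegrity log is clean; on a machine with legacy BIOS firmware, use `-Mode NoLock` because the lock needs a UEFI variable to write.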

Method 3: Work out why the toggle is greyed out

For when the toggle cannot be changed.

  1. LSA Protection has no TPM 2.0, Secure Boot or virtualization requirement. Those belong to Memory integrity and Credential Guard, which sit on the same Core isolation page and are easy to confuse with it. Do not change firmware settings for this feature.
  2. A greyed-out toggle means the setting is managed. Check for a RunAsPPL value already present under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (an administrator or a script may have set it), for a Group Policy object (gpresult /h report.html, then search for “Local Security Authority”), or for an MDM policy on work or school accounts. If the value is already 1 or 2, protection is on regardless of what the toggle shows; confirm with the checks under “How to verify the fix worked”.
  3. The UEFI lock specifically needs UEFI firmware, because it stores a UEFI variable. Check msinfo32 → BIOS Mode: it should say UEFI. On a Legacy BIOS install, use RunAsPPL = 2 (enabled without lock) instead.
  4. On a domain-joined or MDM-managed PC, ask IT; the setting is theirs to change and a local edit will be overwritten at the next policy refresh.

This addresses the cases where the UI refuses to change the setting.

How to verify the fix worked

  • Windows Security → Device security → Core isolation details → Local Security Authority protection shows On.
  • The yellow exclamation banner in Windows Security clears (it can take a restart of Windows Security to refresh).
  • Run Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RunAsPPL in PowerShell. Value 1 (UEFI lock) or 2 (no lock).
  • Event Viewer → Windows Logs → System, source Wininit: Event ID 12 “LSASS.exe was started as a protected process with level: 4” at the last boot confirms it is really running protected; Event ID 13 means it did not start protected.
  • Event Viewer → Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational: events 3065 and 3066 list drivers or LSA plug-ins that failed the signing requirements. A clean log after a day of normal use means no third-party component was blocked.
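The verification checklist above as one function, added here as an example for this page rather than code from the article or from Microsoft. It relies on the documented RunAsPPL values, Wininit events 12 and 13 in the System log, and CodeIntegrity events 3065 and 3066; the wildcard match on the Wininit provider name and the function name are this example's own choices.

```powershell
# Added example: report whether LSASS actually started protected, and which plug-ins were rejected.
function Test-LsaProtection {
    $result = [ordered]@{
        RunAsPPL         = $null
        UefiLocked       = $false
        StartedProtected = $false
        LastBootMessage  = $null
        BlockedPlugins   = @()
    }

    # Registry tells you what was requested, not what happened at boot.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name RunAsPPL -ErrorAction SilentlyContinue
    if ($reg) {
        $result.RunAsPPL   = $reg.RunAsPPL
        $result.UefiLocked = ($reg.RunAsPPL -eq 1)   # 1 = with UEFI lock, 2 = without
    }

    # Event 12: LSASS started as a protected process. Event 13: it did not.
    # Filter on provider because other System-log providers also use ID 12.
    $boot = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12, 13 } `
                         -MaxEvents 200 -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -like '*Wininit*' } |
            Select-Object -First 1
    if ($boot) {
        $result.StartedProtected = ($boot.Id -eq 12)
        $result.LastBootMessage  = $boot.Message
    }

    # Audit mode and enforcement both record rejected LSA plug-ins here; the file path
    # in the message names the driver or SSP that needs a vendor update.
    $ci = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } `
                       -ErrorAction SilentlyContinue
    if ($ci) {
        $result.BlockedPlugins = @($ci | ForEach-Object { $_.Message } | Sort-Object -Unique)
    }

    [pscustomobject]$result
}

$status = Test-LsaProtection
$status | Format-List

if ($status.StartedProtected -and $status.BlockedPlugins.Count -eq 0) {
    Write-Host 'LSA protection is active and no plug-ins were rejected.'
} elseif ($status.StartedProtected) {
    Write-Warning 'LSA protection is active but some plug-ins were rejected; see BlockedPlugins.'
} else {
    Write-Warning 'LSASS did not start protected. Check RunAsPPL, policy, and the Wininit events.'
}
```

Run it from an elevated session so the CodeIntegrity log is readable. A RunAsPPL of 1 or 2 with a StartedProtected of false means the value was written after the last boot, or the machine never rebooted.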

If none of these work

If LSA Protection will not enable, or breaks something after it does:

  • Incompatible plug-ins. LSA Protection refuses to load DLLs into LSASS that are not signed to Microsoft's protected-process requirements: authentication packages, security support providers, password filters, and some smart card or biometric components. Update all drivers and security software first, especially antivirus, smart card and VPN clients.
  • Check Event Viewer. Enabling can fail quietly. Look in the System log for Wininit event 13 (LSASS did not start protected) and for LsaSrv errors, and in Microsoft-Windows-CodeIntegrity/Operational for events 3065 and 3066 naming the rejected file.
  • Third-party authentication providers. Some smart card and biometric vendors do not yet support LSA Protection. The vendor must ship a compatible, correctly signed version; there is no local workaround other than removing the component.
  • Domain-joined or MDM-managed PCs. The setting is usually controlled centrally, and a local change is overwritten at the next policy refresh. Contact IT rather than fighting the policy.
  • Last resort: disable if it is breaking applications. Set RunAsPPL = 0 and reboot. This only works if the UEFI lock was not used; a locked machine ignores the registry and needs Microsoft's UEFI opt-out tool, run with Secure Boot temporarily disabled. You are trading security for compatibility, so treat it as temporary and re-enable once the offending component is updated.

Bottom line: Windows Security → Device security → Core isolation details → toggle Local Security Authority protection on, then reboot. No special hardware is needed; a greyed-out toggle means policy is in charge. Stage audit mode first on any machine with third-party smart card, VPN or biometric software.
