How to Enable LSA Protection Safely on Windows 11

Quick fix: LSA (Local Security Authority) Protection prevents untrusted code from being loaded into or injected into the LSA process, which defends against credential theft. Enable via Windows Security → Device security → Core isolation → Local Security Authority protection → toggle on. Reboot. Test for app / plugin compatibility. If issues: same place, toggle off.

LSA Protection (RunAsPPL) hardens the credential storage process. Modern Windows 11 enables it by default on new installs; on upgraded installs it may be off. Recommended for security, but check app compatibility first.

Symptom: Want to enable LSA Protection safely on Windows 11.
Affects: Windows 11.
Fix time: ~15 minutes.


What causes this need

LSA (lsass.exe) stores cached credentials, Kerberos tickets and NTLM hashes, so attackers target it. LSA Protection runs lsass.exe as a Protected Process Light (PPL): only code carrying the required Microsoft signature can load into or interact with it. Mitigates: Mimikatz and credential-dumping malware.

Method 1: Enable via Windows Security

The standard route.

  1. Open Windows Security.
  2. Pick Device security.
  3. Click Core isolation details.
  4. Find Local Security Authority protection.
  5. Toggle On and approve the UAC prompt.
  6. Reboot.
  7. After reboot: verify Windows Security shows LSA Protection: On.
  8. For new Windows 11 installs: usually on by default.
  9. For installs upgraded from Windows 10: may need the manual toggle.

This is the standard setup.


Method 2: Enable via registry (if Security UI hidden)

For policy-managed PCs.

  1. Open Registry Editor as Admin.
  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
  3. Find or create the DWORD value RunAsPPL. Set it to 1 (enabled with UEFI Lock) or 2 (enabled, no UEFI Lock).
  4. Apply.
  5. Reboot.
  6. For Group Policy alternative: Computer Configuration → Administrative Templates → System → Local Security Authority → Configure LSASS to run as a protected process → Enabled.
  7. For checking: Get-WmiObject -Class Win32_Service -Filter "Name='LsaSvc'" shows service running.
  8. For per-process check: Process Explorer (Sysinternals) shows lsass.exe with PPL icon.

This is the registry route.

Method 3: Check compatibility before enabling

For avoiding breakage.

  1. Apps that hook into LSA may break:
    • Some third-party AV (older versions).
    • Some VPN clients.
    • Some single sign-on tools.
    • Some authentication add-ons.
  2. For testing: enable temporarily without the UEFI Lock (RunAsPPL = 2) so it can be reverted easily.
  3. Reboot. Test critical apps and workflows.
  4. Check Event Viewer → Windows Logs → System → Lsa source. Event 3033 = load denied; 3065 = code integrity violation.
  5. If issues: temporarily disable (toggle off in Windows Security), update problematic app, re-enable.
  6. For chronic compatibility issues: file a report with the app vendor. They need to sign their LSA plugin with the proper EKU.
  7. For corporate-managed: test in staging environment first.
  8. For a related check: Get-MpComputerStatus | Select-Object IsTamperProtected.

This is the compatibility check.

How to verify the fix worked

  • Windows Security → Device security → Core isolation: LSA Protection On.
  • Event Viewer: LSA events show protected mode start.
  • Process Explorer: lsass.exe shows Protected Process.
  • System boots normally without errors.

If none of these work

If LSA Protection won't enable:

  • Hardware requirement: requires Secure Boot. Verify: msinfo32 → Secure Boot State: On.
  • Hyper-V conflicts: rare. Hyper-V uses VBS / Memory Integrity; LSA Protection complements it.
  • Chronic app breakage: the vendor needs to update for PPL compatibility.
  • Windows 11 Education / Home: feature available on all editions.
  • Corporate: Group Policy enforcement.
  • Insider builds: feature may shift; check current docs.
  • Verifying via PowerShell:

    $lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RunAsPPL -ErrorAction SilentlyContinue; if ($lsa) { Write-Host "Value: $($lsa.RunAsPPL)" }
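As an added example (not from the original article), the following PowerShell function combines the checks above into one report: the RunAsPPL registry value, Secure Boot state, whether lsass.exe actually started protected, and recent Code Integrity events that point at an incompatible plugin. It assumes an elevated session on Windows 11; the Wininit event IDs 12/13 and the Microsoft-Windows-CodeIntegrity/Operational log are assumptions not named on this page.

```powershell
# Added example, not from the original article. Assumes an elevated
# PowerShell 5.1+ session on Windows 11. Event sources assumed here:
#   System log, provider Microsoft-Windows-Wininit: ID 12 = lsass.exe started
#   as a protected process, ID 13 = started in audit mode only.
#   Microsoft-Windows-CodeIntegrity/Operational: ID 3033/3065 = a load into a
#   protected process was denied, ID 3066 = would have been denied (audit mode).
function Get-LsaProtectionStatus {
    [CmdletBinding()]
    param([int]$Days = 7)

    # Configured value: 1 = on with UEFI lock, 2 = on without lock, 0/absent = off
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name RunAsPPL -ErrorAction SilentlyContinue
    $configured = if ($reg) { [int]$reg.RunAsPPL } else { 0 }

    # Secure Boot is a prerequisite; the cmdlet throws on legacy BIOS systems
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

    # Runtime state from the most recent Wininit start event (newest first)
    $start = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12, 13
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $runtime = if ($start.Id -eq 12) { 'Protected' }
               elseif ($start.Id -eq 13) { 'AuditOnly' }
               else { 'NoStartEventFound' }

    # Compatibility signals: modules that Code Integrity refused to let lsass.exe load
    $denied = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3033, 3065, 3066
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' } |
        Select-Object TimeCreated, Id, @{ n = 'Module'
            e = { [regex]::Match($_.Message, 'attempted to load (\S+)').Groups[1].Value } }

    [pscustomobject]@{
        RunAsPPL      = $configured
        SecureBoot    = $secureBoot
        RuntimeState  = $runtime
        DeniedLoads   = @($denied).Count
        DeniedDetails = $denied
    }
}

Get-LsaProtectionStatus -Days 14 | Format-List
```

A RunAsPPL of 1 or 2 with RuntimeState of NoStartEventFound usually means the machine has not rebooted since the change; a non-zero DeniedLoads lists the exact module a vendor needs to re-sign.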

Bottom line: Windows Security → Device security → Core isolation → Local Security Authority protection → On. Reboot. Test apps for compatibility. Disable temporarily if specific app breaks.
