Windows 10: How to enable LSA protection on Windows 11

The Local Security Authority is a crucial component of the Windows security system, responsible for verifying a user's identity during the sign-in process on a local computer. It checks password changes and login attempts, generates access tokens for single sign-in sessions, and carries out other authentication and authorization tasks in Windows.



Securing the Local Security Authority subsystem is one of the most important steps you can take to safeguard your system and accounts against cyber threats. By enabling Local Security Authority protection, you will have increased control over potential cleartext password vulnerabilities and password dumping attacks, providing an extra layer of security for your system.This guide will show you how to turn on Local Security Authority (LSA) Protection in Windows 11.

How to enable LSA protection on Windows 11


Windows 11 provides support for Local Security Authority protection to help prevent unauthorized access to your system by attackers. In this post, we'll cover three methods for enabling LSA Protection in Windows 11:

• Using the Windows Security app.
• Using the Windows Registry Editor.
• Using the Local Group Policy Editor.

It's important to note that you need to have administrator privileges to enable the extra protection for Local Security Authority in Windows 11.



How to enable LSA using the Windows Security app


To enable the Local Security Authority protection in Windows 11 using the Windows Security app, follow these steps:

1. Go to the Windows search bar and type 'windows security'.
2. Select the 'Windows Security' option from the search results.
3. Expand the left menu in the Windows Security app by clicking on the menu icon.
4. Click on the 'Device Security' option.
5. Under the 'Core isolation' section, click on the 'Core isolation details' link.
6. Turn on the toggle button for the 'Local Security Authority protection' option.
7. Confirm the change by clicking 'Yes' in the User Account Control prompt that appears.
8. Finally, restart your PC to apply the changes.

By enabling the Local Security Authority protection, you can protect your device and system resources from attackers who might try to gain unauthorized access to your system by stealing your credentials. The ‘Local Security Authority protection is off, Your device may be vulnerable’ alert in Windows Security is a warning message that your device is at risk, so it's important to fix it by enabling the feature.

How to enable LSA using the Registry Editor


You can also enable the Local Security Authority protection through Windows Registry. However, before you make any changes, it's important to back up your registry or create a system restore point to keep your system secure.

Here's how you can do it:

1. Press the Win + R key combination and type 'regedit' in the Run dialogue box.
2. Hit the Enter key.
3. Say yes to the User Account Control prompt.
4. In the Registry Editor, navigate to this path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
5. On the right panel, double-click on RunAsPPL.
6. Change the value data to 1 and hit OK.
7. Finally, restart your PC to apply the changes.

How to enable LSA using the Group Policy Editor


If you have a Windows Pro or Enterprise edition, you can use the bundled Local Group Policy Editor to enable the Local Security Authority protection. If you have the Home edition, don't worry, you can still access this tool using Policy Plus freeware. Just make sure to create a system restore point before making any changes to your Windows Policy.

Here's how you can enable the Local Security Authority protection with the Local Group Policy Editor:

1. Open the Run dialog box by pressing Win+R and type 'gpedit.msc.'
2. Press Enter and navigate to Computer Configuration\Administrative Templates\System\Local Security Authority in the Local Group Policy Editor window.
3. In the right panel, double-click on 'Configure LSASS to run as a protected process' policy.

In the policy settings window, select 'Enabled' and choose either 'Enabled with UEFI Lock' or 'Enabled without UEFI Lock' in the dropdown menu.

1. If you choose 'Enabled with UEFI Lock,' LSA will run as a protected process and the configuration can't be disabled remotely.
2. Click OK, then Apply.

Thank you for being a Ghacks reader. The post How to enable LSA protection on Windows 11 appeared first on gHacks Technology News.

read more...

 

Disabling LSA protection

We have an internal issue causing something not to work when the LSA protection is enabled.

As we also have "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" ASR rule, and following this recommendation that "having both running at the same time would be redundant" we want to turn off the LSA protection.

The problem starts with the fact that all our devices support Secure Boot and since years we use UEFI based devices.

On those machines the task of disabling LSA protection seems like very cumbersome and not straight forward.

Is there more easy and centralized way to disable LSA protection on a few thousands windows machines?

Thanks in advance

 

How to fix LSA package is not signed as expected event log entries?

Solved.

Here is the article on whats happening: Configuring Additional LSA Protection | Microsoft Learn

If you are on a work computer under a domain you should probably use the Group Policy as instructed in the article.

On a local computer:

Using the Registry

1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
   
2. Set the value of the registry key to:
   
   1. "RunAsPPL"=dword:00000001 to configure the feature with a UEFI variable.
      
   2. "RunAsPPL"=dword:00000002 to configure the feature without a UEFI variable (only on Windows 11, 22H2).
      
3. Restart the computer.
   

If the registry key RunAsPPL does not exist create it as a New DWORD (32-bit) Value and set the Hexadecimal value to 00000002

The device that was causing the issue for me was a G935 Gaming Headset, which re-prompted to select the device after I created the key and rebooted.

 

Clear Windows Security Center (Defender) Protection History

Did not work for me. After going through all steps I still have protection history full