Microsoft has addressed a problem that triggered warnings about Local Security Authority (LSA) Protection being off by removing the feature’s user interface (UI) from settings. LSA Protection is designed to protect against credential theft by blocking untrusted code from being injected into the LSASS.exe process to extract information or dump its memory.
The alerts, which persisted despite the feature being enabled, were caused by a buggy Microsoft Defender Antivirus antimalware platform update, according to Microsoft.
The issue affected Windows 11 21H2 and 22H2 systems.
Microsoft said the alerts were fixed in a new Microsoft Defender Antivirus antimalware platform update, but the fix involved removing the LSA Protection UI altogether from the Windows Settings app. Despite the UI being removed, LSA Protection is still supported, and users can still enable or disable it using the Registry or Group/MDM policies. However, there is no way to check whether LSA Protection is enabled from the Windows settings.
Users can check using the Windows Event Viewer by looking for a Wininit event 12 that indicates that LSASS.exe is being isolated and protected by LSA Protection.
The issue of incompatible drivers triggering alerts that Kernel-mode Hardware-enforced Stack Protection (HSP) is off has also arisen following the removal of the LSA Protection UI. Kernel-mode HSP prevents control flow attacks based on Return Oriented Programming by using features such as Intel’s Control-flow Enforcement Technology or ARM’s Pointer Authentication Code.
Some game anti-cheat drivers have been flagged as incompatible, causing crashes or preventing games from launching. Microsoft has announced that LSA Protection will be enabled by default for Windows 11 Insiders in the Canary channel if their systems pass an incompatibility audit check.
