Microsoft has released an update for Defender Antivirus to address a known issue that triggers false Windows Security warnings about Local Security Authority (LSA) Protection being turned off. The issue affects Windows 11 21H2 and 22H2 systems, even when LSA Protection is enabled.
LSA Protection is crucial for safeguarding users against credential theft by blocking the injection of untrusted code into the LSASS.exe process. The problem is attributed to a faulty update for the Microsoft Defender Antivirus antimalware platform, with affected users experiencing these warnings since at least January 15.
The latest update, KB5007651 (Version 1.0.2306.10002), resolves the LSA Protection issue and is now being pushed by Microsoft. Users can either check for updates manually or wait for the automatic installation.
The initial attempt to address the issue was made on April 26 with the release of KB5007651, which removed the setting causing the warnings to no longer appear in the Windows Settings app.
However, on May 17, the update was pulled due to issues causing blue screens and unexpected system restarts during gaming on Windows 11.
Microsoft advises affected users to dismiss reboot notifications if they have already enabled LSA Protection and restarted their devices at least once. To verify if LSA protection is active, users can check the Windows Event Viewer for the “LSASS.exe was started as a protected process with level:4.” Wininit event, which confirms the isolation and security provided by LSA Protection.
Microsoft had previously announced that LSA Protection would be enabled by default for Windows 11 Insiders in the Canary channel, following a compatibility audit check.
