Microsoft Fixes Bug Behind Windows LSA Protection Warnings, Again


Microsoft has once again released a Defender Antivirus update that addresses a known issue causing Windows Security warnings indicating that Local Security Authority (LSA) Protection is off. This issue was first addressed in an update released in April, but it was withdrawn in May due to complications.

The issue in question affects Windows 11 21H2 and 22H2 systems, with users receiving warnings stating, “Local Security Authority protection is off. Your device may be vulnerable.” This occurs despite LSA Protection being enabled. LSA Protection is a crucial security feature that protects Windows users from credential theft by preventing the injection of untrusted code into the LSASS.exe process.

Microsoft attributes the problem to a faulty update for the Microsoft Defender Antivirus antimalware platform issued in May. However, customers have reported seeing these LSA Protection alerts since at least January 15.

The issue was resolved in an update for the Windows Security platform antimalware platform, KB5007651 (Version 1.0.2306.10002), as announced by Microsoft. Users who want the update before it is installed automatically will need to check for updates.

In April, Microsoft first released the KB5007651 Microsoft Defender update to fix the known issue and help users get rid of the persistent Windows Security restart alerts. However, this was done by removing the setting in the Defender update to ensure that the confusing warnings would no longer be shown in the Windows Settings app.

In May, the company stopped pushing KB5007651 to affected users because of blue screens or unexpected system restarts when gaming on Windows 11 after installing the update.

Microsoft also provided a temporary solution for customers who can’t immediately install KB5007651, advising them to disregard the reboot notifications. “If you have enabled Local Security Authority (LSA) protection and have already restarted your device at least once, you can dismiss warning notifications and disregard any further notifications urging a restart,” Microsoft says.

To check whether LSA Protection is enabled on your computer, open the Windows Event Viewer and look for a Wininit event reading “LSASS.exe was started as a protected process with level:4.” This event confirms that the process is isolated and secured by LSA Protection.
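The Event Viewer check above can also be scripted. The following PowerShell is an added example, not code from Microsoft or from the original article; it assumes the Wininit event is written to the System log with event ID 12 and that the message text is in English.

```powershell
# Added example: look for the Wininit "protected process" event described above.
# Assumptions: System log, event ID 12, English message text.
$pattern  = 'LSASS\.exe was started as a protected process with level:\s*(\d+)'
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Event ID 12 is used by several providers, so filter on provider name and message.
$latest = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -match $pattern } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 1

if (-not $latest) {
    # No matching event: LSASS was not logged as starting protected,
    # or the System log has rolled over since the last boot.
    Write-Output 'No Wininit protected-process event found in the System log.'
}
else {
    # Re-run the match on the selected event to extract the level number.
    $null = $latest.Message -match $pattern
    [pscustomobject]@{
        TimeCreated     = $latest.TimeCreated
        ProtectionLevel = [int]$Matches[1]
        # True when the event was logged after the most recent boot.
        FromCurrentBoot = $latest.TimeCreated -ge $lastBoot
    }
}
```

If `FromCurrentBoot` is false, the most recent confirmation predates the current boot and does not describe the running LSASS process.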

While BleepingComputer previously suggested a method involving the addition of two registry entries to remove these warnings, Microsoft explicitly states that they “do not recommend any other workaround for this issue.”

In March, Microsoft announced that LSA Protection would be enabled by default for Windows 11 Insiders in the Canary channel, provided their systems passed an incompatibility audit check.