Microsoft is again pushing a Defender Antivirus update (first issued in April and pulled in May) that fixes a known issue triggering Windows Security warnings that Local Security Authority (LSA) Protection is off.
Microsoft acknowledged this issue impacts Windows 11 21H2 and 22H2 systems after numerous user reports about “Local Security Authority protection is off. Your device may be vulnerable.” warnings, although LSA Protection was already enabled.
LSA Protection safeguards Windows users from credential theft by blocking the injection of untrusted code into the LSASS.exe process, which attackers could otherwise use to extract sensitive information.
While Redmond says the issue stems from a faulty update for the Microsoft Defender Antivirus antimalware platform issued in May, affected customers have been reporting these LSA Protection alerts since at least January 15.
“This issue was resolved in an update for Windows Security platform antimalware platform KB5007651 (Version 1.0.2306.10002),” Microsoft said on Wednesday.
“If you would like to install the update before it is installed automatically, you will need to check for updates.”
On April 26, Redmond first released the KB5007651 Microsoft Defender update to fix the known issue and help users get rid of the persistent Windows Security restart alerts.
However, the Defender update did this by removing the setting, ensuring that the confusing warnings would no longer be shown in the Windows Settings app.
Almost one month later, on May 17, the company stopped pushing KB5007651 to affected users because of blue screens or unexpected system restarts when gaming on Windows 11 after installing the update.
“This known issue was previously resolved with an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001) but issues were found, and that update is no longer being offered to devices,” Microsoft said at the time.
“If you have installed Version 1.0.2303.27001 and receive an error with a blue screen, or if your device restarts when attempting to open some games or apps, you will need to disable Kernel-mode Hardware-enforced Stack Protection.”
Workaround also available
Redmond also provided a temporary solution for customers who can’t immediately install KB5007651, with the company advising them to disregard the reboot notifications.
“If you have enabled Local Security Authority (LSA) protection and have already restarted your device at least once, you can dismiss warning notifications and disregard any further notifications urging a restart,” Microsoft says.
To check if LSA protection is enabled on your computer, open the Windows Event Viewer and look for a Wininit event reading “LSASS.exe was started as a protected process with level:4.”, which confirms that the process is isolated and secured by LSA Protection.
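The same Event Viewer check can be scripted. The PowerShell below is an added example, not code from Microsoft or the original article. It assumes an English-language system (the message text is matched literally) and that the event is logged in the System log by the Microsoft-Windows-Wininit provider. The function name is hypothetical.

```powershell
# Added example: reports whether LSASS started as a protected process on the
# current boot, based on the Wininit event message quoted in the article.
# Assumptions: English message text; System log; Microsoft-Windows-Wininit provider.
function Get-LsaProtectionBootStatus {
    [CmdletBinding()]
    param()

    $pattern = 'LSASS\.exe was started as a protected process with level:\s*(\d+)'
    $boot    = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    # Get-WinEvent returns newest events first, so the first match is the latest start.
    $evt = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Wininit'
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object -First 1

    if (-not $evt) {
        # No event found: either LSASS is not protected or the log has rolled over.
        return [pscustomobject]@{
            LastBoot          = $boot
            EventTime         = $null
            Level             = $null
            ProtectedThisBoot = $false
        }
    }

    # Re-run the match in this scope so $Matches holds the captured level.
    $null = $evt.Message -match $pattern

    [pscustomobject]@{
        LastBoot          = $boot
        EventTime         = $evt.TimeCreated
        Level             = [int]$Matches[1]
        # One-minute margin covers clock adjustments made early in boot.
        ProtectedThisBoot = ($evt.TimeCreated -ge $boot.AddMinutes(-1))
    }
}

Get-LsaProtectionBootStatus | Format-List
```

A result with ProtectedThisBoot set to True and Level 4 corresponds to the condition Microsoft describes for safely dismissing the warning: LSA protection enabled and the device restarted at least once since.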
While BleepingComputer previously suggested a method involving the addition of two registry entries to remove these warnings, Microsoft explicitly states that they “do not recommend any other workaround for this issue.”
Two months ago, in March, Microsoft announced that LSA Protection would be enabled by default for Windows 11 Insiders in the Canary channel, provided their systems passed an incompatibility audit check.