Wish it away into the cornfield
Do you keep receiving a “Local Security Authority protection is off. Your device may be vulnerable.” notification each time you boot to the Windows 11 desktop? This troubleshooting guide will explain why that happens and what you can do to dismiss it.
What Is Local Security Authority Protection in Windows 11?
The Local Security Authority (LSA) is the system component that enforces security policies in Windows 11. It authenticates users during the login process, creates access tokens, and manages password policies. The underlying process is LSASS.exe.
To bolster security, Windows 11 offers a feature called Local Security Authority protection. It runs the LSASS process in protected mode, blocking unsigned drivers and plugins from loading and preventing potential attacks from malicious code.
Why You Keep Receiving the “LSA Protection Is Off” Notification
The “Local Security Authority protection is off” notification pops up after installing Microsoft Defender Antivirus Version 1.0.2302.21002, regardless of whether the feature is on or off on your computer. Microsoft has acknowledged it as a known Windows 11 version 22H2 issue.
What You Can Do to Fix “Local Security Authority Protection Is Off”
You’ve got three methods to deal with a persistent “Local Security Authority protection is off” security warning in Windows 11. You can:
- Dismiss the error: Despite the warning, the chances are Local Security Authority is running in protected mode on your computer. You can safely dismiss it after verifying the LSA state via the Event Viewer.
- Update Windows: At the time of writing, Microsoft has released an official fix with “Update for Microsoft Defender Antivirus antimalware platform – KB5007651 (Version 1.0.2306.10002).” You can install it if it’s available for you.
- Modify the registry: It’s possible to modify the system registry and manually activate Local Security Authority protection to stop the security warning from appearing.
Method 1: Check the Event Viewer and Dismiss
Unless you’re on a new Windows 11 installation, the “Local Security Authority protection is off” error likely appears even though Local Security Authority protection is enabled on your system.
Microsoft’s suggestion—if Microsoft Defender Antivirus Version 1.0.2306.10002 or later is not available to you—is to check if Local Security Authority protection is active via the Event Viewer and dismiss the warning if you’ve already restarted your PC at least once after receiving it.
Begin by confirming that the Local Security Authority is running in Protected Mode via the Event Viewer. To do that:
- Right-click the Start button and select Event Viewer.
- Expand Windows Logs and select System on the sidebar.
- Select Find.
- Type lsass.exe into the Find what field and select Find next.
- Check the General pane. You should see “LSASS.exe was started as a protected process with level: 4” if Local Security Authority protection is active.
To dismiss the “Local Security Authority protection is off” notification in Windows 11:
- Restart your computer (if you haven’t done so since receiving the notification).
- Double-click the Windows Security icon on the system tray.
- Select Device Security.
- Under Core isolation, select Core isolation details.
- Select Dismiss next to the “Local Security Authority protection is off” notification.
- Restart your computer and check if the “Local Security Authority protection is off” warning recurs.
Method 2: Update Windows 11
According to Microsoft, newer versions of Microsoft Defender Antivirus—Version 1.0.2306.10002 and later—fix the “Local Security Authority protection is off” error in Windows 11. Hence, installing all pending updates through Windows Update is the best way to deal with the issue.
To do that:
- Right-click the Start button and select Settings.
- Scroll down the sidebar, choose Windows Update, and select Check for updates to initiate a scan for new updates.
- Select Download and install to apply all pending updates to the operating system and reboot your PC afterward.
Method 3: Modify the System Registry
If the Local Security Authority protection isn’t active when checking with the Event Viewer, updating Windows 11 fails to resolve the issue, or you don’t have newer updates to Microsoft Defender Antivirus available, you must modify the system registry to resolve the issue.
Warning: Microsoft does not recommend workarounds to dismiss the “Local Security Authority protection is off” security notification, so only go through the steps below if the methods above fail. You should also back up the system registry before you go ahead.
- Press Windows + R, type regedit into the Open field, and select OK.
- Copy and paste the following path into the address bar at the top of the Registry Editor window and press Enter:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Ensure Lsa is selected on the left navigation pane, and double-click the RunAsPPL and RunAsPPLBoot entries on the right.
- Change the hex value inside the Value data field to 2 for both entries and select OK.
Note: If one or both keys aren’t present, you must create them manually—right-click Lsa on the sidebar and select DWORD (32-bit) Value, name it after the missing key, and save with a value of 2.
- Select File > Exit to exit the Registry Editor.
- Restart Windows 11.
Alternatively, you can modify the system registry via Windows PowerShell. Here’s how:
- Right-click the Start button and select Windows Terminal (Admin).
- Copy and paste the following command into the console:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 2 /f;reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 2 /f
- Press Enter to execute the command and restart your PC.
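After the restart, the Event Viewer check from Method 1 and the registry values from Method 3 can be read back in one pass. The script below is an added example, not part of the original guide or Microsoft's instructions; it only reads state, and the function names are chosen here for illustration.

```powershell
# Added example: read-only check, run from an elevated PowerShell session.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaPplConfig {
    # The two values the guide sets; $null means the value does not exist.
    # Per Microsoft's documentation, 1 enables protection with a UEFI lock
    # and 2 (the value used in this guide) enables it without one.
    $props = Get-ItemProperty -Path $lsaKey
    foreach ($name in 'RunAsPPL', 'RunAsPPLBoot') {
        [pscustomobject]@{ Name = $name; Value = $props.$name }
    }
}

function Get-LsaProtectedStart {
    # Same search as the Event Viewer steps: newest System-log entry saying
    # LSASS.exe was started as a protected process (logged by Wininit).
    $filter  = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit' }
    $pattern = 'LSASS\.exe was started as a protected process with level: (\d+)'
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match $pattern) {
                [pscustomobject]@{ Time = $_.TimeCreated; Level = [int]$Matches[1] }
            }
        } |
        Select-Object -First 1   # events arrive newest first
}

$config = Get-LsaPplConfig
$start  = Get-LsaProtectedStart
$boot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$config | Format-Table -AutoSize

# A configured registry value only takes effect at the next start of LSASS,
# so compare the event time with the last boot time before trusting it.
if (-not $start) {
    'No "started as a protected process" event found in the System log.'
} elseif ($start.Time -lt $boot) {
    "Last protected start ($($start.Time)) predates the last boot ($boot); restart and re-check."
} else {
    "LSASS started as a protected process (level $($start.Level)) at $($start.Time)."
}
```

If the registry values read 2 but no current event is found, the setting has been written but LSASS has not yet been started under it.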
“Local Security Authority Protection Is Off” Warning Dismissed
As you just found out, you’ve got multiple ways to deal with the “Local Security Authority protection is off” error in Windows 11. You can dismiss the notification if Local Security Authority protection is active, install the latest Microsoft Defender Antivirus updates, or modify the system registry if the problem persists.
If none of the methods above work, use a third-party antimalware utility for protection until Microsoft addresses the issue again in a future update.