False alarm: Microsoft Defender warning about disabled protection is misleading
An error message from Microsoft Defender under Windows 11 irritates many users: “Protection by the local (sic) security authority is disabled. Your device may be vulnerable,” the Windows 11 Security Center is now showing. Even after activation and system restart, the warning remains. Microsoft has now confirmed the erroneous behavior.
LSA protection to secure credentials
The “Protection by Local Security Authority” is intended to protect “user credentials” by preventing the mechanism from loading unsigned drivers and plug-ins within the local security authority. This is how the Windows Security Center explains it.
In combination with SecureBoot and UEFI-Lock, the LSA protection should prevent drivers and processes from reading unauthorized memory areas and thus login information. The false positive, now dubbed as such, is that admins can enable the option and reboot the system – but after the reboot, the error message still appears.
Microsoft has since confirmed the issue in the Windows Release Health Notes for Windows 11. After installing an update for Microsoft Defender that raises it to version 1.0.2302.21002, this message can appear. Windows may keep asking for a reboot to activate protection. Only this one update for “Windows security” from Microsoft’s March patch day triggers the error, the other updates for the operating systems are not affected, Microsoft emphasizes in the note.
As a temporary workaround, the developers suggest clicking away and ignoring the message, provided the option is enabled and the computer has been restarted. The event log can be used to check whether LSA protection is active. The WinInit event “12: LSASS.exe was started as a protected process with level: 4” then appears in the system log under the Windows logs. Microsoft expressly advises against other remedies, such as those found on the Internet – some sources suggest modifications to the Windows registry.
An update should soon put an end to the spook. Microsoft writes: “We are working on a solution and will update you as soon as it is available”.