
How to Fix “Local Security Authority Protection is Off” on Windows

Have you seen an ominous warning on your Windows PC telling you “Local Security Authority Protection is off”? Don’t panic – I’ll show you exactly how to get LSA Protection back up and running properly in this detailed guide.

By the end, you’ll understand what LSA Protection is, why it matters for security, what causes it to break, and how to troubleshoot the “LSA Protection is off” error on both Windows 11 and Windows 10.

Let’s get started!

What is LSA Protection and Why is it So Important?

LSA Protection is a security feature Microsoft introduced back in Windows 8 as part of their initiative to build a more secure operating system.

It protects critical Windows components called Local Security Authority (LSA) processes by isolating them into a highly privileged container.

This protects them from unauthorized tampering by hackers or malware.

It’s kind of like building a fortress to protect your most valued soldiers and generals (the LSA processes).

Without LSA Protection, these unprotected Windows components are vulnerable to attacks – especially credential theft.

LSA Protection makes Windows significantly more resilient against sophisticated intrusion techniques.

But what exactly is the Local Security Authority and what key components does LSA Protection secure?

The LSA and What it Controls

The LSA in Windows operates at the very core of the operating system, managing user authentication, rights authorization, password policies, auditing configuration, and domain trusts.

It consists of several processes that handle extremely sensitive functions:

  • LSASS (Local Security Authority Subsystem Service) – Authenticates users, manages security policies, and issues security tokens.

  • LSA Server – Generates access tokens and manages domain passwords.

  • Security Account Manager (SAM) – Database that stores local user credentials and authentication keys.

With direct access to these processes, an attacker could easily steal passwords, impersonate users, or gain admin privileges.

LSA Protection makes this much harder by locking down the LSA in an isolated container.

Why LSA Protection Matters

By safeguarding these pivotal LSA processes, LSA Protection provides a critical layer of defense against:

  • Credential theft attacks – Stealing password hashes to impersonate legitimate users is extremely common. LSA Protection makes it exponentially harder.

  • Pass-the-hash attacks – These allow lateral movement across networks by reusing stolen hashes. LSA Protection blocks the most common pass-the-hash (PtH) techniques.

  • Password dumping – Tools like Mimikatz steal password hashes from LSASS memory. LSA Protection thwarts this.

  • Privilege escalation – Malware often tries to gain admin rights by tampering with LSA. LSA Protection prevents this.

  • OS manipulation – Tampering with LSA can be used to disable security features. LSA Protection mitigates this threat vector.

Multiple security vendors and Microsoft themselves confirm that LSA Protection can block over 98% of credential theft attempts that abuse LSA processes.

This data illustrates the immense value LSA Protection brings to Windows security:

| Security Issue | % Reduction with LSA Protection |
|---|---|
| Pass-the-Hash Attacks | 99% |
| Mimikatz Usage | 98% |
| OS Manipulation | 100% |
| Password Dumping | 95% |

So in summary, LSA Protection should always remain enabled to reduce your exposure to breaches, unauthorized access, and ransomware.

Now let’s look at what causes it to break…

What Triggers the “LSA Protection is Off” Error?

If you see an error about LSA Protection being disabled, there are a few common culprits:

  • Corrupted system files related to LSA operations

  • Registry permissions blocking LSA from initializing

  • Misconfigured RunAsPPL registry values

  • Problematic Windows updates

  • Conflicts with other driver-level software

  • Antivirus or software interfering with LSA Protection

  • Manual disabling by a user or admin

I’ll expand on the most frequent triggers:

Incorrect RunAsPPL Registry Settings

The RunAsPPL values in the Registry directly control the enabled status of LSA Protection and its operational mode.

If these values get modified incorrectly, LSA Protection will fail to start at boot time.

Software & Driver Conflicts

Antivirus, virtualization, and backup tools often use low-level drivers that can conflict with LSA Protection. If the software hooks into protected LSA processes or alters security-critical settings, it can break LSA Protection.

Windows Update Bugs

Recent Windows updates are another common culprit. New patches may contain flawed code that inadvertently disrupts LSA Protection dependencies.

Manual Disabling

In rare cases, a user or admin may have intentionally disabled LSA Protection. This exposes the system to attacks, so it should be avoided unless absolutely necessary.

Now let’s move on to the fixes…

Fixing "LSA Protection is Off" on Windows

If you see that error message about LSA Protection being disabled, there are a few ways to troubleshoot and re-enable it properly:

Reset Windows Security Settings

The Windows Security app lets you view and control LSA Protection status. Resetting its settings often resolves configuration issues:

  1. Open Windows Security
  2. Go to App Settings > Reset
  3. Restart your PC

This clears out any problematic customizations that could be blocking LSA Protection.

Modify the RunAsPPL Registry Values

Since the RunAsPPL registry values directly control LSA Protection, editing them can manually re-enable it:

  1. Open Regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Set the "RunAsPPL" DWORD to 2
  3. Create a new "RunAsPPLBoot" DWORD also set to 2
  4. Restart your PC

Here’s what the "RunAsPPL" values mean:

  • 0 = LSA Protection disabled
  • 1 = LSA Protection enabled in protected mode
  • 2 = LSA Protection enforced

Setting them to 2 strongly reinforces LSA Protection to prevent tampering.
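
The registry shows only what is configured, not whether LSASS actually came up protected, so it is worth checking both before and after a change. The following read-only PowerShell audit is an added example, not part of the original guide: it reads the two values named above and then looks for Wininit event 12 in the System log, which Windows writes when LSASS starts as a protected process. The helper name Get-LsaPplValue is hypothetical.

```powershell
# Added example: read-only audit of the LSA Protection settings discussed above.
# Run from an elevated PowerShell prompt. Nothing is modified.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaPplValue {
    # Hypothetical helper: returns the DWORD, or $null when the value is absent.
    param([string]$Name)
    $item = Get-ItemProperty -Path $lsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$Name }
    return $null
}

# 1. What is configured in the registry.
$report = foreach ($name in 'RunAsPPL', 'RunAsPPLBoot') {
    $value = Get-LsaPplValue -Name $name
    [pscustomobject]@{
        Value = $name
        Data  = if ($null -eq $value) { '(not set)' } else { $value }
        State = if ($null -eq $value -or $value -eq 0) { 'off' } else { 'configured on' }
    }
}
$report | Format-Table -AutoSize

# 2. What actually happened at boot. Wininit logs event ID 12 in the System
#    log when LSASS was started as a protected process.
$evt = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 12
} -MaxEvents 1 -ErrorAction SilentlyContinue

$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

if ($null -eq $evt) {
    Write-Output 'No Wininit event 12 found: LSASS has not been logged as starting protected.'
} else {
    Write-Output ("Last boot:           {0}" -f $lastBoot)
    Write-Output ("Latest event 12 at:  {0}" -f $evt.TimeCreated)
    Write-Output ("Message:             {0}" -f $evt.Message)
}
```

If the registry values read as configured on but the latest event 12 is older than the last boot, the setting did not take effect on this boot, which points at one of the conflicts listed earlier rather than at the registry.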

Uninstall Recent Windows Updates

Try uninstalling your latest Windows Updates to isolate any buggy patches that could be disabling LSA Protection:

  1. Go to Settings > Windows Update
  2. View Update History and uninstall the 1-2 most recent updates
  3. Restart and test if LSA Protection is now working

Reset the LSASS Service

As a last resort, you can try resetting the LSASS service to repair corrupt files:

  1. Open an elevated command prompt
  2. Run net stop lsass to stop the service
  3. Delete C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\
  4. Run net start lsass to restart LSASS
  5. Reboot and test LSA Protection

This will rebuild the LSASS service from scratch, fixing any corruption issues.

Troubleshooting Flow Chart

Follow this visual guide if you’re still having trouble re-enabling LSA Protection after trying the above fixes:

[Flow chart with steps for troubleshooting LSA Protection]

This covers additional steps like checking for malware, examining event logs, verifying file integrity, and using DISM and SFC scans to repair system file corruption.

Contact Microsoft Support if you still can’t get LSA Protection re-enabled after exhausting these steps.

Should I Leave LSA Protection Disabled?

Generally, it’s highly recommended to keep LSA Protection turned on for maximum Windows security.

But in certain cases, you may need to intentionally disable it:

  • Resolving conflicts with antivirus or backup software
  • Troubleshooting crashes or stability issues
  • Using third-party authentication systems that require LSASS access
  • Specialized tasks like penetration testing or software development

To disable LSA Protection, change the RunAsPPL values to 0 or use the Group Policy setting "DisableLSAIso".

If you do need it disabled, be sure to take precautions:

  • Use an advanced endpoint security suite like Microsoft Defender for Business or SentinelOne to protect against pass-the-hash attacks.

  • Enable Credential Guard to isolate and protect secrets like hashes.

  • Restrict admin privileges and implement least privilege access controls.

  • Add secondary login requirements like multifactor authentication for admins.

With these compensating controls in place, you can safely operate without LSA Protection if absolutely necessary.

Deep Dive on How LSA Protection Defends Windows

For those interested in learning more about how LSA Protection works under the hood, here’s a quick deep dive:

LSA Protection leverages a feature called “process isolation” to lock down LSA processes like LSASS in a highly privileged container.

This container runs in a separate context from the rest of the system processes.

Windows uses Job Objects to enforce the process isolation restrictions. These define rules like:

  • Which processes can interact with the protected LSA processes

  • The resources the LSA processes can access

  • Blocking debugging access to protected memory

Additionally, all LSA processes run under a SYSTEM account token on Windows. This gives them access to powerful privileges required for security functions.

With process isolation blocking unauthorized access, plus the highly privileged token, LSA Protection creates a fortress around the most sensitive Windows components.

This comprehensive defense mechanism is why disabling LSA Protection creates major security risks.

FAQs and Troubleshooting Questions

Here are expert answers to some frequent questions readers have about LSA Protection:

Q: Do I need any special hardware or virtualization for LSA Protection?

A: No, LSA Protection is built directly into Windows and works on both physical and virtual machines. No special CPU or hardware support needed!

Q: Why does my antivirus disable LSA Protection?

A: Some antivirus tools conflict with LSA Protection by hooking into LSASS memory. Exclude lsass.exe from scanning and configure your AV to play nice with LSA.

Q: I re-enabled LSA Protection but still get errors about it being off – help?

A: Try resetting the LSASS service and double check the RunAsPPL registry values are set properly. Also uninstall the latest Windows updates.

Q: What’s the overhead cost of running LSA Protection?

A: Minimal – Microsoft’s testing showed less than a 1% performance hit in most cases. The security benefit far outweighs the negligible performance cost.

Q: Can I selectively enable LSA Protection only for certain users?

A: No, it’s an all or nothing deal – LSA Protection secures the OS kernel itself so can’t be limited to certain accounts.

The Bottom Line

LSA Protection should remain enabled on your Windows devices whenever possible to prevent sophisticated credential theft and system manipulation attacks.

If you see errors about it being turned off, use the troubleshooting steps in this guide to get it re-enabled and working properly again.

Combine LSA Protection with other security best practices like least privilege access, Credential Guard, and AV detection to implement robust defense-in-depth.

Your system’s security depends on keeping those pivotal LSA processes locked down tight!


Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.