2 
Computer: Lenovo Ideapad S340-15API
Model: 81nc
Processor: AMD Ryzen 5 3500U with Radeon Vega Mobile Gfx 2.10 GHz
Installed RAM: 8,00 GB (5,94 GB usable)
System type: 64-bit operating system, x64-based processor

Edition: Windows 11 Home
Version: 22H2
Installed on: ‎2023-‎03-‎21
OS build: 22621.1635
Experience: Windows Feature Experience Pack 1000.22641.1000.0

On 2023-03-17 I got the Microsoft Defender icon with a Warning triangle in my task bar, telling me "Local Security Authority protection is off. Your device may be vulnerable". However, the option to turn it on was grayed out, so I believe I turned it on manually through regedit if I recall correctly.

Shortly after that date, on 2023-03-21, I completely re-installed Windows with Microsoft's own media creation tool. My current configuration is given above.

Today, the same problem arose, i.e. the Microsoft Defender icon with a Warning triangle, telling me "Local Security Authority protection is off. Your device may be vulnerable". It then prompted me to go to Device Security settings to turn it on. However, this time the actual feature named 'Local Security Authority Protection' doesn't even exist under Security features, either in my Local user account nor my Admin account.

As you can se on the screenshot taken in darkmode, from Microsoft's own help forum, 'Local Security Authority Protection' should be security feature number two between 'Memory integrity' and 'Microsoft Vulnerability Driver Blocklist', but it is completely missing as seen on my own screenshot taken in lightmode.

When I tried searching for "Local Security Authority protection option is missing" I didn't get any results with the same issue, but rather I got results about the same warning. I ended up following this guide on how to turn the option on through regedit.

The guide said to put a '1' in the value data of RunAsPPL, which I did. However, other guides said that it should always be a '2', so I don't actually know what is correct here.

Changing RunAsPPL to a '1' and rebooting did nothing about getting back 'Local Security Authority Protection' and the warning did not disappear. However, when I followed another guide saying to also create RunAsPPLBoot and setting them both, i.e. RunsAsPPL & RunAsPPLBoot to a '2' and then reboot, it did make the warning go away. I still don't have 'Local Security Authority Protection' in my settings though.

That is why I turned to Superuser to see if anyone knows why this option does not exist for me.

Improve this question
1
  • You are tracking it’s enabled despite saying it’s not, right, and this behavior was introduced by installing KB5007651?
    – Ramhound
    Commented May 4, 2023 at 12:34

4 Answers 4

Reset to default
3

You can resolve this known issue by running the command:

Get-AppPackage Microsoft.SecHealthUI

This will update Windows Defender to a version that no longer has this issue once it's released. Until an update is released, you can confirm that LSA protection is still enabled, despite the notification saying otherwise by looking for the following WinInit event:

12: LSASS.exe was started as a protected process with level: 4

Source: Windows 11, version 22H2 known issues and notifications

Improve this answer
2
  • So the original notification was caused by the update, the option missing from Settings, might be something else but I believe if you perform the resolution steps you will find LSA protection actually is enabled on your system
    – Ramhound
    Commented May 4, 2023 at 12:46
  • I found the WinInit event with that exact text, so I guess it works now. But the Get-AppPackage Microsoft.SecHealthUI command plus a reboot did not bring back that option in settings. This is super odd.
    – capably_chummy
    Commented May 4, 2023 at 13:28
2

I'm hitting the same issue.

I did verify via Ramhound's answer that the 12: LSASS.exe was started as a protected process with level: 4 is actually running. But the warning is nonetheless annoying, and the disappearance of the setting itself is concerning.

However, I did stumble across the below, which may be helpful, but I can't verify where Microsoft has explicitly stated this:

Microsoft has temporarily removed the Local Security Authority UI from the Windows Security app, but the feature is supported on Windows 11. Therefore, the ability to disable or enable Local Security Authority Protection from Windows Security is currently not available. However, you can still do it from the Group Policy or the Windows Registry (discussed below).

https://www.itechtics.com/fix-local-security-authority-protection-off/

Improve this answer
1
  • 1
    This is pretty much the only answer i have found regarding the missing LSA option. Kinda concerning that, while many people have/had problems with the LSA warning bug, there is nearly no information anywhere about the option totally missing.
    – RedPanda
    Commented May 19, 2023 at 12:59
0

This microsoft learning article explains more details on LSA (and mentions the different values with their corresponding functions). Beware I'm not SDL certified, and I therefore cannot recommend executing the regex command (tbf I even don't properly understand the feature).

To me it seems like the fixed bug (March) is somehow re-introduced or triggered by another usecase with yesterdays updates (May). Meaning, even if you have the latest updates, it wont fix it.

Running the commandlet of Ramhound is safe[src], which you could alternatively also do through the windows updates center or winget upgrade

Additional proof when running Get-AppPackage | Where-Object {$_.Name -like "Microsoft.SecHealthUI"} which gives me version 1000.25305.9000.0 (which matches in the Windows UI with the "Windows Security Application Version", and is latest stable version for 5-May-23 7pm GMT).

Improve this answer
-1

Setting RunsAsPPL value 2 and creating RunAsPPLBoot as DWORD and set the value 2 in regedit removed the error for me aswell, so thanks for that. I still don't see the option in Security Center though.

For anyone wondering the location in regedit is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Improve this answer
2
  • 1
    As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Jun 24, 2023 at 10:22
  • The author already tried this solution, the fact is, this behavior was caused by a known issue and the removal likely was intentional
    – Ramhound
    Commented Jun 24, 2023 at 14:02

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .