How to enable LSA protection on Windows 11

Russell Kidson
Feb 11, 2023
Updated • Feb 11, 2023

The Local Security Authority is a crucial component of the Windows security system, responsible for verifying a user's identity during the sign-in process on a local computer. It checks password changes and login attempts, generates access tokens for single sign-in sessions, and carries out other authentication and authorization tasks in Windows.


Securing the Local Security Authority subsystem is one of the most important steps you can take to safeguard your system and accounts against cyber threats. By enabling Local Security Authority protection, you will have increased control over potential cleartext password vulnerabilities and password dumping attacks, providing an extra layer of security for your system. This guide will show you how to turn on Local Security Authority (LSA) Protection in Windows 11.


Windows 11 provides support for Local Security Authority protection to help prevent unauthorized access to your system by attackers. In this post, we'll cover three methods for enabling LSA Protection in Windows 11:

  • Using the Windows Security app.
  • Using the Windows Registry Editor.
  • Using the Local Group Policy Editor.

It's important to note that you need to have administrator privileges to enable the extra protection for Local Security Authority in Windows 11.


How to enable LSA using the Windows Security app

To enable the Local Security Authority protection in Windows 11 using the Windows Security app, follow these steps:

  1. Go to the Windows search bar and type 'windows security'.
  2. Select the 'Windows Security' option from the search results.
  3. Expand the left menu in the Windows Security app by clicking on the menu icon.
  4. Click on the 'Device Security' option.
  5. Under the 'Core isolation' section, click on the 'Core isolation details' link.
  6. Turn on the toggle button for the 'Local Security Authority protection' option.
  7. Confirm the change by clicking 'Yes' in the User Account Control prompt that appears.
  8. Finally, restart your PC to apply the changes.

By enabling the Local Security Authority protection, you can protect your device and system resources from attackers who might try to gain unauthorized access to your system by stealing your credentials. The ‘Local Security Authority protection is off, Your device may be vulnerable’ alert in Windows Security is a warning message that your device is at risk, so it's important to fix it by enabling the feature.

How to enable LSA using the Registry Editor

You can also enable the Local Security Authority protection through Windows Registry. However, before you make any changes, it's important to back up your registry or create a system restore point to keep your system secure.

Here's how you can do it:

  1. Press the Win + R key combination and type 'regedit' in the Run dialogue box.
  2. Hit the Enter key.
  3. Say yes to the User Account Control prompt.
  4. In the Registry Editor, navigate to this path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  5. On the right panel, double-click on RunAsPPL.
  6. Change the value data to 1 and hit OK.
  7. Finally, restart your PC to apply the changes.
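
The registry steps above can also be scripted and verified. The PowerShell below is an added example, not part of the original article: the function names are hypothetical, it assumes an elevated session, and the Wininit event 12 check follows Microsoft's documented way of confirming that LSASS started as a protected process.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and enable LSA protection through the RunAsPPL value.
# Get-LsaProtectionState and Enable-LsaProtection are hypothetical helper names.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionState {
    # RunAsPPL can be absent entirely; report that as "not configured" ($null).
    $prop  = Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    $value = if ($null -eq $prop) { $null } else { [int]$prop.RunAsPPL }

    # The registry value only takes effect after a reboot. Wininit writes
    # event 12 to the System log when LSASS actually starts protected.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunAsPPL           = $value
        # 1 is the value this guide sets; Microsoft also documents 2
        # (enabled without UEFI lock) on Windows 11 22H2 and later.
        Configured         = ($value -in 1, 2)
        LastBoot           = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        LastProtectedStart = if ($evt) { $evt.TimeCreated } else { $null }
        EventMessage       = if ($evt) { $evt.Message } else { 'no Wininit event 12 found' }
    }
}

function Enable-LsaProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$LsaKey\RunAsPPL", 'Set DWORD to 1')) {
        # -Force creates the value if it is missing and overwrites it otherwise.
        New-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -PropertyType DWord -Value 1 -Force |
            Out-Null
        Write-Warning 'RunAsPPL set to 1. Restart the PC to apply the change.'
    }
}

$state = Get-LsaProtectionState
$state | Format-List

# Dry run by default: remove -WhatIf to write the value.
if (-not $state.Configured) { Enable-LsaProtection -WhatIf }
```

If `Configured` is true but `LastProtectedStart` is empty or older than `LastBoot`, the setting has been written but LSASS has not yet started as a protected process.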


How to enable LSA using the Group Policy Editor

If you have a Windows Pro or Enterprise edition, you can use the bundled Local Group Policy Editor to enable the Local Security Authority protection. If you have the Home edition, don't worry, you can still access this tool using Policy Plus freeware. Just make sure to create a system restore point before making any changes to your Windows Policy.

Here's how you can enable the Local Security Authority protection with the Local Group Policy Editor:

  1. Open the Run dialog box by pressing Win+R and type 'gpedit.msc'.
  2. Press Enter and navigate to Computer Configuration\Administrative Templates\System\Local Security Authority in the Local Group Policy Editor window.
  3. In the right panel, double-click on 'Configure LSASS to run as a protected process' policy.

  4. In the policy settings window, select 'Enabled' and choose either 'Enabled with UEFI Lock' or 'Enabled without UEFI Lock' in the dropdown menu. If you choose 'Enabled with UEFI Lock,' LSA will run as a protected process and the configuration can't be disabled remotely.
  5. Click OK, then Apply.

Comments

  1. CL said on March 2, 2023 at 8:42 pm

    Works on 22H2 Enterprise.

  2. VioletMoon said on February 11, 2023 at 8:28 pm

    “LSA requires CPU virtualization turned on.”

    Try a site that has someone who knows what he/she is writing about.

    Even though your chip may support virtualization, the motherboard may not.

    It’s really more complicated than gHacks makes out.

    https://www.intel.com/content/www/us/en/support/articles/000005486/processors.html

    https://www.elevenforum.com/t/enable-or-disable-local-security-authority-lsa-protection-in-windows-11.11104/

  3. Anonymous said on February 11, 2023 at 8:11 pm

    Yeap article sucks and is outdated. These options no longer exist in Win11 22H2.

    And failed to mention that it is easy to bypass LSA Protection anyways.

    Source: https://itm4n.github.io/lsass-runasppl/

    If you want to use, the correct method is:

    open the Registry Editor (regedit.exe) as an Administrator;
    open the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa;
    add the DWORD value RunAsPPL and set it to 1;
    reboot.

  4. John G. said on February 11, 2023 at 5:26 pm

    This article sucks! I recommended this article to my sister and she hasn’t found the LSA option. I’m not at home now till Sunday however I thought this article was true and it will work easily at any W11. Near 15 minutes of lost time trying to enable such the f****** option for nothing. Please provide true info before writing an article!

  5. semce said on February 11, 2023 at 2:03 pm

    My W11 doesn’t have this option.

    1. Anonymous said on February 11, 2023 at 7:15 pm

      Microsoft’s guide may help:
      https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

      @Russel Especially where it mentions “Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016”

    2. John G. said on February 11, 2023 at 3:25 pm

      Neither my sister’s one (W11 22H2 latest).

    3. Rikkie said on February 11, 2023 at 2:41 pm

      Me neither (Win11Pro)
