Microsoft confirms "Local Security protection is off" Microsoft Defender issue
Microsoft Windows 11 systems may display the error message "Local Security protection is off. Your device may be vulnerable." after installation of a recent Microsoft Defender Antivirus update.
Microsoft confirmed the issue for Windows 11 and Windows 11 version 22H2 on its Release Health website. Both versions of the Windows 11 operating system are affected in the same way by the issue. The known issues listings for supported Windows 10 versions does not have the entry, which suggests that these operating systems are not affected by it.
Windows 11 devices may throw the error message after installation of KB5007651 on Windows 11 devices. The update's full name is Update for Microsoft Defender Antivirus antimalware platform - KB5007651, and it should be listed as one of the installed updates by update management services.
Windows administrators who enable Local Security Authority protection on Windows 11 devices may resolve the issue, but it leads directly to a follow-up issue. Once enabled, Windows 11 may "persistently prompt that a restart is required" through its notifications system.
Microsoft recommends that administrators ignore the restart prompts, provided that they have enabled Local Security Authority protection and restarted the Windows 11 device at least once.
A support page reveals how system administrators may use the System log under Windows Logs in the Event Viewer to determine whether Local Security Authority protection (LSASS.exe) is enabled.
The log should have this entry: "12: LSASS.exe was started as a protected process with level: 4".
Enabling Local Security Authority Protection on Windows 11
Local Security Authority protection "helps protect user credentials by preventing unsigned drivers and plugins from loading into the Local Security Authority". A support page on Microsoft's Learn websites has additional information.
When enabled, Local Security Authority protection prevents code injections that "could compromise credentials". Plugins and drivers need to have a valid signature and adhere to the Microsoft Security Deployment Lifecycle process guidance. If they don't, they won't be loaded.
Windows administrators may enable the security feature in the following way:
- Open the Start Menu and load the Settings application.
- Select the Privacy & security tab.
- Activate the Windows Security option on the page that opens.
- Select Device Security on the next page; this opens the Windows Security app.
- On the Device Security page, select "Core isolation details".
- Toggle Local Security Authority protection to ON under Core isolation.
Microsoft notes that it does not recommend any other workarounds for the issues. While it does not mention any, it may refer to the uninstallation of the Microsoft Defender Antivirus update on the affected Windows 11 device.
The company is working on a full resolution of the issue and plans to "provide an update as soon as it is available".