Microsoft: Defender update behind Windows LSA protection warnings

Microsoft says the KB5007651 Microsoft Defender Antivirus update triggers Windows Security warnings on Windows 11 systems saying that Local Security Authority (LSA) Protection is off.

LSA Protection is a security feature that defends sensitive information like credentials from theft by blocking untrusted LSA code injection and process memory dumping.

Widespread user reports say that “Local Security Authority protection is off. Your device may be vulnerable.” warnings have been showing up even when LSA Protection is enabled, as BleepingComputer on Monday.

Today, Microsoft acknowledged this as a new known issue causing affected Windows devices to persistently warn that they’re vulnerable and that a restart is required after toggling on LSA Protection.

Redmond says that the persistent restart alerts will only show up on systems running Windows 11 21H2 and 22H2.

“After installing ‘Update for Microsoft Defender Antivirus antimalware platform – KB5007651 (Version 1.0.2302.21002),’ you might receive a security notification or warning stating that ‘Local Security protection is off. Your device may be vulnerable.’ and once protections are enabled, your Windows device might persistently prompt that a restart is required,” Redmond .

“This issue affects only ‘Update for Microsoft Defender Antivirus antimalware platform – KB5007651 (Version 1.0.2302.21002).’ All other Windows updates released on March 14, 2023 for affected platforms (KB5023706 and KB5023698), do not cause this issue.”

​Workaround available

Microsoft says it’s working on a fix for the persistent LSA Protection warning issues and will provide more info as soon as available.

The company also provides a workaround for affected customers until a resolution is available, asking them to ignore the restart notifications.

“If you have and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart,” the company says.

To check if LSA had actually started in protected mode on your computer when Windows started, you can search for the following WinInit event in the System logs under Windows Logs: “12: LSASS.exe was started as a protected process with level: 4”

While BleepingComputer that the warnings can be dismissed by adding two registry entries, Microsoft says it does “not recommend any other workaround for this issue.”

Redmond also earlier this month that it would enable Local Security Authority (LSA) Protection by default for Windows 11 Insiders in the Canary channel if their systems pass an incompatibility audit check (Microsoft is yet to explain the compatibility issues it’s checking for).