A step-by-step guide to resolving the persistent bug where Windows 11 claims Local Security Authority (LSA) protection is off, even after you restart your device.
What is the LSA Protection Glitch?
Windows 11 users frequently report a confusing issue where Windows Security displays a yellow warning triangle stating "Local Security Authority protection is off. Your device may be vulnerable."
Even after users toggle the setting to On and restart their computer as requested, the warning often persists. In many cases, this is simply a User Interface (UI) bug within the Windows Defender application. The security feature is often running in the background, but the dashboard fails to reflect its status correctly. Below are the proven methods to fix this visual glitch and ensure your system is secure.
Method 1: The Registry Editor Fix (Most Effective)
If the toggle in Settings won't stick, the standard fix is to set the LSA protection values directly in the Registry, which forces Windows to recognize that LSA protection is enabled.
⚠ Warning: Modifying the Registry can cause system issues if done incorrectly. Please follow these steps exactly.
- Press Windows Key + R to open the Run dialog.
- Type regedit and press Enter. Click Yes if prompted by User Account Control.
- Navigate to the following path by pasting it into the address bar at the top:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- In the right-hand pane, look for a value named RunAsPPL.
- If it exists, double-click it and set the Value data to 2.
- If it does not exist, right-click on an empty space, select New > DWORD (32-bit) Value, name it RunAsPPL, and set the value to 2.
- Next, repeat the process for a second value named RunAsPPLBoot.
- Create or edit RunAsPPLBoot and ensure its Value data is also set to 2.
- Close the Registry Editor and restart your computer. The warning should now be gone.
Method 2: Use PowerShell to Force Enable LSA
If you prefer not to navigate the Registry manually, you can automate the process using Windows PowerShell. This essentially performs the same action as Method 1 but is faster.
- Right-click the Start button and select Terminal (Admin) or PowerShell (Admin).
- Copy and paste the following command, then press Enter:
  reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 2 /f
- Then, copy and paste this second command and press Enter:
  reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 2 /f
- Once both commands return "The operation completed successfully," restart your PC.
Method 3: Verify and Toggle Core Isolation Settings
Sometimes the issue is linked to the broader Core Isolation settings. Toggling these can refresh the security status.
- Open Settings and go to Privacy & security > Windows Security.
- Click on Open Windows Security.
- Go to Device security > Core isolation details.
- If Memory integrity is Off, try turning it On.
- If LSA protection appears here, toggle it Off and then back On, followed by a restart.
How to Verify LSA is Actually Running
If you are worried that your PC is unprotected despite applying the fixes, you can use the Event Viewer to confirm LSA is active.
- Right-click the Start button and select Event Viewer.
- Expand Windows Logs and select System.
- In the right pane, click Filter Current Log.
- In the "Event sources" dropdown, look for and select Wininit.
- Click OK.
- Look for an event with ID 12. The description should say: "LSASS.exe was started as a protected process with level: 4". This confirms LSA protection is active and working, regardless of what the buggy UI says.
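The same check as the Event Viewer steps above, combined with a read of the two registry values from Methods 1 and 2, as an added PowerShell example (not part of the original guide). It only reads state; the variable names, the provider-name match on `Wininit`, and the two-minute boot-time tolerance are assumptions made for this example.

```powershell
# Added example: read-only check of LSA protection (configured vs. effective state).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Configured state: the two values written in Methods 1 and 2.
#    Per Microsoft's documentation: 1 = enabled with a UEFI lock,
#    2 = enabled without a UEFI lock, 0 or missing = not enabled by this value.
foreach ($name in 'RunAsPPL', 'RunAsPPLBoot') {
    $prop = Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue
    $data = if ($null -ne $prop) { $prop.$name } else { '(not set)' }
    Write-Output ('{0,-13} = {1}' -f $name, $data)
}

# 2. Effective state: Wininit event ID 12 in the System log.
#    Other providers also log ID 12, so match on provider name and message text.
$latest = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.ProviderName -like '*Wininit*' -and
        $_.Message -like '*LSASS.exe was started as a protected process*'
    } |
    Select-Object -First 1   # Get-WinEvent returns the newest events first

# 3. Compare the event time with the last boot, so an event left over from
#    an earlier boot is not mistaken for the current state.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

if ($null -eq $latest) {
    Write-Output 'No matching Wininit event 12 in the retained System log.'
} else {
    Write-Output ('Latest event  : {0}' -f $latest.TimeCreated)
    Write-Output ('Message       : {0}' -f $latest.Message)
    Write-Output ('Last boot     : {0}' -f $lastBoot)
    # Assumed tolerance of two minutes between boot time and the Wininit event.
    if ($latest.TimeCreated -lt $lastBoot.AddMinutes(-2)) {
        Write-Output 'Event predates the last boot: restart and run the check again.'
    } else {
        Write-Output 'LSASS was started as a protected process on the current boot.'
    }
}
```

If the registry values are set but no current-boot event appears, the configuration has not taken effect yet; the event, not the Windows Security dashboard, is the evidence to rely on.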
