The Windows Club

TheWindowsClub covers authentic Windows 11, Windows 10 tips, tutorials, how-to's, features, freeware. Created by Anand Khanse, MVP.

How to enable Local Security Authority (LSA) Protection in Windows 11

Download Windows Speedup Tool to fix errors and make PC run faster

If you see a Local Security Authority protection is off message, then this post explains how to enable Local Security Authority (LSA) Protection in Windows 11. Local Security Authority is one of the several critical functions of the Windows security subsystem that authenticates a user’s identity during the sign-in process on a local computer. It verifies password changes and login attempts, creates access tokens for single sign-in sessions, and performs other Windows authentication and authorization-related tasks.

Protecting the Local Security Authority subsystem is one of the prime things you can do to protect your system and accounts from cybercriminals. Once you’ve enabled the Local Security Authority protection, you will have more control over cleartext password vulnerability and password dumping attacks.

How to enable Local Security Authority (LSA) Protection in Windows 11

How to Turn on Local Security Authority (LSA) Protection in Windows 11

Windows 11 supports the Local Security Authority protection to prevent attackers from gaining unauthorized access to your system. In this post, we will discuss three different ways of enabling the Local Security Authority (LSA) Protection in Windows 11 – if you find that it is turned off or missing:

  1. Using the Windows Security app.
  2. Using Windows Registry Editor.
  3. Using the Local Group Policy Editor.

You must be signed in as an administrator to enable the additional protection for Local Security Authority in Windows 11.

Local Security Authority protection is off, Your device may be vulnerable

Before you begin, make sure that you have installed the updates fro your Windows 11 OS and Microsoft Defender.

1] Turn on Local Security Authority Protection using Windows Security

Enabling Local Security Authority protection using Windows Security

Windows Security is a built-in tool in Windows that constantly monitors the system for viruses, malware, and other security threats. You can use it to manage security features on your Windows 11 device, including the Local Security Authority protection.

As long as this feature is disabled, you may see the ‘Local Security Authority protection is off, Your device may be vulnerable‘ alert in Windows Security. This alert is a warning message that your device and system resources are at stake by attackers who want to gain unauthorized access to your system by stealing your credentials. So you must enable the Local Security Authority protection feature in Windows Security and then restart your PC to fix the message and to prevent your system from cyber criminals.

  1. Click on the Windows search bar and type ‘windows security’.
  2. Click on the Windows Security option at the top of the search results.
  3. Click on the menu icon to expand the left menu in the Windows Security app.
  4. Click on the Device Security option.
  5. Click on the Core isolation details link under the Core isolation section.
  6. Turn the toggle button On for the Local Security Authority protection option.
  7. Click Yes in the User Account Control prompt that appears.
  8. Reboot your PC to apply the changes.

2] Enable Local Security Authority Protection using Registry Editor

Enabling Local Security Authority protection using Registry Editor

You can also enable the Local Security Authority protection using Windows Registry. However, make sure to back up your registry or create a system restore point before you make any changes to your system through the Registry Editor.

To enable Local Security Authority protection using Registry Editor, follow these steps:

  1. Press the Win+R key combination and type regedit in the Run dialogue box.
  2. Press the Enter key.
  3. Click Yes in the UAC prompt.
  4. In the Registry Editor, navigate to the following path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  5. In the right panel, double-click on RunAsPPL.
  6. Change the Value data to 1 and click on OK.
  7. Restart your PC to apply the changes.

Also Read: What is lsass.exe in Windows?

3] Turn on LSA Protection using Local Group Policy Editor

Enabling Local Security Authority protection using Group Policy Editor

You can also enable the Local Security Authority protection from the Group Policy Editor that comes bundled with Windows Pro and Enterprise editions. Home users can also access this valuable tool using the Policy Plus freeware. Again, before making any Windows Policy changes, it is crucial to create a system restore point.

Here’s how you can enable the Local Security Authority protection using the Local Group Policy editor:

  1. Open the Run dialogue box and type gpedit.msc.
  2. Press the Enter key.
  3. In the Local Group Policy Editor window, navigate to the following path: Computer Configuration\Administrative Templates\System\Local Security Authority.
  4. In the right panel, double-click on the ‘Configure LSASS to run as a protected process‘ policy.
  5. In the policy settings window, select the Enabled option.
  6. Then click on the dropdown under Configure LSA to run as a protected process and select Enabled with UEFI Lock. With this setting, LSA will run as a protected process and the configuration will be UEFI Locked, which means, it cannot be disabled remotely. If you don’t want this restriction, you can select Enabled without UEFI Lock in the dropdown.
  7. Click on the OK button. Then click on the Apply button.

This is how you enable the Local Security Authority (LSA) Protection in Windows 11.

Related: This change requires you to restart your device LSA error in Windows 11

Local Security Authority protection is off even after restarting PC

Local Security Authority protection is off

If you see Local Security Authority protection is off message even after you have turned it ON and restarted your computer, update your Windows and check as Microsoft has released an Update to fix this issue. If it does not help, then create a system restore point first and then try this.

Open Registry Editor and go to the following location:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

On the right side, ensure that RunAsPPLBoot and RunAsPPL as set to a value of 2. If you do not see RunAsPPLBoot, create it.

Local Security Authority protection not turning on

If the Local Security Authority protection setting is not turning on or grayed out in Windows Security, you can always follow the Registry Editor and Local Group Policy Editor methods to turn it on. You must know that it requires you to sign into your Administrator account in order to modify the respective setting. On the other hand, you can also repair Windows Security if you think that there are some corrupt files injected into the app.

Local Security Authority (LSA) option is missing

If you find that the Local Security Authority (LSA) option is missing in Windows 11, execute the following command in an elevated  PowerShell prompt: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 2 /f;reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 2 /f;>code>.

Read Next: How to fix Local Security Authority cannot be contacted in Windows.

SangeetaGhera@TWC

Sangeeta holds a Bachelor's in Computer Science, and a Post Graduate Diploma in Computer Applications. She has been associated with the Information Technology industry for over 10 years, and enjoys reading and sharing Windows & technology-related tips.