Some users have reported that the Windows Security app is showing “Local Security authority protection is off. Your device may be vulnerable” warnings when the feature is enabled. This bug is in Windows Defender (KB5007651), a mandatory security update shipped alongside Windows 11’s March 2023 Update.
Local Security Authority protection is a feature that prevents code injection and reduces the possibility of compromising credentials. The Local Security Authority feature verifies Windows logins, and it is necessary for the OS to function normally.
This security toggle in the Settings app adds extra protection to LSA to prevent code injection that could compromise credentials. With LSA protection, Microsoft hopes to prevent the accidental sharing or leaking of sensitive information such as passwords, tokens, certificates, etc.
After the latest update, the app tells you to enable Local Security Authority protection and restart the device even though it’s already enabled (the toggle is on). The feature is running in the background. Our tests showed that this could be a bug with the Windows Security interface, which doesn’t mean your installation is corrupted.
“Under the Device Security and Core isolation settings, Local Security Authority protection is toggled on. However, I am always notified that Local Security Authority Protection is off. Above the category is a message that the change requires that I restart the device. I also have tried turning it off, restarting, turning it back on, and also restarting. The issue still persists,” one of the affected users noted in a post on Feedback Hub.
The issue seems widespread, and Microsoft is aware of the reports.
A Microsoft source told us the company is taking steps to pause the rollout of the botched Windows 11 KB5007651 security update and will resume the update when the problem is fixed.
A Microsoft representative confirmed to a user that it was aware of the problem.
How to fix Local Security Authority protection is off error
To fix “Local Security authority protection is off. Your device may be vulnerable”, follow these steps:
- Open Windows Registry Editor.
- Navigate to the following location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Make sure you have RunAsPPL and RunAsPPLBoot. If you don’t have RunAsPPLBoot listed, create DWORD entries for RunAsPPL and RunAsPPLBoot.
- Value for both entries should be 2.
- Reboot and warnings should stop.
If you’re unable to make changes to the Windows Registry or it is not working for some reason, you can run the following PowerShell script created and tested by us:
# Run from an elevated PowerShell prompt; sets both values under the Lsa key to 2.
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 2 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 2 /f
For now, the above workaround seems to be working for users. If you do not have the issue and Windows Defender KB5007651 is not installed, it may be a good idea to pause Windows Updates while Microsoft works on a hotfix.
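To confirm after the reboot that LSA protection is really in effect, whatever the Windows Security app displays, the registry values and the boot-time Wininit event can be read directly. The following read-only check is an added example, not part of the original article; the function names are hypothetical, and it relies on event ID 12 from Wininit, which Windows writes to the System log when LSASS starts as a protected process.

```powershell
# Added example: read-only check of the LSA protection state. Nothing is modified.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaPplRegistryState {
    # Hypothetical helper: returns the two values the workaround sets.
    # A $null Value means the entry does not exist under the Lsa key.
    $props = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
    foreach ($name in 'RunAsPPL', 'RunAsPPLBoot') {
        $entry = $props.PSObject.Properties[$name]
        [pscustomobject]@{
            Name  = $name
            Value = if ($entry) { $entry.Value } else { $null }
        }
    }
}

function Get-LsaProtectedStartEvent {
    # Hypothetical helper: newest Wininit event 12 in the System log, or nothing
    # if LSASS has not been recorded starting as a protected process.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
}

# 1. What the registry says (the workaround above sets both values to 2).
Get-LsaPplRegistryState | Format-Table -AutoSize

# 2. What actually happened at boot. Compare the event time with the last boot
#    time: an event older than the current boot says nothing about this session.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$pplEvent = Get-LsaProtectedStartEvent

if ($pplEvent) {
    [pscustomobject]@{
        LastBoot  = $lastBoot
        EventTime = $pplEvent.TimeCreated
        Message   = $pplEvent.Message
    } | Format-List
} else {
    Write-Warning 'No Wininit event 12 found: LSASS was not logged starting as a protected process.'
}
```

If the registry values are present and the event dates from the current boot, the warning in the Windows Security app is a display problem rather than a sign that the protection is off.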
Update 1: Microsoft has started rolling out a fix, but it’s taking longer than usual to reflect on all systems worldwide as users continue to run into the problem.