Core Isolation works with Memory Integrity (aka Hypervisor-Protected Code Integrity (HVCI)) in Windows to make it difficult for malicious software and scripts to use low-level drivers to hijack one’s computer. For additional security, one can also enable the Local Security Authority (LSA) process to prevent code injection that could compromise credentials. With Core Isolation, Memory Integrity, and LSA, it makes it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code. Starting with Windows 11, the LSA feature is disabled by default. However, you can turn it on and off anytime using the Windows Security app, Windows Registry editor, and the Local Group Policy editor. In the future, Local Security Authority Protection will be enabled by default for new, enterprise-joined Windows 11 devices. Below is how to enable or disable LSA in Windows 11.
Turn on or off Local Security Authority (LSA) protection using the Windows Security app
As described above, to make it significantly more difficult for attackers to steal credentials in Windows, you can turn on LSA, and below is how to do that. In Windows 11, click the Start menu and in the search box, type Windows Security and then select Windows Security in the list of results. In the Windows Security app, click the Device security link on the left menu, or under Security at a glance, select the Device security button as highlighted below. On the Device security setting page, under Core isolation, click the Core isolation details link. On the Core isolation details pane, under Local Security Authority protection, toggle the button to the Off position to disable. To re-enable, simply toggle the button back to the On position. That should do it! You will have to restart your computer for the changes to apply. You can now close the Windows security app.
Enable or disable local security authority (LSA) protection via the Windows Registry Editor
Another way to enable or disable LSA in Windows is to use the Windows Registry editor. To do that, first, open the Windows Registry, and navigate to the folder key path as listed below. If you don’t see the Lsa folder key, right-click on the Control key, then create the subkey (Lsa) folders. On the right pane of the Lsa folder key, right-click and select New -> DWORD (32-bit) Value. Type a new key named RunAsPPL. Also, create a DWORD (32-bit) Value for RunAsPPLBoot. Double-click both value names (RunAsPPL and RunAsPPLBoot) and enter the Value data of 0 to turn off LSA in Windows 11. A Value data of 1 will turn on LSA in Windows 11. That should do it! Restart your computer to apply your changes.
Turn on LSA protection using the Local Group Policy editor
Yet, another way to enable or disable LSA is to use the Local Group Policy editor. Open the Local Group Policy editor, and browse the folders below: Double-click the “Configure LSASS to run as protected process” setting. On the Configure LSASS to run as protected process setting window, choose to enable or disable LSA. Restart your computer for the changes to apply. Reference: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection Conclusion: This post showed you how to enable or disable Local Security Authority (LSA) protection in Windows 11. If you find any error above or have something to add, please use the comment form below.