Issues with Windows Security Center, Windows 11 Pro 21H2.

Topic

New Reply

Hello. I’m new here, so I apologize in advance for any mistakes I might make whilst writing this. And I also apologize for the length of this post.

I have an issue with Windows Security Center. At 11 AM today, I heard a ding sound signaling that a device was inserted into my PC. I’d assumed it was malware, since I didnt connect any device at all. So, I checked the Windows Defender icon in the pop put panel, and sure enough, the icon showed the caution symbol signaling that Windows Defender has actions I need to check.

When I entered, it stated that part of the Core Isolation protection was turned off. I felt panicked and nervous, since this has never happened to me before. I turned it back on, and now it told me it needed to restart to enable it. I did so, and yet the yellow icon still was there. (It was the Local Security Authority protection)

I re-entered, and when I checked again, what I saw confused me greatly.

It had remained enabled, but Windows still warned that it was turned off. I dismissed the warning, and rechecked the icon. It was green, no issues. However, I noticed that Memory access protection was disabled. I renabled it, and now it says that a restart is required. I then thought, “No problem, right?”

As it turns out, people on the Windows 11 Reddit have been reporting that the latest Windows Defender update (KB5023286, Version 1000.25305.0.1000) has been causing issues, ranging from UI color changes, to LSA or TPM disabling itself, refusing to open, etc. Sounds similar to my issue, albeit in a worse form.

They fixed it by adding two Registry keys, (But I don’t think I need that drastic of a fix just yet) but I have a problem concerning the new update. I told Windows Defender to check for updates, (because I was going to run a scan, but I halted myself, due to the above information.) and it installed the same one. I did so before I heard the above information, so now I’m in possession of a dilemma: Should I restart and hope for the best, restart and roll back the update, or should I avoid turning off my PC?

I have not installed any updates since March 1st, (I use WUSOHide to hide updates and GPEdit to use the setting of “Notify, but don’t download or install”) but I’ve heard rumors that Defender updated in the background.

My PC is still on, so now I have to make a decision. So my question is this: What should I do? Should I restart and go on, restart and roll back, or avoid shutting down?

I will be grateful for any advice or aid anyone can give me, and I hope not to waste the community’s time.

 

Reply | Quote

Replies

It’s becoming common (apart from the ding), and is confusing, but you have no need to panic. You can update and scan if you wish, but a restart may not correct the LSA protection warning which appears to be a bug.

Windows 11 Pro version 22H2 build 22621.1485 + Microsoft 365 + Edge

1 user thanked author for this post.

CFA-727

Reply | Quote

Thank you for the advice. I restarted. I’ll check in one minute to see if the icon is green, and if the Security Center looks odd, or crashes in any way. I’ll consider it a victory if the center does not crash, all protections are enabled, and if the icon is green.

I’ll roll back the update if I notice any issues.

Thank you for your help, and have an excellent day.

(Notice: I checked it out. And here’s what I saw: Icon is green, Memory Access Protection is still disabled and informing me I need to restart when I just already did, Windows Security center works/looks just fine. 2/3 points is good enough. I’ll look for a solution to the Memory protection error. Also, I did a full scan, no threats were detected.)

1 user thanked author for this post.

b

Reply | Quote

A user on the Microsoft Support Community forum figured out my issue. Apparently, a user by the name of Tiago Vincente solved it by re enteing a Registry key. In his words:

“I figure that is a missing reg entry RunAsPPLBoot in my case.

Create a new DWORD32 and set to 2

After reboot no longer get error.

RunAsPPL and RunAsPPLBoot. (RunAsPPL should already exist, and be set to a value of 2)

By default they are set to 0 to enable this you need to set them to 2.”

 

What he means is the one need to create a 32 DWORD using RegEdit in this path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. You then click on the Lsa folder, and create a 32-bit DWORD named ‘RunAsPPLBoot’. Set the value to 2, Save it, exit, and restart. The notification that LSA is disabled should go away, along with the Memory Access Protection error as well.

I am going to backup my registry to a thumb drive first before doing so. (I’ll do the backup today, and the fix tomorrow) So have a good night.

Link to answer:https://answers.microsoft.com/en-us/windows/forum/all/windows-security-bug-local-security-authority/64f933bf-2c1a-497a-a815-2d6bbfe54db5 ssf

Proof that it works:https://www.reddit.com/r/WindowsHelp/comments/10a7x0e/comment/j9ql891/?utm_medium=android_app&utm_source=share&context=3

Reply | Quote

But why does it need adding? 22H2 still feels like a work in progress.

Susan Bradley Patch Lady

Reply | Quote

22H2 or 22h1?

Susan Bradley Patch Lady

Reply | Quote

…
Automatic enablement of Audit mode

Audit mode for additional LSA protection is enabled by default on devices running Windows 11, 22H2. If your device is running this build, no additional actions are needed to audit additional LSA protection.
…

Configuring Additional LSA Protection [Microsoft Learn]

But:

Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on.
…
While Windows users report that this issue is caused by the recently released KB5023706 Windows 11 22H2 cumulative update, this has been happening since at least January 15.

The “Local Security Authority protection is off. Your device may be vulnerable.” warnings show up even though LSA Protection is enabled in Windows Security > Device security > Core isolation details.

“There is a technical glitch with this feature, if you have successfully turned on this feature and you are being prompted to restart, kindly note that the feature is ON irrespective of the message as this is a technical glitch that we are aware of and we are working to resolve that issue soonest,” Microsoft Technical support representative reportedly told one of the affected users.
…
How to remove the LSA Protection alerts

Until Microsoft rolls out a fix for this Windows 11 Local Security Authority glitch, you have to add two new DWORD registry entries and set them to ‘2’ to ensure that the LSA Protection feature is automatically enabled after the next restart, and the faulty warnings will no longer be shown.

The procedure requires you to go through these steps:

Open the Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Add new RunAsPPL and RunAsPPLBoot DWORD entries and set them to 2.
Restart the system.
…
Windows 11 bug warns Local Security Authority protection is off
[BleepingComputer.com; March 20, 2023]

Windows 11 Pro version 22H2 build 22621.1485 + Microsoft 365 + Edge

Reply | Quote