How to Enable or Disable Local Security Authority (LSA) Protection in Windows 11

This article describes steps to turn on or off Local Security Authority (LSA) Protection in Windows 11.

Core Isolation works with Memory Integrity (aka Hypervisor-Protected Code Integrity (HVCI)) in Windows to make it difficult for malicious software and scripts to use low-level drivers to hijack one’s computer.

For additional security, one can also enable the Local Security Authority (LSA) process to prevent code injection that could compromise credentials. With Core Isolation, Memory Integrity, and LSA, it makes it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code.

Starting with Windows 11, the LSA feature is disabled by default. However, you can turn it on and off anytime using the Windows Security app, Windows Registry editor, and the Local Group Policy editor.

In the future, Local Security Authority Protection will be enabled by default for new, enterprise-joined Windows 11 devices.

Below is how to enable or disable LSA in Windows 11.

Turn on or off Local Security Authority (LSA) protection using the Windows Security app

As described above, to make it significantly more difficult for attackers to steal credentials in Windows, you can turn on LSA, and below is how to do that.

In Windows 11, click the Start menu and in the search box, type Windows Security and then select Windows Security in the list of results.

windows security app search on start menu
windows security app search on the start menu

In the Windows Security app, click the Device security link on the left menu, or under Security at a glance, select the Device security button as highlighted below.

windows 11 security app device security option
Windows 11 security app device security option

On the Device security setting page, under Core isolation, click the Core isolation details link.

windows 11 core isolation details link
Windows 11 core isolation details link

On the Core isolation details pane, under Local Security Authority protection, toggle the button to the Off position to disable.

To re-enable, simply toggle the button back to the On position.

windows local security authority protection button
Windows local security authority protection button

That should do it! You will have to restart your computer for the changes to apply.

You can now close the Windows security app.

Enable or disable local security authority (LSA) protection via the Windows Registry Editor

Another way to enable or disable LSA in Windows is to use the Windows Registry editor.

To do that, first, open the Windows Registry, and navigate to the folder key path as listed below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

If you don’t see the Lsa folder key, right-click on the Control key, then create the subkey (Lsa) folders.

windows local security authority protection windows registry
Windows local security authority protection windows registry

On the right pane of the Lsa folder key, right-click and select New -> DWORD (32-bit) Value. Type a new key named RunAsPPL. Also, create a DWORD (32-bit) Value for RunAsPPLBoot.

Double-click both value names (RunAsPPL and RunAsPPLBoot) and enter the Value data of 0 to turn off LSA in Windows 11.

Value data of 1 will turn on LSA in Windows 11.

windows local security authority protection windows registry value data
Windows local security authority protection windows registry value data

That should do it! Restart your computer to apply your changes.

Turn on LSA protection using the Local Group Policy editor

Yet, another way to enable or disable LSA is to use the Local Group Policy editor.

Open the Local Group Policy editor, and browse the folders below:

Computer Configuration > Administrative Templates > System > Local Security Authority

Double-click the “Configure LSASS to run as protected process” setting.

windows local security authority protection local group policy editor
Windows local security authority protection local group policy editor

On the Configure LSASS to run as protected process setting window, choose to enable or disable LSA.

windows local security authority protection local group policy editor options
Windows local security authority protection local group policy editor options

Restart your computer for the changes to apply.

Reference:

https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

Conclusion:

This post showed you how to enable or disable Local Security Authority (LSA) protection in Windows 11. If you find any error above or have something to add, please use the comment form below.