Microsoft pulls Defender update fixing Windows LSA Protection bug – Source: www.bleepingcomputer.com

Microsoft has pulled a recent Microsoft Defender update that was supposed to fix a known issue triggering persistent restart alerts and Windows Security warnings that Local Security Authority (LSA) Protection is off.

LSA Protection helps safeguard Windows users from credential theft attempts by thwarting LSASS process memory dumping and the injection of untrusted code into the LSASS.exe process, which would otherwise allow the extraction of sensitive information.

Microsoft acknowledged the issue on March 21, after widespread user reports regarding Windows 11 systems warning that LSA protection was off. However, it was being shown in the settings user interface as being toggled on.

Redmond says the persistent restart alerts triggered by this known issue will only appear on Windows 11 21H2 and 22H2 systems.

A subsequent Microsoft Defender update issued weeks later replaced the LSA Protection feature’s user interface setting with a new feature called Kernel-mode Hardware-enforced Stack Protection. Unfortunately, Microsoft has not documented this change, leading to user confusion.

“LSA Protection has not been removed – it is still built in and on by default on Windows 11 machines. In the latest Windows Insider Preview, there was an update that changed the appearance of the user interface (UI) for this feature,” Microsoft told BleepingComputer, mistakenly saying it was only in Windows 11 Insider builds when it was already available in Windows 11 22H2.

One week later, on April 26, Redmond announced they fixed the LSA Protection UI issue, however, this was just done by removing the setting in the KB5007651 Defender update to ensure that the confusing alerts would no longer be displayed in the Windows Settings app.

Defender update causing blue screens and random reboots

Today, Redmond revealed that it decided to stop pushing the KB5007651 Defender update due to blue screens or unexpected system restarts when gaming affecting Windows 11 systems where the Defender update was deployed.

“This known issue was previously resolved with an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001) but issues were found, and that update is no longer being offered to devices,” Microsoft said.

“If you have installed Version 1.0.2303.27001 and receive an error with a blue screen, or if your device restarts when attempting to open some games or apps, you will need to disable Kernel-mode Hardware-enforced Stack Protection.”

To disable Kernel-mode HSP, you will have to go to Device Security > Core Isolation in the Windows Security app and toggle the “Kernel-mode Hardware-enforced Stack Protection” feature.

However, Microsoft doesn’tdoesn’t provide any information on what affected users who already installed KB5007651 should do to address the system restarts and blue screens caused by this buggy Defender update other than to disable the Kernel-mode Hardware-enforced Stack Protection feature.

Some of the conflicting game anti-cheat drivers causing Windows crashes or conflicts when Kernel-mode HSP is enabled include PUBG, Valorant (Riot Vanguard), Bloodhunt, Destiny 2, Genshin Impact, Phantasy Star Online 2 (Game Guard), and Dayz.

Workaround available until a fix is released

Microsoft says it’sit’s working on another fix for the relentless LSA Protection warnings affecting Windows 11 systems and will provide more details as soon as possible.

Redmond also shared a workaround for customers who haven’t installed KB5007651 and are still seeing restart warnings, asking them to ignore the reboot notifications.

“If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart,” the company says.

You can check if the feature is enabled on your computer using the Windows Event Viewer by looking for a Wininit event saying that “LSASS.exe was started as a protected process with level:4,” indicating that the process is isolated and protected by LSA Protection.

While BleepingComputer has previously reported that these warnings can be prevented by adding two registry entries, Microsoft does “not recommend any other workaround for this issue.”

​Two months ago, Microsoft announced that LSA Protection would be enabled default for Windows 11 Insiders in the Canary channel if their systems passed an incompatibility audit check.

A confusing mess

Microsoft continues to confusingly discuss Kernel-mode Hardware-enforced Stack Protection in troubleshooting steps regarding LSA Protection.

In the past, Microsoft specifically told BleepingComputer that the two features are unrelated, yet they continue to conflate the two features in support bulletins.

“LSA and Kernel-mode hardware-enforced stack protection are separate settings. In the latest Windows Insider Preview build, the kernel-mode HSP setting was added. It is not a replacement for LSA protection,” Microsoft told BleepingComputer.

However, even this information is incorrect, as Kernel-mode HSP is in production builds already and not just Windows Insider previews, causing even more confusion.

Microsoft has still not released any official documentation on Kernel-mode Hardware-enforced Stack Protection, although it’s been available in Windows 11 for almost a month.