In recent versions of Windows, Microsoft added a security feature called Local Security Authority (LSA) protection that provides an extra layer of security by verifying the user’s identity and protecting their credentials.
To use this feature, you have to manually enable LSA protection on Windows. You can do that via the Windows Security app, Group Policy, or Registry Editor.
I will show all three ways to enable Local Security Authority protection on Windows. Follow the one you like.
Table of contents:
- What is Local Security Authority (LSA)?
- How to enable LSA Protection on Windows
- Enable LSA Protection on Windows via Group Policy (GPO)
- Use Registry to turn on LSA Protection on Windows
- Frequently asked questions (FAQs)
- Conclusion
What is Local Security Authority (LSA)/(LSASS)?
The Local Security Authority, also known as LSA, is a built-in security component that automatically verifies users and protects their credentials so that attackers cannot gain unauthorized access to your computer.
For example, attackers often gather important information such as password hashes and user rights from system memory and use sophisticated tools to compromise the user account. Enabling LSA protection ensures that Windows manages this information more strictly so that attackers cannot scrape it.
To implement the LSA functionality, Windows uses the LSASS (lsass.exe) process. This process is responsible for verifying the user’s identity and enforcing security policies such as password complexity, account lockout, and more.
How to enable LSA Protection on Windows
Because it is a security option, you can enable LSA protection from the Windows Security app. Follow the steps below:
- Click the Start icon on the taskbar.
- Search for Windows Security and open it.
- Go to the Device Security tab.
- Click on “Core isolation details” under Core Isolation.
- Turn on the Local Security Authority Protection option.
- Close the Windows Security app.
- Reboot the computer.
- With that, you’ve enabled LSA protection on Windows.
Steps with more details:
First, open the Windows Security app. You can either search for “Windows Security” in the Start menu or open the Settings app (Windows key + I), go to the “Privacy & Security -> Windows Security” page, and click the “Open Windows Security” button.
Once the Windows Security app opens, go to the “Device Security” tab on the sidebar. This page has all the advanced security options to keep your Windows device safe and secure.
Click on the “Core isolation details” link on this page under the “Core Isolation” section.
Here, turn on the “Local Security Authority Protection” option. After that, close the Windows Security app and reboot the computer to apply the modified security settings.
With that, you’ve enabled the LSA protection on Windows 10 or 11 systems.
Enable LSA Protection on Windows via Group Policy (GPO)
You can use the “Configure LSASS to run as protected process” GPO (Group Policy Object) to turn on LSA protection. Here’s how.
Note: You should be running Windows 10/11 Pro or Enterprise edition. Home users can follow the Registry method shown below.
- Press the “Windows logo key + R” shortcut.
- Run the “gpedit.msc” command in the Run window.
- Go to the “Computer Configuration/Administrative Templates” folder.
- Go to the “System/Local Security Authority” folder next.
- Open the “Configure LSASS to run as protected process” policy.
- Select the “Enabled” option.
- Select “Enabled with UEFI Lock” from the options dropdown menu.
- Click the “OK” button.
- Close the Group Policy Editor window.
- Reboot Windows, and the LSA protection is enabled.
Steps with more details:
Launch the Group Policy Editor on your Windows device. You can use the “gpedit.msc” command in the Run window (Windows logo key + R) or search the same in the Start menu. As I noted earlier, you should be running the Pro or Enterprise edition. Home users can follow the registry editor method.
On the left panel, go to the “Computer Configuration\Administrative Templates\System\Local Security Authority” folder. As you can tell from the folder name, it has all the options that let you enable and configure LSA on Windows.
Find the “Configure LSASS to run as protected process” policy on this page and open it.
Next, select the “Enabled” option and then choose “Enabled with UEFI Lock” from the options dropdown menu. Click the “OK” button to confirm the policy settings.
Finally, close the Group Policy Editor and reboot the computer. Rebooting the system will update the system policy and enable LSA on Windows.
Use Registry to turn on LSA Protection on Windows
You can use the good old registry editor to turn on LSA protection if you don’t have access to the group policy editor.
- Press “Windows key + R” to open Run.
- Use the “regedit” command and click OK.
- Go to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa” folder.
- Right-click on the Lsa folder.
- Choose the “New -> DWORD (32-bit) Value” option.
- Set the value name as RunAsPPL.
- Right-click on the RunAsPPL value.
- Choose the Modify option.
- Type 1 in the Value Data field.
- Click the OK button.
- Close the Registry Editor.
- Reboot the Windows system.
- With that, you’ve enabled the LSA protection on Windows.
Steps with more details:
First of all, open the Registry Editor on your Windows system. You can search for “regedit.exe” in the Start menu or use it as a run command (Win + R).
Navigate to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa” folder. You can copy and paste the path in the Registry Editor’s address bar and press “Enter” on your keyboard. Here, double-click on the “RunAsPPL” value. You can also right-click on the value and select “Modify.”
If the value doesn’t exist, right-click on the “Lsa” folder, choose the “New -> DWORD (32-bit) Value” option, and set the new value name as “RunAsPPL.”
Change the value data to 1 and click the “OK” button to confirm the changes.
Finally, close the Registry Editor and reboot your computer. After rebooting, Windows enables LSA protection.
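The registry steps above can also be scripted from an elevated PowerShell prompt. The following is an added example, not part of the original guide: the function names are hypothetical, and the event-log check (Windows logs System event ID 12 when LSASS starts as a protected process) goes beyond the article's steps to confirm the setting took effect after the reboot.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and enable LSA protection through the RunAsPPL value.
# Function names are hypothetical; the key path and value come from the guide.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionState {
    # Configured state: the RunAsPPL DWORD (absent or 0 means not enabled here).
    $configured = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL `
        -ErrorAction SilentlyContinue).RunAsPPL

    # Effective state: at boot, Windows logs System event ID 12 when LSASS
    # starts as a protected process. Other providers reuse ID 12, so the
    # message text is matched as well. Newest matching event is returned.
    $bootEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*LSASS.exe was started as a protected process*' } |
        Select-Object -First 1

    [pscustomobject]@{
        RunAsPPL           = $configured
        ConfiguredEnabled  = [bool]$configured
        # Should be newer than the last reboot if protection is active now.
        LastProtectedStart = $bootEvent.TimeCreated
    }
}

function Enable-LsaProtection {
    $before = Get-LsaProtectionState
    if ($before.ConfiguredEnabled) { return $before }   # nothing to change

    # -Force creates the value or overwrites an existing one (for example 0).
    New-ItemProperty -Path $LsaKey -Name RunAsPPL -PropertyType DWord `
        -Value 1 -Force | Out-Null
    Write-Warning 'RunAsPPL set to 1. Reboot so LSASS starts as a protected process.'
    Get-LsaProtectionState
}

# Report the current state, enable if needed, then re-run
# Get-LsaProtectionState after the reboot to confirm LastProtectedStart.
Enable-LsaProtection | Format-List
```

If ConfiguredEnabled is True but LastProtectedStart is empty or older than the last reboot, the value is set but LSASS has not yet been restarted under protection.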
Frequently asked questions (FAQs)
Here are a few frequently asked questions about Local Security Authority (LSA):
If you don’t see the Local Security Authority option in the Windows Security app, make sure you are running Windows 10 v1903 or higher. Even if you don’t see the option, you can enable LSA protection via Group Policy or Registry Editor. The steps for both are shown above.
LSA (Local Security Authority) provides an extra layer of security by verifying the user’s identity and protecting their credentials. Enabling this feature ensures that an attacker cannot scrape important user information, password hashes, etc., from the system memory to compromise the Windows system.
LSASS (lsass.exe) is the system process that Windows uses to implement the LSA (Local Security Authority) feature. It is responsible for verifying the user’s identity and enforcing security policies such as password complexity, account lockout, and more.
Enabling Local Security Authority — Conclusion
Whether you use the Windows Security app, Group Policy Editor, or Registry Editor, it takes just a few steps to turn on LSA protection on Windows. Enabling this built-in security feature ensures that attackers cannot scrape important user information, password hashes, etc., from the system memory to compromise a user account or Windows server.
If you want to add an extra layer of security, using Local Security Authority (LSA) is recommended.
That is all. It is simple to turn on LSA protection on Windows 10 and 11.
I hope this simple and easy Windows how-to guide helped you.
If you are stuck or need help, send an email, and I will try to help as much as possible.