Jump to content
  • Microsoft pulls Defender update fixing Windows LSA Protection bug

    alf9872000

    • 1 comment
    • 588 views
    • 5 minutes
     Share


    • 1 comment
    • 588 views
    • 5 minutes

    Microsoft has pulled a recent Microsoft Defender update that was supposed to fix a known issue triggering persistent restart alerts and Windows Security warnings that Local Security Authority (LSA) Protection is off.

     

    LSA Protection helps safeguard Windows users from credential theft attempts by thwarting LSASS process memory dumping and the injection of untrusted code into the LSASS.exe process, which would otherwise allow the extraction of sensitive information.

     

    Microsoft acknowledged the issue on March 21, after widespread user reports regarding Windows 11 systems warning that LSA protection was off. However, it was being shown in the settings user interface as being toggled on.

     

    Redmond says the persistent restart alerts triggered by this known issue will only appear on Windows 11 21H2 and 22H2 systems.

     

    A subsequent Microsoft Defender update issued weeks later replaced the LSA Protection feature's user interface setting with a new feature called Kernel-mode Hardware-enforced Stack Protection. Unfortunately, Microsoft has not documented this change, leading to user confusion.

     

    "LSA Protection has not been removed – it is still built in and on by default on Windows 11 machines. In the latest Windows Insider Preview, there was an update that changed the appearance of the user interface (UI) for this feature," Microsoft told BleepingComputer, mistakenly saying it was only in Windows 11 Insider builds when it was already available in Windows 11 22H2.

     

    One week later, on April 26, Redmond announced they fixed the LSA Protection UI issue, however, this was just done by removing the setting in the KB5007651 Defender update to ensure that the confusing alerts would no longer be displayed in the Windows Settings app.

    Defender update causing blue screens and random reboots

    Today, Redmond revealed that it decided to stop pushing the KB5007651 Defender update due to blue screens or unexpected system restarts when gaming affecting Windows 11 systems where the Defender update was deployed.

     

    "This known issue was previously resolved with an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001) but issues were found, and that update is no longer being offered to devices," Microsoft said.

     

    "If you have installed Version 1.0.2303.27001 and receive an error with a blue screen, or if your device restarts when attempting to open some games or apps, you will need to disable Kernel-mode Hardware-enforced Stack Protection."

     

    To disable Kernel-mode HSP, you will have to go to Device Security > Core Isolation in the Windows Security app and toggle the "Kernel-mode Hardware-enforced Stack Protection" feature.

     

    However, Microsoft doesn'tdoesn't provide any information on what affected users who already installed KB5007651 should do to address the system restarts and blue screens caused by this buggy Defender update other than to disable the Kernel-mode Hardware-enforced Stack Protection feature.

     

    Some of the conflicting game anti-cheat drivers causing Windows crashes or conflicts when Kernel-mode HSP is enabled include PUBGValorant (Riot Vanguard), BloodhuntDestiny 2Genshin ImpactPhantasy Star Online 2 (Game Guard), and Dayz.

    Workaround available until a fix is released

    Microsoft says it'sit's working on another fix for the relentless LSA Protection warnings affecting Windows 11 systems and will provide more details as soon as possible.

     

    Redmond also shared a workaround for customers who haven't installed KB5007651 and are still seeing restart warnings, asking them to ignore the reboot notifications.

     

    "If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart," the company says.

     

    You can check if the feature is enabled on your computer using the Windows Event Viewer by looking for a Wininit event saying that "LSASS.exe was started as a protected process with level:4," indicating that the process is isolated and protected by LSA Protection.

     

    While BleepingComputer has previously reported that these warnings can be prevented by adding two registry entries, Microsoft does "not recommend any other workaround for this issue."

     

    Two months ago, Microsoft announced that LSA Protection would be enabled default for Windows 11 Insiders in the Canary channel if their systems passed an incompatibility audit check.

    A confusing mess

    Microsoft continues to confusingly discuss Kernel-mode Hardware-enforced Stack Protection in troubleshooting steps regarding LSA Protection.

     

    In the past, Microsoft specifically told BleepingComputer that the two features are unrelated, yet they continue to conflate the two features in support bulletins.

     

    "LSA and Kernel-mode hardware-enforced stack protection are separate settings. In the latest Windows Insider Preview build, the kernel-mode HSP setting was added. It is not a replacement for LSA protection," Microsoft told BleepingComputer.

     

    However, even this information is incorrect, as Kernel-mode HSP is in production builds already and not just Windows Insider previews, causing even more confusion.

     

    Microsoft has still not released any official documentation on Kernel-mode Hardware-enforced Stack Protection, although it's been available in Windows 11 for almost a month.

     

    Source


    User Feedback

    Recommended Comments

    I don't use defender, nor any antivirus, on any of my computers.  Instead I use Software Restriction Policies.  I have been relying on them for over 15 years and tested them against thousands (literally) of malware samples without one infection.  I can either manually disable defender or there is a program call defender remover that I haven't tested yet, but will provide another avenue of getting rid of defender.  The problem with Microsoft is they patch a vulnerability, such as one they did in March, that created a new vulnerability that had to be patched in May.  Still waiting for the vaulted Windows 10 the most secure version of windows ever.  That was obviously marketing talking back before the release of 10.  In reality, the most secure version was 1.03 and it has gotten markedly worse with each release since.  They could probably make a secure version if they made a bare OS without all the unneeded crap in it and let us add the half dozen programs we really need. Personally I like the idea of a bare bones windows 10 with one program running on it, virtual box.  Then create however many virtual machines you need, each with a specific task, such as audio, video, graphics, office, etc. That prevents a possible vulnerability in one program from destroying your whole system.  Just delete the machine and build another.

    Link to comment
    Share on other sites




    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...