How to Turn On Local Security Authority (LSA) Protection in Windows 11

By / August 31, 2025

Keeping your PC safe should always be a top priority, especially with cyber threats evolving every day. If you’re running Windows 11, you’ve got a hidden gem called Local Security Authority (LSA) Protection that helps keep hackers out by protecting sensitive system processes. But here’s the catch—this feature isn’t always turned on by default.

In this guide, we’ll break down what LSA Protection is, why it matters, and how you can enable it step by step. Don’t worry, we’ll keep it simple, so even if you’re not super techy, you’ll be able to secure your system with ease.

What Is Local Security Authority (LSA) Protection?

The Basics

The Local Security Authority Subsystem Service (LSASS.exe) is a crucial part of Windows. It handles things like:

  • Verifying your login credentials
  • Enforcing security policies
  • Managing password changes

Now, LSA Protection is a security feature that prevents attackers from dumping passwords and authentication tokens from LSASS.

Why It’s Important

Without LSA protection, malicious programs could extract your saved credentials, making it easier for hackers to move across networks or steal data.

Think of it like locking a safe inside another safe—it adds an extra security wall around one of the most important parts of your system.

How to Check If LSA Protection Is Enabled in Windows 11

Before turning it on, let’s check whether it’s already active.

Method 1: Using Windows Security App

  1. Open Windows Security (search for it in Start).
  2. Go to Device Security → Core isolation details.
  3. Look for Local Security Authority protection.
    • If it says On, you’re good.
    • If it says Off or Unavailable, you’ll need to enable it.

Method 2: Using Event Viewer

  1. Press Windows + S and search for Event Viewer.
  2. Navigate to: Windows Logs → System
  3. Look for event ID 12, 13, or 14 under LSA protection logs.

👉 If it’s not enabled, don’t panic—we’ll fix that next.

How to Turn On Local Security Authority Protection in Windows 11

There are three main ways to do this: Windows Security settings, Registry Editor, and Group Policy Editor. Let’s go step by step.

Method 1: Turn On LSA Protection from Windows Security

This is the easiest method for most users.

  1. Open Windows Security from Start.
  2. Go to Device Security.
  3. Click Core isolation details.
  4. Toggle on Local Security Authority Protection.
  5. Restart your computer for changes to take effect.

👉 Simple, right? But sometimes this option is missing, so let’s check the advanced methods.

Method 2: Enable LSA Protection via Registry Editor

⚠️ Warning: Editing the Registry incorrectly can mess up your system. Always create a backup first.

  1. Press Windows + R, type regedit, and hit Enter.
  2. Navigate to this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. On the right side, look for:
    • RunAsPPL
    • RunAsPPLBoot
      (If they don’t exist, right-click → New → DWORD (32-bit) Value)
  4. Set both values to 2.
    • 2 means enabled with UEFI lock (most secure).
    • 1 means enabled.
    • 0 means disabled.
  5. Close Registry Editor and restart your PC.

Method 3: Enable LSA Protection via Group Policy

If you’re on Windows 11 Pro, Enterprise, or Education, you can use Group Policy.

  1. Press Windows + R, type gpedit.msc, and hit Enter.
  2. Navigate to: Computer Configuration → Administrative Templates → System → Local Security Authority
  3. Double-click Configure LSASS to run as a protected process.
  4. Select Enabled with UEFI lock (recommended).
  5. Click Apply → OK and restart your system.

👉 This is especially useful for IT admins managing multiple PCs.

Troubleshooting: LSA Protection Option Missing in Windows 11

Sometimes, you won’t see the LSA option in Windows Security. Here’s why and how to fix it:

Reason 1: Outdated Windows Version

Make sure you’ve installed the latest Windows 11 updates. Microsoft rolled out LSA settings gradually.

Reason 2: Incompatible Drivers

Certain old drivers may block LSA from being enabled. Check Device Security → Security processor troubleshooting for warnings.

Reason 3: Disabled by Group Policy or Registry

Your organization (if you’re on a work PC) may have disabled it.

How to Verify That LSA Protection Is Running

Even after enabling it, you’ll want to double-check.

Method 1: Task Manager

  1. Open Task Manager (Ctrl + Shift + Esc).
  2. Go to Details tab.
  3. Find lsass.exe.
    • If Protected Process Light (PPL) is enabled, you can’t dump it with basic tools.

Method 2: Windows Security

Go back to Device Security → Core isolation details and confirm it says On.

Should You Enable LSA Protection?

Pros

  • Protects against credential theft
  • Adds an extra security layer for businesses
  • Helps block advanced malware attacks

Cons

  • May cause compatibility issues with older drivers
  • Slight performance overhead (usually negligible)

👉 For most users, the pros far outweigh the cons. Unless you’re running very old hardware, you should turn it on.

Other Ways to Secure Your PC Alongside LSA Protection

Enabling LSA is great, but it shouldn’t be your only defense. Combine it with:

1. Windows Hello or Strong Passwords

Avoid weak or reused passwords. Better yet, use PIN or biometric login.

2. Secure Boot

Prevents rootkits from loading during startup.

3. BitLocker Encryption

Protects your data even if your device is stolen.

4. Regular Updates

Keep Windows and drivers updated for maximum protection.

5. Antivirus & Firewall

Windows Defender is solid, but you can add extra layers if you want.

When Not to Enable LSA Protection

There are rare cases when enabling LSA might not be ideal:

  • You use legacy apps that rely on older authentication methods.
  • Your system runs outdated drivers incompatible with PPL.
  • You’re testing security tools that need to read LSASS memory.

👉 If in doubt, test it in a controlled environment before deploying on all systems.

Conclusion

Turning on Local Security Authority (LSA) Protection in Windows 11 is one of the easiest ways to safeguard your credentials and lock down your PC against advanced attacks. Whether you do it through Windows Security, the Registry, or Group Policy, the extra protection is absolutely worth it.

Yes, there might be a tiny chance of compatibility issues, but for most users, it’s a set-it-and-forget-it security upgrade.

So go ahead—enable it, restart your PC, and sleep better knowing your credentials are safe.

FAQs

1. Is LSA Protection available on all editions of Windows 11?
It’s available on Home, Pro, Enterprise, and Education, though Group Policy is limited to Pro and above.

2. Will enabling LSA Protection slow down my PC?
The performance impact is minimal—most users won’t notice any difference.

3. What happens if I disable LSA Protection?
Disabling it makes your system more vulnerable to credential theft attacks.

4. Do I need antivirus if I enable LSA Protection?
Yes—LSA only protects credentials, not against all types of malware.

5. Can I enable LSA Protection without restarting?
No. You’ll need to restart your PC for the changes to take effect.

Related Posts:

Scroll to Top