Microsoft’s patch didn’t actually fix Windows Defender, but there’s a workaround

What you need to know

• Recently, an update Microsoft pushed to Windows Defender began causing Windows Security to display warnings that Local Security Authority protection was disabled, even if it was enabled previously.
• These warnings persisted even if users manually reenabled LSA protection and restarted their PC, causing many to worry.
• Microsoft’s patch for the issue didn’t work and is “no longer being offered,” but thankfully, there’s a workaround — ignoring the problem.
• As long as users are able to verify that LSA protection is on through the Event Viewer app, Windows Security’s warnings can be dismissed. If you installed the ineffective update and are experiencing blue screens or abrupt restarts, you’ll need to disable Kernel-mode Hardware-enforced Stack Protection, however.

The Microsoft Defender Antivirus software (also known as Windows Defender) is at the core of standard Windows security, but in late March, an update to it caused a concerning bug with the Windows Security app. Everyone who downloads and installs the update sees a warning that “Local Security Authority protection is off. Your device may be vulnerable,” even if it was enabled previously. 

These messages continue to persist even if LSA protection is reenabled and a restart is performed, and since the LSA manages user rights information and passwords, many users are understandably worried.

The issue was soon confirmed by Microsoft, and about a month later in April, the firm released a patch for it (Version 1.0.2303.27001). However, after users reported that the bug was continuing to persist and that further issues were introduced, Microsoft recently scrapped the patch and confirmed that the update “is no longer being offered to devices” on its Windows Health page. Thankfully, though, there’s a workaround for the original problem — and it’s a simple one.

“If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart,” writes the company. “Currently, we do not recommend any other workaround for this issue.”

Essentially, you can safely dismiss or ignore any LSA protection alerts Windows 11 pushes as long as you’re able to verify that LSA protection is actually active after you enable it and restart your PC. You can do this by opening the Event Viewer app, going into the Windows Logs section, and searching for this WinInit event in the System log:

• 12: LSASS.exe was started as a protected process with level: 4

Notably, Microsoft says that if you installed the ineffective update (Version 1.0.2303.27001) and experience blue screen errors or restarts when opening apps or games, you have to disable Kernel-mode Hardware-enforced Stack Protection to resolve the problem. This can be done by opening Windows Security, selecting Device Security, selecting Core Isolation, and toggling the Kernel-mode Hardware-enforced Stack Protection option off.

Ultimately, it’s good to know that there’s not something terribly serious going on here, though this bug will definitely continue alarming people that haven’t seen Microsoft’s assurances. The firm explained that it’s “working on a resolution and will provide an update in an upcoming release,” so hopefully the issue will be fixed soon.