Microsoft enables LSA protection by default in Windows Canary build

Microsoft says the latest Windows 11 build rolling out to Insiders in the Canary channel will enable Local Security Authority (LSA) protection by default.

LSA protection is crucial for safeguarding against the theft of sensitive information or login credentials by blocking untrusted code injection into the LSA process and blocking process memory dumping.

As described by Microsoft in the Windows 11 Security app, it "helps protect user credentials by preventing unsigned drivers and plugins from loading into the Local Security Authority."

In simpler terms, LSA protection acts as a gatekeeper, ensuring that only authorized entities can gain access to critical information required for user authentication and system security.

However, there are caveats since this new Windows 11 security option will only be enabled if it passes an audit checking the system for incompatibilities (Microsoft did not explain what compatibility issues it's checking for).

"Starting with on upgrade, we will audit for a period of time to check for incompatibilities with LSA protection. If we do not detect any incompatibilities, we will automatically turn on LSA Protection," Microsoft's Amanda Langowski and Brandon LeBlanc said.

​Windows Insiders can check if LSA protection is enabled on their systems by opening the Windows Security app and going to the Device Security > Core Isolation page.

They can also use the Windows event log to check if any LSA plugins and drivers have been blocked by opening the Event Viewer and looking for events with 3033 and 3063 IDs under Microsoft-Windows-Codeintegrity/Operational (more details here).

In February 2022, Microsoft also said that it would enable a Microsoft Defender 'Attack Surface Reduction' security rule by default to block attempts to steal Windows credentials from the Local Security Authority Subsystem Service (LSASS) process.

BleepingComputer is still waiting for Microsoft to reply to an email asking when this rule will be enabled by default.

The Windows 11 Insider Preview Build 25314 rolling out today to Insiders in the Canary Channel further increases Windows 11 security by disabling the Remote Mailslot Protocol by default.

Today, Microsoft also released a new Windows 11 preview build to the rebooted Dev Channel, which comes with multiple new features, including a new notification toast button to copy 2FA codes, File Explorer access keys, and a new VPN status indicator.