Have you just encountered an “LSA Package is Not Signed as Expected” warning on your Windows 11 PC? Don’t panic: This warning is part of Windows’ Local Security Authority (LSA) protection process, which is used to enforce security policies, including logon authentication and credential management.
Users typically receive this warning when Windows detects that one or more LSA plugins are not properly signed according to Microsoft’s security requirements, even though LSA Protection is enabled. Think of it like having a delay in delivery: You bought the product online, but the delivery truck assigned to your residence didn’t track its location properly—in fact, it just suddenly disappeared and reappeared in your front yard! So, even if the driver is standing right outside your door, it would be wise not to accept the package because you are not certain if they’re the correct person or even carrying the right item.
Microsoft recommends that users enable LSA Protection to reduce the risk of credential theft. However, if you still receive the warning “LSA protection is on, but the LSA package is not signed as expected,” here is what you can do:
Resolving persistent “LSA package not signed” warnings
Before proceeding, there are technical prerequisites to note:
- Windows updates: All pending Windows Updates should be installed to ensure that your current system is up-to-date.
- Administrative rights: If you are currently under a managed environment, you may need to speak to your IT admin.
- Secure boot and VBS: Secure Boot and virtualization-based security (VBS) should be enabled.
- HVCI support: The device must support Hypervisor-protected Code Integrity (HVCI).
Step 1: Verify LSA protection status
Method A: Using GUI
- Navigate to Settings > Privacy & security > Windows Security > Device security.
- Click on Core isolation details or Security processor (depending on your system configuration).
- Check the status of your LSA protection under the section Local Security Authority Protection. One of three messages may appear:
  - ✅ LSA protection is on
  - ⚠️ LSA protection is on, but the LSA package is not signed as expected
  - 🛑 LSA protection is off
- Restart your system to clear out transient messages.
💡 Sometimes, the GUI is unreliable or missing. As such, this method may not work for you. Other methods you can try are:
Method B: Using Windows Event Log
- Open Event Viewer. You can do this by typing “Event Viewer” in the Windows Search bar.
- Navigate to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
- Look for Event ID 3089 or 3065:
  - Event ID 3089: Indicates LSA is not running as a protected process.
  - Event ID 3065: Indicates LSA is running as protected but encountered unsigned plug-ins.
Method C: Using msinfo32
- Press Win + R, type msinfo32, and press Enter.
- Scroll down and check for the following fields:
  - Virtualization-based security: It should say “Running”. If not, there is an error.
  - Credential Guard: If the LSA protection is on, it will say “Running”.
Step 2: Enable LSA Protection
Method A: Through Registry Editor
- Press Win + R, type regedit, and press Enter.
- Navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Check the following two values and configure them as described:
  - RunAsPPL
    - If the RunAsPPL DWORD already exists, double-click it and set its value to 1.
    - If it doesn’t exist:
      - Right-click on an empty space and select New > DWORD (32-bit) Value.
      - Name it RunAsPPL.
      - Set its value to 1.
  - RunAsPPLBoot
    - If the RunAsPPLBoot DWORD already exists, double-click it and set its value to 1.
    - If it doesn’t exist:
      - Right-click on an empty space and select New > DWORD (32-bit) Value.
      - Name it RunAsPPLBoot.
      - Set its value to 1.
- Restart your system to apply the changes.
Method B: Through PowerShell
- Open PowerShell as an administrator.
- Execute the commands:
  - To enable LSA protection:
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1 -PropertyType DWORD -Force
  - To enforce protection at boot (optional):
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPLBoot" -Value 1 -PropertyType DWORD -Force
- Restart the system to apply the changes.
Step 3: Scan and remove non-compliant LSA plugins
Method A: Using the Registry Editor
- Press Win + R, type regedit, and press Enter.
- Navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Review the authentication packages.
  - Check the Authentication Packages and Security Packages entries for third-party plugins.
  - Common third-party entries might include older antivirus or VPN software components.
- Uninstall or update software as needed.
  - Identify any non-Microsoft security software that may inject unsigned LSA plug-ins.
  - Uninstall or update these applications to versions that are compliant with LSA protection.
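The registry review in Method A can also be scripted. The PowerShell below is an added example, not part of the original guide: it reads the Authentication Packages and Security Packages values and reports the Authenticode status of each DLL they name. The function names and the rule that bare package names resolve to DLLs in System32 are assumptions made for illustration.

```powershell
# Added example (not from the original article): list the LSA packages named in the
# registry and report the Authenticode status of each DLL. Read-only; run elevated.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Resolve-LsaPackagePath {
    param([string]$Name)
    # Assumption: entries without a path refer to DLLs in System32, usually without ".dll"
    $file = if ([IO.Path]::GetExtension($Name)) { $Name } else { "$Name.dll" }
    if ([IO.Path]::IsPathRooted($file)) { $file }
    else { Join-Path $env:SystemRoot "System32\$file" }
}

function Get-LsaPackageSignature {
    $props = Get-ItemProperty -Path $lsaKey
    foreach ($valueName in 'Authentication Packages', 'Security Packages') {
        # REG_MULTI_SZ comes back as a string array; drop empty and '""' placeholder entries
        $entries = @($props.$valueName) | Where-Object { $_ -and $_.Trim('"', ' ') }
        foreach ($entry in $entries) {
            $path = Resolve-LsaPackagePath -Name $entry
            $sig  = if (Test-Path -LiteralPath $path) {
                Get-AuthenticodeSignature -LiteralPath $path
            }
            [pscustomobject]@{
                RegistryValue = $valueName
                Package       = $entry
                Path          = $path
                Status        = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# Anything not "Valid", or signed by a non-Microsoft publisher, is a candidate for review
Get-LsaPackageSignature |
    Sort-Object Status |
    Format-Table -AutoSize -Wrap
```

Authenticode validity is only a first filter: LSA protection applies Microsoft's own signing requirements, so a validly signed third-party DLL can still trigger the warning.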
Method B: Using Event Viewer
- Press Win + R, type eventvwr.msc, and press Enter.
- Navigate to Windows Logs > System.
- In the Event sources drop-down, look for and select:
  - LSASS (Local Security Authority Subsystem Service)
  - CodeIntegrity
- You can also filter by Event ID 3089 or 3065, which often relate to LSA protection issues.
- Review the details and analyze. Pay attention to references to specific DLLs or file paths, especially those located outside of C:\Windows\System32. You should also note the name and location of any third-party plug-ins, such as those from outdated antivirus tools.
- Cross-reference with what’s already installed in your system via Settings > Apps > Installed apps.
- Remove the non-compliant software.
  - If the plug-in belongs to a known third-party application:
    - Uninstall it from Settings > Apps > Installed Apps.
    - Use the vendor’s uninstaller if available.
    - If the updated version is available, download it from a trusted source and install it.
- Restart the system to ensure all changes are applied.
Step 4: Remediate LSA integrity issues
Method A: Use Windows Security “Fix” Option (if available)
- Go to Settings > Privacy & security > Windows Security > Device security.
- Click on Core isolation details or Security processor (depending on your system configuration).
- If a Fix or Restart required button is present, click it to start remediation.
- Follow any prompts to reboot the system.
💡 As with step 1, sometimes, the GUI is unreliable or missing. As such, this method may not work for you. Other methods you can try are:
Method B: Confirm the Registry is correct
Make sure you’ve applied the Registry Editor method and PowerShell method to explicitly enable RunAsPPL and, optionally, RunAsPPLBoot. These override GUI behavior and enforce LSA protection directly at the system level.
Method C: Manually investigate third-party software
Keep in mind that Windows cannot remove third-party software; you need to manually do this. If unsigned plug-ins are present, you’ll need to use Event Viewer, as detailed in Step 3, Method B, to identify the source.
Additional considerations with LSA protection
- In enterprise environments, you can utilize Group Policy or Configuration Service Providers (CSPs) to enforce LSA protection across multiple systems.
- Note that older third-party tools and software are less likely to be signed. In these cases, it’s recommended to either uninstall them or update these packages to resolve the warning.
- We suggest regularly monitoring Event Viewer or using PowerShell scripts to check for Event ID 3065 or 3089, which indicate LSA integrity issues.
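A monitoring script of the kind suggested above might look like the following. It is an added example, not part of the original guide: it queries the CodeIntegrity operational log named in Step 1 for Event ID 3065 and 3089, groups repeats, and flags file paths outside \Windows\System32. The function name, the 7-day window and the path-matching pattern are assumptions.

```powershell
# Added example (not from the original article): summarise recent CodeIntegrity
# events 3065 and 3089 so repeated offenders stand out. Read-only; run elevated.
$logName  = 'Microsoft-Windows-CodeIntegrity/Operational'
$eventIds = 3065, 3089

# Assumption: event messages quote file paths as \Device\... or X:\... ending in .dll/.sys
$pathPattern = '(?i)(?:\\Device\\|[A-Z]:\\)[^()"]*?\.(?:dll|sys)'

function Get-LsaIntegrityEvent {
    param([int]$Days = 7)   # look-back window, chosen for illustration

    $filter = @{
        LogName   = $logName
        Id        = $eventIds
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $events | Group-Object Id, Message | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        $files  = @([regex]::Matches([string]$latest.Message, $pathPattern) |
                    ForEach-Object { $_.Value })
        [pscustomobject]@{
            EventId         = $latest.Id
            Count           = $_.Count
            LastSeen        = $latest.TimeCreated
            Files           = $files -join '; '
            # Files loaded from outside \Windows\System32 deserve the closest look
            OutsideSystem32 = [bool]($files | Where-Object { $_ -notmatch '\\Windows\\System32\\' })
            Message         = $latest.Message
        }
    }
}

Get-LsaIntegrityEvent -Days 7 | Sort-Object LastSeen -Descending | Format-List
```

An empty result means no matching events were recorded in the window, or that the log could not be read from a non-elevated session.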
Resolving the “LSA package is not signed as expected” warning
This LSA protection warning occurs when third-party plug-ins do not meet current code integrity standards. While the warning can be frustrating to receive, it is a useful strategy to protect your device from threats. This guide has shown you the necessary steps to resolve it so you can go about your work with no disruptions.