Microsoft has released Defender Update KB5007651 for its anti-malware platform, version 1.0.2303.27001 for Windows 11, effective April 18, 2023. The update is intended to fix a Local Security Authority (LSA) bug in Windows 11 and brings "hardware-assisted protection" in the form of FASR (Firmware Attack Surface Reduction). A German blog reader contacted me about this and reports that the Defender Memory Access Protection option can no longer be changed. In addition, a message that "Security Health Service exe" is crashing still appears. As it turns out, the new feature under Windows 11 is only available on newer CPUs (11th-generation Intel CPUs and their AMD counterparts).
Defender Update KB5007651 with LSA Fix?
Update KB5007651 updates the Defender anti-malware platform in Windows 10 and Windows 11. The update shipped for Windows 11 in March 2023 caused issues because the Security Center displayed protection as disabled. As of April 18, 2023, the platform has apparently been updated to version 1.0.2303.27001, which should (partially) fix the issue. Blog reader Guido B. had contacted me two days ago about this Defender update from April 18, 2023, which continues to cause problems for him. Guido wrote:
I received an update today, 04/18/2023 for Microsoft Defender Antivirus Anti-malware Platform-KB5007651 (version 1.0.2303.27001).
The transparency issues with the two different colors in the Defender view have now been resolved. But to my surprise I had to notice that the switch "Protection by local security authority" is missing here!
The colleagues from deskmodder.de also point to this update in this German post and write that this fixes the Defender bug "Protection by local security authority is disabled" in Device Security. In addition, a new option "Hardware-backed stack protection" appears in the Defender options under Windows 11.
I wrote something about this Local Security Authority (LSA) bug in March 2023 in the blog post Windows 11 22H2 Defender causes "Local Security Authority protection is off" warning. Microsoft later confirmed the problem (see my article Windows 11 22H2: Microsoft confirms Defender bug "Local security protection is disabled").
New Feature FASR introduced
According to deskmodder.de, the LSA bug has been fixed by the new FASR feature in Defender. The abbreviation FASR stands for Firmware Attack Surface Reduction, and Microsoft provides this support article from March 2023. It is part of the "Secured-core PC" concept, which is supposed to provide certain protection measures with hardware backing.
For legacy systems that do not yet have hardware-based D-RTM capabilities, Microsoft uses Firmware Attack Surface Reduction (FASR). In short, FASR provides a technique to detect and prevent boot path tampering.
- Only code that is trusted, signed, and integrated by Microsoft is allowed to run.
- Manipulations of the boot path can be detected by the operating system.
The linked support article contains more details about this. Windows Security then shows the new entry "Kernel-mode Hardware-enforced Stack Protection" in the Core isolation category (see the following screenshot).
I checked: Microsoft has not yet confirmed the issue as fixed on the Windows 11 22H2 Health status page; the Known Issues entry "Local Security Authority protection is off" with persistent restart alerts is still open. Both Windows 11 versions (21H2 and 22H2) are affected, but not Windows Server 2022.
FASR requires newer CPUs
However, the new feature has the drawback that it only takes effect on an Intel CPU of the 11th generation (or newer), or a corresponding AMD counterpart: the option that appears in Core isolation, "Kernel-mode Hardware-enforced Stack Protection", relies on the CPU's shadow stack support (Intel CET or AMD shadow stacks), so older processors do not get it. Blog reader Guido had already mentioned in his initial mail that the Defender update KB5007651 is supposed to fix something, but causes issues on his system. To his surprise, he found that the switch for the Memory Access Protection option is missing. He wrote about this:
Only "Memory access protection" appears in the display – but the switch is missing! Again a display error?
If I open Defender, the reliability history says that "Security Health Service exe" is no longer working!
Unfortunately, the problems still exist…
The following screenshots show the German settings pages for Memory Integrity and Core isolation, where the switch to enable the Memory Access Protection option is missing.
The Event Viewer also still shows the message that "Security Health Service exe" is no longer working, so for the blog reader the LSA problem is not fixed. In an addendum Guido then confirmed the findings of the colleagues from deskmodder.de and wrote:
I had seen, shortly after I sent you an email yesterday, that deskmodder had published an article about the Defender update.
I don't have the "hardware-assisted stack protection in kernel mode". According to Reddit, it would probably require at least an 11th generation Intel chip, for example.
This addition refers to this reddit.com thread titled Windows Security App Update? where the topic is also discussed. There somebody wrote:
A note for those who might need it: Kernel mode hardware enforced protection requires an 11th Gen or higher CPU. (Intel CET or AMD shadow stack support)
So Guido's observation about the missing options is not caused by a display error. He simply doesn't have the feature, because his notebook has a tenth-generation Intel Core i5 processor. Windows 11 then does not show the option "Kernel-mode Hardware-enforced Stack Protection" in Windows Security at all.
But this has another caveat: if the CPU doesn't support the feature, the LSA bug isn't fixed at all. Guido wrote: What remains unsightly is the crash of the SecurityHealthService.exe process, which can still be seen in the reliability history. What it boils down to is that the Windows 11 build for platforms that are not 100% compatible is showing more and more problems and discrepancies. Thanks to Guido for the hint.
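For readers who want to check the same points on their own machine instead of relying on the Windows Security app, here is a small triage script. It is an added example, not code from the original post, from Guido, or from Microsoft. It reads the installed Defender platform versions, the RunAsPPL registry value and the Wininit event that records whether lsass.exe actually started as a protected process, the Core isolation toggle state, the VBS services reported by Win32_DeviceGuard, and the Application Error events for SecurityHealthService.exe that feed the reliability history. Two assumptions: the KernelShadowStacks registry key is taken to be the one the "Kernel-mode Hardware-enforced Stack Protection" toggle writes, and the Intel generation detection is a naming heuristic only (AMD models have to be checked by hand).

```powershell
# Added triage script, not part of the original post or of Microsoft's tooling.
# Run from an elevated PowerShell prompt on the affected Windows 11 machine.
# Assumptions: the KernelShadowStacks key is the one the Core isolation toggle
# writes, and Get-IntelCoreGeneration is a naming heuristic, not a CET probe.

function Get-IntelCoreGeneration {
    # Heuristic: "i5-10210U" -> 10, "i7-1165G7" -> 11, "i5-8250U" -> 8.
    # Returns $null for AMD parts and for Intel names outside the Core i3/i5/i7/i9 scheme.
    param([string]$CpuName)
    if ($CpuName -match 'i[3579]-(\d{4,5})') {
        $model = $Matches[1]
        if ($model.Length -eq 5) { return [int]$model.Substring(0, 2) }
        return [int]$model.Substring(0, 1)
    }
    return $null
}

function Get-LsaAndStackProtectionReport {
    # 1. Platform versions, to confirm the update really landed.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # 2. LSA protection: configured in the registry, and really active?
    #    RunAsPPL: 1 = enabled, 2 = enabled with UEFI lock, absent = not configured.
    $lsaKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    #    Wininit writes System event 12 when lsass.exe starts as a protected process.
    $pplEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                -MaxEvents 1 -ErrorAction SilentlyContinue

    # 3. State of the "Kernel-mode Hardware-enforced Stack Protection" toggle (assumed key).
    $kssKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks' -ErrorAction SilentlyContinue

    # 4. VBS services currently running; 1 = Credential Guard, 2 = Memory integrity (HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # 5. The crash shown in reliability history is an "Application Error" event 1000.
    $crashes = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -match 'SecurityHealthService\.exe' }

    $cpu = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
    $gen = Get-IntelCoreGeneration $cpu
    if ($null -ne $gen) { $likely = ($gen -ge 11) } else { $likely = 'check AMD model manually' }

    [pscustomobject]@{
        CpuName                      = $cpu
        IntelCoreGeneration          = $gen
        LikelyHasKernelShadowStacks  = $likely
        AMProductVersion             = $mp.AMProductVersion
        AMEngineVersion              = $mp.AMEngineVersion
        LsaRunAsPPL                  = $lsaKey.RunAsPPL
        LsassStartedProtected        = ($null -ne $pplEvent)
        LsassProtectedEventTime      = $pplEvent.TimeCreated
        KernelShadowStacksEnabled    = $kssKey.Enabled
        VbsServicesRunning           = ($dg.SecurityServicesRunning -join ',')
        SecurityHealthServiceCrashes = @($crashes).Count
        LastCrash                    = ($crashes | Select-Object -First 1).TimeCreated
    }
}

Get-LsaAndStackProtectionReport | Format-List
```

On a machine like Guido's the report would show a generation below 11, no KernelShadowStacks value, and a non-zero crash count, which separates "the toggle is hidden because the CPU lacks the feature" from "the service is actually failing". If LsassStartedProtected is true while Windows Security still shows the LSA warning, the warning is a display problem rather than a missing protection.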
Addendum: After publishing the English version of yesterday's German blog post, I noticed that Bleeping Computer also has an article addressing the confusion caused by Microsoft's update.