Uxorious 0 Posted March 16 Share Posted March 16 After updating Windows 11 the other day, Windows 11 now complains that Local Security Authority Protection is off. Looking into the errors in Event Viewer, it looks like the cause is that ESET binaries are not properly signed. Anybody else seeing this? Link to comment Share on other sites More sharing options...
Administrators Marcos 4,910 Posted March 16 Administrators Share Posted March 16 I've checked ekrn.exe signatures and both certs issued by Entrust and Microsoft are valid: Link to comment Share on other sites More sharing options...
Uxorious 0 Posted March 16 Author Share Posted March 16 The one it complains about is eamsi.dll, but it actually has multiple signatures. That top one looks good, but the bottom one can not be verified. Link to comment Share on other sites More sharing options...
Administrators Marcos 4,910 Posted March 16 Administrators Share Posted March 16 It's perfectly ok, the last one is a signature by an internal CA cert and is not meant to be verified by the OS in order to load. What mattes is that the first two signatures are reported as valid by Windows. Link to comment Share on other sites More sharing options...
Uxorious 0 Posted March 16 Author Share Posted March 16 Sure, but where is this coming from? Link to comment Share on other sites More sharing options...
itman 1,627 Posted March 16 Share Posted March 16 (edited) Actually, eamsi.dll is not validly signed per below screen shor: To date, this status has not caused issues in Win 10. Perhaps Microsoft has decided to crack down on AV vendors in this regard on Win 11. Edited March 16 by itman Link to comment Share on other sites More sharing options...
itman 1,627 Posted March 16 Share Posted March 16 I did some "boning up" on LSA protection on Win 11. At default settings, it just sets lsass.exe to protected mode. I have done this on my Win 10 build via reg hack. Also, can be done via Group Policy editor. Again, even in protected mode, I haven't observed any conflicts with invalid signed Eset eamsi.dll. That is, lsass.exe still runs in protected mode along with LsaIso.exe; i.e.Credential Guard & Key Guard, loading. However, my PC doesn't support Secure Boot. Without it, I don't get full Credential Guard & Key Guard protection. Win 11 however does introduce LSA protected mode with UEFI lock option. Are you using that option? However since lsass.exe runs as a Protected process, Eset wouldn't be able to inject eamsi.dll into it; even if it tried to which I see no reason why it would do so. Bottom line is I don't beleive eamsi.dll is the source of your LSA issues on Win 11. Link to comment Share on other sites More sharing options...
Uxorious 0 Posted March 18 Author Share Posted March 18 So the base problem is indeed not ESET (even though clearly MS would like something to be different according to the event viewer). Apparently something in the update 4 days ago made this happen for a lot of people. The solution is to add a new/different registry key to enable LSA. No idea why this is now needed. https://www.elevenforum.com/t/enable-or-disable-local-security-authority-lsa-protection-in-windows-11.11104/#post-274436 Link to comment Share on other sites More sharing options...
Recommended Posts