If you see a “Kernel-mode Hardware-enforced Stack Protection is off. Your device may be vulnerable” warning when you open Windows Security on Windows 11 22H2 or 22H1, you are not alone.
After installing the latest Windows Defender update on Windows 11, users report that a brand-new “Kernel-mode Hardware-enforced Stack Protection is off” alert has appeared in Windows Security, warning that “your device may be vulnerable.” When users try to enable the feature, they are met with the same warning message as before. This is likely due to driver issues.
For background, a recent Windows 11 bug incorrectly informed users that LSA Protection had been turned off even though its toggle showed it enabled. Because LSA protection is important for preventing the theft of login credentials, this widespread false error understandably alarmed users.
The LSA issue has been fixed with the latest Microsoft Defender update. This update swaps out the Windows Security settings for LSA Protection with those for Hardware-Enforced Stack Protection. In addition to fixing the LSA warning, the update added a new one about Hardware-Enforced Stack Protection.
On the other hand, this new warning does not seem to be a false positive. It appears that incompatible drivers or software, such as anti-cheat systems, are to blame for Hardware-Enforced Stack Protection being disabled.
This adjustment is being rolled out as part of a required security update and will be applied automatically.
If you get the message “Kernel-mode Hardware-enforced Stack Protection is off. Your device may be vulnerable,” it’s probably because a driver or app is preventing the feature from activating.
Several users have emailed or commented to confirm the problem, complaining that Kernel-mode Hardware-enforced Stack Protection is turned off by default and cannot be turned on.
It appears that driver incompatibilities are to blame, though which drivers are causing the issue is still unknown.
BitLocker may be at the root of the problem, as two updates to Microsoft Defender Antivirus (KB5007651 and KB2267602) appear to conflict with BitLocker countermeasures.
On some systems the Group Policy “Require additional authentication at startup” is enabled as part of BitLocker countermeasures such as pre-boot authentication. As the documentation for Kernel DMA Protection states, other defenses against DMA attacks on BitLocker are unfortunately incompatible with this setting.
Clicking “Review Incompatible Drivers” when the message states that Hardware-enforced Stack Protection cannot be enabled due to driver incompatibilities does nothing.
What is causing the “Kernel-mode Hardware-enforced Stack Protection is off” warning?
Unfortunately, the Windows Security app is not very good at spotting the incompatible driver, and fixing the issue may be impossible for end users.
For those who are unaware, “Hardware-enforced Stack Protection” is a new feature introduced with Windows 11 that allows programs to make use of the local CPU hardware to protect their code. Its purpose is to safeguard the stack, the section of memory where app instructions are temporarily stored before being executed.
The security feature uses modern CPU hardware and shadow stacks (a separate, hardware-protected copy of the code’s execution order) to manage the memory stack, thereby protecting the code. Because it is a hardware-based security feature of modern processors, it is incompatible with some software and hardware, such as anti-cheat systems and outdated or no-longer-supported keyboard/mouse drivers.
If you have Riot Vanguard (vgk.sys), GameGuard, or a similar program installed, you will not be able to enable this feature. You must remove them before you can activate the feature.
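Rather than trusting the Windows Security app alone, you can read the feature's actual state from WMI and look for the drivers named above. This is an added example, not code from the article or from Microsoft; it assumes the Win32_DeviceGuard class, Microsoft's documented service numbering (5 = Kernel-mode HSP, 6 = its audit mode), and the KernelShadowStacks registry location used to opt in, all of which should be verified against your build.

```powershell
# Added example: report the real state of Kernel-mode Hardware-enforced Stack Protection
# and look for drivers the article reports as blocking it. Run from an elevated prompt.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Assumed numbering from Microsoft's VBS documentation: 5 = KM HSP enforced, 6 = KM HSP audit mode.
$names      = @{ 5 = 'Kernel-mode HSP (enforced)'; 6 = 'Kernel-mode HSP (audit mode)' }
$configured = @($dg.SecurityServicesConfigured)
$running    = @($dg.SecurityServicesRunning)

foreach ($code in 5, 6) {
    $state = if     ($running    -contains $code) { 'RUNNING' }
             elseif ($configured -contains $code) { 'configured but NOT running (blocked?)' }
             else                                 { 'not configured' }
    '{0,-30} {1}' -f $names[$code], $state
}

# Assumed registry opt-in location; a missing value means the feature was never switched on.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
$enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
'KernelShadowStacks\Enabled: {0}' -f $(if ($null -eq $enabled) { '<missing>' } else { $enabled })

# Loaded kernel drivers matching the products the article names (vgk.sys = Riot Vanguard).
# GameGuard's driver file name is not given in the article, so its product name is matched instead.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'vgk\.sys|GameGuard' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize
```

A service that is configured but not running, together with a hit in the driver list, is the combination the Security app reports as “off”; removing the matching product is the remedy the article describes.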
According to Windows Latest, Microsoft is looking into ways to better detect and flag incompatible drivers.
It’s important to remember that just because the Windows Security app alerts you that your device is “vulnerable” doesn’t mean it’s actually under attack. I’m hoping that Microsoft will fix the Windows Security app’s false alarms as soon as possible.