RSA MFA Agent for Windows will not run due to error "This module is blocked from loading into the Local Security Authority"
Originally Published: 2024-10-18
Article Number: 000072961
Applies To

RSA Product Set: ID Plus
RSA Product/Service Type: MFA Agent for Windows
RSA Version/Condition: 2.3.5 and earlier

Windows OS/Patch: 

Microsoft Windows 11 24H2 and later

Microsoft Windows Server 2022 and later

Issue

The Microsoft Windows 11 24H2 upgrade (released in October 2024) and Windows Server 2022 introduced new features that prevent RSA MFA Agent for Windows v2.3.5 and earlier from starting.

If the Windows machine is running Windows 11 24H2 or Windows Server 2022, you will see the message below and the MFA Agent will no longer function on that machine.

[Image: Compatibility_error.png]

Cause

Recent changes in the Microsoft Windows 11 24H2 and Windows Server 2022 Local Security Authority (LSA) process affect RSA MFA Agent for Windows v2.3.5 and earlier.

Resolution

RSA MFA Agent v2.3.6 and later is fully compatible with the Local Security Authority (LSA) changes introduced in Windows 11 24H2 and Windows Server 2022, so the issue does not occur. See AAWIN-7533 in section "Fixed Issues" on page 8 of the RSA MFA Agent 2.3.6 for Microsoft Windows Release Notes.

To fix this issue, RSA recommends installing or upgrading to the latest version of the RSA MFA Agent.

Workaround

As a workaround on computers running Windows 11 24H2 and Windows Server 2022 or later, until the MFA Agent can be upgraded to the latest RSA MFA Agent version, follow the steps below to disable Local Security Authority (LSA) protection and restore Agent functionality.

Disable Local Security Authority (LSA) protection

Steps to disable LSA protection using Local Group Policy on Windows 11 version 24H2 and later:

  1. Open the Local Group Policy Editor by entering gpedit.msc.
  2. Expand Computer Configuration > Administrative Templates > System > Local Security Authority.
  3. Open the Configure LSASS to run as a protected process policy.
  4. Set the policy to Disable.
  5. Restart the machine.

Microsoft reference: section "Disable LSA protection" on page https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#disable-lsa-protection
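
To check the LSA protection state on a machine before or after applying the workaround, and to track machines where the workaround is in place until the Agent is upgraded, the following PowerShell reports the configured setting and whether LSASS started as a protected process on the current boot. This is an added example, not RSA or Microsoft code: the registry paths, the RunAsPPL value meanings and the Wininit event 12 check come from Microsoft's LSA protection documentation rather than from this article, and the function names are illustrative.

```powershell
# Added example (not RSA or Microsoft code). Run in an elevated PowerShell session.
# Registry locations and value meanings are assumptions taken from Microsoft's
# LSA protection documentation, not from this article.
$meaning = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without UEFI lock' }

function Get-RunAsPpl {
    param([Parameter(Mandatory)][string]$Path)
    # Returns 'Not configured' when the key or the RunAsPPL value is absent.
    $item = Get-ItemProperty -Path $Path -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    $value = [int]$item.RunAsPPL
    if ($meaning.ContainsKey($value)) { return "$value ($($meaning[$value]))" }
    return "$value (unrecognized)"
}

function Get-LsaProtectionState {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'  # written by the Group Policy setting
    $lsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'        # direct registry configuration

    # Wininit logs event 12 in the System log when LSASS starts as a protected process.
    # Other providers also use ID 12, so filter on the provider name.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $pplEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12; StartTime = $boot } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' } |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        OsVersion               = [System.Environment]::OSVersion.Version.ToString()
        PolicyRunAsPPL          = Get-RunAsPpl -Path $policyPath
        LsaRunAsPPL             = Get-RunAsPpl -Path $lsaPath
        LsassProtectedSinceBoot = [bool]$pplEvent
        LastBootUpTime          = $boot
    }
}

Get-LsaProtectionState | Format-List
```

A configured value only takes effect after a restart, so compare the registry values with `LsassProtectedSinceBoot` to see whether the running LSASS process matches the configured setting.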

Notes

This issue has also been reported for the RSA Authentication Agent for Windows. That product has reached end-of-life, is no longer supported and has been replaced by the RSA MFA Agent for Windows (see section "Authentication Agents & Related SDK" on page Product Version Life Cycle for RSA ID Plus and RSA SecurID). Migration to the latest version of the RSA MFA Agent for Windows is strongly recommended.