The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.
This service also exists in Windows 11, 8 and Vista.
Windows 10 version | Home | Pro | Education | Enterprise |
---|---|---|---|---|
1507 | Manual | Manual | Manual | Manual |
1511 | Manual | Manual | Manual | Manual |
1607 | Manual | Manual | Manual | Manual |
1703 | Manual | Manual | Manual | Manual |
1709 | Manual | Manual | Manual | Manual |
1803 | Manual | Manual | Manual | Manual |
1809 | Manual | Manual | Manual | Manual |
1903 | Manual | Manual | Manual | Manual |
1909 | Manual | Manual | Manual | Manual |
2004 | Manual | Manual | Manual | Manual |
20H2 | Manual | Manual | Manual | Manual |
21H1 | Manual | Manual | Manual | Manual |
21H2 | Manual | Manual | Manual | Manual |
22H2 | Manual | Manual | Manual | Manual |
Display name: | CNG Key Isolation |
Service name: | KeyIso |
Type: | share |
Path: | %WinDir%\system32\lsass.exe |
File: | %WinDir%\system32\keyiso.dll |
Error control: | normal |
Object: | LocalSystem |
The CNG Key Isolation service is running as LocalSystem in a shared process of lsass.exe. Other services might run in the same process. If CNG Key Isolation fails to start, the error is logged. Windows 10 startup proceeds, but a message box is displayed informing you that the KeyIso service has failed to start.
CNG Key Isolation is unable to start, if the Remote Procedure Call (RPC) service is stopped or disabled.
If CNG Key Isolation is stopped, the Extensible Authentication Protocol service fails to start and initialize.
1. Select your Windows 10 edition and release, and then click on the Download button below.
2. Save the RestoreCNGKeyIsolationWindows10.bat file to any folder on your hard drive.
3. Right-click the downloaded batch file and select Run as administrator.
4. Restart the computer to save changes.
Note. Make sure that the keyiso.dll
file exists in the %WinDir%\system32
folder. If this file is missing you can try to restore it from your Windows 10 installation media.