The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.
This service also exists in Windows 10, 7, 8 and Vista.
Windows 11 version | Home | Pro | Education | Enterprise |
---|---|---|---|---|
21H2 | Manual | Manual | Manual | Manual |
22H2 | Manual | Manual | Manual | Manual |
23H2 | Manual | Manual | Manual | Manual |
Display name: | CNG Key Isolation |
Service name: | KeyIso |
Type: | share |
Path: | %WinDir%\system32\lsass.exe |
File: | %WinDir%\system32\keyiso.dll |
Error control: | normal |
Object: | LocalSystem |
The CNG Key Isolation service is running as LocalSystem in a shared process of lsass.exe. Other services might run in the same process. If CNG Key Isolation fails to start, the error is logged. Windows 11 startup proceeds, but a message box is displayed informing you that the KeyIso service has failed to start.
CNG Key Isolation is unable to start, if the Remote Procedure Call (RPC) service is stopped or disabled.
If CNG Key Isolation is stopped, the following services cannot start:
1. Select your Windows 11 edition and release, and then click on the Download button below.
2. Save the RestoreCNGKeyIsolationWindows11.bat file to any folder on a local drive such as SSD or a hard disk.
3. Right-click the downloaded batch file and select Properties.
4. Check the Unblock checkbox and click OK.
5. Right-click the batch file again and select Run as administrator.
6. Restart the computer to save changes.
Note. Make sure that the keyiso.dll
file exists in the %WinDir%\system32
folder. If this file is missing you can try to restore it from your Windows 11 installation media.