CNG Key Isolation (KeyIso) Service Defaults in Windows 10

The CNG key isolation service is hosted in the LSA process (lsass.exe). It provides process isolation for private keys and the cryptographic operations performed with them, as required by the Common Criteria: long-lived keys managed through the CNG key storage providers are stored and used inside that secure process, so a caller receives a key handle and the results of operations rather than the private key material itself. Because the keys live in lsass.exe, they are only as well protected as LSA itself; hardening applied to lsass (for example running it as a protected process) also protects the keys KeyIso holds.

Default Settings

Startup type: Manual
Display name: CNG Key Isolation
Service name: KeyIso
Service type: share
Error control: normal
Object: LocalSystem
Path: %SystemRoot%\system32\lsass.exe
File: %SystemRoot%\system32\keyiso.dll
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KeyIso

Default Behavior

CNG Key Isolation is a Win32 service. In Windows 10 it starts only when a user, an application or another service starts it (demand start). Once started, it runs as LocalSystem inside lsass.exe, sharing that process with the other LSA-hosted services rather than running in its own svchost instance. If CNG Key Isolation fails to start, the failure details are recorded in the Event Log; Windows 10 still starts up and notifies the user that the KeyIso service failed to start because of the error.

Dependencies

CNG Key Isolation cannot be started under any conditions if the Remote Procedure Call (RPC) service is disabled, because clients reach the service through RPC.

While CNG Key Isolation is stopped, the Extensible Authentication Protocol service (EapHost) cannot be launched, since it depends on KeyIso.

Restore Default Startup Configuration for CNG Key Isolation

1. Select your Windows 10 edition and release, and then click Download.

2. Save the Win10_KeyIso_Service_Startup.cmd file to a local storage device.

3. Run the saved file as an administrator.

4. Restart the computer.

The KeyIso service uses the keyiso.dll file located in the %WinDir%\system32 folder. Because this DLL is loaded into lsass.exe, any tampering with it means attacker-controlled code running inside the LSA process, so check that the file still carries a valid Microsoft signature rather than only checking that it exists. If the file has been changed, damaged or deleted, you can restore the original version with sfc /scannow or from Windows 10 installation media.
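The following PowerShell script is an added example, not code from the original page, from the site's .cmd download or from Microsoft. It audits the KeyIso service against the defaults listed in the table above, lists the dependency relationships described in the Dependencies section, puts the startup type back to Manual (the part of the restore procedure that can be done without the downloaded file), and checks the signature of keyiso.dll. The service, registry and file names come from the page; the function names, the property names in the output objects and the numeric registry encodings noted in the comments are this script's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page or from Microsoft): audit the
# KeyIso service against the documented defaults, restore the Manual start
# type, and verify the signature of the DLL that lsass.exe loads for it.

$serviceName = 'KeyIso'
$regPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\KeyIso'
$dllPath     = Join-Path $env:SystemRoot 'System32\keyiso.dll'

# Defaults from the table above, as they are stored in the registry
# (assumed encodings: Start 3 = Manual / SERVICE_DEMAND_START,
# Type 0x20 = share process, ErrorControl 1 = normal).
$expected = [ordered]@{
    Start        = 3
    Type         = 0x20
    ErrorControl = 1
    ObjectName   = 'LocalSystem'
    ImagePath    = '%SystemRoot%\system32\lsass.exe'
}

function Test-KeyIsoDefaults {
    # Compare each registry value with its documented default.
    $reg = Get-ItemProperty -Path $regPath
    foreach ($name in $expected.Keys) {
        $actual = $reg.$name
        # Strings compare case-insensitively, DWORDs numerically.
        $match = if ($actual -is [string]) { $actual -ieq $expected[$name] } else { $actual -eq $expected[$name] }
        [pscustomobject]@{ Value = $name; Expected = $expected[$name]; Actual = $actual; Match = $match }
    }
    # The hosted DLL is recorded under the Parameters subkey.
    $dllDefault = '%SystemRoot%\system32\keyiso.dll'
    $dll = (Get-ItemProperty -Path "$regPath\Parameters").ServiceDll
    [pscustomobject]@{ Value = 'ServiceDll'; Expected = $dllDefault; Actual = $dll; Match = ($dll -ieq $dllDefault) }
}

function Show-KeyIsoDependencies {
    # Services KeyIso needs (RPC) and services that need KeyIso (EapHost).
    $svc = Get-Service -Name $serviceName
    [pscustomobject]@{
        RequiredServices  = ($svc.RequiredServices  | ForEach-Object Name) -join ', '
        DependentServices = ($svc.DependentServices | ForEach-Object Name) -join ', '
    }
}

function Restore-KeyIsoStartup {
    # Put the service back to its default Manual (demand) start type.
    Set-Service -Name $serviceName -StartupType Manual
    (Get-Service -Name $serviceName).StartType
}

function Test-KeyIsoDll {
    # keyiso.dll runs inside lsass.exe, so check its signature rather than
    # only its presence. System DLLs are catalog-signed; on Windows 8 and
    # later Get-AuthenticodeSignature validates catalog signatures as well.
    if (-not (Test-Path -Path $dllPath)) {
        return [pscustomobject]@{ Path = $dllPath; Status = 'Missing'; Signer = $null; SHA256 = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $dllPath
    [pscustomobject]@{
        Path   = $dllPath
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash
    }
}

Test-KeyIsoDefaults | Format-Table -AutoSize
Show-KeyIsoDependencies
Restore-KeyIsoStartup
$dllReport = Test-KeyIsoDll
$dllReport
if ($dllReport.Status -ne 'Valid') {
    Write-Warning "keyiso.dll signature status is '$($dllReport.Status)'. Run 'sfc /scannow' or restore the file from Windows 10 installation media."
}
```

Run the script from an elevated PowerShell prompt. A Match of False in the first table means the value differs from the page's default and is worth explaining (group policy, a hardening script, or tampering); a signature Status other than Valid, or a Signer that is not Microsoft, means the DLL loaded into lsass.exe is not the one Windows shipped and should be restored before the service is started again.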