The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!CNG Key Isolation (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\KeyIso!Start