When trying to install or upgrade the agent on DC's it fails with various errors. These errors include "The target version is already installed" or "the file is checked out or locked for editing by another user". Multiple tries with different user accounts have been unsuccessful.
LSASS protection might be the cause.
Open Regedit and navigate to HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/LSA and look there for a DWORD value RunAsPPL. If present, and if it has a value greater than zero, then the "Additional LSA Protection" feature is enabled and will prevent Change Auditor lsass extensions from loading.
Change the value to 0
Restart the server in order for this setting to take effect.
