DirSync: LSASS access denied error code 5 (B109612)

DirSync: LSASS access denied error code 5

Directory Sync workflow observed LSASS access denied error code 5 when syncing passwords

[BTPassSvc] - VirtualAllocEx failed: 5
[BTPassSvc] - Exiting service

Failed to open LSASS process (pid #xxx): 5

The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.

The Windows operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages

Error 5 means that access is denied to the LSASS process. This could be the account is not a Domain Admin, or the LSASS process is protected, or AV is preventing access. To check if LSASS is protected on the DC check the following

Open the Registry Editor and check the value  RunAsPPL is it set to 1? (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Lastly, the issue could be caused by LSA Protection, which is enforced on UEFI level instead of OS level. 
Using Process Explorer - it's possible to check, what protection is on the lsass.exe process. A RunAsPPL lsass.exe process will indicate Protected: PsProtectedSignerLsa-Light. If not RunAsPPL - it will say Protected: No

Disclaimer: "Support does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 “Description of the Microsoft Windows registry” at Microsoft Support."