Base Filtering Engine service fails to start with Error 5: Access is denied

Problem Description:-

Base Filtering Engine Service may fail to start on the server, with “Access is denied” error message.
You would also see these services failing to start:-

IKE and AuthIP IPsec keying modules
Internet Connection sharing (ICS)
IPSec Policy Agent
Routing and Remote Access
Windows Firewall

On the SBS server, all the Exchange services may be timing out. Rebooting the server takes a long time as the services time out before it finally starts up.


This issue occurs due to missing permissions on the registry key for the base
filtering engine service.
Missing privileges for the BFE account can be added as follows:
Browse to the above mentioned location , right
click and select permissions.
In the “Permissions for Policy” window, click advanced | Add.
Once the “Select Users, Computers or Group” box appears, change the “From this location:” to point to the local machine name.
After changing the search location, enter “NT ServiceBFE” in the “Enter the object
name to select” box and click “Check names” – this will allow you to add the BFE
Give the following privileges to the BFE account:
-Query Value
-Set Value
-Create Subkey
-Enumerate Subkeys
-Read Control

After adding the BFE account to the registry key, you should be able to start the Base Filtering Engine service.
Once the Base Filtering Engine service starts, the dependent services should start as well.