This blog will, again, be about some nasty Store Apps issues! In the conclusion of my last blog, I already mentioned that I was looking into some Start menu and OneDrive/Outlook connection issues that were occurring.
I will divide this blog into multiple parts:
- The Issue
- Fixing it the old way
- Troubleshooting the Issue
- Fixing it the new way
- If you don’t want to fix it manually
1. The issue
I guess I don’t need to mention that nasty 2022-05 update again, the one that broke the installations from the MS Store. But looking at the first time I noticed this Store issue (15-02-2022), this issue has been around for longer than the 2022-05 May update.
Let me explain what stops working.
- Outlook can’t connect anymore
- OneDrive stops syncing as it can’t connect anymore (0x8004de44) / Hangs on Signing in
- The Start menu is not responding on left click (right-click still works)
To give you a good idea of what is breaking, I also recorded it to show you exactly what was happening!

Looking at all the stuff that is breaking, I guess we could just break the device and be done with it… but I guess we need to fix it, otherwise we wouldn’t be doing our job!

Now that we know and have seen what stops working, and if we didn’t break our device, we need to take a look at which events we get when all that stuff breaks! Open your Application event log and start looking at all those excellent yellow warnings!

Event ID: 20
Triggered repair because operation LocalSettings against package Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy with error -2147024891.

Event ID: 21
Repair for operation LocalSettings against package Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy with error -2147024891 returned Error Code: -2147024891.

Event ID: 23
Triggered repair of state locations because of operation SettingsInitialize against package Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy with error -2147024891.

Event ID: 24
Repair of state locations for operation SettingsInitialize against package Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy with error -2147024891 returned Error Code: 0
It’s pretty obvious we are dealing with -2147024891 | 0x80070005 | Access Denied errors. But I am not done yet, because another error caught my eye! As shown below, it is mentioning the 0xc000027b error.

The Application event log is not the only event log we need to dig into, so let’s also take a look at the System event log. This event log is showing us the Kernel-General event 16, mentioning that the application history in component AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.dat is deleted.

Damn… Almost forgot one event log! As told earlier, when you are having sign-in issues with OneDrive and Outlook, it’s always best practice to check out the AAD event log. As shown below, even the AAD sign-in log is giving us the same 0x80070005 Access is denied error.
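
The Application log warnings quoted above can be collected and decoded in one pass. This is an added example, not part of the original post; the function names are hypothetical and the regular expressions assume the English message text shown above.

```powershell
# Added example (not from the original post). Read-only; run on the affected device.
$package  = 'Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'
$eventIds = 20, 21, 23, 24   # the four event IDs quoted above

function ConvertTo-HResultHex {
    param([Parameter(Mandatory)][int]$Code)
    # The log prints a signed 32-bit value; X8 formats its two's complement,
    # so -2147024891 is shown as 0x80070005 (access denied).
    '0x{0:X8}' -f $Code
}

function Get-BrokerPluginRepairEvent {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Application'; Id = $eventIds }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$package*" } |
        ForEach-Object {
            # Assumption: English message text, as quoted in this post.
            $operation = if ($_.Message -match 'operation (\w+) against') { $Matches[1] }
            $trigger   = if ($_.Message -match 'with error (-?\d+)') {
                ConvertTo-HResultHex ([int]$Matches[1])
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Operation   = $operation
                Error       = $trigger
            }
        }
}

# One row per distinct failure. Get-WinEvent returns newest first,
# so the first item in each group is the latest occurrence.
Get-BrokerPluginRepairEvent |
    Group-Object Id, Operation, Error |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Latest'; e = { $_.Group[0].TimeCreated } }
```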

2. Fixing it the Old way
When this weird issue started occurring, we didn’t know exactly what was going on. At first, we just deleted the corrupted profile to make sure a new nice and shiny profile would be created.
To do so, we rebooted the device and logged in with a local admin user. After logging in, we started deleting the c:\users\%username% folder and removing the user’s profile key in the registry.

With the old corrupted profile gone we could start logging in with the user again so the profile will be recreated. After logging in, please open your OneDrive and Outlook to make sure your Microsoft account is connected and working again!
Please Note: With the June update released we also made sure that we installed the June 2022-06 update which has the Store fix included.
3. Troubleshooting the issue
If we don’t want to recreate the profile and go through all the hassle to resync OneDrive etc we also have another option to fix it. As always I also looked if there was something useful in the MS-Docs.
Microsoft Store Apps fail to start – Windows Client | Microsoft Docs
When looking at the above link they do mention something about how to solve possible Store Apps issues.

That’s definitely one error (0xc000027b) we noticed before, right? I guess we have some missing permissions for “ALL APPLICATION PACKAGES” | AKA S-1-15-2-1 on some registry keys… But which ones? Because we have a lot of them!
When you are wondering what is happening in the registry, there is always Procmon! Open Procmon and configure the filter first as shown below.

Looking back at the error we got earlier (-2147024891 -> Access denied), I will only add the filter “Include” with the value “ACCESS DENIED”.

As shown above, it is mentioning “Access Denied” on the HKU\S-1-12-1-2370815533-1185198546-48193434-4181760345\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer and the User Shell Folders registry keys. I guess those are the registry keys we need!
4. Fixing it the New Way
First, make sure the device got the 2022-06 update installed, because the May update could break it again!
When we are 100% sure the device is up to date, open the registry (if you have the permissions to do so; otherwise run Regedit as admin and search for the correct user in the HKEY_USERS key) and validate the permissions on the registry entries below.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
As mentioned before, those registry keys need to have the “ALL APPLICATION PACKAGES” user configured in the permissions, and it also needs to have the “Read” box checked.


If the “ALL APPLICATION PACKAGES” user doesn’t have read permissions, you need to add them manually!
Of course, you could also automate the fix by using PowerShell. The script below needs to be executed as an admin. It will first search for the SID of the Azure AD user. After it has the right SID, it will create a New-PSDrive to make sure we can connect to the HKEY_USERS key.
After the PSDrive has been created, it will add ReadKey permissions for the missing “ALL APPLICATION PACKAGES” to the registry keys.
Please change $Packages to the account name in your own language.

    # The account name is localized: change it to match the OS language.
    $Packages = "ALL APPLICATION PACKAGES"
    # Azure AD user profiles have SIDs starting with S-1-12-1-
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-12-1-*'
    $profiles = Get-Item $key
    # HKEY_USERS has no default PSDrive, so map one
    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | Out-Null
    # $profile is a PowerShell automatic variable, so the loop uses another name
    foreach ($profileKey in $profiles) {
        $sid = Split-Path -Path $profileKey -Leaf
        $user = "HKU:\$sid\"
        # Only profiles whose hive is currently loaded under HKEY_USERS are handled
        if (Test-Path $user) {
            $Folder = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\"
            $Acl = Get-Acl $Folder
            $AccessRule = New-Object System.Security.AccessControl.RegistryAccessRule($Packages, "ReadKey", "ContainerInherit", "None", "Allow")
            $Acl.SetAccessRule($AccessRule)
            Set-Acl $Folder $Acl

            $Folder = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
            $Acl = Get-Acl $Folder
            $AccessRule = New-Object System.Security.AccessControl.RegistryAccessRule($Packages, "ReadKey", "ContainerInherit", "None", "Allow")
            $Acl.SetAccessRule($AccessRule)
            Set-Acl $Folder $Acl
        }
    }
    # Re-register the Store apps for all users
    Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

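
To confirm the state of both keys before or after applying the fix, a read-only check helps. This is an added example, not the blog’s own script: it matches on the SID S-1-15-2-1 mentioned earlier instead of the localized account name, and the function name Test-AppPackagesRead is hypothetical.

```powershell
# Added example: read-only audit, it changes nothing. Run elevated.
# S-1-15-2-1 is the SID of ALL APPLICATION PACKAGES, independent of OS language.
$appPackagesSid = 'S-1-15-2-1'
$readKey     = [System.Security.AccessControl.RegistryRights]::ReadKey
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]
$subKeys     = @(
    'Software\Microsoft\Windows\CurrentVersion\Explorer'
    'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
)
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-AppPackagesRead {
    param([Parameter(Mandatory)][string]$RegistryPath)

    $acl = Get-Acl -LiteralPath $RegistryPath
    # Request identities as SIDs so nothing depends on a translated account name.
    $rules = $acl.GetAccessRules($true, $true, $sidType)
    $hasRead = $false
    foreach ($rule in $rules) {
        # Inherit-only ACEs apply to subkeys only, not to this key itself.
        if ($rule.IdentityReference.Value -eq $appPackagesSid -and
            $rule.AccessControlType -eq 'Allow' -and
            -not $rule.PropagationFlags.HasFlag($inheritOnly) -and
            $rule.RegistryRights.HasFlag($readKey)) {
            $hasRead = $true
        }
    }
    [pscustomobject]@{
        Key                 = $RegistryPath
        AppPackagesRead     = $hasRead
        InheritanceDisabled = $acl.AreAccessRulesProtected
    }
}

# Same profile selection as the fix script: Azure AD SIDs whose hive is loaded.
$results = Get-ChildItem $profileList |
    Where-Object PSChildName -like 'S-1-12-1-*' |
    ForEach-Object {
        foreach ($subKey in $subKeys) {
            $path = "Registry::HKEY_USERS\$($_.PSChildName)\$subKey"
            if (Test-Path -LiteralPath $path) { Test-AppPackagesRead $path }
        }
    }
$results | Format-List
```

A row with AppPackagesRead set to False is a key that still needs the permission.
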
After we made sure the permissions are all good, let’s first take a look to see if we have some luck, because changing the registry permissions resolved it for 75% of the devices.
If the problem still exists, make sure you log in to the device with the USER who is experiencing this issue (NOT ADMIN, the user session!).
Once logged in, open one elevated PowerShell session and one non-elevated PowerShell session in the user’s session. First, kill explorer.exe with the use of Task Manager.
Please note: When you don’t close Explorer, you will end up with some errors mentioning the resource is currently in use!

In the ELEVATED (RUN AS ADMIN) PowerShell session:
Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Please wait until it’s done, and just ignore the errors if you have any!
In the NORMAL PowerShell session (in the user session):

    Get-AppXPackage *Microsoft.Windows.Search* |
        ForEach-Object {
            Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"
        }
    Get-AppXPackage *MicrosoftWindows.Client.CBS* |
        ForEach-Object {
            Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"
        }
    Get-AppXPackage *Microsoft.Windows.ShellExperienceHost* |
        ForEach-Object {
            Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"
        }
    Get-AppXPackage *Microsoft.AAD.BrokerPlugin* |
        ForEach-Object {
            Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"
        }
    Get-AppXPackage *Microsoft.AccountsControl* |
        ForEach-Object {
            Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"
        }
    if (-not (Get-AppxPackage Microsoft.Windows.CloudExperienceHost)) {
        Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
    }
    Get-AppxPackage Microsoft.Windows.CloudExperienceHost
    if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) {
        Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
    }
    Get-AppxPackage Microsoft.AAD.BrokerPlugin

After this PowerShell script is run, please reboot the device or just start explorer.exe with the use of Task Manager, and you will notice everything is working again!
5. When you don’t want to fix it manually
I guess sometimes we are all lazy admins! When you don’t want to go through all of the hassle of fixing it manually, you could always perform a “Fresh Start”.

But beware: it will take some more time before the user can use his device again, because it needs to go through the whole Device and User ESP again to install the required apps. It’s up to you to choose the solution you are happy with.
Conclusion
All those Store Apps issues we have been experiencing over the last few months are awful. Luckily, most of the issues can be resolved. This blog explains how you could solve issues with the Start menu, OneDrive, and Outlook.

Please Note: I am still looking for the “why”! If I have more information I will share it with all of you!
If you are interested in solving issues with the Offline Company portal app please check out this blog
Company Portal not working after performing a Wipe/Reset (call4cloud.nl)
Thanks for this, it was a life saver.
I did however run into a couple problems.
1. If there are multiple profiles on the device the $DelFind = (Get-Item $key) returns multiple items and $sid contains more than 1 SID, so how do you get the correct SID?
I bypassed this by just setting $sid = ‘paste the current user SID from Registry’
2. Even after completing both ‘Fixes’ and rebooting, the Search window was not working. This was only on some PCs. I have not figured out how to fix that yet.
Hi.. it’s on my list to take a look at it to make sure that for each it will be fixed
I updated the script so it works a little bit better when there are multiple sids
Finally a solution!
For the registry permissions, I noticed the all app account was missing from HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The inheritance was also broken (I compared it to a working laptop), so I removed the accounts already there and enabled the inheritance and applied to all child objects. A few other apps were still not working, like the search bar, but the AppXPackage PS took care of that.
“It will first search for the SID of the Azure Ad user.”
Will this also work for on-prem or hybrid setups?