Windows 10 roaming profiles cause Edge and other packaged applications to fail loading

The cause seems to be that when a user logs out, Windows 10 sets some essential registry keys to read-only. When the user logs on again, these keys are in the wrong state and packaged applications, including Edge, fail to load. This seems to be only one of the causes, and MS has released no fix since version 1511.

Below is a walkthrough for working this out.

Step 1

Make sure your workstation (WKS) has all the latest updates.

Connect to your DC and open the Group Policy editor.

Create a WMI filter for Windows 10 and enter the following:

Namespace (should be already there): root\CIMv2

Query: select * from WIN32_OperatingSystem WHERE Version LIKE '10.0.%'

You may get the following message; ignore it.


Step 2

CREATE A GROUP POLICY TO APPLY THIS AS A LOGON SCRIPT

Create a group policy for your domain users called “User-Windows10RoamingProfileFix”. This will be targeted to Windows 10 computers using the WMI filter we created in the previous step.

On the new policy: Right Click > Enforced

Right Click > Edit > User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) > Double Click on Logon > PowerShell Scripts > Add


Click on Browse

Inside the browse popup menu, create a new txt file and rename it to:

POWERSHELL-SCRIPT-TO-ALLOW-ROAMING-LOGINS.PS1

Make sure file extensions are shown and that the file has a .ps1 (PowerShell) extension and not .txt!

Copy and paste the following into the file:

#!PowerShell. De pilo pendet.

# https://social.technet.microsoft.com/Forums/en-US/fd436515-6423-4015-9afe-d7e6034909ab/windows-10-threshold-2-edgesearch-issues-for-domain-joined-pcs
# (c) Christian Ullrich
# copied by James Bayley 2016/01/25

# Build an Allow ACE that gives ALL APPLICATION PACKAGES full control of a key and its subkeys.
function MakeACE() {
    # S-1-15-2-1 is WELL_KNOWN_SID_TYPE::WinBuiltinAnyPackageSid, "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES".
    # The self-documenting NTAccount type results in an object that "cannot be translated".
    $id = New-Object System.Security.Principal.SecurityIdentifier("S-1-15-2-1")
    New-Object System.Security.AccessControl.RegistryAccessRule($id,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Add the ACE to the existing ACL of the given registry key and write it back.
function GrantRequiredAccess($key) {
    $acl = Get-Acl $key
    $acl.AddAccessRule((MakeACE))
    Set-Acl $key $acl
}

# All Windows 10, since Microsoft apparently managed to break build 10240 as well in December 2015, after having shipped 10586 broken from the start.
#New-EventLog -LogName Application -Source "LogonScript"
#Write-EventLog -LogName Application -Source LogonScript -EntryType Information -EventId 1 -Message "In LoginScript to fix roaming profiles"
if ([Environment]::OSVersion.Version.Major -eq 10) {
    # Write-EventLog -LogName Application -Source LogonScript -EntryType Information -EventId 1 -Message "Windows 10 detected"
    GrantRequiredAccess "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe"
    GrantRequiredAccess "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy"
}

Step 3

“ExcludeProfileDirs” Registry Tweak

  1. Continue editing the above-mentioned GPO.
  2. Navigate to: User Configuration > Preferences > Windows Settings > Registry and create a new registry item. Enter the following information:


The key path is:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (don’t copy-paste it, navigate yourself to it!!!!)

In the Value data field, include the following to support Windows 10 version 1703:

AppData\LocalLow;$Recycle.Bin;OneDrive;WorkFolders;AppData\Local\Comms;AppData\Local\ConnectedDevicesPlatform;AppData\Local\Google;AppData\Local\GroupPolicy;AppData\Local\Mozilla;AppData\Local\Packages;AppData\Local\Publishers;AppData\Local\PeerDistRepub;AppData\Local\Temp;AppData\Local\VirtualStore;AppData\Local\Winternals;AppData\Local\Adobe;AppData\Local\Apple;AppData\Local\AppleComputer;AppData\Local\Autodesk;AppData\Local\Chromium;AppData\Local\CrashDumps;AppData\Local\NVIDIA;AppData\Local\NVIDIACorporation;AppData\Local\Skype;AppData\Local\WebEx;AppData\Local\Foxit Reader;AppData\Local\Macromedia;AppData\Local\Microsoft_Corporation;AppData\Local\Real;AppData\Local\DropBox;AppData\Local\Vmware;AppData\Local\Windows Live;AppData\Local\CrashDumps;AppData\Local\Citrix;AppData\Local\Microsoft\AppV;AppData\Local\Microsoft\Credentials;AppData\Local\Microsoft\Feeds;AppData\Local\Microsoft\Feeds Cache;AppData\Local\Microsoft\GameDVR;AppData\Local\Microsoft\Group Policy;AppData\Local\Microsoft\InputPersonalization;AppData\Local\Microsoft\InstallAgent;AppData\Local\Microsoft\Internet Explorer;AppData\Local\Microsoft\Media Player;AppData\Local\Microsoft\OneDrive;AppData\Local\Microsoft\PenWorkspace;AppData\Local\Microsoft\PlayReady;AppData\Local\Microsoft\Vault;AppData\Local\Microsoft\Windows Live;AppData\Local\Microsoft\Windows Sidebar;AppData\Local\Microsoft\WindowsApps;AppData\Local\Microsoft\Windows\UPPS;AppData\Local\Microsoft\Windows\1033;AppData\Local\Microsoft\Windows\ActionCenterCache;AppData\Local\Microsoft\Windows\Application Shortcuts;AppData\Local\Microsoft\Windows\Burn;AppData\Local\Microsoft\Windows\GameExplorer;AppData\Local\Microsoft\Windows\History;AppData\Local\Microsoft\Windows\IECompatCache;AppData\Local\Microsoft\Windows\IECompatUaCache;AppData\Local\Microsoft\Windows\INetCache;AppData\Local\Microsoft\Windows\INetCookies;AppData\Local\Microsoft\Windows\Notifications;AppData\Local\Microsoft\Windows\OfflineFiles;AppData\Local\Microsoft\Windows\PowerShell;AppData\Local\Microsoft\Windows\PRICache;AppData\Local\Microsoft\Windows\Ringtones;AppData\Local\Microsoft\Windows\RoamingTiles;AppData\Local\Microsoft\Windows\Safety;AppData\Local\Microsoft\Windows\SchCache;AppData\Local\Microsoft\Windows\SettingSync;AppData\Local\Microsoft\Windows\Shell;AppData\Local\Microsoft\Windows\WebCache;AppData\Local\Microsoft\Windows\WER;AppData\Local\Microsoft\Windows\Explorer;AppData\Local\Microsoft\CLR_v4.0;AppData\Local\Microsoft\CLR_v4.0_32

Step 4

Continue editing the above group policy for the AppLocker part.

Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged App Rules > Right Click and create Default rules.

Step 5

You should now force the group policy update on the problematic WKS (using gpupdate /force via cmd), then log off and log on a few times. We had cases where we had to remove the roaming profile and reissue it for this to work.
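To confirm on the workstation that the policy actually landed after the logoff/logon cycle, the following read-only check can be run as the affected user. It is an added example, not part of the original workaround or of the scripts credited below; it assumes Windows PowerShell 5.1 and uses the query, SID, key paths and value name given in Steps 1 to 3.

```powershell
# Added verification example (not part of the original workaround). Read-only:
# it changes nothing, it only reports whether Steps 1-3 took effect for the
# logged-on user.

# Step 1: does this machine match the WMI filter query from the GPO?
$wql = "select * from Win32_OperatingSystem WHERE Version LIKE '10.0.%'"
$os  = Get-CimInstance -Namespace 'root\CIMv2' -Query $wql
if ($os) {
    # ProductType 1 = workstation, 2 = domain controller, 3 = server.
    # Windows Server 2016 and later also report 10.0 and match this filter.
    "WMI filter matches: $($os.Caption) $($os.Version), ProductType $($os.ProductType)"
} else {
    'WMI filter does NOT match this machine; the GPO will not apply here.'
}

# Step 2: is the ALL APPLICATION PACKAGES ACE present on both keys?
$appPackages = 'S-1-15-2-1'
$storage  = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage'
$packages = 'microsoft.microsoftedge_8wekyb3d8bbwe', 'microsoft.windows.cortana_cw5n1h2txyewy'
foreach ($name in $packages) {
    $key = Join-Path $storage $name
    if (-not (Test-Path -LiteralPath $key)) {
        "MISSING KEY : $name"
        continue
    }
    # Ask for SIDs rather than account names so the match is locale-independent.
    $rules = (Get-Acl -LiteralPath $key).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $ace = $rules | Where-Object {
        $_.IdentityReference.Value -eq $appPackages -and
        $_.AccessControlType -eq 'Allow'
    }
    if ($ace) {
        "ACE PRESENT : $name ($(($ace.RegistryRights | Select-Object -Unique) -join ', '))"
    } else {
        "ACE ABSENT  : $name"
    }
}

# Step 3: did the ExcludeProfileDirs preference arrive, and is it clean?
$winlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$value = (Get-ItemProperty -LiteralPath $winlogon -ErrorAction SilentlyContinue).ExcludeProfileDirs
if ($value) {
    $dirs  = $value -split ';' | Where-Object { $_ }
    $dupes = $dirs | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name
    "ExcludeProfileDirs: $($dirs.Count) entries, duplicates: $($dupes -join ', ')"
} else {
    'ExcludeProfileDirs is not set for this user.'
}
```

An "ACE ABSENT" or "MISSING KEY" line after logon means the logon script did not run or ran before the key existed, which is the case to investigate before removing and reissuing the profile.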

The above workaround is a merge of various articles and blog posts we found on the web while trying to solve an issue like this. The solution came after applying all of the above, and not one or the other.

Credits and references go to:

  1. Dr James Bayley’s excellent article https://blog.jamesbayley.com/2016/02/10/fixed-windows-10-roaming-profiles-break-edge-and-other-packaged-applications/
  2. https://social.technet.microsoft.com/Forums/en-US/fd436515-6423-4015-9afe-d7e6034909ab/windows-10-threshold-2-edgesearch-issues-for-domain-joined-pcs?forum=win10itprogeneral
  3. https://partnersupport.microsoft.com/en-us/par_clientsol/forum/par_win/roaming-profile-in-windows-10/173fffe7-6751-4721-a19c-c164a4658b90?auth=1
  4. https://www.youtube.com/watch?v=R4R4QlExLsU


About cpsaroudakis

IT professional, founder of CreativePeople.gr

Posted on September 6, 2017, in Everyday IT issues, Windows 10.
