locked
unable to run any Metro app once Win8 machine is joined to domain and group policy is processed

    Question

  • This issue existed with the last version and continues through to the RP. Something in our group policy is breaking metro apps. Metro apps work fine, including the app store before joining the machine to the domain. Once the machine is joined, all metro apps fail to launch. If I move the machine account and my account into a different OU that blocks our group policy settings, the metro apps start working again. Any ideas?


    Saturday, June 02, 2012 3:59 PM

Answers

  • Awesome. We don't see those group policy entries ourselves. It is good to know that it is a GPO for you. I suspected so. I'll have to go through our policy one entry at a time. I suspect it is centered around security, SCCM/WSUS or local machine firewall policies.
    • Proposed as answer by Niki HanModerator Monday, July 09, 2012 8:27 AM
    • Unproposed as answer by Beaum Monday, July 09, 2012 4:51 PM
    • Marked as answer by Beaum Monday, August 20, 2012 4:23 PM
    Thursday, July 05, 2012 6:47 PM
  • This issue existed with the last version and continues through to the RP. Something in our group policy is breaking metro apps. Metro apps work fine, including the app store before joining the machine to the domain. Once the machine is joined, all metro apps fail to launch. If I move the machine account and my account into a different OU that blocks our group policy settings, the metro apps start working again. Any ideas?


    We were able to fix our issue. It came down to an entry in group policy that was securing a registry key (winsock2) to our domain users. Resetting the security in the registry fixed the issue. Now we have to figure out why that key was secured back in the day.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters

    • Marked as answer by Beaum Monday, August 20, 2012 4:24 PM
    Wednesday, August 15, 2012 2:00 PM

All replies

  • here is an error from my event log

    Log Name:      Application
    Source:        Microsoft-Windows-Immersive-Shell
    Date:          6/2/2012 9:37:26 AM
    Event ID:      5973
    Task Category: (5973)
    Level:         Error
    Keywords:      
    User:          SDTBFMTEST01\B
    Computer:      sdtb
    Description:
    Activation of app microsoft.windowsphotos_8wekyb3d8bbwe!Microsoft.WindowsLive.ModernPhotos failed with error: The app didn't start in the required time. See the Microsoft-Windows-TWinUI/Operational log for additional information.

    Saturday, June 02, 2012 4:50 PM
  • I can't find the twinui operational log mentioned above. Any ideas?
    Saturday, June 02, 2012 5:00 PM
  • I reset Win8 back to factory and all is well as long as I don't join our domain. I think it might have to do with our deployment of SCCM. Our machines check our SCCM box for updates. Just a theory on my end.

    Monday, June 04, 2012 12:37 AM
  • I'm getting the same issue!!  I never thought it to be the domain join that caused the issue.

    I've had this same problem since the Consumer Preview (which was domain joined) and now the RC (which is also domain joined).

    None of my metro apps work (Mail, Calender, Skydrive, Bing Weather etc).

    Here is the error when loading the skydrive metro app:

    Activation of app microsoft.microsoftskydrive_8wekyb3d8bbwe!Microsoft.MicrosoftSkyDrive failed with error: A required privilege is not held by the client. See the Microsoft-Windows-TWinUI/Operational log for additional information.

    Here is the error when loading the Bing Weather metro app...

    App Microsoft.BingWeather_8wekyb3d8bbwe!App did not launch within its allotted time.

    All metro apps will throw either of those errors.  I'm going to remove my machine from the domain now, reset everything and see if this works like you suggested.


    http://www.dreamension.net

    Monday, June 04, 2012 8:24 AM
  • Ok, I'm having this issue too.  I posted a thread here:

    http://answers.microsoft.com/en-us/windows/forum/windows_8-winapps/release-preview-apps-wont-start-after-connecting/9c629ff0-b0b1-4470-b0d1-e005291de9a7?page=1

    I found the following in the event logs:

    In the Event Log (Microsoft-Windows-TWinUI/Operational) I see this:

     

    Activation of app microsoft.microsoftskydrive_8wekyb3d8bbwe!Microsoft.MicrosoftSkyDrive attempted. Execution state: Attempted activation of the app, 0, The operation completed successfully..

     

    Followed by this:

     

    Activation of the app microsoft.microsoftskydrive_8wekyb3d8bbwe!Microsoft.MicrosoftSkyDrive for the Windows.Launch contract failed with error: The app didn't start..

     

    In the AppHost event log I see this:

     

    The App Host could not start because the host module Package Protocol::Initialize failed with 0x0x80070015.

     

    Followed by:

    The App Host has encountered an unexpected error and will terminate. The error is 0x80070015.

    Does anyone know what would be causing this?

    Tuesday, June 05, 2012 1:45 PM
  • Is your machine joined to a domain? If so, do you have policies applied for your firewall or windows update?

    Tuesday, June 05, 2012 3:42 PM
  • Ok I just rebuilt now, didn't join the domain - and presto - all metro apps are working.


    http://www.dreamension.net

    Wednesday, June 06, 2012 1:25 AM
  • I have this issue as well.

    I've tried the information at http://blogs.technet.com/b/asiasupp/archive/2012/03/12/metro-apps-won-t-start-under-windows-8-cp.aspx. I still have the issue.

    I'd like to try and resolve this without rebuilding my machine or taking it off the domain.

    Jacob


    Jacob.

    Wednesday, June 06, 2012 3:22 AM
  • Hi Beaum,

    Could you help me narrow down which group policy breaking the Metro apps? It is important to identify the confliction and forward it to the appropriate department. Thanks for your efforts.


    Niki Han

    TechNet Community Support

    Wednesday, June 06, 2012 7:57 AM
    Moderator
  • I'm not certain it is a GPO issue. There error in the even log is:

    Activation of app microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail failed with error: A required privilege is not held by the client. See the Microsoft-Windows-TWinUI/Operational log for additional information.

    What would cause the apps to generate a "required privilege is not held by the client" error?

     


    Jacob.

    Wednesday, June 06, 2012 10:31 AM
  • Yes, it's joined to a domain and yes there are policies applied to both the firewall AND windows update.

    The firewall is disabled and windows update is set to use WSUS.

    Wednesday, June 06, 2012 2:01 PM
  • Well it's something to do with the domain.  I've reproduced this a few times.  A totally clean install.  Everything works.  Attach to the domain (no other changes) and the apps break immediately.

    If it's not GPO it's something else but my gut says GPO.

     
    Wednesday, June 06, 2012 2:03 PM
  • Seeing the exact same issue with the same "did not launch within its allotted time" in the Event Viewer. If it is a GPO creating the issue, it is a Computer Configuration issue. I am logged onto the machine with a local account that should be not be receiving the User Configuration objects. I can create multiple local accounts with no Metro Apps issues, but as soon as the computer is joined to the domain the issue appears.
    Wednesday, June 06, 2012 3:23 PM
  • I haven't been able to narrow it down. I think it has to do with sccm/wsus but I don't know for sure yet. It would be helpful if the other people chime in and say whether they use wsus and/or sccm or apply firewall settings in their GPO.
    Wednesday, June 06, 2012 4:10 PM
  • Not sure if this is the same issue but I'll give it a shot. I have seen this issue more than once and in those cases the user was either logged in as the built-in administrator, or on a domain logged in with Domain Admin privileges. I had the user log in with another domain name, without the Domain Admin privileges and everything worked fine.
    Wednesday, June 06, 2012 5:32 PM
  • I'll try a non admin account today. This is a spectacular bug if this is the issue.

    Wednesday, June 06, 2012 6:11 PM
  • I'm having the exact same problem.  I am logging in with a domain user account that I put in the local Administrators group.  We are using WSUS as well, but not SCCM.  If I log in using the local admin account I still have the same problem.

    I tried logging in as a different domain user and still not able to access any of the apps or the store.  I've tried it with the firewall disabled and enabled no difference.

    Here are the two events I see when I try to launch the Store.

    Log Name:      Application
    Source:        Microsoft-Windows-Immersive-Shell
    Date:          6/6/2012 3:29:08 PM
    Event ID:      2486
    Task Category: (2414)
    Level:         Error
    Keywords:      (64),Process Lifetime Manager
    User:          IGA\tabletuser
    Computer:      win8tab.iga.local
    Description:
    App winstore_cw5n1h2txyewy!Windows.Store did not launch within its allotted time.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Immersive-Shell" Guid="{315A8872-923E-4EA2-9889-33CD4754BF64}" />
        <EventID>2486</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>2414</Task>
        <Opcode>0</Opcode>
        <Keywords>0x2000000000000042</Keywords>
        <TimeCreated SystemTime="2012-06-06T19:29:08.412922700Z" />
        <EventRecordID>2088</EventRecordID>
        <Correlation />
        <Execution ProcessID="3540" ThreadID="3920" />
        <Channel>Application</Channel>
        <Computer>win8tab.iga.local</Computer>
        <Security UserID="S-1-5-21-125114396-1260416967-5979419-23325" />
      </System>
      <EventData>
        <Data Name="ApplicationId">winstore_cw5n1h2txyewy!Windows.Store</Data>
      </EventData>
    </Event>



    Log Name:      Application
    Source:        Microsoft-Windows-Immersive-Shell
    Date:          6/6/2012 3:28:52 PM
    Event ID:      5973
    Task Category: (5973)
    Level:         Error
    Keywords:      
    User:          IGA\tabletuser
    Computer:      win8tab.iga.local
    Description:
    Activation of app winstore_cw5n1h2txyewy!Windows.Store failed with error: A required privilege is not held by the client. See the Microsoft-Windows-TWinUI/Operational log for additional information.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Immersive-Shell" Guid="{315A8872-923E-4EA2-9889-33CD4754BF64}" />
        <EventID>5973</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>5973</Task>
        <Opcode>0</Opcode>
        <Keywords>0x2000000000000000</Keywords>
        <TimeCreated SystemTime="2012-06-06T19:28:52.526638200Z" />
        <EventRecordID>2087</EventRecordID>
        <Correlation />
        <Execution ProcessID="3540" ThreadID="4476" />
        <Channel>Application</Channel>
        <Computer>win8tab.iga.local</Computer>
        <Security UserID="S-1-5-21-125114396-1260416967-5979419-23325" />
      </System>
      <EventData>
        <Data Name="AppId">winstore_cw5n1h2txyewy!Windows.Store</Data>
        <Data Name="ErrorCode">-2147023582</Data>
      </EventData>
    </Event>


    • Edited by Eric Reid Wednesday, June 06, 2012 7:35 PM More info.
    Wednesday, June 06, 2012 7:25 PM
  • I'm having the same problem, did anyone solve this? :(
    Thursday, June 07, 2012 2:11 PM
  • As noted, we're using BOTH of those. 

    Also, the account in question is a local admin account.  It doesn't have domain admin.

    in addition to this, I created a local user on the box (after the apps broke) and the apps are broken for the local user as well.  It seems that whatever is causing the problem is causing it to happen to the machine globally.

    Did you follow up with Niki from above?  It looks like she is willing to try and figure this out with you and then forward the info to the correct dev team.


    • Edited by Comitizer Thursday, June 07, 2012 2:25 PM
    Thursday, June 07, 2012 2:24 PM
  • I'm a bit confused now.  The computer I'm having this problem on is a Samsung Series 7 Slate PC.

    I just installed Win8 RP on a Dell Latitude D820 and tried the Metro apps before joining the domain.  Everything worked.  I joined the domain and rebooted.  I then logged in as a normal AD user and tried the apps again.  They still worked.  I did a gpupdate /force to make sure it pulled any GPO's.  Everything still works.

    Thursday, June 07, 2012 5:41 PM
  • I think I just found out what broke this at least for me.  Here at work we run a couple of Oracle servers and the client we use requires .Net 3.5.  Windows 8 comes with an RC of .Net 4.5.  Once I install the .Net 3.5 the apps stop working.  Now I think I just need to figure out how to repair the .Net 4.5 install.  Anybody have any ideas on how I can do that?
    Thursday, June 07, 2012 6:03 PM
  • Now I think I just need to figure out how to repair the .Net 4.5 install.  Anybody have any ideas on how I can do that?
    Go to control panel and remove it, reboot and enable it again?

    "A programmer is just a tool which converts caffeine into code"

    Thursday, June 07, 2012 6:05 PM
    Answerer
  • That didn't work.  I thought of that as well.  Since it only takes about 10 mins to install Win8 I'm going to re-install it on the D820 and install .Net 3.5 before I join the domain and see if it still breaks the apps.  I'll keep you posted.
    Thursday, June 07, 2012 6:17 PM
  • I have 3.5 installed but don't see any issues. You could always try to reinstall it 4.5 if you think that could be an issue.

    http://www.microsoft.com/en-us/download/details.aspx?id=28978


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

    Thursday, June 07, 2012 6:44 PM
  • I tried a non admin account and that didn't fix it. It is clearly something in the GPO we are applying.
    Thursday, June 07, 2012 11:39 PM
  • Has anyone tried Promon or similar??

    I've tried almost everything I can think of including removing my machine from the domain.

    Jacob.


    Jacob.

    Thursday, June 07, 2012 11:43 PM
  • Hello,

    Was UAC Disabled via Group Policy, that may do it?

    Registry keys for UAC to check.

    http://technet.microsoft.com/en-us/library/dd835564(v=WS.10).aspx


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. VAMT - Volume Activation Management Tool - Download link http://www.microsoft.com/downloads/details.aspx?FamilyID=ec7156d2-2864-49ee-bfcb-777b898ad582&displaylang=en

    Friday, June 08, 2012 12:18 AM
  • Nope, UAC (according to the control panel) is set to the default level on my machine. 

    Friday, June 08, 2012 1:23 PM
  • First, sorry for the long post.

    The problem on my end has to do with our GPO and .Net Framework 3 on Windows 8.  I did another clean install of Windows 8 RP this morning on my Dell D820.  I joined the domain and all of the Metro apps continued to work.  This setup has worked for close to 6 hours today.  I just installed .Net Framework 3 using the following command:

    dism /online /enable-feature /featurename:NetFx3 /source:d:\source\sxs

    After it completed successfully I tested the Metro apps.  They all worked.  I rebooted the laptop and now none of the Metro Apps work.

    I've also tried to come up with a way to see what settings have been changed by our GPO.  The only thing I could come up with is to run "gpresult".  The output of that is listed below.  For some reason our "Computer Settings" aren't getting applied to Windows 8 (I'm not a GPO person so I'm guessing its because those will only apply to Windows 7).  So for us it has to be a setting in the "Users Settings".

    Does anything in these results jump out to anyone?


    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    c 2012 Microsoft Corporation. All rights reserved.

    Created on 6/8/2012 at 12:27:49 PM



    RSOP data for IGA\EREID on LSA01701984 : Logging Mode
    ------------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  6.2.8400
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\ereid
    Connected over a slow link?: No


    USER SETTINGS
    --------------
        CN=EREID,OU=TechsInheritBlock,OU=IGAUsers,DC=iga,DC=local
        Last time Group Policy was applied: 6/8/2012 at 12:26:59 PM
        Group Policy was applied from:      IGADC03.iga.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        IGA
        Domain Type:                        Windows 2008 or later
        
        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            InsureAdminAbility

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            ZP_LSA_Staff
            PhoneCenter_G
            RightFaxUsers_G
            EVERYONE_G
            EDUCO_F_G
            OCRGreenTeam_G
            TECHS_G
            WAMCO_F_G
            Zenprise Administrators
            $LSA
            ZP_LSA_SharePoint
            LSAALL_G
            $IGA
            Medium Mandatory Level
            
        The user has the following security privileges
        ----------------------------------------------


        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Refresh
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_MailNews
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddFromInternet
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Back
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Intellimenus
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Encoding
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Discussions
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoWindowsSetupPage
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Forward
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Policies\Microsoft\MMC\RestrictAuthorMode
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Folders
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Stop
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Copy
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAddPrinter
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Paste
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWelcomeScreen
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Edit
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetworkConnections
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Policies\Microsoft\Windows NT\Printers\Wizard\Printers Page URL
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Print
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103}
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{645FF040-5081-101B-9F08-00AA002F954E}
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Tools
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddPage
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SpecifyDefaultButtons
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocuments
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdate
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Size
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_History
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Home
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceStartMenuLogOff
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Search
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoBandCustomize
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Policies\Microsoft\MMC\RestrictToPermittedSnapins
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoRemovePage
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddFromNetwork
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Fullscreen
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Cut
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Policies\Microsoft\Windows\System\DisableCMD
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoChooseProgramsPage
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddFromCDorFloppy
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Favorites
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDeletePrinter
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispSettingsPage
                    State:       disabled

                GPO: InsureAdminAbility
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
                    State:       disabled

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A


    Friday, June 08, 2012 2:01 PM
  • . . .

    I've tried almost everything I can think of including removing my machine from the domain.


    Jacob.

    Same here.

    I also created a non admin user.  That made things even worse.  The non admin user can't open anything, much less Metro apps.

    Even after adding the user to the Administrators group, the user still can't open anything.  Explorer and IE10 won't open.  I get messages like "No such interface" or "App not found".  The only way to try anything is to use Task Manager.  At least I can still browse for files from Task Manager.

    I tried to do a fresh install but I get a message abouut a missing a "media driver".  Nothing I tried worked.

    Monday, June 11, 2012 12:52 AM
  • Hello,

    Let's check soem Dcom permissions

    Run dcomcnfg

    Under Component Serverice - Computers-My Computer ( choose properties of my computer)

    Choose the Com Security Tab

    What are the settings under the four buttons on that page and do they change when joining a domain?


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. VAMT - Volume Activation Management Tool - Download link http://www.microsoft.com/downloads/details.aspx?FamilyID=ec7156d2-2864-49ee-bfcb-777b898ad582&displaylang=en

    Monday, June 11, 2012 5:24 PM
  • Ok, I made an attempt to recreate the problem and can't seem to do so. Here is what I did.

    1. Did a fresh install of Win 8 RP. No upgrade, no files transferred.
    2. Added the PC to the domain and logged in as a regular domain user with local admin rights- no issues
    3. Linked my Live account to the profile- still no issues
    4. Verified the new PC in my live account- no issues
    5. Force GPO updates- no issues
    6. restarted my PC- no issues
    7. logged in as a domain admin and linked my live account- still no issues

    If somebody posts their DCOM security settings, I will compare with my own.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

    Monday, June 11, 2012 5:56 PM
  • I can confirm that the settings were the same between a working machine (not domain attached) and the broken machine (attached to the domain).

    Is there anything else that I could check?

    Monday, June 11, 2012 8:05 PM
  • Do you have a group policy relating to the Windows Firewall or WSUS?  It seems that one of these settings is related.
    Monday, June 11, 2012 8:06 PM
  • Has anybody tried this?

    Save the below to a .reg file and merge. Please make sure to backup the registry before changes are made. (http://support.microsoft.com/kb/322756)

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    "MachineLaunchRestriction"=hex:01,00,04,80,90,00,00,00,a0,00,00,00,00,00,00,00,\
      14,00,00,00,02,00,7c,00,05,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
      00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
      00,01,00,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,05,20,00,00,\
      00,32,02,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      2f,02,00,00,00,00,18,00,0b,00,00,00,01,02,00,00,00,00,00,0f,02,00,00,00,01,\
      00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,\
      00,05,20,00,00,00,20,02,00,00
    "MachineAccessRestriction"=hex:01,00,04,80,8c,00,00,00,9c,00,00,00,00,00,00,00,\
      14,00,00,00,02,00,78,00,05,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,\
      00,00,01,00,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,00,00,05,07,00,\
      00,00,00,00,18,00,07,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,32,02,00,\
      00,00,00,18,00,07,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,2f,02,00,00,\
      00,00,18,00,03,00,00,00,01,02,00,00,00,00,00,0f,02,00,00,00,01,00,00,00,01,\
      02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,\
      00,00,20,02,00,00


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

    Tuesday, June 12, 2012 2:44 AM
  • Has anybody tried this?

    Save the below to a .reg file and merge. Please make sure to backup the registry before changes are made. (http://support.microsoft.com/kb/322756)

    Windows Registry Editor Version 5.00

    . . .

    It did not help, not as far as I could tell.  I applied the regfile and it said it was merged.

    No app will run.  Ordinary user, not in domain.

    I checked and the new settings are there.  I also have:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    "DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
      14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
      00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,1f,00,00,00,01,01,00,00,00,00,\
      00,05,04,00,00,00,00,00,14,00,1f,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
      00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
      20,00,00,00,20,02,00,00
    "EnableDCOM"="Y"
    "LegacyImpersonationLevel"=dword:00000002 
    • Edited by Brian Borg Tuesday, June 12, 2012 4:44 AM
    Tuesday, June 12, 2012 4:42 AM
  • Brian, if you are running as an ordinary user it can be a different issue altogether. Make sure you are using the right resolution 1024x768, and make sure you update the video drivers. Remember drivers are still not ready for Win 8 and this can also play a big part in metro apps not running correctly. The registry key above, I believe, is for metro apps that start to load but fail.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

    Tuesday, June 12, 2012 12:08 PM
  • Brian, if you are running as an ordinary user it can be a different issue altogether. Make sure you are using the right resolution 1024x768, and make sure you update the video drivers. Remember drivers are still not ready for Win 8 and this can also play a big part in metro apps not running correctly. The registry key above, I believe, is for metro apps that start to load but fail.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

    Not sure, how this applies. If everything works and then you join it to the domain and they stop working, how is a driver involved?

    Did someone merge this thread with another?

    Tuesday, June 12, 2012 2:57 PM
  • Ok, I tried the .reg file and it didn't work.  To be clear here, everything works fine until I attach to our domain so I'm not sure it's a machine level setting.  It really seems to be GPO related.
    Tuesday, June 12, 2012 4:35 PM
  • My resolution is 1920x1080, the native resolution of the monitor.

    The driver is by AMD and written specifically for the RP, amd_catalyst_win8_release_preview DriverVer=05/30/2012, 8.972.4.0000.

    Tuesday, June 12, 2012 6:42 PM
  • Hi,

    Please try the following group policy to configure Metro App proxy.

    1. Open "Local Group Policy Editor"
    2. Navigate to "Computer Configuration -> Administrative Templates -> Network -> Network Isolation"
    3. Open "Internet Proxy Servers for Apps" and set the value to your proxy server address like 172.16.0.1:8080.


    Niki Han

    TechNet Community Support

    • Proposed as answer by Kiran.C Sunday, January 27, 2013 5:40 AM
    Wednesday, June 13, 2012 8:07 AM
    Moderator
  • Sorry Beaum, I meant to say for users that can't open Metro Apps from day 1.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

    Wednesday, June 13, 2012 10:34 AM
  • Can anyone confirm that the proxy server change fixes things?

    Also, if I take my machine to another network (without a proxy for instance) does this mean that the apps will break?

    • Edited by Comitizer Wednesday, June 13, 2012 3:19 PM
    Wednesday, June 13, 2012 3:19 PM
  • Hi,

    Please try the following group policy to configure Metro App proxy.

    1. Open "Local Group Policy Editor"
    2. Navigate to "Computer Configuration -> Administrative Templates -> Network -> Network Isolation"
    3. Open "Internet Proxy Servers for Apps" and set the value to your proxy server address like 172.16.0.1:8080.


    Niki Han

    TechNet Community Support

    What if you don't have a proxy server?

    • Edited by Brian Borg Friday, June 15, 2012 12:22 AM
    Friday, June 15, 2012 12:10 AM
  • On a good note, I have done a fresh install of Windows 8 RP x64.  For my first login I used my Windows Live ID.  Then, after Windows Update and rebooting, I joined the PC to the domain.

    Apps work!

    Friday, June 15, 2012 4:36 AM
  • So that eliminates GPOs.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

    Friday, June 15, 2012 11:40 AM
  • I suppose it does, although I'm not totally convinced. 

    Does anyone know of a way to try and diagnose these apps?  Is there way to file a bug with MS so they can help?  This is a pretty serious issue...

    Friday, June 15, 2012 1:21 PM
  • So that eliminates GPOs.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”


    It might eliminate the GPO, but it doesn't resolve the issue for some of us. When we join a domain metro apps stop working. I have confirmed this on multiple machines. How can we open a ticket with Microsoft?
    Friday, June 15, 2012 4:58 PM
  • On a good note, I have done a fresh install of Windows 8 RP x64.  For my first login I used my Windows Live ID.  Then, after Windows Update and rebooting, I joined the PC to the domain.

    Apps work!

    I've done this exact scenario and I continue to have issues.
    Friday, June 15, 2012 5:03 PM
  • I've done this exact scenario and I continue to have issues.

    Group Policy is still involved.  I used to disable UAC by setting "UAC :Run all administrators in  Admin Approval Mode" to Disabled

    This is under Default Domain Policy/Computer Configuration/Policier/Windows Settings/Security Settings/Local Policies/Security Options.

    Now It is unconfigured, or Not Defined.

    But UAC on the newly installed workstation is set to "Never notify".  Go figure.

    • Edited by Brian Borg Friday, June 15, 2012 6:10 PM
    Friday, June 15, 2012 6:07 PM
  • I continue to have the problem my self.  I tried multiple things on a couple of different computers and they all end up breaking the Metro Apps.  For me I have narrowed it down to the following.

    Local computer (not on the domain) with .Net Framework 3.5 installed - Metro Apps work fine.

    Domain computer (part of the domain) without .Net Framework 3.5 installed - Metro Apps work fine.

    As soon as I install .Net Framework 3.5 and join the domain the Metro Apps fail to load.  If I install .Net Framework 3.5 first and then join the domain the Metro Apps break as soon as I log in.  If I install .Net Framework 3.5 on a computer after I join the domain the Metro Apps stop working after the first reboot.

    Can anyone having the problem tell me if they have .Net Framework 3.5 installed on a domain joined computer?

    Monday, June 18, 2012 4:10 PM
  • I can confirm that I have the Framework installed.  I'll have to run some tests to see if that's related to the problem.
    Tuesday, June 19, 2012 3:19 PM
  • Has anyone else tested or confirmed that the framework is involved?
    Friday, June 22, 2012 12:32 PM
  • I can confirm that on the domain with .Net Framework 3.5 then the metro apps do not work. Before .Net 3.5 framework was installed but on the domain the metro apps did work.

    Friday, June 22, 2012 2:42 PM
  • As far as I can tell, there is no .NET installed on this machine.  This is in the app that opens in Control Panel\Programs and Features--Add or remove Windows Features.

    There had been TCP Port Sharing under .NET 4.5 in Windows Features but I removed it.

    It did not change anything.  I find that the non-domain user can run apps with no problem.  Any domain user will not be able to run apps.  It does not matter if the domain user is not an administrator nor if the local user is an administrator.  Nor does UAC matter.

    Note, the computer is in the Active Directory domain.
    • Edited by Brian Borg Saturday, June 23, 2012 1:08 AM
    Saturday, June 23, 2012 1:03 AM
  • I think I just found out what broke this at least for me.  Here at work we run a couple of Oracle servers and the client we use requires .Net 3.5.  Windows 8 comes with an RC of .Net 4.5.  Once I install the .Net 3.5 the apps stop working.  Now I think I just need to figure out how to repair the .Net 4.5 install.  Anybody have any ideas on how I can do that?

    I don't have .net 3.5 installed on the broken machine.
    Sunday, June 24, 2012 10:00 PM
  • I experienced the same thing and found the source of the problem:  App locker policy.

    If you have any type of an app locker rule configured in Group Policy, it pretty much does an all-inclusive blacklist of all Metro Apps.  I had to write an 'allow' rule for the metro apps before it would launch and function as expected.

    When i'd kick the machine off the domain, the GPO's would go away....one being the App Locker policy.  Hope that helps.

    • Proposed as answer by Kris Harmon Monday, June 25, 2012 2:30 PM
    • Unproposed as answer by Beaum Monday, June 25, 2012 5:33 PM
    Monday, June 25, 2012 2:30 PM
  • I experienced the same thing and found the source of the problem:  App locker policy.

    If you have any type of an app locker rule configured in Group Policy, it pretty much does an all-inclusive blacklist of all Metro Apps.  I had to write an 'allow' rule for the metro apps before it would launch and function as expected.

    When i'd kick the machine off the domain, the GPO's would go away....one being the App Locker policy.  Hope that helps.


    We don't use App Locker here.
    Monday, June 25, 2012 5:34 PM
  • I experienced the same thing and found the source of the problem:  App locker policy.

    If you have any type of an app locker rule configured in Group Policy, it pretty much does an all-inclusive blacklist of all Metro Apps.  I had to write an 'allow' rule for the metro apps before it would launch and function as expected.

    When i'd kick the machine off the domain, the GPO's would go away....one being the App Locker policy.  Hope that helps.

    That is interesting.  Where is this policy located?

    Do you think there is a default app locker policy or behavior that applies unless you have an allow policy?


    • Edited by Brian Borg Monday, June 25, 2012 7:19 PM
    Monday, June 25, 2012 7:17 PM
  • I didn't have any luck with app locker.  I found it in group policy.  Nothing was set so I tried disabling it, but no luck.

    I started looking at the errors in the event logs when I tried to start an app.  One of these was DistributedCOM event 10001.  I searched and found Event ID 10001 — COM General Functionality.  Resources did not seem to be the problem so I went to the bottom, step 5 of Verify:  "confirm that Access Permissions and Launch and Activation Permissions properties are set properly".

    I did not know what was proper so I just made sure that Activated Users had access and launch permissions by adding that group.

    After that, I was able to open PC Settings for the first time as a domain user.

    I still cannot open the Store but at least it is progress.

    Tuesday, June 26, 2012 12:56 AM
  • I've always been able to run PC settings.  It's just the apps (including the store) that won't run.
    Tuesday, June 26, 2012 4:21 PM
  • I've always been able to run PC settings.  It's just the apps (including the store) that won't run.

    Oh.

    I could not even get the PC Settings screen to open.  I had to use the Control Panel applets.

    Tuesday, June 26, 2012 10:29 PM
  • So I'm guessing no one has an answer?  I still can't get it working.  Is there a way to inform MS?
    Wednesday, July 04, 2012 4:24 PM
  • I keep playing with it but getting nowhere.

    One thing I had tried was going to "C:\Windows\WinStore\microsoft.system.package.metadata". I copied the ,pckgdep and .recovery files that started with the local users SID to similar files starting with my domain users SID.  I think this is what allowed PC Settings to open.

    Note, I am able to open apps as a local user, even when the user is an administrator and with UAC on the lowest setting.  I guess that is progress.

    But what I really don't understand is what are apps good for anyway?  Why take up all of my 24" monitor with something that would only require a fraction of it?

    Thursday, July 05, 2012 1:05 AM
  • After a lot of investigation into this using a virtual machine I have managed to resolve the issue we were having. I found that we had a group policy which was causing the problem, but once the group policy had been applied the problem would not go away, even after removing the policy and taking the machine of the domain.

    The group policy which was causing the issue was changing two settings which were

     both in Computer Config\Policies\Windows Settings\Security Settings\Local Policies\Security Options\

    These were called DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax and DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

    If these policy were set to a machine once then the metro apps would never work again. It appears this policy is not removed once applied once.

    To resolve this I have removed this policy from our Group Policy (as we no longer need it) and also removed the whole regisitry key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\dcom.

    After a reboot the metro apps started working again.

    Hope this is of some help to others

    Thanks

    Rob

    Thursday, July 05, 2012 2:20 PM
  • Awesome. We don't see those group policy entries ourselves. It is good to know that it is a GPO for you. I suspected so. I'll have to go through our policy one entry at a time. I suspect it is centered around security, SCCM/WSUS or local machine firewall policies.
    • Proposed as answer by Niki HanModerator Monday, July 09, 2012 8:27 AM
    • Unproposed as answer by Beaum Monday, July 09, 2012 4:51 PM
    • Marked as answer by Beaum Monday, August 20, 2012 4:23 PM
    Thursday, July 05, 2012 6:47 PM
  • We don't appear to have that policy applied (although I'm not an admin so I could be wrong).  I tend to agree with Beaum, it seems to be related to SCCM/WSUS or firewall policies. 
    • Marked as answer by Niki HanModerator Monday, July 09, 2012 8:28 AM
    • Unmarked as answer by Beaum Monday, July 09, 2012 3:12 PM
    Friday, July 06, 2012 2:45 PM
  • So this is the answer?  So what do we have to do to fix it?
    Monday, July 09, 2012 1:02 PM
  • We don't have those options set in our policies either.  I also looked in the registry on one of my computers that is having the problem and don't see this entry:  HKLM\SOFTWARE\Policies\Microsoft\Windows NT\dcom.

    Monday, July 09, 2012 4:30 PM
  • Awesome. We don't see those group policy entries ourselves. It is good to know that it is a GPO for you. I suspected so. I'll have to go through our policy one entry at a time. I suspect it is centered around security, SCCM/WSUS or local machine firewall policies.

    We need to know what ports need to be opened in the firewall or does wsus really break metro apps?
    Monday, July 09, 2012 4:52 PM
  • Anyone tried this yet?

    http://johndandison.com/blog/post/2012/04/05/Windows-8-Metro-Apps-Store-Windows-Update-WSUS.aspx

    "

    I’ve been building Windows 8 apps for my current employer, so I’ve been running Windows 8 since the developer preview. Consumer Preview brought us the App Store – but I noticed that after some AD moves, I could no longer access the store. Turns out it’s restricted via Windows Update…so this has some large implications.

    First, if you’re getting shut out of the store (“Can’t connect to the Store right now” kind of messages) & on a corporate, managed machine (you’ll see ‘Managed by your system administrator’ in Windows Update) – plus getting stuff like this:

     1: Fault bucket -1485561316, type 5
     2: Event Name: WindowsUpdateFailure2

    in your event viewer whenever you try to install apps, here’s the fix:

     1: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
     2: "DisableWindowsUpdateAccess"=dword:00000000

    Either copy/paste that text into a text file, save it as BobLoblaw.reg & run it, or navigate to that tree & change the DWORD from 1 to 0. Next, go into services.msc & restart the Windows Update service."

    • Proposed as answer by RyanEld Tuesday, July 10, 2012 2:05 PM
    Monday, July 09, 2012 4:54 PM
  • Also this log command might be interesting:

    http://social.technet.microsoft.com/Forums/en-US/w8itprogeneral/thread/5ccf9473-bacf-4271-89e1-037469e759ff

    "

    You can use this PowerShell command to get the log:

    Get-AppxLog
    What does it tell you?"
    Monday, July 09, 2012 4:57 PM
  • Anyone tried this yet?

    http://johndandison.com/blog/post/2012/04/05/Windows-8-Metro-Apps-Store-Windows-Update-WSUS.aspx

    "

    I’ve been building Windows 8 apps for my current employer, so I’ve been running Windows 8 since the developer preview. Consumer Preview brought us the App Store – but I noticed that after some AD moves, I could no longer access the store. Turns out it’s restricted via Windows Update…so this has some large implications.

    First, if you’re getting shut out of the store (“Can’t connect to the Store right now” kind of messages) & on a corporate, managed machine (you’ll see ‘Managed by your system administrator’ in Windows Update) – plus getting stuff like this:

     1: Fault bucket -1485561316, type 5
     2: Event Name: WindowsUpdateFailure2

    in your event viewer whenever you try to install apps, here’s the fix:

     1: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
     2: "DisableWindowsUpdateAccess"=dword:00000000

    Either copy/paste that text into a text file, save it as BobLoblaw.reg & run it, or navigate to that tree & change the DWORD from 1 to 0. Next, go into services.msc & restart the Windows Update service."

    Beaum

    After spending a few hours fighting with this issue your solution has resolved my issue of being unable to purchase or install apps from the App store.

    My machine is domain joined and I'm also the SCCM admin. Because of this I know for fact that we have a GPO that changes the start type of the windows update service to manual as our updates are managed inside of SCCM

    • Proposed as answer by Shopliftin Tuesday, August 21, 2012 11:41 AM
    Tuesday, July 10, 2012 2:08 PM
  • This didn't solve it for me.  :(  Are you running Windows 8 x64 or x86? Do you do anything with your firewall settings in your GPO?
    Tuesday, July 10, 2012 5:23 PM
  • Running windows 8 x64 Consumer preview.

    I'm not aware of every setting in our GPO's but when it pertains to WSUS and we have very little configured.(The bellow options are what are configured in our GPO and are my guess as to what broke the app store for me)

    Computer Configuration > Administrative Templates > Windows Components > Windows updates = Disabled
    Computer Configuration > Windows Settings > Security Settings > System Services > Windows Update = Manual Start

    As for windows firewall  we allow ICMP echo reply and File and print sharing to select subnets. If I had to hazard a guess my issue was related to the fact the windows update service wasn't started. My issue was slightly different then yours in that my apps where opening just couldn't "purchase" apps from the app store.

    Tuesday, July 10, 2012 5:50 PM
  • That doesn't help me either. 

    My apps still don't run and I'm not sure why.  I wish there was more logging.

    Tuesday, July 10, 2012 6:43 PM
  • Here's some info from my setup, which is having the same problem:

    I have installed two fresh Windows 8 Release Preview machines, one on a Samsung Tablet, and the other on a Thinkpad W520.  Both are joined to my domain.

    Whether I try to run metro apps as an administrative or non-administrative user, I always get the same thing - app splash screen shows for a few seconds and then quits.  The event log has several Events with Event ID 10027 in it.

    The detail is "The machine wide limit settings do not grant Local Activation permissions for COM Server applications to <username> <SID> from address LocalHost (Using LRPC) running in the application container <various containers depending what metro app I try>..."

    I notice that my default domain group policy has a modification at ComputerConfiguration\Policies\WindowsSettings\SecuritySettings\LocalPolicies\SecurityOptions\ under an item called "DCOM: Machine Launch Restrictions in SDDL Syntax" which I did not add - I assume this setting is the result of some Windows Update designed to enhance security?  It doesn't seem to be possible to override this setting in a sub OU to test.  I don't want to go disabling legitimate security updates in my domain just to research this.

    Does this info help?

    Tuesday, July 10, 2012 7:51 PM
  • Even more info - if your error is the same as mine:

    I looked into the DCOM Permissions, and found that the right to LocalActivate a DCOM app is granted to the "Distributed COM Users" Domain group - NOTE that there is a Distributed COM Users group on your local PC and also one one the Domain.  The one you want is the domain one.  I just added my user account to this Domain group, and after being VERY patient, all the Metro Apps started working on my Windows 8 Tablet.  It did require a complete shutdown of the tablet though. 

    I'm also not sure what sort of security holes I might have caused by doing this.  Be aware of the potential risk.

    Tuesday, July 10, 2012 9:03 PM
  • When I look at the Windows Security Log, I see Audit Failures for Sensitive Privelege Use, Event 4673, happening at about the same time I try to open the store.

    The events are saying that svchost.exe fails because the Login ID does not have SeTcbPrivilege.

    I also see a DCOM error saying that it was unable to start the server.  I tried playing with DCOM launch and activate permissions.  I also tried setting a policy to give System, Service, and Local Service the "Act as part of the operating system" (SeTcbPrivilege) right.

    None of this helped.

    Wednesday, July 11, 2012 3:34 AM
  • Hi,

    I don't know if i hade the exakt same issue, but i could not start any app on Metro.

    This is what i did to solve it.

    • Click Start, and then click Run.
    • Type comexp.msc, and then click OK. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    • To locate your computer, click Component Services, click Computers, and then click My Computer.
    • Right-click My Computer, click Properties, and then click the COM Security tab.
    • Under Access Permissions, click Edit Limits to check and, if necessary, change the Access Permissions limits on applications that determine their own permissions.

      Under Launch and Activation Permissions, click Edit Limits to check and, if necessary, change the absolute limit on component launch and activation permissions.

    • Use Edit Default for each item to adjust Access Permissions and Launch and Activation Permissions to allow the requested operation to complete.

    \\Dan


    //Dan

    And i had to restart before it applied.
    • Edited by Dannenyo Tuesday, July 31, 2012 9:22 AM
    Tuesday, July 31, 2012 9:20 AM
  • Ok, this is going to sound really strange, but I am going to post anyway to see if it helps.

    I had the same problem with Metro Apps not working as well as not being able to configure my User Account to connect to my Microsoft account.  This became an issue after I connected to the domain here at work.  I had read a number of forums and tried all the fixes (proxy settings, permissions as above etc) and had basically given up, pending the RTM release.  I recently had to present Windows 8 to a number of clients and ended up setting up a totally new account for the demonstration.  Frustrating, but I was able to demonstrate the good things about Windows 8.

    Then I downloaded and installed the SkyDrive App yesterday and again had a number of issues with that, so started searching again for a solution for that issue.  One of the recommendations that I found to resolve this was to login and complete my profile at http://account.live.com. I did this and the Skydrive App started working.

    The other bonus is that now, all of my Metro Apps have begun to work.  I am still connected to the domain, I have altered nothing else, but I have been able to go to PC Settings, go through the process of associating my User Account with my Microsoft Account and now all Metro Apps work.  This does make sense in a weird way in that, I am probably a typical IT user with my Live account - put in the basic information to get the account opened, but not filling out all the fields.  Now that my profile is 100% complete, Metro Apps are happy.  I am guessing that most Microsoft employees have their Live Account profile complete, hence the inability for them to replicate this issue.

    If posting this here helps one other person get past this frustrating issue, that would be great.  Let me know if this works.

    Cheers,

    Kelvin

    Wednesday, August 01, 2012 3:19 AM
  • I've had similar issues on my estate here, and thank you to everyone who have contributed to this thread as it helped me on my way. After a lot of trialing and error with the group policies that we've deployed I found that the offending policy in my environment was \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects. With this setting set to Enabled, Windows 8 UI (Metro Apps) won't work. With this setting disabled they work fine. I found this to be irrespective of any Windows Live account association, and I could recreate it every time at will.

    I certainly hope that Microsoft will resolve this prior to release as having to go through all the group policies was extremely painful....

    Regards,

    Jan

    • Proposed as answer by Igor Sidorov Monday, August 20, 2012 3:52 PM
    Wednesday, August 15, 2012 7:25 AM
  • This issue existed with the last version and continues through to the RP. Something in our group policy is breaking metro apps. Metro apps work fine, including the app store before joining the machine to the domain. Once the machine is joined, all metro apps fail to launch. If I move the machine account and my account into a different OU that blocks our group policy settings, the metro apps start working again. Any ideas?


    We were able to fix our issue. It came down to an entry in group policy that was securing a registry key (winsock2) to our domain users. Resetting the security in the registry fixed the issue. Now we have to figure out why that key was secured back in the day.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters

    • Marked as answer by Beaum Monday, August 20, 2012 4:24 PM
    Wednesday, August 15, 2012 2:00 PM
  • Just an FYI - we experienced this issue as well, and continue to experience it with the final release.  I'm going through each GPO to which setting(s) cause this.

    As mentioned above, Metro apps such as Weather, Bing, News all work without issue, until I join the domain and reboot.

    Monday, August 20, 2012 3:58 PM
  • I've had similar issues on my estate here, and thank you to everyone who have contributed to this thread as it helped me on my way. After a lot of trialing and error with the group policies that we've deployed I found that the offending policy in my environment was \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects. With this setting set to Enabled, Windows 8 UI (Metro Apps) won't work. With this setting disabled they work fine. I found this to be irrespective of any Windows Live account association, and I could recreate it every time at will.

    I certainly hope that Microsoft will resolve this prior to release as having to go through all the group policies was extremely painful....

    Regards,

    Jan

    Oooh, great thanks. On the third day I found the exit. Now Apps're working.
    Monday, August 20, 2012 4:02 PM
  • This worked for me, I was getting the "Your purchase cannot be completed" version of the message.

    1. Domain Attached
    2. Using TrendMicro OfficeScan
    3. Cisco AnyConnect
    4. GPO for WSUS/SCCM settings

    Windows update is controlled via GP and the DisableWindowsUpdateAccess was set true.  Setting to false was instant satisfaction for me.

    Tuesday, August 21, 2012 11:43 AM
  • Hi Eric,

    I suffer the exact same behavior as you have stated. I think everyone is looking at multiple issues here when the original post was about one only. People are getting themselves all confused as to the cause of the problems and the symptoms we are suffering. We're comparing info that shouldn't be compared.

    Basically there are multiple things that break metro apps:

    • DCOM security settings
    • Random GPOs
    • Adding .NET 3.5 as a Windows feature on a domain joined machine

    Personally I am suffering from only downloaded Metro apps crashing after installing .NET 3.5. I am a domain joined machine.

    I'd love to know what is changed on the PC when adding the 3.5 framework. It is almost like .NET 3.5 tries to become the default framework for the Metro apps and they only want to play nice with 4.5 - However even after removing 3.5 again the Metro apps stay broken. Has there been any progress on this issue MS?

    Cheers.

    Tuesday, August 28, 2012 11:28 AM
  • In our windows 8 RTM enterprise 64 bit systems (with language pack ita) we have to explicitly enable the "User Account Control: Run all administrators in Admin Approval Mode" setting (HKLM\Security Settings\Local Policies\Security Options\EnableLUA set to 1) . This setting is disabled by a domain GPO in our environment so that as soon as a W8 pc joins the domain we loose the ability to run all win apps (aka metro apps). These apps fail to start with "cannot open xxxxx if User Account Control is disabled" message box in the Windows "metro" UI

    I haven't still found a reason or explanation for this.

    Anyone has?


    • Edited by achojwa Tuesday, August 28, 2012 2:10 PM
    Tuesday, August 28, 2012 2:10 PM
  • I fixed this issue to change the following registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    "auditbaseobjects"=dword:00000000 

    Now the Metro Apps are working again!

    Saturday, September 01, 2012 9:52 AM
  • I checked that this reg key is already with "zero" value. But the windows apps still show "Cannot open XXXX  if UAC is disabled". Still no solution found!

    Monday, September 03, 2012 8:35 AM
  • I was finally able to fix this issue in my environment. The culprit was my predecessor had incorporated a Win 2k compatibility pack (compatws.inf) directly into Group Policy. The bulk of what this did was modify permissions on hundreds of HKEY Classes Root keys. The three main areas it poked were various file associations such as .exe, .bat, .reg, .txt, and GUIDs in HKR\CLSID and HKR\Interface. I tried to narrow down which particular settings were the cause, but was unable to as it appears that multiple settings are breaking it. In the end I removed all of these changes from Group Policy, which fixed it.

    I was able to narrow this down by creating a new OU and disabling GPO inheritance on it. Then I moved a test workstation into that OU. Once I did this and joined the domain with the test workstation the apps worked. So, then it was simply a slow process of manually reassociating the GPOs until I found the one that contained the offending settings. Once I found that I made a copy of the GPO and linked that to the OU and started removing large portions of settings until I narrowed it down further.

    What really made this approach take so long is that the moment the test workstation joined the domain the settings were applied. So the only way to unapply the settings was to reimage the workstation, make GPO changes, join it back to the domain and repeat.

    • Proposed as answer by Brian Borg Wednesday, September 19, 2012 8:49 PM
    Tuesday, September 18, 2012 3:04 PM
  • This Firewall issue hit the spot. I disabled the Avast Firewall for 15 minutes and the Store and Mail apps started working!!! Need to see how to configure the firewall. Check your firewalls! 

    Update on the Avast Firewall blocking the Windows Store/Mail etc. - Under Avast - Firewall Settings - Expert Settings - Firewall Policies - Enable "Internet Connection Sharing Mode." If you share your computer this is said to give access to your SkyDrive to other users of the PC, but you can shut it off as need be. Solo on my PC. Avast is supposedly working on adjusting this as goes Win 8 goes live. Overall, Avast has been doing one kick-butt job of catching crap especially on sites with infectious content!

    So, if you are using other Security software you may have to check their forums for solutions on how to get to the store, mail, cal, etc. through.

    As far as domains, you may have to work with your network admin and find out about what ports/sites need to be opened up on any of of the firewalls/filters.
    • Proposed as answer by Rich_X Saturday, September 22, 2012 3:21 PM
    • Edited by Rich_X Saturday, September 22, 2012 3:26 PM
    Saturday, September 22, 2012 3:23 AM
  • I searched for a solution all around internet and I finally find a way how to do it:

    Open command prompt as admin and write:

    netsh
    winhttp
    import proxy source=ie

    Hope it helps, unfortunately I do not remember the source of this script.


    Saturday, September 22, 2012 5:02 AM
  • Hello Everyone

    I  just  installed Windows 8  and  during the install it required Avast to be remove,  and then the installation completed, once done I  reinstall the newest  version of avast  and  rebooted.  then all metro apps fail to launch,  atfer seeing Rick_X's inputs  I Disable the Avast and  reboot  now  all the the Metro Apps works!!  not a fix but....

    So  i recommend check your  anti virus program

    I am check with avast for a solution,  

    Wednesday, September 26, 2012 5:52 PM
  • I've had similar issues on my estate here, and thank you to everyone who have contributed to this thread as it helped me on my way. After a lot of trialing and error with the group policies that we've deployed I found that the offending policy in my environment was \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects. With this setting set to Enabled, Windows 8 UI (Metro Apps) won't work. With this setting disabled they work fine. I found this to be irrespective of any Windows Live account association, and I could recreate it every time at will.

    I certainly hope that Microsoft will resolve this prior to release as having to go through all the group policies was extremely painful....

    Regards,

    Jan

    Oooh, great thanks. On the third day I found the exit. Now Apps're working.

    Good Afternoon,

    I have just gone through this ordeal and found this policy setting to be the cause (at least in my case).

    Thursday, October 11, 2012 5:29 PM
  • Like others Avast was stopping this working for me. The component that causes the issue is the Behaviour Shield. You can disable this and leave the rest enabled.

    Cheers

    Paul

    Friday, October 12, 2012 4:06 PM
  • Yes, I had the same problems (no Windows store, no Weather App etc. + Outlook 2007/Mail App cannot connect to the Exchange server (at work)). In my case, it was Firewall of AVG internet Security 2011. After turning it off, everything works fine.
    Sunday, October 28, 2012 9:42 PM
  • Greetings,

    I cannot open  any of the Metro Communications Apps: Mail, Calendar etc:

    This happens on two PC's both are Domain Joined running Windows 8 Final Enterprise x64 all current updates,

    When I try and open the mail app I receive the following error in the event log:

    Event ID 2486 App microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail did not launch within its allotted time.

    I have done the following:

    Uninstalled the app and reinstalled it

    Updated Video Drivers

    Updated Java

    Only group policy in use is Windows Update WSUS

    Not running any third party anti virus

    I have run the Modern App Troubleshooter which is useless says no problems found.

    Cheers

    Justin


    Monday, October 29, 2012 7:05 PM
  • In the end after trying all of this - it turned out to be UAC. We had it disabled for Win 7 in Group Policy. This seems to break Metro in Win 8 and couldn't find a way to unbreak it. Left UAC policy as default in GP and all good.
    Tuesday, October 30, 2012 1:20 AM
  • For us, the solution was to add rights on the system drive (C:) to  "all application packages" object.
    Now Metro apps running fine.

    Laszlo


    Regards, Laszlo

    Tuesday, October 30, 2012 2:14 PM
  • Installed Windows 8, had to active/install .Net 3.5 for SQL Server, joined workstation to our domain and then RT apps (AKA metro) stopped working, store would open but apps would not. EVENTVWR showed these errors:

    Log Name:      Application
    Source:        Microsoft-Windows-Immersive-Shell
    Date:          31/10/2012 11:19:11
    Event ID:      5973
    Task Category: (5973)
    Level:         Error
    Activation of application microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar failed with error: The remote procedure call failed. See the Microsoft-Windows-TWinUI/Operational log for additional information.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Immersive-Shell" Guid="{315A8872-923E-4EA2-9889-33CD4754BF64}" />
        <EventID>5973</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>5973</Task>
        <Opcode>0</Opcode>
        <Keywords>0x2000000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-31T11:19:11.610982000Z" />
        <EventRecordID>2058</EventRecordID>
        <Correlation />
        <Execution ProcessID="2792" ThreadID="800" />
        <Channel>Application</Channel>
        <Computer>AIWRK0053.aicorporation.com</Computer>
        <Security UserID="S-1-5-21-1390067357-1450960922-725345543-2615" />
      </System>
      <EventData>
        <Data Name="AppId">microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar</Data>
        <Data Name="ErrorCode">-2147023170</Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        Microsoft-Windows-Immersive-Shell
    Date:          31/10/2012 11:19:26
    Event ID:      2486
    Task Category: (2414)
    Level:         Error
    Keywords:      (64),Process Lifetime Manager
    Description:
    App microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar did not launch within its allotted time.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Immersive-Shell" Guid="{315A8872-923E-4EA2-9889-33CD4754BF64}" />
        <EventID>2486</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>2414</Task>
        <Opcode>0</Opcode>
        <Keywords>0x2000000000000042</Keywords>
        <TimeCreated SystemTime="2012-10-31T11:19:26.325953900Z" />
        <EventRecordID>2059</EventRecordID>
        <Correlation />
        <Execution ProcessID="2792" ThreadID="4032" />
        <Channel>Application</Channel>
        <Computer>AIWRK0053.aicorporation.com</Computer>
        <Security UserID="S-1-5-21-1390067357-1450960922-725345543-2615" />
      </System>
      <EventData>
        <Data Name="ApplicationId">microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar</Data>
      </EventData>
    </Event>

    Tried many of the fixes on this thread (from the top in the order they appear), in the end i gave "ALL APPLICATION PACKAGES" full control over C:\ (REM to choose override all other permissions).  I am not thrilled at the possible impact but at least the RT/Metro apps work now.

    Wednesday, October 31, 2012 1:34 PM
  • Hi,

    i´ve the same errors.

    My solution was to create a new roaming profile for my domain account. i´ve now a local profile, to switch between my windows 8 laptop and some other windows 7 machines.


    Kind regards Joerg

    • Proposed as answer by JörgS Thursday, November 08, 2012 9:55 AM
    Thursday, November 08, 2012 9:55 AM
  • Hi,

    I'm having exactly the same issue. This all seems centered around Domain Admin accounts, log in to windows 8 with an account that is just a member of Domain Users and all Metro Apps seem to work, at least for me.

    So the question is how does W8 treat Domain Admins differently?

    Regards

    Richard

    Friday, November 09, 2012 2:13 PM
  • It seems, with the new updates installed, metro apps working fine.

    Crossfinger

    Laszlo


    Regards, Laszlo

    Friday, November 16, 2012 4:29 PM
  • For us, the solution was to add rights on the system drive (C:) to  "all application packages" object.
    Now Metro apps running fine.

    Laszlo


    Regards, Laszlo


    YESSS!!! I was finally able to fix this issue in my environment!!! THANK'S!!!
    Friday, November 30, 2012 10:58 AM
  • I had a GPO setting changing permissions on this key: HKEY_Classes_Root\Wow6432Node\Interface

    The GPO was located at: "Computer Configuration > Policies > Windows Settings > Security Settings > Registry".

    The setting was being used to give some users full permissions to this key to use an old access 97 application (that isn't even being used anymore). Because of this, the "ALL APPLICATION PACKAGES" user didn't have permissions to the key or subkeys since it wasn't specified in the GPO setting. I deleted this setting then manually added the permission to a machine to fix it (only a few machines affected, don't know how you'd push this out to an environment. Probably need to use Win Srv 2012).

    I found a bit of info about this user account here: http://technet.microsoft.com/en-us/library/hh832040.aspx

    The "All APPLICATION PACKAGES" account seems to be the security context in which the metro apps run. If permissions are configured incorrectly to certain resources with this account, the apps will crash and fail.

    • Proposed as answer by JMC-Laketown Sunday, January 13, 2013 5:24 PM
    Tuesday, December 11, 2012 4:49 AM
  •  There is some odd issue in Windows 8. I haven't had a chance to figure out what triggers this. This has happened on a few of our domain joined machines.

    What we did was add the local group - ALL APPLICATION PACKAGES under the security group for the localusers AppData folder and granted it read-write permissions.

    I'm not sure of the security of this yet, and I'm sure there is just one or two subfolders that need this permission granted, but I don't have the time right now to go through full diagnosis. This could be totally unrelated.. but you never know :)

    Monday, December 24, 2012 8:13 PM
  • I have .NET 3.5 - I had to install it to run some older software, but since I don't need it anymore I am going to uninstall .net 3.5 and see if it fixes the problem.  Apps worked on domain accounts that existed BEFORE I joined the Win8 Lenovo W510 to the domain, but I had to recreate the user account to fix an exchange mailbox issue (before I knew about Disable-Mailbox!) and sure enough apps stopped working.  I am on RTM Win8 Pro.  I have had this issue before on Win8 Consumer Preview and Release Preview.

    Edit: Removing .NEt 3.5 from Windows Features control panel did not fix the problem.  This issue is really annoying

    • Edited by mmm.333 Saturday, January 05, 2013 7:15 PM
    Saturday, January 05, 2013 12:26 PM
  • Hi,

    Please try the following group policy to configure Metro App proxy.

    1. Open "Local Group Policy Editor"
    2. Navigate to "Computer Configuration -> Administrative Templates -> Network -> Network Isolation"
    3. Open "Internet Proxy Servers for Apps" and set the value to your proxy server address like 172.16.0.1:8080.


    Niki Han

    TechNet Community Support

    If anybody's counting this one worked for me.

    I have the following:

    Win2K8 R2 DC

    WSUS

    Forefront TMG Proxy

    Windows 8 Client

    .NET 3.5


    Sunday, January 06, 2013 1:38 PM
  • Thanks for the post.  After 4 months of trying to figure this out...   I have a domain-joined win-8 laptop.  If I log-in as the local user, all the Metro apps work.  If I log-in as a domain user, they fail.

    Following your advice, I navigated to the domain user's App Data directory and added read/write permissions for the ALL APPLICATION PACKAGES local group (you have to highlight the local machine to add this group - won't come up if you highlight the domain).  ...and MAGIC!

    All metro apps now function with the related domain account.

    Thanks again!


    Jim

    • Proposed as answer by JMC-Laketown Sunday, January 13, 2013 5:27 PM
    Sunday, January 13, 2013 5:26 PM
  • From what I can tell, this only happens when you try to run a Microsoft Live account while on a proper windows domain. It really seems like there should be a way to allow both. 

    After fiddling with the two GPC objects mentioned in this thread, I was able to get a different error from launching a metro app...but I can't seem to figure out a way to have my non-AD account play nice when the computer is joined to the AD.

    Tuesday, January 22, 2013 6:08 AM
  • Also had a problem that Metro apps were no longer working:

    Activation of app microsoft.microsoftskydrive_8wekyb3d8bbwe!Microsoft.MicrosoftSkyDrive failed with error: Access is denied. See the Microsoft-Windows-TWinUI/Operational log for additional information.

    I could fix this by disabling Kaspersky Internet Security 2013: http://forum.kaspersky.com/lofiversion/index.php/t247748.html


    Assumption is the mother of all f*k-ups

    Thursday, January 24, 2013 10:41 AM
  • I had similar issues but for me some apps worked (e.g Store App)and some apps didn't (e.g. News and Finance App).

    For me the solution was two-fold:

    1 On App Data directory added read/write permissions for the ALL APPLICATION PACKAGES local group. 

    2. On "Windows\Microsoft .NET" directory added full control permissions for the ALL APPLICATION PACKAGES local group (I suspect though it will also work with just read/write permissions on the .config files)

    Hopes this helps.

    Cheers!

    Thursday, February 07, 2013 11:47 AM
  • Also had a problem that Metro apps were no longer working:

    Activation of app microsoft.microsoftskydrive_8wekyb3d8bbwe!Microsoft.MicrosoftSkyDrive failed with error: Access is denied. See the Microsoft-Windows-TWinUI/Operational log for additional information.

    I could fix this by disabling Kaspersky Internet Security 2013: http://forum.kaspersky.com/lofiversion/index.php/t247748.html


    Assumption is the mother of all f*k-ups

    Thanks, Kaspersky is the cause of the exact same problem on my PC too. It's prevent me from using the metro Photos, SkyDrive and Windows Phone apps.

    Edit: After a quick google search I've managed to fix my issue by telling Kaspersky to trust the applications: http://forum.kaspersky.com/index.php?showtopic=254704


    • Edited by TechnoToneUK Saturday, February 23, 2013 12:01 AM
    Friday, February 22, 2013 11:53 PM
  • Hello Folks.  I'm not sure if this is in the right spot.  I've had a similar problem and found a solution for me.   In my case all my metro apps lost connectivity to the internet.  Windows Store would say I'm not connected to the internet, etc...   However, Desktop based apps like internet explorer and chrome would work just fine.  I'm not on a domain, not using gpos, not going through a proxy.  Using win 8 Pro.   I tried the dll registration fixes, the font install fixes, and a few other things I've forgotten now.   What finally occurred to me is that at one point I disabled some services that looked 'unnecessary'.   

    Well Once I re-enabled "Network List Service"  my Store started working again (and my other metro apps too).

    For those of you in domain/corporate scenarios, even if this service is running perhaps investigate what ports it or it's dependent services need.

    Thanks,

    Paul

    Tuesday, March 19, 2013 6:29 PM
  • I had similar issues but for me some apps worked (e.g Store App)and some apps didn't (e.g. News and Finance App).

    For me the solution was two-fold:

    1 On App Data directory added read/write permissions for the ALL APPLICATION PACKAGES local group. 

    2. On "Windows\Microsoft .NET" directory added full control permissions for the ALL APPLICATION PACKAGES local group (I suspect though it will also work with just read/write permissions on the .config files)

    Hopes this helps.

    Cheers!

    I have similar issues but for different cause. I have limited space on my boot drive so I moved the c:\program files\WindowsApps folder (which is the location where all metro apps resides) to another drive by using junction folder. And then suddenly the photos, mail, people and calendar app stops working.

    For me the solution that worked was by giving read/write/modify permission to ALL APPLICATION PACKAGES local group to the new junction folder.

    Hope this helps others with similar case.

    Monday, April 01, 2013 2:15 PM
  • For the record, none of these "answers" have fixed the problem. Once you add the machine to a domain (such as a Windows Server Essentials machine) all metro apps for the primary account stop working. I would love to see some sort of fix for this as I find it super annoying!

    Wednesday, April 03, 2013 2:48 AM
  • Can you explain how you reset the security in the registry? That statement is confusing to me :)
    Thursday, April 11, 2013 4:28 AM
  • This is the worst forum ever...people mark their answers as solved an don't even explain what they did? HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters doesn't exist in my registry...nobody tells me how to remove any blocking group policy...I respond and respond and nobody comments. Come on Microsoft, this is a real problem. You want me to use your stupid Win8 start screen, make it work for my corporate domain users. It's kind of a hard sell to upgrade when the OS doesn't even function according to spec!
    Wednesday, April 17, 2013 5:15 AM
  • I have the same issue on multiple machines. these are brand new Dell OptiPlex 9010.  all metro apps worked perfectly fine prior to joining the domain.    Firewall is turned off, Windows updates is pushed through SCCM but at the moment, it isn't set to push any updates.  No Proxy.  Tried all the suggested solutions here and none of them seem to work.

    Microsoft just need to setup test environment and try it out themselves.  Took the PCs off the domain and metro apps work fine but users won't have access to network resource without constantly having to enter in credential---> make Windows 8 useless in a production environment.

    Wednesday, May 08, 2013 11:58 PM
  • when clicking the store it just opened and closed with the following errors being written to the error logs:

    SYSTEM LOG:
    > Unable to start a DCOM Server: Windows.Store as Unavailable/Unavailable. The error:  "2" Happened while starting this command: "C:\Windows\System32\WWAHost.exe" -ServerName:Windows.Store

    APPLICATION LOG
    > Activation of application winstore_cw5n1h2txyewy!Windows.Store failed with error: The system cannot find the file specified. See the Microsoft-Windows-TWinUI/Operational log for additional information.

    > App winstore_cw5n1h2txyewy!Windows.Store did not launch within its allotted time.

    I took an image on my built PC and tried and tried to make it all work and everything I was reading on the internet said it was down to Group Policy.
    In the end I had totally disabled our Group Policy objects and still had the same issue.

    As part of my setup I had added Authenticated Users to the local Administrators group on the PC (so that any user logging in to the domain had local admin rights) and I didn't expect this to be the issue but turns out that it was.
    This is very worrying as I would have through this was something that a large number of companies do to give full rights to their end users.

    THIS IS WHAT RESOLVED THE ISSUE ON 12 PC'S FOR ME

    WINDOWS UPGRADES

    Make sure that Authenticated Users in added to the local Power Users group (Right click COMPUTER, Choose MANAGE, LOCAL USERS AND GROUPS)
    Make sure that Authenticated Users and Domain Users are NOT a member of the local Administrators group (Right click COMPUTER, Choose MANAGE, LOCAL USERS AND GROUPS)
    Run the Upgrade

    CLEAN INSTALLATION
    Install Windows 8
    Login as a LOCAL ACCOUNT (With Administrator rights as default)
    Make sure that Authenticated Users in added to the local Power Users group (Right click COMPUTER, Choose MANAGE, LOCAL USERS AND GROUPS)
    Make sure that Authenticated Users and Domain Users are NOT a member of the local Administrators group (Right click COMPUTER, Choose MANAGE, LOCAL USERS AND GROUPS)
    Add the computer to the domain and reboot when prompted
    Login as the domain user

    Once you have done this you can then add Authenticated Users to the local Administrators group and everything seems fine.

    Tuesday, May 14, 2013 10:19 AM