none
PUR-Authentication failure when installing an app from Microsoft Store from hybrid Azure AD joined computer RRS feed

  • General discussion

  • I am sharing this finding as it could be helpful for others!

    Scenario:
    A hybrid Azure AD joined computer fails to install apps from Microsoft Store and gives following annoying error message knowing the use of Microsoft Account was disabled using GPO:

    After closing and trying to login, the below error message is displayed:

    Research:
    I figured out that the service Microsoft Account Sign-in Assistant is disabled on all affected computers which sounds to be normal at first look because of deactivation Microsoft Account use.

    However, I changed the start type of that service to Manual then attempt to install app(s) from Microsoft Store. This time I got the below screen where I clicked "No, thanks" and the app installed:

    However I noticed that as soon as the service Microsoft Account Sign-in Assistant started, the service start type set to "Disabled" and that is strange to me. On per System event log, the service was disabled by system. After the service stopped, I cycled into the same issue for installing new apps until I change the service start type to manual.

    Solution:
    By investigating, I figured out that the use of AllowMicrosoftAccountSignInAssistant was disabled and which caused the service to be disabled upon start-up by itself (I guess).

    By changing the value of AllowMicrosoftAccountSignInAssistant from 0 to 1 in the below registry location and setting the service Microsoft Account Sign-in Assistant start type to manual, all started to work as expected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Accounts

    By reviewing all GPO settings in place, we could not find the setup the registry key so not sure where it comes from!

    Programmatic Solution:

    Open cmd with elevated permission on the affected computer then execute below two commands to resolve the issue:

    reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Accounts" /v AllowMicrosoftAccountSignInAssistant /t REG_DWORD /d 1 /f

    sc config wlidsvc start= demand

    Hope this information would help others in the same situation!


    • Changed type GWORLD_S Thursday, May 2, 2019 12:56 PM
    • Edited by GWORLD_S Thursday, May 2, 2019 5:58 PM
    Thursday, May 2, 2019 12:56 PM

All replies

  • Thank you sooooooooooooooooo much !!!

    This problem had been driving me crazy for months !!!!!!

    You're the boss...

    Friday, May 10, 2019 9:00 AM