When you run a cutover or Offline Domain Join (ODJ) job, the BT-ReACLPrepareWin10Profiles task fails on the first attempt with the following registry access errors:
Unable to update Registry key '\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice':
System.ComponentModel.Win32Exception (0x80004005): SetSecurityInfo: Access is denied
Unable to update Registry key '\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice':
System.ComponentModel.Win32Exception (0x80004005): SetSecurityInfo: Access is denied
Unable to update Registry key '\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice':
System.ComponentModel.Win32Exception (0x80004005): SetSecurityInfo: Access is denied
This issue occurs because recent Microsoft security hardening changes introduced the UserChoice Protection Driver (UCPD).
By default, UCPD prevents third-party applications (including ReACL tools) from modifying UserChoice registry keys. These keys store user-selected default app preferences. Windows enforces this restriction to block unauthorized changes and protect user settings.
Resolution 1: Prevention measures to avoid possible icon flickering after cutover
To prevent this, disable UCPD before running the cutover job and re-enable UCPD after the cutover completes.
The scripts for this are attached below.
Note: This solution only works for workstations that have not been ReACLed before.
Resolution 2: Fix for Workstation Issues Post-Migration (Flickering due to File Association Error)
For workstations that have already been migrated, follow the steps below.
Disable UCPD Service
This can be done using the script attached to the KB. The script also restarts the workstation, which is required to disable the UCPD service.
Delete Affected Registry Entries
Open Registry Editor (regedit) as Administrator and delete the keys listed below for the affected user SID.
In our testing, we just removed them for all the users. The one ending with classic may not need to be removed.
Keys to delete:
HKEY_USERS\<UserSID>\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http
HKEY_USERS\<UserSID>\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https
HKEY_USERS\<UserSID>\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\pdf
HKEY_USERS\<UserSID>\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf
Re-enable UCPD Service
This can be done using the script attached to the KB. The script also restarts the workstation, which is required to enable the UCPD service. Once the machine has rebooted, check the behavior.
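The "Delete Affected Registry Entries" step, as an added PowerShell example (not the script attached to the KB and not vendor code): it exports each of the four keys listed above to a .reg file and then deletes it, for every user hive currently loaded under HKEY_USERS. The backup folder and the SID pattern are assumptions; run it elevated while UCPD is disabled, and pass -WhatIf for a dry run.

```powershell
#Requires -RunAsAdministrator
# Added example: back up, then delete, the four per-user keys listed in this article.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$BackupDir = 'C:\Temp\UserChoiceBackup',  # assumption: placeholder folder
    [string]$UserSid                                   # optional: limit to one SID
)

# Key paths exactly as listed in the article, relative to HKEY_USERS\<UserSID>.
$subKeys = @(
    'Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http',
    'Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https',
    'Software\Microsoft\Windows\Shell\Associations\UrlAssociations\pdf',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Assumption: user hives are those named with a domain (S-1-5-21-...) or
# Entra ID (S-1-12-1-...) account SID; hives with any suffix are not matched.
$sids = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
    ForEach-Object { $_.PSChildName }
if ($UserSid) { $sids = @($sids) -eq $UserSid }

foreach ($sid in $sids) {
    foreach ($sub in $subKeys) {
        $regPath = "HKEY_USERS\$sid\$sub"
        if (-not (Test-Path -LiteralPath "Registry::$regPath")) { continue }

        # e.g. <SID>-UrlAssociations-pdf.reg vs <SID>-FileExts-pdf.reg
        $parts  = $sub -split '\\'
        $backup = Join-Path $BackupDir ('{0}-{1}-{2}.reg' -f $sid, $parts[-2], $parts[-1].TrimStart('.'))

        if (-not $PSCmdlet.ShouldProcess($regPath, 'Export to .reg and delete')) { continue }
        & reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Backup failed, not deleting $regPath"; continue }
        try {
            Remove-Item -LiteralPath "Registry::$regPath" -Recurse -Force -ErrorAction Stop
            Write-Output "Deleted $regPath (backup: $backup)"
        } catch {
            # "Access is denied" here matches the UCPD block described above.
            Write-Warning "Could not delete ${regPath}: $($_.Exception.Message)"
        }
    }
}
```

Only hives of users who are currently logged on are loaded under HKEY_USERS, so profiles that are not loaded are not touched by this example.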
Important Note: Support does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 “Description of the Microsoft Windows registry” at Microsoft Support.