Windows desktop icons flickering after cutover (4379562)

When you run a cutover or Offline Domain Join (ODJ) job, the BT-ReACLPrepareWin10Profiles task fails on the first attempt with the following registry access errors:

Unable to update Registry key '\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice': 
System.ComponentModel.Win32Exception (0x80004005): SetSecurityInfo: Access is denied

Unable to update Registry key '\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice': 
System.ComponentModel.Win32Exception (0x80004005): SetSecurityInfo: Access is denied

Unable to update Registry key '\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice': 
System.ComponentModel.Win32Exception (0x80004005): SetSecurityInfo: Access is denied

This issue occurs due to recent Microsoft security hardening changes that introduced the UserChoice Protection Driver (UCPD).

By default, UCPD prevents any third-party applications (including ReACL tools) from modifying UserChoice registry keys. These keys store user-selected default app preferences. Windows enforces this restriction to block unauthorized changes and protect user settings.

Resolution 1: Prevention measures to avoid possible icon flickering after cutover

We have received reports of desktop icon flickering after the cutover when ODMAD is unable to ReACL the UserChoice registry keys protected by UCPD. To prevent this issue from occurring in upcoming device cutovers, you can disable UCPD before running the cutover job and re-enable UCPD after the cutover completes.

1.  Prior to device cutover, open PowerShell as Administrator, then run the below PowerShell command
    
   Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UCPD" -Name "Start" -Value 4 -Force
   Disable-ScheduledTask -TaskName '\Microsoft\Windows\AppxDeploymentClient\UCPD velocity'
   
   
2. Restart the machine
   
   
3. Perform the cutover job in ODMAD
   
   
4. After the device cutover is complete, open PowerShell as Administrator, then run the below PowerShell command
   
   

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UCPD" -Name "Start" -Value 1 -Force
Enable-ScheduledTask -TaskName "\Microsoft\Windows\AppxDeploymentClient\UCPD velocity" -ErrorAction SilentlyContinue

Attached below are scripts that can help with automating the process of enabling and disabling UPCD.

Resolution 2: Fix for Workstation Issues Post-Migration ((Flickering due to File Association Error)

1. Disable UCPD Service
   
   Open PowerShell as Administrator, then run the below PowerShell command
    
   Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UCPD" -Name "Start" -Value 4 -Force
   Disable-ScheduledTask -TaskName '\Microsoft\Windows\AppxDeploymentClient\UCPD velocity'
   
   
2. Restart your machine before proceeding to the next step.
   
   
3. Delete Affected Registry Entries
   
   Open Registry Editor (regedit) as Administrator and delete the following keys for the affected user SID: 
   In our testing, we just removed them for all the users.  The one ending with classic may not need to be removed. 
    
   HKEY_USERS\<UserSID>\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http
   HKEY_USERS\<UserSID>\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https
   HKEY_USERS\<UserSID>\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\pdf
   HKEY_USERS\<UserSID>\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf
   
   
4. Re-enable UCPD Service
   
   After the registry cleanup, reopen PowerShell as Administrator and run the below PowerShell command
    
   Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UCPD" -Name "Start" -Value 1 -Force
   Enable-ScheduledTask -TaskName '\Microsoft\Windows\AppxDeploymentClient\UCPD velocity'
   
   
5. Restart the machine again 
   
   

Important Note: Support does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 “Description of the Microsoft Windows registry” at Microsoft Support.