Event 1098: "Error: 0xCAA5001C Token broker operation failed" in Windows 10

Applies to: Windows 10, version 1903, all editions; Windows 10, version 1809, all editions; Windows 10, version 1709, all editions

Symptoms


After you log on to a Windows 10-based computer, you try to access Microsoft Store for Business. However, Azure Active Directory authentication fails, and events are logged in the Microsoft-Windows-AAD/Operational log, including event ID 1098 with "Error: 0xCAA5001C Token broker operation failed".



In addition to Microsoft Store for Business, this issue may affect Enterprise State Roaming.

Cause


This issue occurs if permissions or ownership are missing or incorrect on one or both of the following registry keys:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR
HKEY_USERS\S-1-5-21-299502267-1950408961-849522115-1818\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR
Note Match the SID reported for the user in event ID 1098 to the path under HKEY_USERS. In this example, it is S-1-5-21-299502267-1950408961-849522115-1818. HKEY_USERS\{SID} is the same subtree that HKEY_CURRENT_USER points to while that user is logged on, so the two paths name one key for the affected user.

Resolution


To resolve this issue, follow these steps:
  1. Take ownership of the key if necessary (Owner = SYSTEM).
  2. Fix the permissions on these registry keys by enabling inheritance. Because HKEY_CURRENT_USER is an alias for HKEY_USERS\{SID} of the logged-on user, fixing one fixes both for that user; on a device where several users log on, repeat the fix under each affected user's SID:
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR
    HKEY_USERS\S-1-5-21-299502267-1950408961-849522115-1818\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR
    With inheritance enabled, the PSR key should carry the following permissions (SystemAppData below stands for CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData):
    Type  | Principal                                                                             | Access       | Inherited from | Applies to
    Allow | S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272 (app package SID) | Query Value | None | This key only
    Allow | SYSTEM                                                                                | Full Control | SystemAppData  | This key and subkeys
    Allow | Domain User Account (user@contoso.com)                                                | Full Control | SystemAppData  | This key and subkeys
    Allow | Administrators (COMPUTER\Administrators)                                              | Full Control | SystemAppData  | This key and subkeys
    Allow | CREATOR OWNER                                                                         | Full Control | SystemAppData  | Subkeys only
    Note: If you view the permissions of the ~\PSR registry key under HKEY_USERS\{SID}, the Inherited from field shows the same SystemAppData path under HKEY_USERS\{SID} instead of under CURRENT_USER.
    Do not work around the error by granting Everyone or Authenticated Users Full Control on the key. The only explicit (non-inherited) entry the key needs is the Query Value entry for the app package SID; every other entry should arrive by inheritance from SystemAppData.

    If this does not resolve the issue, consider running Process Monitor while reproducing the authentication attempt, and look for ACCESS DENIED results in other areas of the registry or file system that could be causing the authentication failure. If you discover any, add them to this article.
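As an added example (not code from the original article), the following PowerShell script audits the PSR key's owner, inheritance and access entries against the table above and, when run with -Repair, performs steps 1 and 2. It assumes an elevated PowerShell session on the affected device; the -Sid and -Repair parameters and the Get-PsrAclReport function are names chosen for this example, while the key path and the app package SID are the article's values.

```powershell
<#
  Added example, not part of the original article. Audits the PSR key ACL described in
  the Resolution section and, with -Repair, enables inheritance and sets Owner = SYSTEM.
  Assumptions: elevated PowerShell session on the affected device; -Sid is the SID from
  event 1098 (defaults to the current user); expected principals come from the article's table.
#>
[CmdletBinding()]
param(
    [string]$Sid,      # SID reported in event 1098; default: the current (elevated) user
    [switch]$Repair    # apply the fixes; without it the script only reports
)

if (-not $Sid) {
    $Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
}

$relPath   = 'Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR'
$keyPath   = "Registry::HKEY_USERS\$Sid\$relPath"
$pkgSid    = 'S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272'
$systemSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'

# HKEY_USERS\<SID> exists only while that user's hive is loaded (user logged on, or hive loaded manually).
if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Key not found: $keyPath. Is the user's hive loaded, and is the SID the one from event 1098?"
}

function Get-PsrAclReport {
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    # Principals that should hold Full Control by inheritance from ...\AppModel\SystemAppData
    $missing = foreach ($p in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER') {
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $p -and $_.IsInherited -and
            (($_.RegistryRights -band $full) -eq $full)
        }
        if (-not $hit) { $p }
    }
    # Get-Acl shows an unresolvable package SID as the raw SID string
    $pkgAce = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $pkgSid }
    [pscustomobject]@{
        Path             = $Path
        Owner            = $acl.Owner
        OwnerIsSystem    = ($acl.GetOwner([System.Security.Principal.SecurityIdentifier]) -eq $systemSid)
        InheritanceOn    = -not $acl.AreAccessRulesProtected
        MissingInherited = @($missing)
        PackageQueryAce  = [bool]$pkgAce
        Acl              = $acl
    }
}

$report = Get-PsrAclReport -Path $keyPath
$report | Select-Object Path, Owner, OwnerIsSystem, InheritanceOn, MissingInherited, PackageQueryAce | Format-List
$report.Acl.Access | Format-Table -AutoSize IdentityReference, RegistryRights, IsInherited, InheritanceFlags

if (-not $Repair) { return }

$acl = $report.Acl
if (-not $report.InheritanceOn) {
    # Step 2: unblock inheritance; explicit entries already on the key (the package SID ACE) are kept
    $acl.SetAccessRuleProtection($false, $false)
}
if (-not $report.OwnerIsSystem) {
    # Step 1: setting the owner to SYSTEM (rather than to yourself) needs SeRestorePrivilege, which
    # elevated Administrators hold but PowerShell does not enable on its own. If Set-Acl fails with
    # "not allowed to be the owner", take ownership in regedit (Advanced > Owner) and rerun the audit.
    $acl.SetOwner($systemSid)
}
Set-Acl -LiteralPath $keyPath -AclObject $acl

# Re-audit: after the fix the inherited Full Control entries should be present
$after = Get-PsrAclReport -Path $keyPath
if (-not $after.InheritanceOn -or $after.MissingInherited.Count -gt 0) {
    Write-Warning "PSR key still differs from the expected ACL; check the parent SystemAppData key, then trace with Process Monitor as described above."
}
```

Run it first without -Repair and compare the printed entries with the table: an entry for Everyone or Authenticated Users, a missing inherited SYSTEM entry, or InheritanceOn = False each point at a broken key. The re-audit after -Repair deliberately checks only inheritance and the inherited principals, because the package SID entry is explicit and is not restored by enabling inheritance.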