After extensive troubleshooting, hours after hours, I have finally located a certainly interesting problem with the install routine of modern apps, including the immersive control panel in Windows 8.1 (with Update).
Problem description
Whenever a user logs into a domain joined Windows 8.1 machine all modern apps included in the image have “x” / crosses on them and they cannot be started. Also the immersive control panel an all its settings are unavailable. A few of the error messages and codes:
Trying to start a modern app:
This app can’t open. There’s a problem with <app name>. Contact your system administrator about repairing or reinstalling it
or
This app does not support the contract specified or is not installed.
and in Swedish:
Den här appen stöder inte det angivna avtalet eller så har det inte installerats.
Trying to install an app using Add-AppxPackage PowerShell cmdlet:
Add-AppxPackage : Deployment failed with HRESULT: 0x80073CF6, Package could not be registered. error 0x8007064A: Cannot register the request because the following error was encountered while initializing the windows.repositoryExtension extension: The configuration data for this product is corrupt. Contact your support personnel.
Cause
After going through a bunch of GPOs and hundreds of settings and excluding the most likely settings I finally reached out to what turned out to be the cause. Simply the use of “restricted groups” in group policies to add NT AUTHORITY\SYSTEM to the local Administrators group on the Windows 8.1 machines is what is the cause. The problem can easily be reproduced by adding SYSTEM to the Administrators group on domain or non-domain joined machines.
BE AWARE: SYSTEM has more privileges on a Windows box than an Administrator. Adding SYSTEM to the local administrators group effectively lowers the privileges of the SYSTEM account which apart from apparently causing modern apps to fail have a bunch of other unpredicted results on a Windows machine.
Solution
The solution is to remove SYSTEM from the local Administrators group from being applied via restricted groups. Adding the group SYSTEM to the local Administrators group is not necessary as SYSTEM is a member of the Administrators group per default, although it is not visible in the GUI (Computer Management).