Forum Discussion
Win 11 OEM Activation problems on Laptop w/ Win 10 S Mode
I purchased an HP laptop model 15-dw3033dx from Best Buy a few years ago. These had Windows 10 in S-Mode preinstalled.
First thing I did after OOBE and initial activation was to go to the Windows Store and switch the laptop out of S-Mode, then I did a clean install of Windows 10 Home. I run it with a local account only.
When I did a clean install from a fresh Win 11 Home 25H2 download with a local account, the system activated as expected.
However, when I did a Win 11 Home 25H2 install with a customized autounattend.xml file and local account, I get an activation error with code 0xC004C003. I installed from the SAME media to the SAME laptop, the only difference being having the custom autounattend.xml file or not.
I then did a clean install of Win11 Home 25H2 WITHOUT the custom autounattend.xml file and logged in with a Microsoft account. The Activation was normal.
On the same laptop and same media, I reinstalled Win 11 25H2 Home using the custom autounattend.xml file and logged in with a Microsoft Account. This time, I get an activation error with code 0x8004FE94. This time I am given an option to activate by phone, but the countries listed go from Afghanistan to Palau, and nothing past Palau.
There was an option to say I changed hardware on the device so I gave that a try. I get an "Unable to activate Windows" message.
Bottom Line - on the same laptop (sold w/ Win10 S Mode and switched out) and same install media, clean install of Windows 11 Home activates normally, customized autounattend.xml install gives activation error.
I have some other similar devices at a local nonprofit to migrate to Win11 so all suggestions and insights are welcome!
3 Replies
- Brycennin, Brass Contributor
Ensure that the product key is valid and not corrupted. You can try to activate Windows 11 using the product key on the original installation media to see if it works.
- Mustafoan, Brass Contributor
This error indicates that the activation server cannot find a suitable license key for the device, often related to hardware changes or how the product key or digital license is being recognized.
- Mousefluff, Iron Contributor
Windows 11 25H2 Basic Sysprep Post-Generalization Checklist:
1.) Avoid installing new drivers, personalizing the operating system, or UWP / .NET MAUI Apps before activation.
2.) The system clock has to be synchronized with a remote time server, or you will be unable to open a socket to connect to the activation server. The system clock cannot synchronize itself without Location Services being partially enabled:
Settings -> Time & language -> Date & time -> Time zone
Settings -> Time & language -> Date & time -> Additional clocks -> Date and Time -> Change date and time...
Settings -> Time & language -> Date & time -> Additional clocks -> Internet Time -> Change settings... -> Server -> time.cloudflare.com
Settings -> Time & language -> Language & region -> Windows display language
Settings -> Time & language -> Language & region -> Country or region
Settings -> Time & language -> Language & region -> Regional format
Settings -> Privacy & security -> Account info -> Account info access -> On
Settings -> Privacy & security -> Account info -> Let apps access your account info -> On
Settings -> Privacy & security -> File system -> File system access -> On
Settings -> Privacy & security -> File system -> Let apps access your file system -> On
Settings -> Privacy & security -> Location -> Location services -> On
Settings -> Privacy & security -> Location -> Let apps access your location -> On ( turn off precise location access for all apps )
Settings -> Apps -> Advanced app settings -> Choose where to get apps -> Anywhere
Settings -> Apps -> Advanced app settings -> Share across devices -> My devices only
Settings -> Apps -> Advanced app settings -> Archive apps -> Off
3.) The network stack, including network adapters, has to be fully configured, with both TLS 1.3 and HTTP/3 also enabled using PowerShell or by adding registry entries.
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13}"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {((Get-TlsCipherSuite | Format-Table Name -Wrap -AutoSize | Out-String -Stream -Width 32767 | Select-String -Pattern 'TLS') -Replace ' ','') | Enable-TlsCipherSuite;Get-TlsEccCurve | Format-Table Name -Wrap -AutoSize | Out-String -Stream -Width 32767 | Enable-TlsEccCurve;}"
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /V DisabledByDefault /T REG_DWORD /D 00000000 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /V Enabled /T REG_DWORD /D 00000001 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /V DisabledByDefault /T REG_DWORD /D 00000000 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /V Enabled /T REG_DWORD /D 00000001 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /V DisabledByDefault /T REG_DWORD /D 00000000 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /V Enabled /T REG_DWORD /D 00000001 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /V DisabledByDefault /T REG_DWORD /D 00000000 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /V Enabled /T REG_DWORD /D 00000001 /F
REG ADD HKLM\SYSTEM\ControlSet001\Services\HTTP\Parameters /V EnableHttp2Tls /T REG_DWORD /D 00000001 /F
REG ADD HKLM\SYSTEM\ControlSet001\Services\HTTP\Parameters /V EnableHttp3 /T REG_DWORD /D 00000001 /F
REG ADD HKLM\SYSTEM\ControlSet001\Services\HTTP\Parameters /V EnableAltSvc /T REG_DWORD /D 00000001 /F
4.) The Windows Defender Firewall has to have firewall rules, both created and enabled, for the following programs / services. It is possible to activate using a VPN tunnel with a similar firewall ruleset, given the DNS Client, DHCP Client, W32tm, and Windows Time Service firewall rules, all have overlap with each other, according to the official documentation provided by Microsoft:
Windows Time Service ( W32Time )
W32tm ( C:\Windows\System32\w32tm.exe )
DNS Client ( Dnscache )
DHCP Client ( Dhcp )
Background Intelligent Transfer Service ( BITS )
Cryptographic Services ( CryptSvc )
Windows License Manager Service ( LicenseManager )
Windows Activation Client ( C:\Windows\System32\SLUI.exe )
((netsh advfirewall reset)&(CMD /Q /C START /MIN /REALTIME PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetAdapter -Name 'v* (Default Switch)' -IncludeHidden | Disable-NetAdapter -Confirm:$False;Get-HNSNetwork | Remove-HNSNetwork;Get-NetFirewallRule -Direction Inbound -Enabled True | where DisplayName -like 'HNS Container Networking*' | Remove-NetFirewallRule}")&(CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block -AllowUnicastResponseToMulticast False -NotifyOnListen True -EnableStealthModeForIPsec True}")&(CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule}"))
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Remove-NetFirewallRule -DisplayName 'App Updater Essential ( * )';}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( Windows Time Service )' -Profile Any -InterfaceType Any -Protocol UDP -LocalPort 123 -RemotePort Any -Service W32Time}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( W32tm )' -Profile Any -InterfaceType Any -Program 'C:\Windows\System32\w32tm.exe' -Protocol UDP -LocalPort 123 -RemotePort Any}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( DHCP Client TX )' -Profile Any -Protocol UDP -LocalPort Any -RemotePort 53,5353,443,67,68,2535 -InterfaceType Any -Service Dhcp}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( DHCP Client RX )' -Profile Any -Protocol UDP -LocalPort 53,5353,443,67,68,2535 -RemotePort Any -InterfaceType Any -Service Dhcp}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( DNS Client TX )' -Profile Any -Protocol UDP -LocalPort Any -RemotePort 53,5353,443,67,68,2535 -InterfaceType Any -Service Dnscache}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( DNS Client RX )' -Profile Any -Protocol UDP -LocalPort 53,5353,443,67,68,2535 -RemotePort Any -InterfaceType Any -Service Dnscache}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater ( Background Intelligent Transfer Service )' -Enabled False -Profile Any -Protocol Any -Service BITS}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater ( Cryptographic Services )' -Enabled False -Profile Any -Protocol Any -Service CryptSvc}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater ( Windows License Manager Service )' -Enabled False -Profile Any -Protocol Any -Service LicenseManager}"
IF EXIST "C:\Windows\System32\SLUI.exe" CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater ( Windows Activation Client )' -Enabled False -Profile Any -Program 'C:\Windows\System32\SLUI.exe' -Protocol Any}"
5.) Activating Windows 10 / 11 using the ADK requires you to use Slmgr:
"Microsoft Learn - Slmgr.vbs options for obtaining volume activation information - Global options" -> https://learn.microsoft.com/en-us/windows-server/get-started/activation-slmgr-vbs-options#global-options
NOTE: Once you fetch the DNS queries, you really only have to whitelist the following two programs / services before running Slmgr:
Windows License Manager Service ( LicenseManager )
Windows Activation Client ( C:\Windows\System32\SLUI.exe )
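
A read-only audit of the state the checklist in the reply above sets up, as an added example that is not part of the reply or of any Microsoft tooling. It assumes an elevated PowerShell session and that the firewall rules carry the 'App Updater' display names used in the reply's commands; it changes nothing on the machine.

```powershell
# Added example: reports the settings from the checklist without modifying them.

# Which control set is live? The REG ADD commands write to ControlSet001,
# which only takes effect if HKLM\SYSTEM\Select\Current is 1.
$current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select').Current
'Active control set: ControlSet{0:D3}' -f $current

# SCHANNEL protocol values from step 3 (blank columns mean the value is absent).
$root = 'HKLM:\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols'
$tls = foreach ($proto in 'TLS 1.2', 'TLS 1.3') {
    foreach ($role in 'Client', 'Server') {
        $v = Get-ItemProperty -Path (Join-Path $root "$proto\$role") -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key               = "$proto\$role"
            Enabled           = $v.Enabled
            DisabledByDefault = $v.DisabledByDefault
        }
    }
}
$tls | Format-Table -AutoSize

# Firewall posture from step 4: the profiles are set to block outbound by default,
# so an activation rule that exists but is disabled still blocks the traffic.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize
Get-NetFirewallRule -DisplayName 'App Updater*' -ErrorAction SilentlyContinue |
    Sort-Object DisplayName |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize

# Services named in the checklist.
Get-Service -Name W32Time, Dnscache, Dhcp, BITS, CryptSvc, LicenseManager |
    Format-Table Name, Status, StartType -AutoSize

# Time synchronisation state from step 2.
w32tm /query /status

# Licence state of the installed Windows edition (LicenseStatus 1 = licensed).
Get-CimInstance -ClassName SoftwareLicensingProduct `
    -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'" |
    Format-Table Name, Description, LicenseStatus -AutoSize
```

The reply creates the BITS, Cryptographic Services, License Manager and SLUI rules with `-Enabled False`, so the second table shows at a glance which of them still need enabling before Slmgr is run.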