Forum Discussion
Win 11 OEM Activation problems on Laptop w/ Win 10 S Mode
Windows 11 25H2 Basic Sysprep Post-Generalization Checklist:
1.) Avoid installing new drivers, personalizing the operating system, or UWP / .NET MAUI Apps before activation.
2.) The system clock has to be synchronized with a remote time server, or you will be unable to open a socket to connect to the activation server. The system clock cannot synchronize itself without Location Services being partially enabled:
Settings -> Time & language -> Date & time -> Time zone
Settings -> Time & language -> Date & time -> Additional clocks -> Date and Time -> Change date and time...
Settings -> Time & language -> Date & time -> Additional clocks -> Internet Time -> Change settings... -> Server -> time.cloudflare.com
Settings -> Time & language -> Language & region -> Windows display language
Settings -> Time & language -> Language & region -> Country or region
Settings -> Time & language -> Language & region -> Regional format
Settings -> Privacy & security -> Account info -> Account info access -> On
Settings -> Privacy & security -> Account info -> Let apps access your account info -> On
Settings -> Privacy & security -> File system -> File system access -> On
Settings -> Privacy & security -> File system -> Let apps access your file system -> On
Settings -> Privacy & security -> Location -> Location services -> On
Settings -> Privacy & security -> Location -> Let apps access your location -> On ( turn off precise location access for all apps )
Settings -> Apps -> Advanced app settings -> Choose where to get apps -> Anywhere
Settings -> Apps -> Advanced app settings -> Share across devices -> My devices only
Settings -> Apps -> Advanced app settings -> Archive apps -> Off
3.) The network stack, including network adapters, has to be fully configured, with both TLS 1.3 and HTTP/3 also enabled using PowerShell or by adding registry entries.
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13}"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-TlsCipherSuite | ForEach-Object { Enable-TlsCipherSuite -Name $_.Name };Get-TlsEccCurve | ForEach-Object { Enable-TlsEccCurve -Name $_ }}"
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /V DisabledByDefault /T REG_DWORD /D 00000000 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /V Enabled /T REG_DWORD /D 00000001 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /V DisabledByDefault /T REG_DWORD /D 00000000 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /V Enabled /T REG_DWORD /D 00000001 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /V DisabledByDefault /T REG_DWORD /D 00000000 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /V Enabled /T REG_DWORD /D 00000001 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /V DisabledByDefault /T REG_DWORD /D 00000000 /F
REG ADD "HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /V Enabled /T REG_DWORD /D 00000001 /F
REG ADD HKLM\SYSTEM\ControlSet001\Services\HTTP\Parameters /V EnableHttp2Tls /T REG_DWORD /D 00000001 /F
REG ADD HKLM\SYSTEM\ControlSet001\Services\HTTP\Parameters /V EnableHttp3 /T REG_DWORD /D 00000001 /F
REG ADD HKLM\SYSTEM\ControlSet001\Services\HTTP\Parameters /V EnableAltSvc /T REG_DWORD /D 00000001 /F
4.) The Windows Defender Firewall has to have firewall rules, both created and enabled, for the following programs / services. It is possible to activate using a VPN tunnel with a similar firewall ruleset, given that the DNS Client, DHCP Client, W32tm, and Windows Time Service firewall rules all overlap with each other, according to the official documentation provided by Microsoft:
Windows Time Service ( W32Time )
W32tm ( C:\Windows\System32\w32tm.exe )
DNS Client ( Dnscache )
DHCP Client ( Dhcp )
Background Intelligent Transfer Service ( BITS )
Cryptographic Services ( CryptSvc )
Windows License Manager Service ( LicenseManager )
Windows Activation Client ( C:\Windows\System32\SLUI.exe )
((netsh advfirewall reset)&(CMD /Q /C START /MIN /REALTIME PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetAdapter -Name 'v* (Default Switch)' -IncludeHidden | Disable-NetAdapter -Confirm:$False;Get-HNSNetwork | Remove-HNSNetwork;Get-NetFirewallRule -Direction Inbound -Enabled True | Where-Object DisplayName -like 'HNS Container Networking*' | Remove-NetFirewallRule}")&(CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block -AllowUnicastResponseToMulticast False -NotifyOnListen True -EnableStealthModeForIPsec True}")&(CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule}"))
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Remove-NetFirewallRule -DisplayName 'App Updater Essential ( * )';}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( Windows Time Service )' -Profile Any -InterfaceType Any -Protocol UDP -LocalPort 123 -RemotePort Any -Service W32Time}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( W32tm )' -Profile Any -InterfaceType Any -Program 'C:\Windows\System32\w32tm.exe' -Protocol UDP -LocalPort 123 -RemotePort Any}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( DHCP Client TX )' -Profile Any -Protocol UDP -LocalPort Any -RemotePort 53,5353,443,67,68,2535 -InterfaceType Any -Service Dhcp}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( DHCP Client RX )' -Profile Any -Protocol UDP -LocalPort 53,5353,443,67,68,2535 -RemotePort Any -InterfaceType Any -Service Dhcp}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( DNS Client TX )' -Profile Any -Protocol UDP -LocalPort Any -RemotePort 53,5353,443,67,68,2535 -InterfaceType Any -Service Dnscache}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater Essential ( DNS Client RX )' -Profile Any -Protocol UDP -LocalPort 53,5353,443,67,68,2535 -RemotePort Any -InterfaceType Any -Service Dnscache}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater ( Background Intelligent Transfer Service )' -Enabled False -Profile Any -Protocol Any -Service BITS}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater ( Cryptographic Services )' -Enabled False -Profile Any -Protocol Any -Service CryptSvc}"
CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater ( Windows License Manager Service )' -Enabled False -Profile Any -Protocol Any -Service LicenseManager}"
IF EXIST "C:\Windows\System32\SLUI.exe" CMD /Q /C START /MIN PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'App Updater ( Windows Activation Client )' -Enabled False -Profile Any -Program 'C:\Windows\System32\SLUI.exe' -Protocol Any}"
5.) Activating Windows 10 / 11 using the ADK requires you to use Slmgr:
"Microsoft Learn - Slmgr.vbs options for obtaining volume activation information - Global options" -> https://learn.microsoft.com/en-us/windows-server/get-started/activation-slmgr-vbs-options#global-options
NOTE: Once you fetch the DNS queries, you really only have to whitelist the following two programs / services before running Slmgr:
Windows License Manager Service ( LicenseManager )
Windows Activation Client ( C:\Windows\System32\SLUI.exe )
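A verification script to run from an elevated PowerShell before invoking Slmgr, added here as an example and not part of the original post: it checks the clock source, the SCHANNEL and HTTP.sys registry values, the 'App Updater' rule names from the checklist above (assumed unchanged), the default outbound firewall action, and the licensing state that slmgr.vbs /xpr reports.

```powershell
# Added post-checklist verification script (not from the original post). Assumes the
# registry paths and 'App Updater' rule display names used in the checklist; run elevated.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Clock: W32Time must be running and synced to a network source, not the CMOS clock
$w32 = Get-Service -Name W32Time -ErrorAction SilentlyContinue
Add-Check 'W32Time service running' ($w32 -and $w32.Status -eq 'Running') "$($w32.Status)"
$status = (w32tm /query /status 2>&1) -join "`n"
$source = ($status -split "`n" | Where-Object { $_ -match '^Source:' }) -join ''
Add-Check 'w32tm synced to a network source' ($source -match 'Source:\s*\S+' -and $source -notmatch 'Local CMOS Clock') $source

# 2. SCHANNEL: TLS 1.2 and 1.3 client entries enabled and not DisabledByDefault
foreach ($v in '1.2', '1.3') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS $v\Client"
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    Add-Check "TLS $v client enabled" ($p -and $p.Enabled -eq 1 -and $p.DisabledByDefault -eq 0) "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

# 3. HTTP.sys: HTTP/3 flag written by the REG ADD step
$http = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' -ErrorAction SilentlyContinue
Add-Check 'HTTP/3 enabled' ($http.EnableHttp3 -eq 1) "EnableHttp3=$($http.EnableHttp3)"

# 4. Firewall: rules must exist; the two activation rules are created disabled and must be
#    switched on before Slmgr runs, so they are checked for Enabled = True here
$required = @(
    'App Updater Essential ( Windows Time Service )',
    'App Updater Essential ( DNS Client TX )',
    'App Updater ( Windows License Manager Service )',
    'App Updater ( Windows Activation Client )'
)
foreach ($name in $required) {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    Add-Check "Rule present and enabled: $name" ($rule -and $rule.Enabled -eq 'True') "Enabled=$($rule.Enabled)"
}
$openProfiles = Get-NetFirewallProfile | Where-Object DefaultOutboundAction -ne 'Block'
Add-Check 'Outbound default is Block on all profiles' (@($openProfiles).Count -eq 0) (($openProfiles.Name) -join ',')

# 5. Licensing state: slmgr.vbs /xpr prints whether the machine is permanently activated
$xpr = (cscript //nologo "$env:windir\System32\slmgr.vbs" /xpr 2>&1) -join ' '
Add-Check 'Windows reports permanent activation' ($xpr -match 'permanently activated') $xpr

$results | Format-Table -AutoSize
```

Any row with Pass = False points at the checklist step that still needs attention; the licensing row is expected to fail until Slmgr has been run.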