Quick question for administrators in the enterprise environment who manage Microsoft 365 licenses (volume licenses, E3/E5): Are you currently experiencing problems with Windows Pro systems no longer activating or losing activation? I have received reports from readers about this issue. It is probably not an isolated case, and it may be a certificate issue.
I was contacted directly on Twitter by Fu Weissinger, who is affected and pointed me to the following tweet from Klaus, who described the issue:
In the Enterprise environment, the machines lose their activation and are downgraded from Enterprise to the Windows Pro base license or cannot be reactivated with the Enterprise volume licenses (Microsoft 365 E3/E5 licenses). In the above case, it is now Windows 10 Pro 21H2 (build 19044.1706, activation via digital license). Fu Weissinger wrote me in a private message that he observes something similar in his environment.
Hello Mr. Born, we are currently experiencing Windows activation problems. Especially in combination with M365 Windows licenses, i.e. Windows licenses that are assigned on a per-user basis. It seems to me that a certificate on the MS side is no longer valid. Have you heard about this as well? I thought it was us first, via Twitter I have seen similar messages.
He posted the following on Twitter and suspects a problem with certificates based on the error message (because he gets the message when opening the license or check URL with a browser):
On Twitter, more users confirm these activation problems. Here are some messages:
Enrique Róo Moares: Hi Klaus, I have the same issues with different customers since Friday. Did you move to the "New Commercial Experience" on the licensing side over the last weeks? We have devices in HAADJ and AAD only with the same issues and no luck so far with both write-up from @Mister_MDM
Martin Schmidl: Yes same for a customer… I think I checked all logs and executed all tasks there are.
Currently there are two more victims confirming that. On my German blog, I got the following comment from a victim in response to my blog post.
Yes, 500 computers downgraded from Enterprise to Pro, almost freaking out.
Message: Windows 10 Enterprise subscription is invalid
Rudy Ooms has another article that describes the issue too. I am receiving more and more similar feedback from German readers. Is anyone else affected?
Addendum: A German blog reader left a comment with a (temporary) workaround. He distributes a script with SCCM to affected Windows 10 Pro machines. The script has the following command:
cscript.exe C:\Windows\System32\slmgr.vbs -ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
This sets the dummy key provided by Microsoft to install Windows 10 Enterprise. While activation with the volume key is refused (subscription not valid), the generic key is accepted, and the machines are activated as Windows 10 Enterprise.
Feedback from Microsoft
German blog reader Tobias S. has escalated the issue via a partner to Microsoft and got the following answer (thanks for that):
Hello xxx,
Hope you are doing good!
I am Aman SEE for xxx, I review the case and found that the issue is at backed at tenant level. This is a known issue, and I am working on this with PG team.
I already shared the case summary and my findings with PG. I will update you once PG team update me with the next set of action.
Also, as this is a known issue, we are getting high volume for the same, I do not have an ETA for the fix but based on the trend so far it might take 2 to 3 days.
Appreciate your patience!
Aman xxx
M365 WDA
Customer Service & Support
Same Issue here in Switzerland, several customers are affected. Ticket escalation is ongoing by Microsoft Premier Support.
Did you receive any feedback from Microsoft?
Did they check the certificate? It looks like they forgot all the DNS names in the subject alternative name attribute.
Try to contact your MS support to get this solved.
I have 6 laptops with an OEM:DM key stored in the BIOS for Windows 10 Pro.
I've assigned M365 E3 licences to users. These are showing as assigned in both Office Admin Portal and Azure AD.
I've successfully connected the laptops to our corporate AD domain (100% in Azure, not Hybrid) and connected them to MDM. They're successfully enrolled in Intune and Autopilot.
Windows 11 Enterprise still won't activate when a licensed user logs in. Anyone have any suggestions please?
Hi all
Responding from Cape Town, South Africa.
Currently having the same issue with a project I did. 13 laptops were done all the same, however, only 1 Windows Enterprise Pro 11 is not activating. Tried to run the troubleshooter in order to get the option for "I changed hardware on this device recently" and then you can log in with your E3 account (or so I thought). It is looking for a personal Microsoft account instead of the work and school account I used to join the user to the AD Azure domain.
My next step is to run the cscript.exe C:\Windows\System32\slmgr.vbs -ipk NPPR9-FWDCX-D2C8J-H872K-2YT43 script and see if that does anything but first want to find out whether someone else tried it and succeeded.
Same here in Switzerland.
3 Customers with same problem. Only a few clients affected. But all together we are talking about 500 Clients in 4 weeks.
Hi Thomas,
Yes :-),
Best Regards for Switzerland
Guillaume Devaud
Did anyone ever find the cause and a solution?
Hello,
You can add the following script to Intune: https://intune.microsoft.com/?ref=AdminCenter#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/scripts
Platform scripts tab, then Add Windows 10 and Later
Name: Autopilot to ensure Windows 11 Enterprise license acquisition
Application description: Autopilot to ensure Windows 11 Enterprise license acquisition
PowerShell script: Windows11Enterprise_Activation.ps1
Execute this script using login credentials: Yes
Check script signature: Yes
Run script on 64-bit PowerShell host: No
Groups included: Your Win11 devices

PowerShell script:
# Define the registry key path and value
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MfaRequiredInClipRenew"
$registryValueName = "Verify Multifactor Authentication in ClipRenew"
$registryValueData = 0 # DWORD value of 0
# S-1-5-4 is the well-known SID of the INTERACTIVE group
$sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-4")

# Check if the registry key already exists
if (-not (Test-Path -Path $registryPath)) {
    # If the key doesn't exist, create it and set the DWORD value
    New-Item -Path $registryPath -Force | Out-Null
    Set-ItemProperty -Path $registryPath -Name $registryValueName -Value $registryValueData -Type DWORD
    Write-Output "Registry key created and DWORD value added."
} else {
    Write-Output "Registry key already exists. No changes made."
}

# Grant the INTERACTIVE group (S-1-5-4) FullControl on the registry key, with inheritance.
# The rule below is FullControl, not read-only: every interactively logged-on user can modify this key.
$acl = Get-Acl -Path $registryPath
$ruleSID = New-Object System.Security.AccessControl.RegistryAccessRule($sid, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($ruleSID)
Set-Acl -Path $registryPath -AclObject $acl
Write-Output "Added 'Interactive' group and SID ($sid) with FullControl permissions (with inheritance) to the registry key."

# Start the scheduled task
Get-ScheduledTask -TaskName 'LicenseAcquisition' | Start-ScheduledTask
#Start-Process "$env:SystemRoot\system32\ClipRenew.exe"
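
Added example, not part of the original post or of any comment: a read-only PowerShell check that reports what the two workarounds on this page leave behind on a machine, namely whether the generic key ending in 2YT43 is installed, whether the MfaRequiredInClipRenew key exists, and which rights the INTERACTIVE group holds on it. The function name Get-ActivationAudit and the output property names are made up for this example; the registry path, value name, SID, task name and key suffix are taken from the page, and the ApplicationID is the one Windows uses in the SoftwareLicensingProduct WMI class.

```powershell
# Added example: read-only audit, changes nothing on the machine.
function Get-ActivationAudit {
    $keyPath      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MfaRequiredInClipRenew'
    $valueName    = 'Verify Multifactor Authentication in ClipRenew'
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'  # Windows ApplicationID in SoftwareLicensingProduct

    # Edition the machine is running right now (Professional vs. Enterprise)
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # The Windows license entry that has a product key installed
    $license = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object -First 1

    # Workaround footprint: key, value, and what INTERACTIVE (S-1-5-4) may do with the key
    $keyExists = Test-Path -Path $keyPath
    $mfaValue = $null
    $interactiveRights = @()
    if ($keyExists) {
        $mfaValue = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
        $rules = (Get-Acl -Path $keyPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $interactiveRights = @($rules |
            Where-Object { $_.IdentityReference.Value -eq 'S-1-5-4' -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.RegistryRights.ToString() })
    }

    # Last run of the scheduled task that the script above starts
    $task = Get-ScheduledTask -TaskName 'LicenseAcquisition' -ErrorAction SilentlyContinue
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo }

    [pscustomobject]@{
        Edition             = $edition
        LicenseName         = $license.Name
        Channel             = $license.Description
        Licensed            = ($license.LicenseStatus -eq 1)       # 1 = licensed
        GenericKeyInstalled = ($license.PartialProductKey -eq '2YT43')
        WorkaroundKeyExists = $keyExists
        MfaValue            = $mfaValue
        InteractiveRights   = ($interactiveRights -join '; ')
        TaskLastRun         = $taskInfo.LastRunTime
        TaskLastResult      = $taskInfo.LastTaskResult
    }
}

Get-ActivationAudit | Format-List
```

Once the subscription activation works again, machines that still report GenericKeyInstalled as True or InteractiveRights as FullControl are the ones where the temporary workarounds have not been rolled back.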