Windows 11 Enterprise Upgrade Issues and how to Fix (Subscription not active)

Quick blog post here explaining an Intune remediation to fix devices where they do not activate via a subscription.

If your device looks like this then you don’t need to follow this guide

If for any reason you have Not active in the subscription, this could mean that the CLIP Service store has become corrupt and no longer tries to activate with the user’s account.

To fix I wrote a quick intune remediation script based on https://call4cloud.nl/2022/02/escape-from-windows-10-pro/’s article

Detection

$WindowsSKU = (Get-WmiObject Win32_OperatingSystem).OperatingSystemSKU
if ($WindowsSKU -eq 4) {
Write-Output "Windows edition is Enterprise ($WindowsSKU)"
Exit 0
} elseif ($WindowsSKU -eq 175) {
Write-Output "Windows edition is Mutli-user Enterprise ($WindowsSKU)"
Exit 0
} else {
Write-Output "Windows edition is not Enterprise ($WindowsSKU)"
Exit 1
}

This uses WMI to look at the Windows SKU and 0 is all ok don’t run and 1 is this needs to run.

 Remediation

# Define the registry key path and value
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MfaRequiredInClipRenew"
$registryValueName = "Verify Multifactor Authentication in ClipRenew"
$registryValueData = 0 # DWORD value of 0
$sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0") # SID for the Everyone group

# Check if the registry key already exists
if (-not (Test-Path -Path $registryPath)) {
# If the key doesn't exist, create it and set the DWORD value
New-Item -Path $registryPath -Force | Out-Null
Set-ItemProperty -Path $registryPath -Name $registryValueName -Value $registryValueData -Type DWORD
Write-Output "Registry key created and DWORD value added."
} else {
Write-Output "Registry key already exists. No changes made."
}

# Add read permissions for SID (S-1-1-0, Everyone) to the registry key with inheritance
$acl = Get-Acl -Path $registryPath
$ruleSID = New-Object System.Security.AccessControl.RegistryAccessRule($sid, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($ruleSID)
Set-Acl -Path $registryPath -AclObject $acl
Write-Output "Added 'Everyone' group and SID ($sid) with read permissions (with inheritance) to the registry key."

#Remove the # below to make sure it will kick off the scheduled task on already enrolled devices
Get-ScheduledTask -TaskPath \Microsoft\Windows\Subscription\ | Enable-ScheduledTask
#Start-Process "$env:SystemRoot\system32\ClipRenew.exe"
Get-ScheduledTask -TaskPath \Microsoft\Windows\Subscription\ -TaskName EnableLicenseAcquisition | Start-ScheduledTask

Nice and simple fix, stop the CLIP Service, run the Clip clean up state command via the clipc.dll and restart the service.

This clears the clip service license information and when the device next logs in it will reactivate Windows Subscription and the Store apps.

A reboot is next needed, so comms to the end users asking them to do this, unless you want to be cruel and run shutdown -r -t 60.

A gotcha to look out for though is after the 1st reboot the system will activate and download the Windows 11 Pro upgrade package.  This can be seen in the event viewer > Apps > Microsoft > Windows > Store > Admin logs.

Once you see that, or you give the end user 5 minutes, another reboot is needed after which you will get Active on the subscription service and happy days.

Inside of Intune I recommend configuring the proactive remediation as such:

First upload the 2 script files, set it to run with 64 bit PowerShell, though that’s not really needed.

When assigning it, I would suggest doing all users (you may want to target just Staff), scoped to corporate devices and tell it to only run once.

The running once is important, you only want this to run once to reset the clip service database, not every reboot.

Short and sweet.  Enjoy