Windows 7 users have reported that immediately after log on, they were presented with a Windows Activation window: “Windows is not genuine. Your computer might not be running a counterfeit copy of Windows. 0x80070005, and more….” Microsoft explained that its caused by lack of permissions in the registry key HKU\S-1-5-20. “The Network Service account must have full control and read permissions over that registry key. This situation may be the result of applying a Plug and Play Group Policy object (GPO). Computer Configuration / Policies / Windows Settings /Security Settings / System Services / Plug and Play (Startup Mode: Automatic).” Customers affected by this issue can turn to one of two workarounds detailed by Microsoft, documented below:
Method A: Disable the Plug and Play Policy
Method A: Disable the Plug and Play Policy
- Determine the source of the policy. To do this, follow these steps:
- On client experiencing Activation error, run Resultant Set of Policy wizard by clicking Start, Run and entering rsop.msc as the command.
- Visit following location: Computer Configuration / Policies / Windows Settings /Security Settings / System Services / If Plug & Play service is configured through a Group Policy setting, you see it here with settings other than Not Defined. Additionally, you can see which Group Policy is applying this setting.
- Disable Group Policy settings and force Group Policy to be reapplied.
- Edit Group Policy that's identified in Step 1 and change setting to “Not Defined.” Or, follow the section below to add required permissions for Network Service account.
- Force Group Policy setting to reapply: gpupdate /force (a restart of the client's sometimes required)
- Open Group Policy that's identified in Method A, Step 1 above, and open corresponding Group Policy setting.
- Click Edit Security button, and then click Advanced button.
- In Advanced Security Settings for Plug & Play window click Add and then add SERVICE account. Then, click OK
- Select following permissions in Allow section and then click OK: Query template
Query status
Enumerate dependents
Interrogate
User-defined control
Read permissions
Note: Previous rights’re the minimum required permissions.
- Run gpupdate /force after you apply previous permissions to Group Policy setting.
- Verify that appropriate permissions're applied with following command: sc sdshow plugplay
following’re the rights applied to Plug & Play service in SDDL:
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWLOCRRC;;;IU)
(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
(A;;CC LC SW LO CR RC ;;;SU is an Access Control Entry (ACE) that allows the following rights to "SU" (SDDL_SERVICE – Service logon user)
A: Access Allowed
CC: Create Child
LC: List Children
SW: Self Write
LO: List Object
CR: Control Access
RC: Read Control
SU: Service Logon User
Note: If there’re no GPO's in place, then another activity may’ve changed default registry permissions. To work around this issue, perform following steps:
- On computer that’s out of tolerance, start Registry Editor.
- Right-click registry key HKEY_USERS\S-1-5-20, and select Permissions...
- If NETWORK SERVICE isn’t present, click Add...
- In Enter object names to select type Network Service and then click Check Names and OK.
- Select NETWORK SERVICE and Grant Full Control and Read permissions.
- Restart computer.
- After restart, system may require activation. Complete the activation.