Windows 11 - Prevent S mode

[n.meijer@pontifexcertific]

Hello all,

Before posting this I have checked for other threads, including "Enabling Windows S mode". In this thread it's suggested to quit S-mode by adding the .reg file, I have integrated this reg file into my Windows image. But when I'm running the unattended install I still get Windows 11 in S-mode.

I checked Google, asked ChatGPT for help, but so far no luck. I think the embedded Windows product key is set to S-mode and overrules other settings I've tried to apply. In theory I could login into the MS Store, disable S-mode, but I have about 100 laptops to image. So this is quite a nuisance.

Am I missing a setting in NTLite that facilitates this? Should I remove a specific component or disable a specific service? Can I add something to the SetupComplete.cmd or run a FirstBoot.ps1?

I hope anyone can help me.

Thanks!

 

[tistou77]

If you don't want S mode, why not just install "non-S" Windows directly ?

 

[garlin]

S mode is simply a copy of Windows where specific reg keys are enabled in the image. It's not a separate Windows product.

The policy is supported on most W10 editions, and W11 Home.

If you're using a clean image, there should be no S mode keys. Are you using some setup, where Autopilot provisioning takes over? NTLite doesn't have any specific settings to manage S mode. There is no individual component or service, it's part of the kernel security model to deny the specific use of non-approved apps.

To confirm your image has S mode enabled:
1. Load image into NTLite.
2. Open regedit, look for the HKLM\NLTmp*System* sub-tree. Check if "ControlSet001\Control\CI\Policy" has any S mode keys.

Any other source would have come from an integrated .PPKG provisioning update, or Autopilot.

 

[n.meijer@pontifexcertific]

Thanks for the quick response. I want to use the image on many different models and different built in licenses (Home or Edu), so I just downloaded the Windows 11 using the Media Creation Tool. I have Home, Pro and Education in the image, I removed the Home N, Pro N and Edu N editions. There is no Autopilot Provisioning.

I did like you suggested and exported the subtree:
[HKEY_LOCAL_MACHINE\NLTmp~58435c71~SYSTEM\ControlSet001\Control\CI\Policy]
"EmodePolicyRequired"=dword:00000000
"SkuPolicyRequired"=dword:00000000
"VerifiedAndReputablePolicyState"=dword:00000002
"WindowsLockdownTrialMode"=dword:00000000

I integrated these values in a previous attempt to force it to not use S-Mode:
"SkuPolicyRequired"=dword:00000000
"WindowsLockdownTrialMode"=dword:00000000

I'm still testing different things, but it seems if I disable Secure Boot on the Bios, it installs Windows without S-mode, when I have it turned on it installs Windows with S-mode.

I'm using the unattended Windows to install a trimmed down version on very basic laptops, which have the Windows keys stored on the device. So I think the installation checks the Windows key, recognizes it as a S-mode activation and overrides other values. Once I use the Windows Store Switch Out of S-Mode subsequent clean installs seem to install without S-mode. But I have to image a couple of 100 laptops, so would prefer not to manually switch out of S-mode for all. Or Disable/Enable secure boot. Plus I don't want to login into a MS account on all the laptops.

For now the Secure Boot thing seems to do the trick, but I'd prefer it to work without Disabling this in bios first.

EDIT: I know some sort of server-client think would be better, but I'm using 300-400 euro laptops that just run a single program for online testing. So it's just a one time install.

 

[garlin]

Try this trick: use the generic Home key [YTMG3-N6DKC-DKB77-7M9GH-8HVX7] in the Unattended file, as the install (not activation) key.

This might override Windows install's logic for enforcing the S policy. I'm wondering if your laptops are actually sold as Windows SE.

 

[shabarkat]

install windows in S-Mode
sign in with your microsoft account
open store and search for switch out of S-mode
install the app to switch off S-Mode permanently