Windows 10 Professional Hybrid Azure AD joined will not update to Enterprise when license assigned

Simon Burbery 516 Reputation points

Hi all, hoping someone has tried this and may have some answers... reading the docs, I should be able to assign a CSP Windows 10 Enterprise license to a user that currently has Win 10 Pro (for example to enable them to run Direct Access or machine based Always On VPN). However, in my initial tests I have been unable to see the OS change from Pro to Ent. I found this from 2017:

The suggested fix was very convoluted (aka unacceptable!) but I thought I would give it a try on my Win 10 Pro 1909 setup. Even after leaving the on prem domain, logging in as local admin (which seems to be the only way to get the option to 'join Azure AD' during setting up work or school account), then joining Azure AD and logging in with a user assigned the Win 10 Ent E3 license, it still remained Win 10 Pro. It seems that this is supposed to work, even automatically without these steps if the machine is 'Hybrid Azure AD joined', which this client's machines are. Really frustrating to read about these things and discuss them with clients, only for them not to work. Even if the above process worked, how you gonna do that for 200 workstations across the globe? Stink bro!

Keen to hear if anyone has used this method successfully on latest OS versions, thanks!



4 answers

  1. Manu Philip 14,551 Reputation points MVP

    Hello @Simon Burbery ,

    Here are the notes for upgrading Windows 10 Pro to Enterprise for your setup

    Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible.

    There are many methods available to assign the license. I have one of them.
    Sign in to and open the user properties as shown below and assign the license:


    Now that your Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro

    To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up

    1. Go to Settings > Accounts > Access work or school
    2. In Set up a work or school account, click Join this device to Azure Active Directory under Alternative Actions
    3. On the Let’s get you signed in page, enter the Azure AD credentials, and then click Sign in
    4. Now the device is Azure AD joined to the company’s subscription.
    5. Verify that the license is activated

    Please mark as "Accept the answer" if the above steps help you. Others with similar issues can also follow the solution as per your suggestion.



  2. Jenny Feng 701 Reputation points


    For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:

    Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
    Azure Active Directory (Azure AD) available for identity management.
    Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.

    For more information, please refer to the following article:

    Hope the above information can help you.

  3. moderor 1 Reputation point

    Not sure if the below note applies. I haven't set enterprise up, but I'm looking into it at the moment and found this note:

    An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0.
    Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled".

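The prerequisites named in the answers above (edition and build, join state, and the Windows Update policy value) can be read in one pass on an affected device. This is an added example, not part of any answer in this thread or of Microsoft's documentation; the variable and function names are illustrative, and it assumes an elevated Windows PowerShell session on the Windows 10 device.

```powershell
# Added example: read-only check of the prerequisites discussed in this thread.
# It changes nothing on the device; it only reports what it finds.

# 1. Edition and build. The answers require Windows 10 Pro, version 1703 or later;
#    build 15063 corresponds to version 1703.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber

# 2. Join state, parsed from "dsregcmd /status" lines such as "AzureAdJoined : YES".
$dsreg = dsregcmd /status
function Get-DsregValue([string]$Name) {
    $hit = $dsreg | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}
$aadJoined    = Get-DsregValue 'AzureAdJoined'
$domainJoined = Get-DsregValue 'DomainJoined'

# Answer 2: only Azure AD joined or Hybrid Azure AD joined devices are supported.
$joinState = if ($aadJoined -eq 'YES' -and $domainJoined -eq 'YES') {
    'Hybrid Azure AD joined'
} elseif ($aadJoined -eq 'YES') {
    'Azure AD joined'
} else {
    'Not supported (workgroup-joined or Azure AD registered)'
}

# 3. The Windows Update policy value from the note quoted in answer 3.
#    Absent or 0 is fine; 1 matches the condition that note describes.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuName = 'DoNotConnectToWindowsUpdateInternetLocations'
$wuVal  = (Get-ItemProperty -Path $wuKey -Name $wuName -ErrorAction SilentlyContinue).$wuName

[pscustomobject]@{
    Edition              = $cv.EditionID          # e.g. Professional or Enterprise
    Build                = $build
    BuildMeetsMinimum    = $build -ge 15063
    AzureAdJoined        = $aadJoined
    DomainJoined         = $domainJoined
    JoinState            = $joinState
    WindowsUpdatePolicy  = if ($null -eq $wuVal) { 'not set' } else { $wuVal }
    PolicyBlocksUpgrade  = $wuVal -eq 1
} | Format-List
```

If `PolicyBlocksUpgrade` is `True`, the value is normally delivered by the Group Policy setting named in answer 3, so correct it there rather than in the registry, where it would be reapplied at the next policy refresh.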

  4. Craig Vibert 1 Reputation point


    I think there is a known bug:
    An issue has been identified with Hybrid Azure AD joined devices that have enabled multi-factor authentication (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. Or it drops off when getting renewed after 30 days.

    I have had a ticket open with Premier support for about 6 weeks as this is not good.