ערוך

שתף באמצעות


Deploy Windows Enterprise licenses

This article describes how to deploy Windows Enterprise E3 or E5 licenses with subscription activation or Enterprise E3 in CSP and Microsoft Entra ID.

These activation features require a supported and licensed version of Windows Pro:

  • Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA).
  • Enterprise E3 in CSP.
  • Automatic, non-KMS activation also requires a device with a firmware-embedded activation key.
  • Subscription activation requires Enterprise per user licensing. It doesn't work with per device licensing.

Enable subscription activation with an existing EA

EA customers with an existing Microsoft 365 tenant can use the following steps to enable Windows subscription licenses on the existing tenant:

  1. Work with the reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on the current Windows Enterprise SA license:

    SKU Description
    AAA-51069 Win OLS Activation User Alng Sub Add-on E3
    AAA-51068 Win OLS Activation User Sub Add-on E5
    VRM-00001 Win OLS Activation User GCC Sub Per User

    Note

    As of October 1, 2022, subscription activation is available for commercial and GCC tenants. It's currently not available on GCC High or DoD tenants.

  2. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses is provisioned on the tenant.

  3. Subscription licenses can now be assigned to users.

To update contact information and resend the activation email, use the following process:

  1. Sign in to the Microsoft Volume Licensing Service Center.

  2. Select Subscriptions.

  3. Select Online Services Agreement List.

  4. Enter the agreement number, and then select Search.

  5. Select the Service Name.

  6. In the Subscription Contact section, select the name listed under Last Name.

  7. Update the contact information, then select Update Contact Details. This action triggers a new email.

Prepare for deployment: reviewing requirements

  • Devices must be running a supported version of Windows Pro.
  • Microsoft Entra joined, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.

For more information, see Review requirements on devices, later in this article.

Active Directory synchronization with Microsoft Entra ID

If there's an on-premises Active Directory Domain Services (AD DS) domain, identities in the on-premises AD DS domain need to be synchronized with Microsoft Entra ID. This synchronization is required for users to have a single identity that they can use to access their on-premises apps and cloud services that use Microsoft Entra ID. An example of a cloud service is Windows Enterprise E3 or E5.

For more information about integrating on-premises AD DS domains with Microsoft Entra ID, see the following resources:

Assign licenses to users

After the Windows subscription is ordered, an email is sent with guidance on how to use Windows as an online service. The following methods are available to assign licenses:

  • When the required Microsoft Entra subscription is available, group-based licensing is the preferred method to assign Enterprise E3 or E5 licenses to users.

  • Licenses can be manually assigned by signing into the Microsoft 365 admin center.

  • Licenses can be assigned by uploading a spreadsheet.

  • Licenses can be assigned via PowerShell.

Explore the upgrade experience

Now that a subscription is established and licenses are assigned to users, devices running supported versions of Windows Pro can be upgraded to Enterprise edition.

Tip

This upgrade experience walkthrough assumes Autopilot isn't being used. For the Autopilot experience when joining Microsoft Entra ID, see User-driven Microsoft Entra join: Deploy the device.

Step 1: Join Windows Pro devices to Microsoft Entra ID

The first time the device starts, a Windows Pro device can join Microsoft Entra ID during setup. Existing devices can also join Microsoft Entra ID.

Join a device to Microsoft Entra ID during OOBE when the device is started for the first time

  1. Power on the device for the first time to initiate Windows Setup and the Out of Box experience (OOBE).

  2. In the Is this the right country or region? screen, select the desired country/region and then select the Yes button.

  3. In the Is this the right keyboard layout or input method? screen, select the desired keyboard/input methods and then select the Yes button.

  4. In the Want to add a second keyboard layout? screen, if desired add additional keyboard/input methods by selecting Add layout. Otherwise select the Skip button.

  5. If no network connection is detected, the Let's connect you to a network screen appears. Connect to a wireless or wired network that has Internet access, and then select the Next button.

  6. At this point, updates for Windows Setup might be installed. If updates are installed, the device reboots to finish installing the updates.

  7. In Windows 11 Pro editions, the Let's name your device screen appears. Give the device a name and then select the Next button. After the device is given a name, the device might reboot.

  8. In Windows 11 Pro editions, the How would you like to set up this device? screen appears. Select Set up for work or school and then select the Next button.

  9. In the Let's set things up for your work or school screen:

    1. In the someone@example.com text box under Sign in, enter the username for the Microsoft Entra user account, and then select the Next button. The username is in the email format of user@domain.com.

    2. In the Password text box under Enter password, enter the password for the Microsoft Entra user account, and then select the Sign in button.

  10. The device proceeds with the rest of the Windows setup including configuration of organization specific settings.

  11. In the Choose privacy settings for your device screen, configure privacy settings as desired, using the Next button to go between settings. Once complete, select the Accept button.

  12. Depending on the device and the configuration of organization specific settings, additional screens might appear. For example, the Windows Hello screen might appear.

  1. Power on the device for the first time to initiate Windows Setup and the Out of Box experience (OOBE).

  2. In the Let's start with region. Is this right? screen, select the desired country/region and then select the Yes button.

  3. In the Is this the right keyboard layout? screen, select the desired keyboard/input methods and then select the Yes button.

  4. In the Want to add a second keyboard layout? screen, if desired add additional keyboard/input methods by selecting the Add layout button. Otherwise select the Skip button.

  5. If no network connection is detected, the Let's connect you to a network screen appears. Connect to a wireless or wired network that has Internet access, and then select the Next button.

  6. At this point, updates for Windows Setup might be installed. If updates are installed, the device reboots to finish installing the updates.

  7. In Windows 10 Pro editions, the How would you like to set up? screen appears. Select Set up for an organization and then select the Next button.

  8. In the Sign in with Microsoft screen, in the someone@example.com text box, enter the username for the Microsoft Entra user account, and then select the Next button. The username is in the email format of user@domain.com.

  9. In the Enter your password screen, in the Password text box, enter the password for the Microsoft Entra user account, and then select the Next button.

  10. The device proceeds with the rest of the Windows setup including configuration of organization specific settings.

  11. In the Choose privacy settings for your device screen, configure privacy settings as desired. Once complete, select the Accept button.

  12. Depending on the device and the configuration of organization specific settings, additional screens might appear. For example, the Windows Hello screen might appear.

Once Windows Setup finishes, the user is automatically signed in and the device is Microsoft Entra joined to the organization's subscription.

Join a device to Microsoft Entra ID when the device is already set up with Windows

Important

Make sure that the user signing in isn't the BUILTIN/Administrator account. That user can't use the + Connect action to join a work or school account.

Open the Accounts > Access work or school pane in the Settings app by selecting the following link:

or

  1. Right-click on the Start menu and select Run.

  2. In the Run window, next to Open:, enter:

    ms-settings:workplace
    

    and then select OK.

or

  1. Right-click on the Start menu and select Settings.

  2. In the Settings app, select Accounts in the left hand pane.

  3. In the Accounts pane, select Access work or school.

Once the Accounts > Access work or school pane is open:

  1. In the Accounts > Access work or school pane, next to Add a work or school account, select the Connect button.

  2. In the Microsoft account window that opens:

    1. In the Set up a work or school account page, under Alternate actions:, select Join this device to Microsoft Entra ID.

    2. In the Email or phone text box of the Sign in page, enter the username for the Microsoft Entra user account, and then select the Next button. The username is in the email format of user@domain.com.

    3. In the Password text box of the Enter password page, enter the password for the Microsoft Entra user account, and then select the Sign in button.

    4. When the Make sure this is your organization window opens, confirm the information is correct and then select the Join button.

    5. The device joins the organization's Microsoft Entra ID subscription. Once complete, the You're all set! page is displayed. Select the Done button to complete the process.

  1. Right-click on the Start menu and select Settings.

  2. In the Settings app, select Accounts.

  3. In the left hand pane, select Access work or school.

Once the Access work or school pane is open:

  1. In the Access work or school pane, select the + button next to Connect.

  2. In the Microsoft account window that opens:

    1. In the Set up a work or school account page, under Alternate actions:, select Join this device to Microsoft Entra ID.

    2. In the Email or phone text box of the Sign in page, enter the username for the Microsoft Entra user account, and then select the Next button. The username is in the email format of user@domain.com.

    3. In the Password text box of the Enter password page, enter the password for the Microsoft Entra user account, and then select the Sign in button.

    4. When the Make sure this is your organization window opens, confirm the information is correct and then select the Join button.

    5. The device joins the organization's Microsoft Entra subscription. Once complete, the You're all set! page is displayed. Select the Done button to complete the process.

The device is now Microsoft Entra joined to the organization's subscription.

Step 2: Pro edition activation

Windows Pro has to be activated on the device. However, if the device is running a currently supported version of Windows, most modern devices automatically activates Windows Pro edition using the firmware-embedded activation key.

Step 3: Sign in using Microsoft Entra account

Once the device is joined to Microsoft Entra ID and Windows Setup/OOBE completes, the user signs in with their Microsoft Entra account. Once the user signs in with their Microsoft Entra account, the Windows Enterprise E3 or E5 license associated with the user enables Windows Enterprise edition capabilities on the device.

Step 4: Verify that Enterprise edition is enabled

To verify the Windows Enterprise E3 or E5 subscription:

Open the Activation pane in the Settings app by selecting the following link:

or

  1. Right-click on the Start menu and select Run.

  2. In the Run window, next to Open:, enter:

    ms-settings:activation
    

    and then select OK.

or

  1. Right-click on the Start menu and select Settings.

  2. In the Settings app, select System in the left hand pane.

  3. In the System pane, Activation.

Once the System > Activation pane is open:

  1. In the System > Activation pane, expand Activation state and Subscription to see full details of the activation state and status:

    1. Under Activation state, verify that Windows is activated. It should display the message:

      Windows is activated with a digital license

    2. Under Subscription, verify that the Windows 11 Enterprise subscription is active. It should display the message:

      Windows 11 Enterprise subscription is active

      Note

      If the Windows Enterprise subscription hasn't yet been applied, the Subscription pane isn't displayed.

  1. Right-click on the Start menu and select Settings.

  2. In the Settings app, select Update & Security.

  3. In the left hand pane, select Activation.

Once the Activation pane is open:

  1. In the Activation pane:

    1. Next to Subscription, verify that the Windows 10 Enterprise subscription is active. It should display the message:

    Windows Enterprise 10 subscription is active

    Note

    If the Windows Enterprise subscription hasn't yet been applied, the Subscription field isn't displayed.

    1. Next to Activation, verify that Windows is activated. It should display the message:

    Windows is activated with a digital license

A device is healthy when both the subscription and activation are active. If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the Activation pane displays the appropriate error message or status. This information can be used to help diagnose the licensing and activation process.

Verify that Enterprise edition is enabled with slmgr

Slmgr can also be used to verify the activation information:

  1. Open a command prompt.

  2. To get basic licensing information, run the following command at the command prompt:

    slmgr /dli
    

    A window with output similar to the following opens:

    Name: Windows(R), Professional edition
    Description: Windows(R) Operating System, RETAIL channel
    Partial Product Key: 3V66T
    License Status: Licensed
    

To instead get detailed licensing information, run the following command:

slmgr /dlv

For more information on Slmgr, see Slmgr.vbs options for obtaining volume activation information.

Troubleshoot the user experience

In some instances, users might experience problems with activation of the Windows Enterprise E3 or E5 subscription. The most common problems that users might experience are the following issues:

  • The Windows Enterprise E3 or E5 subscription has lapsed, was removed, or isn't applied.
  • Windows Pro was never activated.

When there are problems with Windows Enterprise E3 or E5 subscription activation, the following are errors can occur in the Activation pane:

  • Windows Pro isn't activated

    When Windows Pro isn't activated on a device, the following message is displayed for Activation in the Activation pane:

    Windows is not activated

    Additionally, the following message might be displayed:

    We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034.

    Examples where this problem can occur include:

    • The device doesn't have a firmware-embedded activation key.
    • The starting edition of Windows wasn't Windows Pro. For example, the starting edition of Windows was Windows Home.

    In these cases, a Windows Pro key might need to be manually entered.

  • Windows Enterprise subscription isn't active

    When a device with a Windows Enterprise subscription has lapsed or has been removed, the following message is displayed for Subscription in the Activation pane:

    Windows Enterprise subscription isn't valid.

    Note

    If the Windows Enterprise subscription has never been applied, the Subscription pane isn't displayed.

    Note

    If the Windows Enterprise subscription has never been applied, the Subscription field isn't displayed.

Review requirements on devices

When there are Windows Enterprise E3 or E5 license activation issues on a device, verify that it meets all of the requirements:

  • Devices must be running a currently supported version of Windows Pro. Versions of Windows Pro that are out support don't support this feature.

  • Devices must be joined to Microsoft Entra ID, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.

  • For automatic activation of Windows Pro, the device must have a firmware-embedded activation key.

Use the following guides to verify each one of these requirements:

  • Determine if the version of Windows is currently supported.

    To determine if the version of Windows is currently supported:

    1. Open a command prompt

    2. In the command prompt window, enter:

      winver.exe
      
    3. The About Windows window opens and displays both the OS version and the build information of Windows.

    4. Compare the information from the About Windows window against the Windows support lifecycle:

  • Determine if a device is Microsoft Entra joined.

    To determine if a device is Microsoft Entra joined:

    1. Open a command prompt.

    2. In the command prompt window, enter:

      dsregcmd.exe /status
      
    3. Review the output. Under the first section called Device State, verify that the value of AzureAdJoined is YES. If the value is YES, the device is joined to Microsoft Entra ID.

      +----------------------------------------------------------------------+
      | Device State                                                         |
      +----------------------------------------------------------------------+
      
               AzureAdJoined : YES
            EnterpriseJoined : NO
                DomainJoined : NO
             Virtual Desktop : NOT SET
                 Device Name : Demo-PC
      
  • Determine if devices has a firmware-embedded activation key.

    To determine if the device has a firmware-embedded activation key:

    1. Open an elevated Windows PowerShell command prompt.

    2. In the elevated Windows PowerShell command prompt, enter:

      (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
      
    3. If the device has a firmware-embedded activation key, the key is displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most modern OEM-provided devices designed to run currently supported versions of Windows have a firmware-embedded key.

  • Make sure the Microsoft Entra user has been assigned a license.

    For more information, see Assigning licenses to users.

Adding Conditional Access policy

When a device has been offline for an extended period of time, the Subscription Activation might not reactivate automatically on the device. To resolve this issue, use Conditional Access policies to control access by excluding one of the following cloud apps from their Conditional Access policies using Select Excluded Cloud Apps:

Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.

For more information about configuring exclusions in Conditional Access policies, see Application exclusions.

Setting this Conditional Access policy ensures that Subscription Activation continues to work seamlessly.

Starting with Windows 11, version 23H2 with KB5034848 or later, users are prompted for authentication with a toast notification when Subscription Activation needs to reactivate. The toast notification will show the following message:

Your account requires authentication

Please sign in to your work or school account to verify your information.

Additionally, in the Activation pane, the following message might appear:

Please sign in to your work or school account to verify your information.

The prompt for authentication usually occurs when a device has been offline for an extended period of time. This change eliminates the need for an exclusion in the Conditional Access policy for Windows 11, version 23H2 with KB5034848 or later. A Conditional Access policy can still be used with Windows 11, version 23H2 with KB5034848 or later if the prompt for user authentication via a toast notification isn't desired.

Make sure Windows Update isn't blocked

If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. Make sure that Windows Update isn't blocked on the device:

  • Using gpedit.msc or group policy editor in the domain, make sure that the following group policy setting is set to Disabled or Not Configured:

    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service > Do not connect to any Windows Update Internet locations

    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations

    If this policy is set to Enabled, it must be changed to Disabled or Not Configured.

  • In the following registry key of the registry:

    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    check if the value DoNotConnectToWindowsUpdateInternetLocations exists. If the value does exist, verify that it has a REG_DWORD value of 0. If the value is instead set to 1, it must be changed to 0. The value can be changed by running the following command from an elevated command prompt:

    reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v DoNotConnectToWindowsUpdateInternetLocations /t REG_DWORD /d 1 /f
    

    Note

    Make sure to first check the group policy of Do not connect to any Windows Update Internet locations. If the policy is Enabled, then this registry key will eventually be reset back to 1 even after it's manually set to 0 via reg.exe. Setting the policy of Do not connect to any Windows Update Internet locations to Disabled or Not Configured will make sure the registry value remains as 0.

Delay in the activation of Enterprise license of Windows

There might be a delay in the activation of the Enterprise license in Windows. This delay is by design. Windows uses a built-in cache when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.

Virtual Desktop Access (VDA)

Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant host.

Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see Enable VDA for Enterprise subscription activation.