Deploy Windows Enterprise licenses

• Article
• 02/28/2023
• 9 minutes to read

• Applies to:

  ✅ Windows 10, ✅ Windows 11

In this article

This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with subscription activation or Enterprise E3 in CSP and Azure Active Directory (Azure AD).

These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro:

• Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA).
• Enterprise E3 in CSP.
• Automatic, non-KMS activation also requires a device with a firmware-embedded activation key.
• Subscription activation requires Enterprise per user licensing. It doesn’t work with per device licensing.

Enable subscription activation with an existing EA

If you’re an EA customer with an existing Microsoft 365 tenant, use the following steps to enable Windows subscription licenses on your existing tenant:

1. Work with your reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on your current Windows Enterprise SA license:

   SKU
   Description

   AAA-51069
   Win OLS Activation User Alng Sub Add-on E3
   AAA-51068
   Win OLS Activation User Sub Add-on E5
   VRM-00001
   Win OLS Activation User GCC Sub Per User

   Note

   As of October 1, 2022, subscription activation is available for commercial and GCC tenants. It’s currently not available on GCC High or DoD tenants.

2. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses have been provisioned on the tenant.

3. You can now assign subscription licenses to users.

If you need to update contact information and resend the activation email, use the following process:

1. Sign in to the Microsoft Volume Licensing Service Center.

2. Select Subscriptions.

3. Select Online Services Agreement List.

4. Enter your agreement number, and then select Search.

5. Select the Service Name.

6. In the Subscription Contact section, select the name listed under Last Name.

7. Update the contact information, then select Update Contact Details. This action will trigger a new email.

Preparing for deployment: reviewing requirements

• Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro
• Azure AD-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible.

For more information, see Review requirements on devices, later in this article.

Active Directory synchronization with Azure AD

If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. This synchronization is required for users to have a single identity that they can use to access their on-premises apps and cloud services that use Azure AD. An example of a cloud service is Windows Enterprise E3 or E5.

Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD. Azure AD Connect is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.

Figure 1: On-premises AD DS integrated with Azure AD

For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:

Assigning licenses to users

After you’ve ordered the Windows subscription (Windows 10 Business, E3 or E5), you’ll receive an email with guidance on how to use Windows as an online service:

The following methods are available to assign licenses:

• When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 or E5 licenses to users.

• You can sign in to the Microsoft 365 admin center and manually assign licenses:

  

• You can assign licenses by uploading a spreadsheet.

• How to use PowerShell to automatically assign licenses to your Microsoft 365 users.

Tip

Other solutions may exist from the community. For example, a Microsoft MVP shared the following process: Assign EMS licenses based on local Active Directory group membership.

Explore the upgrade experience

Now that you’ve established a subscription and assigned licenses to users, you can upgrade devices running supported versions of Windows 10 Pro or Windows 11 Pro to Enterprise edition.

Note

The following experiences are specific to Windows 10. The general concepts also apply to Windows 11.

Step 1: Join Windows Pro devices to Azure AD

You can join a Windows Pro device to Azure AD during setup, the first time the device starts. You can also join a device that’s already set up.

Join a device to Azure AD the first time the device is started

1. During the initial setup, on the Who owns this PC? page, select My organization, and then select Next.

   

   Figure 2: The “Who owns this PC?” page in initial Windows 10 setup.

2. On the Choose how you’ll connect page, select Join Azure AD, and then select Next.

   

   Figure 3: The “Choose how you’ll connect” page in initial Windows 10 setup.

3. On the Let’s get you signed in page, enter your Azure AD credentials, and then select Sign in.

   

   Figure 4: The “Let’s get you signed in” page in initial Windows 10 setup.

Now the device is Azure AD-joined to the organization’s subscription.

Join a device to Azure AD when the device is already set up with Windows 10 Pro

Important

Make sure that the user you’re signing in with is not the BUILTIN/Administrator account. That user can’t use the + Connect action to join a work or school account.

1. Go to Settings, select Accounts, and select Access work or school.

   

   Figure 5: “Connect to work or school” configuration in Settings.

2. In Set up a work or school account, select Join this device to Azure Active Directory.

   

   Figure 6: Set up a work or school account.

3. On the Let’s get you signed in page, enter your Azure AD credentials, and then select Sign in.

   

   Figure 7: The “Let’s get you signed in” window.

Now the device is Azure AD-joined to the organization’s subscription.

Step 2: Pro edition activation

If the device is running a supported version of Windows 10 or Windows 11, it automatically activates Windows Enterprise edition using the firmware-embedded activation key.

Step 3: Sign in using Azure AD account

Once the device is joined to Azure AD, users will sign in with their Azure AD account, as illustrated in Figure 8. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.

Figure 8: Sign in to Windows 10 with an Azure AD account.

Step 4: Verify that Enterprise edition is enabled

To verify the Windows Enterprise E3 or E5 subscription, go to Settings, select Update & Security, and select Activation.

Figure 9: Verify Windows 10 Enterprise subscription in Settings.

If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the Activation panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.

Note

If you use the slmgr /dli or slmgr /dlv commands to get the activation information for the E3 or E5 license, the license information displayed will be similar to the following output:

Name: Windows(R), Professional edition
Description: Windows(R) Operating System, RETAIL channel
Partial Product Key: 3V66T

Troubleshoot the user experience

In some instances, users may experience problems with the Windows Enterprise E3 or E5 subscription. The most common problems that users may experience are the following issues:

• The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
• An earlier version of Windows 10 Pro isn’t activated. For example, Windows 10, versions 1703 or 1709.

Troubleshoot common problems in the Activation pane

Use the following figures to help you troubleshoot when users experience common problems:

Device in healthy state

The following image illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.

Device that’s not activated with active subscription

Figure 10 illustrates a device on which the Windows 10 Pro isn’t activated, but the Windows 10 Enterprise subscription is active.

Figure 10: Windows 10 Pro, version 1703 edition not activated in Settings.

It displays the following error: “We can’t activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034.”

Device that’s activated without an Enterprise subscription

Figure 11 illustrates a device on which the Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.

Figure 11: Windows 10 Enterprise subscription lapsed or removed in Settings.

It displays the following error: “Windows 10 Enterprise subscription isn’t valid.”

Device that’s not activated and without an Enterprise subscription

Figure 12 illustrates a device on which the Windows 10 Pro license isn’t activated and the Windows 10 Enterprise subscription is lapsed or removed.

Figure 12: Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings.

It displays both of the previously mentioned error messages.

Review requirements on devices

Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro. Earlier versions of Windows 10, such as version 1703, don’t support this feature.

Devices must also be joined to Azure AD, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible.

Use the following procedures to review whether a particular device meets these requirements.

Firmware-embedded activation key

To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt:

(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey

If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn’t have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.

Determine if a device is Azure AD-joined

1. Open a command prompt and enter dsregcmd /status.

2. Review the output in the Device State section. If the AzureAdJoined value is YES, the device is joined to Azure AD.

Determine the version of Windows

1. Open a command prompt and enter winver.

2. The About Windows window displays the OS version and build information.

3. Compare this information again the Windows support lifecycle:

   • Windows 10 release information
   • Windows 11 release information

Note

If a device is running a version of Windows 10 Pro prior to version 1703, it won’t upgrade to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.

Delay in the activation of Enterprise license of Windows 10

This delay is by design. Windows 10 and Windows 11 include a built-in cache that’s used when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn’t eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.

Known issues

If a device isn’t able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. To work around this issue:

• Make sure that the device doesn’t have the following registry value: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations = 1 (REG_DWORD). If this registry value exists, it must be set to 0.

• Make sure that the following group policy setting is disabled: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Don’t connect to any Windows Update Internet locations.

Virtual Desktop Access (VDA)

Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant hoster (PDF download).

Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Azure AD-joined clients are supported. For more information, see Enable VDA for Enterprise subscription activation.