From 04d20d4700e1cbd009e7d4742b8a5b63e41b7fda Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Fri, 23 Feb 2024 13:41:59 -0500
Subject: [PATCH] Add new MFA features for Windows Subscription Activation 3
---
.../deployment/deploy-enterprise-licenses.md | 26 +++++++--
.../windows-subscription-activation.md | 57 ++++++++++---------
2 files changed, 52 insertions(+), 31 deletions(-)
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index b5f5c2ca8d..7c31cca692 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -11,8 +11,9 @@ ms.topic: how-to
ms.collection:
- highpri
- tier2
-ms.date: 02/15/2024
+ms.date: 02/27/2024
zone_pivot_groups: windows-versions-11-10
+#customer intent: As an IT Pro, I want to step up Windows Pro to Windows Enterprise
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -65,7 +66,7 @@ To update contact information and resend the activation email, use the following
1. Update the contact information, then select **Update Contact Details**. This action triggers a new email.
-## Preparing for deployment: reviewing requirements
+## Prepare for deployment: reviewing requirements
- Devices must be running a supported version of Windows Pro.
- Microsoft Entra joined, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
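Review bot: The renamed heading `## Prepare for deployment: reviewing requirements` mixes an imperative verb with the leftover gerund "reviewing"; "Prepare for deployment: review requirements" would match the style of the other renamed headings. The rename also changes the generated anchor, and no visible hunk updates links to the old `#preparing-for-deployment-reviewing-requirements` anchor, so inbound links from other articles should be checked.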
@@ -82,7 +83,7 @@ For more information about integrating on-premises AD DS domains with Microsoft
- [What is hybrid identity with Microsoft Entra ID?](/azure/active-directory/hybrid/whatis-hybrid-identity)
- [Microsoft Entra Connect and Microsoft Entra Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap)
-## Assigning licenses to users
+## Assign licenses to users
After the Windows subscription is ordered, an email is sent with guidance on how to use Windows as an online service. The following methods are available to assign licenses:
@@ -482,10 +483,25 @@ Use the following guides to verify each one of these requirements:
- **Make sure the Microsoft Entra user has been assigned a license**.
- For more information, see [Assigning licenses to users](#assigning-licenses-to-users).
+ For more information, see [Assigning licenses to users](#assign-licenses-to-users).
## Known issues
+- When a device has been offline for an extended period of time, the Subscription Activation might not reactive automatically on the device. To resolve this issue, use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
+
+ - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+ - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+
+ Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.
+
+ For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+
+
+
+ Setting this Conditional Access policy ensures that Subscription Activation continues to work seamlessly.
+
+ Starting with Windows 11, version 23H2 with [KB5034848](https://support.microsoft.com/help/5034848) or later, users are prompted for authentication with a toast notification when Subscription Activation needs to reactivate. The prompt for authentication usually occurs when a device has been offline for an extended period of time. This change eliminates the need for the Conditional Access policy for Windows 11, version 23H2 with [KB5034848](https://support.microsoft.com/help/5034848) or later. A Conditional Access policy can still be used with Windows 11, version 23H2 with [KB5034848](https://support.microsoft.com/help/5034848) or later if the prompt for user authentication via a toast notification isn't desired.
+
- If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. Make sure that Windows Update isn't blocked on the device:
- Using `gpedit.msc` or group policy editor in the domain, make sure that the following group policy setting is set to **Disabled** or **Not Configured**:
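Review bot: The first added Known issues bullet does not parse: "might not reactive automatically" should be "reactivate", and "To resolve this issue, use Conditional Access policies to control access need to exclude one of the following cloud apps" reads as two sentences spliced together. Something like "To resolve this issue, organizations that use Conditional Access policies to control access need to exclude one of the following cloud apps" would fix it. The later added paragraphs say "Setting this Conditional Access policy" and that KB5034848 "eliminates the need for the Conditional Access policy", but the text above describes an exclusion from existing policies, not a policy. Calling it an exclusion would make clear what can be removed on devices that have the update. The updated link target `#assign-licenses-to-users` still carries the old link text "Assigning licenses to users", and the three consecutive empty `+` lines before "Setting this Conditional Access policy" should collapse to one.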
@@ -528,7 +544,7 @@ Subscriptions to Windows Enterprise are also available for virtualized clients.
Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
-## Related articles
+## Related content
- [Windows subscription activation](windows-subscription-activation.md).
- [MDM enrollment of Windows devices](/windows/client-management/mdm-enrollment-of-windows-devices).
diff --git a/windows/deployment/windows-subscription-activation.md b/windows/deployment/windows-subscription-activation.md
index 9f748d05ad..c37a580fa6 100644
--- a/windows/deployment/windows-subscription-activation.md
+++ b/windows/deployment/windows-subscription-activation.md
@@ -1,6 +1,6 @@
---
title: Windows subscription activation
-description: Learn how to dynamically enable Windows Enterprise or Education subscriptions.
+description: Learn how to step up from Windows Pro to a Windows Enterprise subscription or from Windows Eduction Pro to a Windows Education subscription.
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
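Review bot: The new `description:` line has a typo and an inverted product name: "Windows Eduction Pro" should be "Windows Pro Education", the edition name this article uses under "Windows Education requirements".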
@@ -10,9 +10,10 @@ manager: aaroncz
ms.collection:
- highpri
- tier2
-ms.topic: conceptual
+ms.topic: concept-article
zone_pivot_groups: windows-versions-11-10
-ms.date: 02/15/2024
+#customer intent: As an IT Pro, I want to step up Windows Pro to Windows Enterprise
+ms.date: 02/27/2024
appliesto:
- ✅ Windows 11
- ✅ Windows 10
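Review bot: The added `#customer intent:` line covers only the step up from Windows Pro to Windows Enterprise, while the new `description:` for this same article also covers the Education step-up. Widen the intent statement to include Education so the two metadata fields agree.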
@@ -34,16 +35,20 @@ The subscription activation feature eliminates the need to manually deploy Enter
For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
-> [!NOTE]
->
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
->
-> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
-> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
->
-> Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.
->
-> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
+
+- [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+- [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+
+Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.
+
+For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+
+
+
+When a device has been offline for an extended period of time, the device might not reactive automatically if these Conditional Access policies aren't in place. Setting this Conditional Access policy ensures that Subscription Activation continues to work seamlessly.
+
+Starting with Windows 11, version 23H2 with [KB5034848](https://support.microsoft.com/help/5034848) or later, users are prompted for authentication with a toast notification when Subscription Activation needs to reactivate. The prompt for authentication usually occurs when a device has been offline for an extended period of time. This change eliminates the need for the Conditional Access policy for Windows 11, version 23H2 with [KB5034848](https://support.microsoft.com/help/5034848) or later. A Conditional Access policy can still be used with Windows 11, version 23H2 with [KB5034848](https://support.microsoft.com/help/5034848) or later if the prompt for user authentication via a toast notification isn't desired.
## Subscription activation for Enterprise
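Review bot: In the added offline-device paragraph, "the device might not reactive automatically" should read "reactivate", and "these Conditional Access policies aren't in place" refers to what the preceding text describes as an exclusion from policies, not a policy. Suggest "if this exclusion isn't in place" and "Setting this exclusion ensures". These paragraphs also repeat, nearly verbatim, the Known issues text added to deploy-enterprise-licenses.md in this patch. Keeping one copy and linking to it from the other article would stop the two from drifting, including the three KB5034848 links repeated in the last paragraph. The three consecutive empty `+` lines before "When a device has been offline" should collapse to one.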
@@ -72,14 +77,6 @@ To support inherited activation, both the host computer and the VM must be runni
### Windows Enterprise requirements
-> [!NOTE]
->
-> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. Azure KMS supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
-
-> [!IMPORTANT]
->
-> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
-
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), the following requirements must be met:
- A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded.
@@ -88,6 +85,14 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products &
For Microsoft customers that don't have EA or MPSA, Windows Enterprise E3/E5 or A3/A5 licenses can be obtained through a cloud solution provider (CSP). Identity management and device requirements are the same when using CSP to manage licenses. For more information about getting Windows Enterprise E3 through a CSP, see [Windows Enterprise E3 in CSP](windows-enterprise-e3-overview.md).
+> [!NOTE]
+>
+> These requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. Azure KMS supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
+
+> [!IMPORTANT]
+>
+> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
+
### Windows Education requirements
- A supported version of Windows Pro Education installed on the devices to be upgraded.
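Review bot: Moving the `[!IMPORTANT]` callout below the EA/MPSA and CSP paragraphs puts the tenant availability condition (not available on GCC High or DoD) after the requirements it gates, directly above the "Windows Education requirements" heading. Consider leaving that callout at the top of "Windows Enterprise requirements" and moving only the Azure KMS `[!NOTE]`, whose rewording to "These requirements" fits the new position.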
@@ -118,8 +123,8 @@ With Windows Enterprise or Education editions, an organization can benefit from
To compare Windows editions and review pricing, see the following sites:
-- [Compare Windows editions](https://www.microsoft.com/en-us/windows/business/windows-10-pro-vs-windows-11-pro)
-- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing)
+- [Compare Windows editions](https://www.microsoft.com/en-us/windows/business/windows-10-pro-vs-windows-11-pro)