deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into wdav-10things

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2019-12-17 15:44:29 -08:00
commit 71458e1f04
6 changed files with 267 additions and 271 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
devices/surface-hub/surface-hub-2s-prepare-environment.md
View File

@ -17,34 +17,34 @@ ms.localizationpriority: Medium
## Office 365 readiness
You may use Exchange and Skype for Business on-premises with Surface Hub 2S. However, if you use Exchange Online, Skype for Business Online, Microsoft Teams or Microsoft Whiteboard, and intend to manage Surface Hub 2S with Intune, first review the [Office 365 requirements for endpoints](https://docs.microsoft.com/office365/enterprise/office-365-endpoints).
If you use Exchange Online, Skype for Business Online, Microsoft Teams, or Microsoft Whiteboard, and intend to manage Surface Hub 2S with Intune, first review the [Office 365 requirements for endpoints](https://docs.microsoft.com/office365/enterprise/office-365-endpoints).
Office 365 endpoints help optimize your network by sending all trusted Office 365 network requests directly through your firewall, bypassing all additional packet level inspection or processing. This feature reduces latency and your perimeter capacity requirements.
Office 365 endpoints help optimize your network by sending all trusted Office 365 network requests directly through your firewall, bypassing all additional packet-level inspection or processing. This feature reduces latency and your perimeter capacity requirements.
Microsoft regularly updates the Office 365 service with new features and functionality, which may alter required ports, URLs, and IP addresses. To evaluate, configure, and stay up-to-date with changes, subscribe to the [Office 365 IP Address and URL Web service](https://docs.microsoft.com/office365/enterprise/office-365-ip-web-service).
Microsoft regularly updates the Office 365 service with new features and functionality, which may alter required ports, URLs, and IP addresses. To evaluate, configure, and stay up to date with changes, subscribe to the [Office 365 IP Address and URL Web service](https://docs.microsoft.com/office365/enterprise/office-365-ip-web-service).
## Device affiliation
Use Device affiliation to manage user access to the Settings app on Surface Hub 2S.
With the Windows 10 Team Edition operating system — that runs on Surface Hub 2S — only authorized users can adjust settings via the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended.
With the Windows 10 Team Edition operating system (that runs on Surface Hub 2S), only authorized users can adjust settings using the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended.
> [!NOTE]
> You can only set Device affiliation during the initial out-of-box experience (OOBE) setup. If you need to reset Device affiliation, youll have to repeat OOBE setup.
## No affiliation
No affiliation is like having Surface Hub 2S in a workgroup with a different local Administrator account on each Surface Hub 2S. If you choose No affiliation, you must locally save the [Bitlocker Key to a USB thumb drive](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq). You can still enroll the device with Intune, however only the local admin can access the Settings app using the account credentials configured during OOBE. You can change the Administrator account password from the Settings app.
No affiliation is like having Surface Hub 2S in a workgroup with a different local Administrator account on each Surface Hub 2S. If you choose No affiliation, you must locally save the [BitLocker Key to a USB thumb drive](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq). You can still enroll the device with Intune; however, only the local admin can access the Settings app using the account credentials configured during OOBE. You can change the Administrator account password from the Settings app.
## Active Directory Domain Services
If you affiliate Surface Hub 2S with on-premises Active Directory Domain Services, you need to manage access to the Settings app via a security group on your domain, ensuring that all security group members have permissions to change settings on Surface Hub 2S. Note also the following:
If you affiliate Surface Hub 2S with on-premises Active Directory Domain Services, you need to manage access to the Settings app using a security group on your domain. This helps ensure that all security group members have permissions to change settings on Surface Hub 2S. Also note the following:
- When Surface Hub 2S affiliates with your on-premises Active Directory Domain Services, the Bitlocker key can be saved in the AD Schema. For more information, see [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies).
- When Surface Hub 2S affiliates with your on-premises Active Directory Domain Services, the BitLocker key can be saved in the Active Directory Schema. For more information, see [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies).
- Your organizations Trusted Root CAs are pushed to the same container in Surface Hub 2S, which means you dont need to import them using a provisioning package.
- You can still enroll the device with Intune to centrally manage settings on your Surface Hub 2S.
## Azure Active Directory
When choosing to affiliate your Surface Hub 2S with Azure AD, any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S.
When you choose to affiliate your Surface Hub 2S with Azure Active Directory (Azure AD), any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S.
If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The devices Bitlocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work.
If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The devices BitLocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work.

4
mdop/mbam-v2/TOC.md
View File

@ -36,8 +36,8 @@
## [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md)
### [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md)
#### [Getting Started - Using MBAM with Configuration Manager](getting-started---using-mbam-with-configuration-manager.md)
#### [Planning to Deploy MBAM with Configuration Manager [2 [MBAM_2](planning-to-deploy-mbam-with-configuration-manager-2.md)
#### [Deploying MBAM with Configuration Manager [MBAM2 [MBAM_2](deploying-mbam-with-configuration-manager-mbam2.md)
#### [Planning to Deploy MBAM with Configuration Manager](planning-to-deploy-mbam-with-configuration-manager-2.md)
#### [Deploying MBAM with Configuration Manager](deploying-mbam-with-configuration-manager-mbam2.md)
##### [How to Create or Edit the mof Files](how-to-create-or-edit-the-mof-files.md)
###### [Edit the Configuration.mof File](edit-the-configurationmof-file.md)
###### [Create or Edit the Sms_def.mof File](create-or-edit-the-sms-defmof-file.md)

500
windows/deployment/deploy-enterprise-licenses.md
View File

@ -1,252 +1,248 @@
---
title: Deploy Windows 10 Enterprise licenses
ms.reviewer:
manager: laurawi
ms.audience: itpro author: greg-lindsay
description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
ms.topic: article
---
# Deploy Windows 10 Enterprise licenses
This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
>[!NOTE]
>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
## Firmware-embedded activation key
To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt
```
(Get-WmiObject -query select * from SoftwareLicensingService).OA3xOriginalProductKey
```
If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
## Enabling Subscription Activation with an existing EA
If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
5. The admin can now assign subscription licenses to users.
>Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:
1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
2. Click on **Subscriptions**.
3. Click on **Online Services Agreement List**.
4. Enter your agreement number, and then click **Search**.
5. Click the **Service Name**.
6. In the **Subscription Contact** section, click the name listed under **Last Name**.
7. Update the contact information, then click **Update Contact Details**. This will trigger a new email.
Also in this article:
- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them.
## Active Directory synchronization with Azure AD
You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png)
**Figure 1. On-premises AD DS integrated with Azure AD**
For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/)
- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
>[!NOTE]
>If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers.
## Preparing for deployment: reviewing requirements
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
## Assigning licenses to users
Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
![profile](images/al01.png)
The following methods are available to assign licenses:
1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
2. You can sign in to portal.office.com and manually assign licenses:
![portal](images/al02.png)
3. You can assign licenses by uploading a spreadsheet.
4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available.
5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses.
## Explore the upgrade experience
Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices?
### Step 1: Join Windows 10 Pro devices to Azure AD
Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.
**To join a device to Azure AD the first time the device is started**
1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
<img src="images/enterprise-e3-who-owns.png" alt="Who owns this PC? page in Windows 10 setup" width="624" height="351" />
**Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
2. On the **Choose how youll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
<img src="images/enterprise-e3-choose-how.png" alt="Choose how you'll connect - page in Windows 10 setup" width="624" height="351" />
**Figure 3. The “Choose how youll connect” page in initial Windows 10 setup**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
<img src="images/enterprise-e3-lets-get.png" alt="Let's get you signed in - page in Windows 10 setup" width="624" height="351" />
**Figure 4. The “Lets get you signed in” page in initial Windows 10 setup**
Now the device is Azure AD joined to the companys subscription.
**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
>[!IMPORTANT]
>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
1. Go to **Settings &gt; Accounts &gt; Access work or school**, as illustrated in **Figure 5**.
<img src="images/enterprise-e3-connect-to-work-or-school.png" alt="Connect to work or school configuration" width="624" height="482" />
**Figure 5. Connect to work or school configuration in Settings**
2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
<img src="images/enterprise-e3-set-up-work-or-school.png" alt="Set up a work or school account" width="624" height="603" />
**Figure 6. Set up a work or school account**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
<img src="images/enterprise-e3-lets-get-2.png" alt="Let's get you signed in - dialog box" width="624" height="603" />
**Figure 7. The “Lets get you signed in” dialog box**
Now the device is Azure AD joined to the companys subscription.
### Step 2: Pro edition activation
>[!IMPORTANT]
>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 7a**.
<span id="win-10-pro-activated"/>
<img src="images/sa-pro-activation.png" alt="Windows 10 Pro activated" width="710" height="440" />
<strong>Figure 7a - Windows 10 Pro activation in Settings</strong>
Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
### Step 3: Sign in using Azure AD account
Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
<img src="images/enterprise-e3-sign-in.png" alt="Sign in, Windows 10" width="624" height="351" />
**Figure 8. Sign in by using Azure AD account**
### Step 4: Verify that Enterprise edition is enabled
You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 9**.
<span id="win-10-activated-subscription-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt="Windows 10 activated and subscription active" width="624" height="407" />
**Figure 9 - Windows 10 Enterprise subscription in Settings**
If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
>[!NOTE]
>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
>Name: Windows(R), Professional edition
>Description: Windows(R) Operating System, RETAIL channel
>Partial Product Key: 3V66T
## Virtual Desktop Access (VDA)
Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
## Troubleshoot the user experience
In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later.
- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.
Use the following figures to help you troubleshoot when users experience these common problems:
- [Figure 9](#win-10-activated-subscription-active) (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.
- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.
<span id="win-10-not-activated"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt="Windows 10 not activated and subscription active" width="624" height="407" />
<strong>Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings</strong>
<span id="subscription-not-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt="Windows 10 activated and subscription not active" width="624" height="407" />
<strong>Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings</strong>
<span id="win-10-not-activated-subscription-not-active"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt="Windows 10 not activated and subscription not active" width="624" height="407" />
<strong>Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings</strong>
### Review requirements on devices
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory joined:**
1. Open a command prompt and type **dsregcmd /status**.
2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
**To determine the version of Windows 10:**
- At a command prompt, type:
**winver**
A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
---
title: Deploy Windows 10 Enterprise licenses
ms.reviewer:
manager: laurawi
ms.audience: itpro
ms.author: greglin
description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro
author: greg-lindsay
ms.topic: article
---
# Deploy Windows 10 Enterprise licenses
This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
>[!NOTE]
>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
## Firmware-embedded activation key
To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt
```
(Get-WmiObject -query select * from SoftwareLicensingService).OA3xOriginalProductKey
```
If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
## Enabling Subscription Activation with an existing EA
If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
5. The admin can now assign subscription licenses to users.
>Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:
1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
2. Click on **Subscriptions**.
3. Click on **Online Services Agreement List**.
4. Enter your agreement number, and then click **Search**.
5. Click the **Service Name**.
6. In the **Subscription Contact** section, click the name listed under **Last Name**.
7. Update the contact information, then click **Update Contact Details**. This will trigger a new email.
Also in this article:
- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them.
## Active Directory synchronization with Azure AD
You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png)
**Figure 1. On-premises AD DS integrated with Azure AD**
For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/)
- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
>[!NOTE]
>If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers.
## Preparing for deployment: reviewing requirements
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
## Assigning licenses to users
Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
![profile](images/al01.png)
The following methods are available to assign licenses:
1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
2. You can sign in to portal.office.com and manually assign licenses:
![portal](images/al02.png)
3. You can assign licenses by uploading a spreadsheet.
4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available.
5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses.
## Explore the upgrade experience
Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices?
### Step 1: Join Windows 10 Pro devices to Azure AD
Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.
**To join a device to Azure AD the first time the device is started**
1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.<br>
<img src="images/enterprise-e3-who-owns.png" alt="Who owns this PC? page in Windows 10 setup" width="624" height="351" />
**Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
2. On the **Choose how youll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.<br>
<img src="images/enterprise-e3-choose-how.png" alt="Choose how you'll connect - page in Windows 10 setup" width="624" height="351" />
**Figure 3. The “Choose how youll connect” page in initial Windows 10 setup**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.<br>
<img src="images/enterprise-e3-lets-get.png" alt="Let's get you signed in - page in Windows 10 setup" width="624" height="351" />
**Figure 4. The “Lets get you signed in” page in initial Windows 10 setup**
Now the device is Azure AD joined to the companys subscription.
**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
>[!IMPORTANT]
>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
1. Go to **Settings &gt; Accounts &gt; Access work or school**, as illustrated in **Figure 5**.<br>
<img src="images/enterprise-e3-connect-to-work-or-school.png" alt="Connect to work or school configuration" width="624" height="482" />
**Figure 5. Connect to work or school configuration in Settings**
2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.<br>
<img src="images/enterprise-e3-set-up-work-or-school.png" alt="Set up a work or school account" width="624" height="603" />
**Figure 6. Set up a work or school account**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.<br>
<img src="images/enterprise-e3-lets-get-2.png" alt="Let's get you signed in - dialog box" width="624" height="603" />
**Figure 7. The “Lets get you signed in” dialog box**
Now the device is Azure AD joined to the companys subscription.
### Step 2: Pro edition activation
>[!IMPORTANT]
>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 7a**.
<span id="win-10-pro-activated"/>
<img src="images/sa-pro-activation.png" alt="Windows 10 Pro activated" width="710" height="440" />
<br><strong>Figure 7a - Windows 10 Pro activation in Settings</strong>
Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
### Step 3: Sign in using Azure AD account
Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
<img src="images/enterprise-e3-sign-in.png" alt="Sign in, Windows 10" width="624" height="351" />
**Figure 8. Sign in by using Azure AD account**
### Step 4: Verify that Enterprise edition is enabled
You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 9**.
<span id="win-10-activated-subscription-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt="Windows 10 activated and subscription active" width="624" height="407" />
**Figure 9 - Windows 10 Enterprise subscription in Settings**
If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
>[!NOTE]
>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
>Name: Windows(R), Professional edition
>Description: Windows(R) Operating System, RETAIL channel
>Partial Product Key: 3V66T
## Virtual Desktop Access (VDA)
Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
## Troubleshoot the user experience
In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later.
- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.
Use the following figures to help you troubleshoot when users experience these common problems:
- [Figure 9](#win-10-activated-subscription-active) (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.
<span id="win-10-not-activated"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt="Windows 10 not activated and subscription active" width="624" height="407" />
<br><strong>Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings</strong>
- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
<span id="subscription-not-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt="Windows 10 activated and subscription not active" width="624" height="407" />
<br><strong>Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings</strong>
- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.
<span id="win-10-not-activated-subscription-not-active"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt="Windows 10 not activated and subscription not active" width="624" height="407" />
<br><strong>Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings</strong>
### Review requirements on devices
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory joined:**
1. Open a command prompt and type **dsregcmd /status**.
2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
**To determine the version of Windows 10:**
At a command prompt, type: **winver**
A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.

2
windows/deployment/update/windows-as-a-service.md
View File

@ -7,8 +7,8 @@ ms.manager: elizapo
audience: itpro
itproauthor: jaimeo
author: jaimeo
description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization.
ms.audience: itpro
author: jaimeo
ms.reviewer:
manager: laurawi
ms.localizationpriority: high

8
windows/deployment/windows-10-subscription-activation.md
View File

@ -1,6 +1,6 @@
---
title: Windows 10 Subscription Activation
description: How to dynamically enable Windows 10 Enterprise or Educations subscriptions
description: How to dynamically enable Windows 10 Enterprise or Education subscriptions
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
@ -95,10 +95,10 @@ An issue has been identified with Hybrid Azure AD joined devices that have enabl
To resolve this issue:
If the device is running Windows 10, version 1703 or 1709, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
If the device is running Windows 10, version 1803 or later:
1. Windows 10, version 1803 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
If the device is running Windows 10, version 1809 or later:
1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
![Subscription Activation with MFA1](images/sa-mfa1.png)<br>

6
windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
View File

@ -35,7 +35,7 @@ There are some minimum requirements for onboarding machines to the service. Lear
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Windows 10 Education A5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
- Microsoft 365 A5 (M365 A5)
@ -122,9 +122,9 @@ By default, this service is enabled, but it&#39;s good practice to check to ensu
sc qc diagtrack
```
If the service is enabled, then the result should look like the following screenshot:
If the service is enabled, then the result should look like the following screenshot:
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.