From a13ed317db58877465f986ec0e751da3b740b030 Mon Sep 17 00:00:00 2001 From: Kelly Baker Date: Mon, 9 Dec 2019 11:24:32 -0800 Subject: [PATCH 01/11] Update surface-hub-2s-prepare-environment.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @greg-lindsay Please review the copy edit to this article and let me know if I’ve changed the technical meaning anywhere. This is the third of three PRs for DevOps work request 3805258. Thanks! Kelly --- .../surface-hub-2s-prepare-environment.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/devices/surface-hub/surface-hub-2s-prepare-environment.md b/devices/surface-hub/surface-hub-2s-prepare-environment.md index fba71d0e0e..0e9f44b5e4 100644 --- a/devices/surface-hub/surface-hub-2s-prepare-environment.md +++ b/devices/surface-hub/surface-hub-2s-prepare-environment.md 
@@ -17,34 +17,34 @@ ms.localizationpriority: Medium ## Office 365 readiness -You may use Exchange and Skype for Business on-premises with Surface Hub 2S. However, if you use Exchange Online, Skype for Business Online, Microsoft Teams or Microsoft Whiteboard, and intend to manage Surface Hub 2S with Intune, first review the [Office 365 requirements for endpoints](https://docs.microsoft.com/office365/enterprise/office-365-endpoints). +If you use Exchange Online, Skype for Business Online, Microsoft Teams, or Microsoft Whiteboard, and intend to manage Surface Hub 2S with Intune, first review the [Office 365 requirements for endpoints](https://docs.microsoft.com/office365/enterprise/office-365-endpoints). -Office 365 endpoints help optimize your network by sending all trusted Office 365 network requests directly through your firewall, bypassing all additional packet level inspection or processing. This feature reduces latency and your perimeter capacity requirements. +Office 365 endpoints help optimize your network by sending all trusted Office 365 network requests directly through your firewall, bypassing all additional packet-level inspection or processing. This feature reduces latency and your perimeter capacity requirements. -Microsoft regularly updates the Office 365 service with new features and functionality, which may alter required ports, URLs, and IP addresses. To evaluate, configure, and stay up-to-date with changes, subscribe to the [Office 365 IP Address and URL Web service](https://docs.microsoft.com/office365/enterprise/office-365-ip-web-service). +Microsoft regularly updates the Office 365 service with new features and functionality, which may alter required ports, URLs, and IP addresses. To evaluate, configure, and stay up to date with changes, subscribe to the [Office 365 IP Address and URL Web service](https://docs.microsoft.com/office365/enterprise/office-365-ip-web-service). 
## Device affiliation Use Device affiliation to manage user access to the Settings app on Surface Hub 2S. -With the Windows 10 Team Edition operating system — that runs on Surface Hub 2S — only authorized users can adjust settings via the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended. +With the Windows 10 Team Edition operating system (that runs on Surface Hub 2S), only authorized users can adjust settings usin the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended. > [!NOTE] > You can only set Device affiliation during the initial out-of-box experience (OOBE) setup. If you need to reset Device affiliation, you’ll have to repeat OOBE setup. ## No affiliation -No affiliation is like having Surface Hub 2S in a workgroup with a different local Administrator account on each Surface Hub 2S. If you choose No affiliation, you must locally save the [Bitlocker Key to a USB thumb drive](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq). You can still enroll the device with Intune, however only the local admin can access the Settings app using the account credentials configured during OOBE. You can change the Administrator account password from the Settings app. +No affiliation is like having Surface Hub 2S in a workgroup with a different local Administrator account on each Surface Hub 2S. If you choose No affiliation, you must locally save the [BitLocker Key to a USB thumb drive](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq). You can still enroll the device with Intune; however, only the local admin can access the Settings app using the account credentials configured during OOBE. You can change the Administrator account password from the Settings app. 
## Active Directory Domain Services -If you affiliate Surface Hub 2S with on-premises Active Directory Domain Services, you need to manage access to the Settings app via a security group on your domain, ensuring that all security group members have permissions to change settings on Surface Hub 2S. Note also the following: +If you affiliate Surface Hub 2S with on-premises Active Directory Domain Services, you need to manage access to the Settings app using a security group on your domain. This helps ensure that all security group members have permissions to change settings on Surface Hub 2S. Also note the following: -- When Surface Hub 2S affiliates with your on-premises Active Directory Domain Services, the Bitlocker key can be saved in the AD Schema. For more information, see [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies). +- When Surface Hub 2S affiliates with your on-premises Active Directory Domain Services, the BitLocker key can be saved in the Active Directory Schema. For more information, see [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies). - Your organization’s Trusted Root CAs are pushed to the same container in Surface Hub 2S, which means you don’t need to import them using a provisioning package. - You can still enroll the device with Intune to centrally manage settings on your Surface Hub 2S. ## Azure Active Directory -When choosing to affiliate your Surface Hub 2S with Azure AD, any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S. 
+When choosing to affiliate your Surface Hub 2S with Azure Active Directory (Azure AD), any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S. -If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The device’s Bitlocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work. +If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The device’s BitLocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work. From a7a922e0311550e15ef98d1e7c6d06444769041f Mon Sep 17 00:00:00 2001 From: Kelly Baker Date: Tue, 10 Dec 2019 11:55:54 -0800 Subject: [PATCH 02/11] Update surface-hub-2s-prepare-environment.md --- devices/surface-hub/surface-hub-2s-prepare-environment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface-hub/surface-hub-2s-prepare-environment.md b/devices/surface-hub/surface-hub-2s-prepare-environment.md index 0e9f44b5e4..5f10258934 100644 --- a/devices/surface-hub/surface-hub-2s-prepare-environment.md +++ b/devices/surface-hub/surface-hub-2s-prepare-environment.md 
@@ -26,7 +26,7 @@ Microsoft regularly updates the Office 365 service with new features and functio ## Device affiliation Use Device affiliation to manage user access to the Settings app on Surface Hub 2S. -With the Windows 10 Team Edition operating system (that runs on Surface Hub 2S), only authorized users can adjust settings usin the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended. +With the Windows 10 Team Edition operating system (that runs on Surface Hub 2S), only authorized users can adjust settings using the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended. > [!NOTE] > You can only set Device affiliation during the initial out-of-box experience (OOBE) setup. If you need to reset Device affiliation, you’ll have to repeat OOBE setup. @@ -45,6 +45,6 @@ If you affiliate Surface Hub 2S with on-premises Active Directory Domain Service ## Azure Active Directory -When choosing to affiliate your Surface Hub 2S with Azure Active Directory (Azure AD), any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S. +When you choose to affiliate your Surface Hub 2S with Azure Active Directory (Azure AD), any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S. If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The device’s BitLocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work. From 9248e1a8046c6c1e3e2b3d882e2841b5e6ad33a7 Mon Sep 17 00:00:00 2001 
From: mingwli Date: Mon, 16 Dec 2019 14:44:37 +0800 Subject: [PATCH 03/11] content-fix: fix toc markdown by removing bracketed texts Otherwise, docfx v3 will throw toc-syntax error --- mdop/mbam-v2/TOC.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mdop/mbam-v2/TOC.md b/mdop/mbam-v2/TOC.md index ee098e3a8b..4bb822bfb4 100644 --- a/mdop/mbam-v2/TOC.md +++ b/mdop/mbam-v2/TOC.md @@ -36,8 +36,8 @@ ## [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md) ### [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md) #### [Getting Started - Using MBAM with Configuration Manager](getting-started---using-mbam-with-configuration-manager.md) -#### [Planning to Deploy MBAM with Configuration Manager [2 [MBAM_2](planning-to-deploy-mbam-with-configuration-manager-2.md) -#### [Deploying MBAM with Configuration Manager [MBAM2 [MBAM_2](deploying-mbam-with-configuration-manager-mbam2.md) +#### [Planning to Deploy MBAM with Configuration Manager](planning-to-deploy-mbam-with-configuration-manager-2.md) +#### [Deploying MBAM with Configuration Manager](deploying-mbam-with-configuration-manager-mbam2.md) ##### [How to Create or Edit the mof Files](how-to-create-or-edit-the-mof-files.md) ###### [Edit the Configuration.mof File](edit-the-configurationmof-file.md) ###### [Create or Edit the Sms_def.mof File](create-or-edit-the-sms-defmof-file.md) From 19709d66b7bc81e6f7a321eb67838ac061db2386 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Mon, 16 Dec 2019 16:23:53 -0800 Subject: [PATCH 04/11] fix some formatting issues --- .../deployment/deploy-enterprise-licenses.md | 500 +++++++++--------- 1 file changed, 248 insertions(+), 252 deletions(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index c4c52097cc..d1013e8cde 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md 
@@ -1,252 +1,248 @@ ---- -title: Deploy Windows 10 Enterprise licenses -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 Enterprise licenses - -This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). - ->[!NOTE] ->* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. ->* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. ->* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. - -## Firmware-embedded activation key - -To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt - -``` -(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey -``` - -If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. - -## Enabling Subscription Activation with an existing EA - -If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: - -1. 
Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: -2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 -3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. -5. The admin can now assign subscription licenses to users. - ->Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: - -1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -2. Click on **Subscriptions**. -3. Click on **Online Services Agreement List**. -4. Enter your agreement number, and then click **Search**. -5. Click the **Service Name**. -6. In the **Subscription Contact** section, click the name listed under **Last Name**. -7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. - -Also in this article: -- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. -- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them. - -## Active Directory synchronization with Azure AD - -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. - -You might ask why you need to synchronize these identities. 
The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. - -**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. - -![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png) - -**Figure 1. On-premises AD DS integrated with Azure AD** - -For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: - -- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/) -- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) - ->[!NOTE] ->If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. 
- -## Preparing for deployment: reviewing requirements - -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. - -## Assigning licenses to users - -Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: - -![profile](images/al01.png) - -The following methods are available to assign licenses: - -1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. -2. You can sign in to portal.office.com and manually assign licenses: - - ![portal](images/al02.png) - -3. You can assign licenses by uploading a spreadsheet. -4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. -5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. - -## Explore the upgrade experience - -Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices? 
- -### Step 1: Join Windows 10 Pro devices to Azure AD - -Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. - -**To join a device to Azure AD the first time the device is started** - -1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**. - - Who owns this PC? page in Windows 10 setup - - **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** - -2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**. - - Choose how you'll connect - page in Windows 10 setup - - **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**. - - Let's get you signed in - page in Windows 10 setup - - **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** - -Now the device is Azure AD joined to the company’s subscription. - -**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** - ->[!IMPORTANT] ->Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account. - -1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**. - - Connect to work or school configuration - - **Figure 5. Connect to work or school configuration in Settings** - -2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**. - - Set up a work or school account - - **Figure 6. Set up a work or school account** - -3. 
On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**. - - Let's get you signed in - dialog box - - **Figure 7. The “Let’s get you signed in” dialog box** - -Now the device is Azure AD joined to the company’s subscription. - -### Step 2: Pro edition activation - ->[!IMPORTANT] ->If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. ->If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. - - -Windows 10 Pro activated -Figure 7a - Windows 10 Pro activation in Settings - -Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). - - -### Step 3: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. - -Sign in, Windows 10 - -**Figure 8. Sign in by using Azure AD account** - -### Step 4: Verify that Enterprise edition is enabled - -You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. - - -Windows 10 activated and subscription active - -**Figure 9 - Windows 10 Enterprise subscription in Settings** - - -If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. 
- ->[!NOTE] ->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: ->Name: Windows(R), Professional edition ->Description: Windows(R) Operating System, RETAIL channel ->Partial Product Key: 3V66T - -## Virtual Desktop Access (VDA) - -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx). - -Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). - -## Troubleshoot the user experience - -In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: - -- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. - -- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. - -Use the following figures to help you troubleshoot when users experience these common problems: - -- [Figure 9](#win-10-activated-subscription-active) (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. - -- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active. - -- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. 
- -- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. - - - -Windows 10 not activated and subscription active -Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings - - - -Windows 10 activated and subscription not active -Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings - - - -Windows 10 not activated and subscription not active -Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings - - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure Active Directory joined:** - -1. Open a command prompt and type **dsregcmd /status**. - -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. - -**To determine the version of Windows 10:** - -- At a command prompt, type: - **winver** - - A popup window will display the Windows 10 version number and detailed OS build information. - - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. 
+--- +title: Deploy Windows 10 Enterprise licenses +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 Enterprise licenses + +This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). + +>[!NOTE] +>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. +>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. + +## Firmware-embedded activation key + +To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt + +``` +(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey +``` + +If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. + +## Enabling Subscription Activation with an existing EA + +If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: + +1. 
Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: +2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 +3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 +4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +5. The admin can now assign subscription licenses to users. + +>Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: + +1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). +2. Click on **Subscriptions**. +3. Click on **Online Services Agreement List**. +4. Enter your agreement number, and then click **Search**. +5. Click the **Service Name**. +6. In the **Subscription Contact** section, click the name listed under **Last Name**. +7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. + +Also in this article: +- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. +- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them. + +## Active Directory synchronization with Azure AD + +You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. + +You might ask why you need to synchronize these identities. 
The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. + +**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. + +![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png) + +**Figure 1. On-premises AD DS integrated with Azure AD** + +For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: + +- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/) +- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) + +>[!NOTE] +>If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. 
+ +## Preparing for deployment: reviewing requirements + +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. + +## Assigning licenses to users + +Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: + +![profile](images/al01.png) + +The following methods are available to assign licenses: + +1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. +2. You can sign in to portal.office.com and manually assign licenses: + + ![portal](images/al02.png) + +3. You can assign licenses by uploading a spreadsheet. +4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. +5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. + +## Explore the upgrade experience + +Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices? 
+ +### Step 1: Join Windows 10 Pro devices to Azure AD + +Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. + +**To join a device to Azure AD the first time the device is started** + +1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
+ + Who owns this PC? page in Windows 10 setup + + **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** + +2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
+ + Choose how you'll connect - page in Windows 10 setup + + **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** + +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
+ + Let's get you signed in - page in Windows 10 setup + + **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** + +Now the device is Azure AD joined to the company’s subscription. + +**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** + +>[!IMPORTANT] +>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account. + +1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
+ + Connect to work or school configuration + + **Figure 5. Connect to work or school configuration in Settings** + +2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
+ + Set up a work or school account + + **Figure 6. Set up a work or school account** + +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
+ + Let's get you signed in - dialog box + + **Figure 7. The “Let’s get you signed in” dialog box** + +Now the device is Azure AD joined to the company’s subscription. + +### Step 2: Pro edition activation + +>[!IMPORTANT] +>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. +>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. + + +Windows 10 Pro activated +
Figure 7a - Windows 10 Pro activation in Settings + +Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). + + +### Step 3: Sign in using Azure AD account + +Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. + +Sign in, Windows 10 + +**Figure 8. Sign in by using Azure AD account** + +### Step 4: Verify that Enterprise edition is enabled + +You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. + + +Windows 10 activated and subscription active + +**Figure 9 - Windows 10 Enterprise subscription in Settings** + + +If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. + +>[!NOTE] +>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: +>Name: Windows(R), Professional edition +>Description: Windows(R) Operating System, RETAIL channel +>Partial Product Key: 3V66T + +## Virtual Desktop Access (VDA) + +Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx). + +Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. 
Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). + +## Troubleshoot the user experience + +In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: + +- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. + +- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. + +Use the following figures to help you troubleshoot when users experience these common problems: + +- [Figure 9](#win-10-activated-subscription-active) (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. + +- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active. + + + Windows 10 not activated and subscription active +
Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings + +- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. + + + Windows 10 activated and subscription not active +
Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings + +- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. + + + Windows 10 not activated and subscription not active +
Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings + +### Review requirements on devices + +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. + +**To determine if a device is Azure Active Directory joined:** + +1. Open a command prompt and type **dsregcmd /status**. +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. + +**To determine the version of Windows 10:** + +At a command prompt, type: **winver** + +A popup window will display the Windows 10 version number and detailed OS build information. + +If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. From 6737dab43488927d896828ffc69621a63fb64114 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Mon, 16 Dec 2019 16:35:10 -0800 Subject: [PATCH 05/11] fix version requirement --- windows/deployment/windows-10-subscription-activation.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 2c105278f6..7b9bcc1932 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -95,10 +95,10 @@ An issue has been identified with Hybrid Azure AD joined devices that have enabl To resolve this issue: -If the device is running Windows 10, version 1703 or 1709, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal. +If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal. -If the device is running Windows 10, version 1803 or later: -1. Windows 10, version 1803 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. +If the device is running Windows 10, version 1809 or later: +1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. 2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below: ![Subscription Activation with MFA1](images/sa-mfa1.png)
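Review bot: The first changed paragraph still presents "you must disable MFA for this user during the 30-day polling period and renewal" as an equal alternative, and this change widens it to cover version 1803 as well. Turning MFA off for a window of that length weakens the account's sign-in protection, so suggest listing "sign in with an Azure AD account" as the preferred fix and describing the MFA exception as a fallback that is reverted once renewal completes. Step 1 would also benefit from saying how to confirm that KB4497934 is installed on a version 1809 device before the user is sent to **Fix now**. The commit message "fix version requirement" gives no reason for moving 1803 into the first group; one line of explanation would help later readers.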
From 99b86454ff0267e0c54b3a695b954c6888aef086 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 16 Dec 2019 17:05:25 -0800 Subject: [PATCH 06/11] Metadata: Changed first instance of "author" to "ms.author" ...and also replaced Greg's GitHub user name with his Microsoft alias. --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index d1013e8cde..cd4f1c3e5b 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -3,7 +3,7 @@ title: Deploy Windows 10 Enterprise licenses ms.reviewer: manager: laurawi ms.audience: itpro -author: greg-lindsay +ms.author: greglin description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP keywords: upgrade, update, task sequence, deploy ms.prod: w10 From 42a46eff24274261945557f0058e40fd44dda259 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 16 Dec 2019 17:08:31 -0800 Subject: [PATCH 07/11] Metadata: Changed "Educations" to "Education" in "description" --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 7b9bcc1932..bdb8c230c4 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -1,6 +1,6 @@ --- title: Windows 10 Subscription Activation -description: How to dynamically enable Windows 10 Enterprise or Educations subscriptions +description: How to dynamically enable Windows 10 Enterprise or Education subscriptions keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy 
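Review bot: In the deploy-enterprise-licenses.md front matter hunk (PATCH 06/11), the changed line replaces both the key and the value ("author: greg-lindsay" becomes "ms.author: greglin"), and none of the visible context lines carries a remaining "author:" key. The commit message says only the first instance of "author" was changed, so please confirm the second "author:" entry still exists further down the front matter; if it does not, the article loses its GitHub author attribution. The context also shows "ms.reviewer:" with no value, which could be filled in or dropped while this block is being edited.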
From 67815bb54f40543e86adfedbf9badaea64c42d97 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 17 Dec 2019 13:14:45 -0800 Subject: [PATCH 08/11] license --- .../microsoft-defender-atp/minimum-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 1625a62968..06e1a0dada 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -35,7 +35,7 @@ There are some minimum requirements for onboarding machines to the service. Lear Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - Windows 10 Enterprise E5 -- Windows 10 Education E5 +- Windows 10 Education A5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 - Microsoft 365 A5 (M365 A5) From b2a95e5baa204184a34903fb645ead8bc5ab0e92 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 17 Dec 2019 16:29:32 -0500 Subject: [PATCH 09/11] added meta description --- windows/deployment/update/windows-as-a-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 1cec56cb46..a3e0af5ef0 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -7,8 +7,8 @@ ms.manager: elizapo audience: itpro itproauthor: jaimeo author: jaimeo +description: Discover the latest news articles, videos, and podcasts about Windows as a Service. Find resources for using Windows as a service within your organization. ms.audience: itpro -author: jaimeo ms.reviewer: manager: laurawi ms.localizationpriority: high 
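Review bot: In the licensing list of minimum-requirements.md (PATCH 08/11), the renamed bullet "Windows 10 Education A5" now sits next to "Microsoft 365 A5 (M365 A5)", which, unlike the M365 E5 bullet, does not say which Windows license it includes. If M365 A5 includes Windows 10 Education A5, add that clause so the two pairs read in parallel and readers can tell which offer satisfies the Microsoft Defender ATP requirement. The commit subject "license" does not say what changed; a subject that names the corrected license would make the history searchable.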
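Review bot: The windows-as-a-service.md front matter hunk (PATCH 09/11) also deletes the second "author: jaimeo" line, which the commit message "added meta description" does not mention. Removing the duplicate key is fine, but say so in the message, and consider resolving the other overlapping keys visible in the context in the same pass: "audience: itpro" alongside "ms.audience: itpro", and "ms.manager: elizapo" alongside "manager: laurawi". The added description line also mixes "Windows as a Service" and "Windows as a service" in one sentence; pick one casing before merging.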
From 6b2e55baa4fafb8b200f9beebd5e6f33c270ff48 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 17 Dec 2019 16:32:54 -0500 Subject: [PATCH 10/11] fixed inconsistent casing in description --- windows/deployment/update/windows-as-a-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index a3e0af5ef0..89b24aea50 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -7,7 +7,7 @@ ms.manager: elizapo audience: itpro itproauthor: jaimeo author: jaimeo -description: Discover the latest news articles, videos, and podcasts about Windows as a Service. Find resources for using Windows as a service within your organization. +description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization. ms.audience: itpro ms.reviewer: manager: laurawi From a858af05fb47479d20e5a4f1eceabf33e1a5d65b Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 17 Dec 2019 15:25:05 -0800 Subject: [PATCH 11/11] Changed indentation of results detail in a procedure step --- .../microsoft-defender-atp/minimum-requirements.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 06e1a0dada..aaf95f6065 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
@@ -122,9 +122,9 @@ By default, this service is enabled, but it's good practice to check to ensu sc qc diagtrack ``` -If the service is enabled, then the result should look like the following screenshot: + If the service is enabled, then the result should look like the following screenshot: -![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) + ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
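Review bot: The alt text on the re-indented image line reads "Result of the sc query command for diagtrack", but the command shown in the context above it is "sc qc diagtrack", which is the query-configuration command; since the line is being touched anyway, change the alt text to match. The closing context sentence about **START_TYPE** also stays at the left margin while the two lines above it move in by four spaces. If that sentence belongs to the same procedure step, indent it as well so the step's text stays together when rendered.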
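Review bot: In the long added-text hunk earlier in this series that contains the "Active Directory synchronization with Azure AD" section, the closing NOTE says "you don't need to integrate with Azure AD, since your main authentication method is your internal AD", which contradicts the section's own opening statement that identities must be synchronized with Azure AD before E3 or E5 licenses are deployed. Suggest removing the NOTE or rewriting it so that it agrees with the requirement, and backing its claims about remote domain controller configuration and GPO with a link. In the same hunk, both requirements paragraphs say "Windows 10 Pro, version 1703" while the upgrade section says "version 1703 or later"; use "or later" consistently. The license-assignment list links to a TechNet wiki page and a personal blog for scripted assignment; prefer first-party documentation for anything administrators will run against their tenant.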