Windows 10 in CSP


On the 1st of September a new item was added to the list of services in Partner Center: Windows 10 Enterprise E3. An end user with a Windows 10 Enterprise E3 license assigned through CSP can convert up to five Windows 10 Pro devices to Windows 10 Enterprise simply by signing in with an Azure AD account.

A month after that, Windows 10 Enterprise E5 was also added to CSP. Windows 10 Enterprise E5 is a bundle that includes Windows 10 Enterprise E3 and a Windows Defender Advanced Threat Protection (ATP) subscription.

Let's dig into the details of what this means:

  1. It works for Windows 10 Pro with the Anniversary Update (version 1607) or later.
  2. It won't work on Windows 10 Pro RTM or the November Update. The user needs to install the Anniversary Update first.
  3. It won't work for Windows 10 Home. The user needs to purchase Windows 10 Pro and upgrade Home to Pro (this doesn't require a re-install), or purchase a new device with Windows 10 Pro OEM pre-installed.
  4. It won't work directly for Windows versions prior to Windows 10 (e.g. Windows 7 or Vista), but you can now upgrade Windows 7 or Windows 8.1 machines to Windows 10 Enterprise through CSP. Read here for details.
  5. No OS re-install is required: just connect Windows 10 Pro with the Anniversary Update to Azure AD, sign in with a user who has a Windows 10 Enterprise E3 license assigned, and the device will become Windows 10 Enterprise after a reboot.
  6. Windows 10 Enterprise E3 is a "per-user" license (while traditional Windows licenses are "per-device"). The device rolls back to Windows 10 Pro after 90 days if no user with a Windows 10 Enterprise E3 license assigned signs in during that time.
  7. Users can manage the devices on which their Windows 10 Enterprise E3 license is assigned on a dedicated web portal. If they've reached the 5-device limit, they can remove unused devices using that portal and then convert a new device to the Enterprise edition.
  8. There is no Product Key and no Windows 10 installation media with this license.
  9. The license is assigned to an Azure AD user in the CSP Customer (= tenant). It makes sense to integrate on-premises AD with Azure AD to simplify the Windows 10 Enterprise deployment in a large organization.
  10. Connecting a Windows 10 device to Azure AD doesn't mean that you won't be able to connect this device to on-premises AD at the same time.

With this addition, CSP partners can provide Windows 10 Enterprise licenses to their customers as a monthly subscription instead of an annual Software Assurance purchase. Customers will be able to use the unique features of the Windows 10 Enterprise edition, with support from a local CSP partner, on their work and home devices (including Windows 10 Mobile smartphones). These features include:

  • Credential Guard - isolates derived domain credentials (NTLM password hashes and Kerberos tickets) in a virtualization-based security (VBS) environment running on the Hyper-V hypervisor. This helps prevent attackers from extracting those secrets from a device even when the Windows kernel itself has been compromised: malware running in the operating system, even at the highest privilege level, can't read secrets that Credential Guard protects. Note that it requires UEFI, Secure Boot and hardware virtualization support, it is not switched on just by converting the edition (it must be enabled through Group Policy or the registry), and it does not protect local account passwords or credentials typed into applications.
  • Device Guard - helps protect the Windows system core and prevents untrusted apps and executables from starting. It uses virtualization-based security to enforce a code-integrity policy that allows only the software vendors and apps your IT department has designated as trusted, from internal line-of-business apps to Windows Store apps to apps from specific software vendors. Because the policy enforcement and the kernel code-integrity check run in the hardware-isolated VBS environment, they are protected from tampering and bypass, even by zero-day exploits, which makes Device Guard more robust than traditional app-control products.
  • AppLocker - helps administrators determine which applications and files users can run on a device, also known as "whitelisting". These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
  • Managed User Experience - advanced lockdown capabilities that give Internet of Things (IoT) devices an extra layer of security and provide a predictable experience for line-of-business device scenarios. You can protect a device from write operations using the Unified Write Filter (UWF intercepts all write attempts to a protected volume and redirects them to a virtual overlay instead), control the Start screen layout and access to USB devices, and automatically boot into a classic Windows app or a Universal Windows app. For example, you can restrict customers at your business to using only one app, so the PC acts as a kiosk.
  • App-V - transforms applications into centrally managed services that are never installed locally and don't conflict with other applications. It also helps ensure that applications are kept current with the latest security updates.
  • UE-V - provides an enterprise-scalable user state virtualization solution that delivers a personal Windows experience across devices.
  • BranchCache
  • DirectAccess
  • Telemetry controls (the Security telemetry level, which sends only security-related and Windows Update data, is only honored on Enterprise, Education and IoT editions)
  • Windows Defender ATP (Windows 10 Enterprise E5 only) - a security service that helps customers detect, investigate, and respond to advanced and targeted attacks on their networks. It combines an endpoint behavioral sensor built into Windows 10, a cloud security analytics service, and Microsoft and community threat intelligence for investigating the data, finding new behavioral patterns, and correlating the data with existing knowledge from the security community.
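Because the conversion only makes Credential Guard and Device Guard available rather than enabling them, the first thing to check on a converted device is whether VBS is actually running and which services are configured versus running. The following PowerShell script is an added example, not code from the original post; it assumes a Windows 10 1607 or later device where the root\Microsoft\Windows\DeviceGuard WMI namespace is present, and it relies only on the documented value meanings of the Win32_DeviceGuard class.

```powershell
# Added example, not code from the original post. Reports the state of virtualization-based
# security (VBS), Credential Guard and Device Guard/HVCI on a Windows 10 (1607+) device.
# Converting Pro to Enterprise only makes these features available; they still have to be
# enabled through Group Policy or the registry, so "configured" and "running" are shown separately.
# Assumption: the root\Microsoft\Windows\DeviceGuard WMI namespace exists (Windows 10 1607+).

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # Value meanings documented for the Win32_DeviceGuard class
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Device Guard code integrity)' }
    $props     = @{ 0 = 'None'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                    4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only'; 6 = 'SMM mitigations' }
    $name = { param($map, $v) if ($map.ContainsKey([int]$v)) { $map[[int]$v] } else { "Unknown($v)" } }

    [pscustomobject]@{
        EditionID          = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
        VbsStatus          = & $name $vbsStatus $dg.VirtualizationBasedSecurityStatus
        PlatformAvailable  = @($dg.AvailableSecurityProperties | ForEach-Object { & $name $props $_ })
        PlatformRequired   = @($dg.RequiredSecurityProperties  | ForEach-Object { & $name $props $_ })
        ServicesConfigured = @($dg.SecurityServicesConfigured  | ForEach-Object { & $name $services $_ })
        ServicesRunning    = @($dg.SecurityServicesRunning     | ForEach-Object { & $name $services $_ })
    }
}

function Test-CredentialGuardRunning {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    return [bool]($dg.SecurityServicesRunning -contains 1)   # 1 = Credential Guard
}

$state = Get-VbsState
$state | Format-List

# Typical findings on a freshly converted device and what they mean
if ($state.EditionID -notin 'Enterprise', 'Education') {
    Write-Warning "On Windows 10 1607, Credential Guard and Device Guard need Enterprise or Education; this device is $($state.EditionID)."
}
elseif ($state.ServicesConfigured -contains 'Credential Guard' -and -not (Test-CredentialGuardRunning)) {
    Write-Warning 'Credential Guard is configured but not running: check UEFI boot, Secure Boot and that virtualization extensions are enabled in firmware.'
}
elseif (-not (Test-CredentialGuardRunning)) {
    Write-Warning 'Credential Guard is not configured; conversion to Enterprise does not switch it on by itself.'
}
```

The PlatformAvailable and PlatformRequired lists are the quickest way to tell a policy problem (configured but not required by the platform) from a hardware problem (a required property such as Secure Boot missing from the available list).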


More details about the Enterprise features are also available here.

Windows 10 in Partner Center

To assign a Windows 10 Enterprise E3 license to an end user, create a new Customer in Partner Center or add a new subscription to an existing one. Choose the offer called Windows 10 Enterprise E3 and the number of licenses (= users).


Then go to the Users and Licenses menu and choose the user to whom you wish to assign the Windows 10 Enterprise E3 license.


Converting Windows 10 Pro to Windows 10 Enterprise

There are two ways to convert Windows 10 Pro to Windows 10 Enterprise with a Windows 10 Enterprise E3 license.

After the first OS boot

Choose "My work or school owns this PC" during the first OS launch (e.g. the first boot of a brand new device, or right after the OS was reinstalled), choose "Join Azure Active Directory" and authenticate with the Azure AD credentials of the user who has a Windows 10 Enterprise E3 license assigned.

If you did this but the Windows edition is still shown as "Windows 10 Professional", the device most likely came with Windows 10 RTM or the Windows 10 November Update pre-installed. Install the Anniversary Update and check again.

Connect the existing OS to Azure AD

This method can be used to convert an existing device running Windows 10 Pro with the Anniversary Update to Windows 10 Enterprise. Go to Settings -> Accounts -> Access work or school and click +Connect, then choose "Join this device to Azure Active Directory" and provide the credentials of the Azure AD user who has a Windows 10 Enterprise E3 license assigned. Then sign in with that user, reboot and check whether the Windows edition has changed to Windows 10 Enterprise.
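The prerequisites listed earlier (Pro edition, Anniversary Update or later) and the final "did the edition change?" check in both methods can be verified from an elevated PowerShell prompt instead of clicking through Settings. The script below is an added example, not code from the original post or from Microsoft; it assumes dsregcmd.exe is present (Windows 10 1511 and later) and parses its "Key : Value" output lines, and it reads the edition and build from the registry and WMI.

```powershell
# Added example, not code from the original post. Checks the prerequisites for the E3
# Pro-to-Enterprise conversion (Windows 10 Pro, Anniversary Update or later) and, after the
# Azure AD join and reboot, whether the edition and activation actually changed.
# Assumptions: run elevated; dsregcmd.exe exists (Windows 10 1511+) and prints
# "Key : Value" lines such as "AzureAdJoined : YES", which is how it is parsed below.

$AnniversaryBuild = 14393   # Windows 10 1607

function Get-WindowsEditionInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        EditionID = $cv.EditionID                 # Core = Home, Professional, Enterprise
        ReleaseId = $cv.ReleaseId                 # e.g. 1607
        Build     = [int]$cv.CurrentBuild
        Caption   = $os.Caption
        Sku       = [int]$os.OperatingSystemSKU   # 48 = Professional, 4 = Enterprise
    }
}

function Get-DsregValue([string[]]$Lines, [string]$Key) {
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Key\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-JoinState {
    $out = & dsregcmd.exe /status
    [pscustomobject]@{
        AzureAdJoined = (Get-DsregValue $out 'AzureAdJoined') -eq 'YES'
        DomainJoined  = (Get-DsregValue $out 'DomainJoined')  -eq 'YES'
        TenantName    = Get-DsregValue $out 'TenantName'
    }
}

function Get-WindowsActivation {
    # Only the Windows product with a partial key installed is the one in use;
    # the ApplicationID is the well-known ID of the Windows OS in SoftwareLicensingProduct.
    Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND ApplicationID = '55c92734-d682-4d71-983e-d6ec3f16059f'" |
        Select-Object Name, Description, @{ n = 'Licensed'; e = { $_.LicenseStatus -eq 1 } }
}

function Test-E3Eligibility {
    param($Info = (Get-WindowsEditionInfo))
    $problems = @()
    if ($Info.EditionID -in 'Core', 'CoreSingleLanguage', 'CoreCountrySpecific') {
        $problems += 'Windows 10 Home: upgrade to Pro first (no reinstall needed)'
    }
    elseif ($Info.EditionID -notin 'Professional', 'Enterprise') {
        $problems += "Unsupported edition: $($Info.EditionID)"
    }
    if ($Info.Build -lt $AnniversaryBuild) {
        $problems += "Build $($Info.Build) is older than the Anniversary Update ($AnniversaryBuild); install it first"
    }
    return $problems
}

# --- report ---
$info     = Get-WindowsEditionInfo
$join     = Get-JoinState
$problems = Test-E3Eligibility -Info $info

"Edition: $($info.EditionID) (build $($info.Build), version $($info.ReleaseId))"
"Azure AD joined: $($join.AzureAdJoined)  Tenant: $($join.TenantName)  Domain joined: $($join.DomainJoined)"
Get-WindowsActivation | Format-Table -AutoSize

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
elseif ($info.EditionID -eq 'Enterprise') { 'Conversion to Windows 10 Enterprise has taken effect.' }
elseif ($join.AzureAdJoined) { 'Device is Azure AD joined but still Pro: sign in with the E3-licensed user, reboot, then re-run.' }
else { 'Device is eligible; join it to Azure AD with the E3-licensed user.' }
```

Run it once before the join to catch the Home-edition and pre-1607 cases from the list above, and once after the post-join reboot: a device that still reports Professional at that point is the situation the previous paragraph describes, and the build number shown tells you immediately whether the Anniversary Update is the cause.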


You can find more details in the Windows 10 Enterprise E3 CSP Technical Guide.

Comments (7)

  1. Jakob Strøm says:

    This article is incorrect, and it is incorrect on a very big subject!

    10. Connecting Windows 10 device to Azure AD doesn’t mean that you won’t be able to connect this device to On-Premise AD at the same time.

    This is NOT true. You can only Azure AD join if the workstation is NOT already joined to a local on-prem AD. This makes the product as of now very limited in use-cases.
    You can overcome this by disjoining the local on-prem AD. Reboot, join Azure AD, reboot, log in as the cloud user, reboot, disjoin Azure AD, reboot, join the local on-prem AD, reboot, and your device is now Enterprise. Now we have not been able to get a response from MS on whether the device in this way will keep its E3 license, or if it will roll back to Pro. So right now we are in a limbo.

    It would be really great if you could shed some light on this, because the product seems so new that even MS is not quite sure about how it works.
    On top of this, the marketing that this license is user based is in my eyes not entirely true. If it was user based, the license would up/downgrade according to log in every time, and it clearly is dependent on the device and not only on the user. The upgrade path you have to take as an administrator, as described above, makes this product not worthwhile until you fix it.
    The product should instead be able to upgrade to E3 Enterprise if you just added a Work or school account. Azure AD domain join (which cannot be done when you are already local AD joined) is a multiple-step thing that you cannot demand the user to do by himself, AND it requires the user of the machine to be a local administrator if the machine is joined to an on-prem AD.

    1. Here is the link with a guide on how to join a Windows 10 device to Azure AD if it is already joined to a domain:
      https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/

      We call it a "user-based license" because a user can log on with his/her Azure AD credentials on several devices and all of them will convert to Windows 10 Enterprise. Before, with traditional per-device Windows licenses, you were required to purchase a separate Windows Upgrade with SA license for every device; now one user with several devices needs only one license.

      1. Matt says:

        But joining via GPO as per the link means the devices don't show in the portal:
        “Windows 10 devices that are domain-joined with automatic device registration do not show up under the USER info. You need to use PowerShell to see all devices. ”
        https://docs.microsoft.com/en-us/azure/active-directory/active-directory-device-registration-faq
        This is bad, because if you enable BitLocker and the key is stored in Azure AD, you can't see the key?!?

  2. Leider says:

    No one in MS can help me and I have not had a response for a month. I've opened support cases and they left me on hold. Why do they invoice something they do not handle?

    Can somebody help me? I have a computer that I installed with Windows 10 Pro (1703) and a CSP subscription. The subscription activates correctly but Windows does not.

    1. Hi Leider,

      What is the support ticket ID?

  3. Risto says:

    Hello Kirill,

    You mention that you can remove machines at https://account.activedirectory.windowsazure.com/profile/Default.aspx, but I can't. There are no machines in that list. Does this require additional licenses? AAD Premium perhaps?

    I have 5 devices AAD joined and Windows E5 running properly, but I cannot figure out how to deactivate a machine to move E3/E5 to another one.

    Br,
    R

    1. I'm sorry, but I'm not covering Windows 10 in CSP anymore, so I don't have access to the proper tools to check that. I recommend you post this question here to get an answer from the Windows 10 CSP team: https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-e3-overview
