Back in June when we announced Windows AutoPilot, we also talked about another feature to automatically step up from Windows 10 Pro to Windows 10 Enterprise on Azure AD user logon, a key requirement to be able to use an off the shelf OEM device as soon as it comes out of the box, without reimaging.
So how exactly does this work? Many assume that this is done by Microsoft Intune (or other MDM services) pushing down a policy to change the Windows 10 product key, either using a MAK key or a KMS key. And while that’s certainly possible to do, that approach is not ideal: MAK keys have limited activation counts, so you have to make sure you don’t run out of activations, and KMS requires periodic connectivity to the corporate network as well as on-premises infrastructure.
That’s where the new Windows 10 Subscription Activation feature comes in. By leveraging Azure Active Directory, you can eliminate product keys altogether. Instead, you can assign Windows 10 Enterprise E3 or E5 licenses directly to Azure AD users (just like you would with Office 365 or EMS) so that when a user logs onto a Windows 10 Pro device, it automatically steps up to Windows 10 Enterprise, making all the enterprise features instantly available. You can see the result of this step-up in the Settings app, where it shows you that the subscription is active:
The device will check with Azure Active Directory to ensure that the user still has a valid subscription license, so periodic internet access is required. If the license is removed or if the device is unable to check after a period of trying, it will step down to Windows 10 Pro automatically.
This also works for traditional Active Directory-joined devices too, as long as you have set up hybrid Azure Active Directory join to synchronize between your Active Directory domain and Azure Active Directory tenant. (Note that using the “Add work account” process to associate your Azure Active Directory account with a device is not supported, since these devices are assumed to be personal ones.)
If you have an active per-user Windows 10 Enterprise E3 or E5 or Windows VDA E3 or E5 subscription, there are some steps that need to be performed to make the license available in Azure Active Directory: a corresponding $0 Add-On license, which starts the process of adding the license to Azure AD, and then your designated volume licensing admin (online services contact) will receive and process some e-mailed instructions. For more information on that, see the Windows 10 Subscription Activation documentation. Once this is done, you can see the license in Azure Active Directory:
Note that this is not designed as a straight replacement for KMS or MAK activation. Windows 10 Subscription Activation requires that the original Windows 10 Pro OS is already activated (typically through OEM activation using the key embedded in the firmware of the device) – this enables automatic compliance for the underlying Pro edition licensing requirement to deploy Windows.
Windows 10 Subscription Activation is supported with Windows 10 Pro version 1703 and later releases. Azure Active Directory is also needed, but any Azure AD edition will work. A per-user Windows 10 Enterprise E3 or E5 subscription through an Enterprise Agreement (EA) or Microsoft Products & Services Agreements (MPSA) is also needed. (For SMB customers, similar capabilities were announced last year as part of the Cloud Solution Provider [CSP] channel.)
To learn more about Windows 10 Subscription Activation, check out the Microsoft Ignite session recording.
Continue the conversation. Find best practices. Visit the Windows 10 Tech Community.
Looking for support? Visit the Windows 10 IT pro forums.