-->

This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with Windows 10 Enterprise Subscription Activation or Windows 10 Enterprise E3 in CSP and Azure Active Directory (Azure AD).

Microsoft 365 E3 combines best-in-class productivity apps with core security and compliance capabilities. Improve productivity and foster a culture of collaboration with connected experiences. Transform how you manage your business and enhance customer relationships with. Apr 06, 2021 If you purchased Azure and Microsoft 365 subscriptions separately and want to access the Microsoft 365 Azure AD tenant from your Azure subscription, see the instructions in Add an existing Azure subscription to your Azure Active Directory tenant. Microsoft cloud for enterprise architects illustrations.

Note

• Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
• Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
• Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
• Windows 10 Enterprise Subscription Activation requires Windows 10 Enterprise per user licensing; it does not work on per device based licensing.

Microsoft 365 Enterprise E3 For Symphony

Important

An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdateDoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0.

Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > 'Do not connect to any Windows Update Internet locations' is set to 'Disabled'.

Firmware-embedded activation key

To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt:

If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.

Enabling Subscription Activation with an existing EA

If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:

1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:

   • AAA-51069 - Win10UsrOLSActv Alng MonthlySub Addon E3
   • AAA-51068 - Win10UsrOLSActv Alng MonthlySub Addon E5

2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.

3. The admin can now assign subscription licenses to users.

Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:

1. Sign in to the Microsoft Volume Licensing Service Center.

2. Click Subscriptions.

3. Click Online Services Agreement List.

4. Enter your agreement number, and then click Search.

5. Click the Service Name.

6. In the Subscription Contact section, click the name listed under Last Name.

7. Update the contact information, then click Update Contact Details. This will trigger a new email.

Also in this article:

• Explore the upgrade experience: How to upgrade devices using the deployed licenses.
• Troubleshoot the user experience: Examples of some license activation issues that can be encountered, and how to resolve them.

Active Directory synchronization with Azure AD

You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.

You might ask why you need to synchronize these identities. The answer is so that users will have a single identity that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.

Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD. Microsoft Azure Active Directory Connect (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.

Figure 1. On-premises AD DS integrated with Azure AD

For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:

Note

If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers.

Preparing for deployment: reviewing requirements

Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see Review requirements on devices, later in this topic.

Assigning licenses to users

Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:

The following methods are available to assign licenses:

1. When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 or E5 licenses to users.

2. You can sign in to portal.office.com and manually assign licenses:

3. You can assign licenses by uploading a spreadsheet.

4. A per-user PowerShell scripted method of assigning licenses is available.

5. Organizations can use synchronized AD groups to automatically assign licenses.

Explore the upgrade experience

Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices?

Step 1: Join Windows 10 Pro devices to Azure AD

Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.

To join a device to Azure AD the first time the device is started

1. During the initial setup, on the Who owns this PC? page, select My organization, and then click Next, as illustrated in Figure 2.
   

   Figure 2. The “Who owns this PC?” page in initial Windows 10 setup

2. On the Choose how you’ll connect page, select Join Azure AD, and then click Next, as illustrated in Figure 3.
   

   Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup

3. On the Let’s get you signed in page, enter the Azure AD credentials, and then click Sign in, as illustrated in Figure 4.
   

   Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup

Now the device is Azure AD–joined to the company’s subscription.

To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up

Important

Make sure that the user you're signing in with is not a BUILTIN/Administrator. That user cannot use the + Connect button to join a work or school account.

1. Go to Settings > Accounts > Access work or school, as illustrated in Figure 5.
   

   Figure 5. Connect to work or school configuration in Settings

2. In Set up a work or school account, click Join this device to Azure Active Directory, as illustrated in Figure 6.
   

   Figure 6. Set up a work or school account

3. On the Let’s get you signed in page, enter the Azure AD credentials, and then click Sign in, as illustrated in Figure 7.
   

   Figure 7. The “Let’s get you signed in” dialog box

Now the device is Azure AD–joined to the company's subscription.

Step 2: Pro edition activation

Important

If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in Settings > Update & Security > Activation, as illustrated in Figure 7a.

Figure 7a - Windows 10 Pro activation in Settings

Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).

Step 3: Sign in using Azure AD account

Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in Figure 8. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.

Figure 8. Sign in by using Azure AD account

Step 4: Verify that Enterprise edition is enabled

Microsoft 365 Enterprise E3 Pricing

You can verify the Windows 10 Enterprise E3 or E5 subscription in Settings > Update & Security > Activation, as illustrated in Figure 9.

Figure 9 - Windows 10 Enterprise subscription in Settings

If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the Activation panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.

Note

If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:Name: Windows(R), Professional editionDescription: Windows(R) Operating System, RETAIL channelPartial Product Key: 3V66T

Virtual Desktop Access (VDA)

Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another qualified multitenant hoster.

Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See Enable VDA for Enterprise Subscription Activation.

Troubleshoot the user experience

In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:

• The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later.

• The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.

Use the following figures to help you troubleshoot when users experience these common problems:

• Figure 9 (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.

• Figure 10 (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.

  
  
  Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings

• Figure 11 (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.

  
  
  Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings

• Figure 12 (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.

  
  
  Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings

Review requirements on devices

Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.

To determine if a device is Azure Active Directory joined:

1. Open a command prompt and type dsregcmd /status.
2. Review the output under Device State. If the AzureAdJoined status is YES, the device is Azure Active Directory joined.

To determine the version of Windows 10:

At a command prompt, type: winver

A popup window will display the Windows 10 version number and detailed OS build information.

If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.

-->

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely.

Microsoft 365 for enterprise is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.

Components

Microsoft 365 for enterprise consists of:

Services	Description
Local apps and cloud-based apps and productivity services	Includes both Microsoft 365 Apps for enterprise, the latest Office apps for your PC and Mac (such as Word, Excel, PowerPoint, Outlook, and others), and a full suite of online services for email, file storage and collaboration, meetings, and more.
Windows 10 Enterprise	Meets the needs of both large and midsize organizations. It's the most productive and secure version of Windows for users. For IT professionals, it also provides comprehensive deployment, device, and app management.
Device management and advanced security services	Includes Microsoft Intune, which is a cloud-based enterprise mobility management service that helps enable your workforce to be productive while protecting your organization data.

Plans

Microsoft 365 for enterprise is available in three plans.

Plan name	Capabilities
E3	Access the Microsoft 365 core products and features to securely enhance workplace productivity and drive innovation.
E5	Access the Microsoft 365 latest products and features. These include Defender for Office 365, security tools, and collaboration tools. This plan includes all E3 capabilities, plus advanced security, voice, and data analysis tools.
F3	Connect with your first-line workers through purpose-built tools and resources that they can use to help them do their best work.

If you have Microsoft 365 E3, you can also get these add-ons:

• Identity & Threat Protection
• Information Protection & Compliance
• Microsoft 365 E5 Insider Risk

Microsoft 365 E3 users can use these add-ons to take advantage of some of the additional features Microsoft 365 E5 includes.

For more information, see Features and capabilities for each plan.

Get the big picture

The Microsoft 365 for enterprise poster is a central location for you to view:

• The benefits of Microsoft 365 for enterprise, and how apps and services map to its value pillars.
• Microsoft 365 for enterprise plans and which components they contain.
• The key components of the Microsoft modern workplace, which Microsoft 365 for enterprise enables.
• The Microsoft 365 Productivity Library and representative scenarios for some common organization departments.

You can also download a copy of the poster.

Transition your entire organization

To get a better picture about how to move your entire organization to the products and services in Microsoft 365 for enterprise, see the transition poster.

This two-page poster is a quick way to inventory your existing infrastructure. It helps you to find guidance and move to the corresponding product or service in Microsoft 365 for enterprise. It includes Windows and Office products and other infrastructure and security elements, such as device management, identity, and information and threat protection.

Microsoft 365 Enterprise E3 Trial

End of support for Windows 7 and Office 2010 clients and servers

Windows 7 reached end of support on January 14, 2020.

These products reached end of support on October 13, 2020:

SharePoint Server 2010 will reach end of support on April 13, 2021.

For a visual summary of the upgrade, migrate, and move-to-the-cloud options for these products, see the end of support poster.

This one-page poster is a quick way to understand the various paths you can take to prevent Windows 7 and Office 2010 client and server products from reaching end of support, with preferred paths and support in Microsoft 365 for enterprise highlighted.

You can also download this poster and print it in letter, legal, or tabloid (11 x 17) formats.

Plan for and deploy

There are three ways to plan for and deploy the products, features, and components of Microsoft 365 for enterprise:

• In partnership with FastTrack

  With FastTrack, Microsoft engineers help you move to the cloud at your own pace. See FastTrack for Microsoft 365.

• With the help of Microsoft Consulting Services or a Microsoft partner

  Consultants can analyze your current infrastructure and help you develop a plan to incorporate all the software and services of Microsoft 365 for enterprise.

• Do it yourself

  Start with the Networking roadmap to build out or verify your existing infrastructure and productivity workloads.

For an example of how a fictional but representative multinational organization has deployed Microsoft 365 for enterprise, see the Contoso Corporation case study.

Additional Microsoft 365 products

• Bring together the best-in-class productivity and collaboration capabilities with device management and security solutions to safeguard business data for small and midsize businesses.

• Empower educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education.

• Empower United States public sector employees to work together, securely.

Best together with Surface and the Edge browser

Optimize your user’s integrated and secure productivity with the best-together combination of Microsoft 365 for enterprise, Microsoft Surface devices, and the Microsoft Edge browser. This cross-product integration provides:

• A common identity and sign-in security infrastructure.
• Integrated local and cloud apps for search, collaboration, productivity, and compliance.
• Comprehensive and integrated security for hardware, browser, local app, and cloud apps.
• A common infrastructure for IT management of installs and updates.

Here is an example for an enterprise organization.

For more information and configuration examples for a small and medium business and an educational institution, download the Best together poster.

Microsoft 365 training

To learn more about Microsoft 365 and work toward a Microsoft 365 certification, you can start with Microsoft 365 Certified: Fundamentals.

See also