Windows Subscription Activation allows you to ‘upgrade’ devices with existing Windows 10/11 Pro licences to Windows 10 Enterprise or Windows 10 Education.
If your organisation already has A3/E3 or A5/E5 licences, you already have access to Windows 10 Enterprise/Education licences through the ‘Step up’ feature of Windows. In this article I will explain some common issues which may stop a device from automatically upgrading using Windows Subscription Activation.
1. Devices must have a Windows 10 Pro licence as a baseline
All devices must already have a valid Windows 10 Pro or Windows 10 Education Pro licence key for Windows Subscription Activation to upgrade your device to Enterprise or Education. Since W10 1803, Windows supports pulling the key from the BIOS, known as an ‘embedded key’. If you have purchased devices in the last few years with Windows Pro already installed, the key will be embedded into the firmware, meaning you can use the Media Creation Tool to download the ISO files and deploy via an OSD tool like MDT. Windows will automatically pick up the licence from the firmware and show as ‘Windows is activated with a digital licence’.
If this is not the case, ensure the version of Windows you have installed matches the embedded key. For example, if you have installed Windows Education and the embedded key is Windows Pro, it will fail to activate.
If you have installed Win 10 Education and your embedded licence is Win 10 Pro but don't want to reimage the machine, run the following command from PowerShell to display your embedded licence key:
wmic path SoftwareLicensingService get OA3xOriginalProductKey
Then use this command to change your Windows edition to Professional:
dism /online /set-edition:professional /productkey:XXXX-XXXX-XXXX-XXXX /accepteula
2. Devices must be Hybrid Azure AD Joined or Azure AD Joined
For Windows Subscription Activation to work, your target device must be Azure AD joined or hybrid joined to your Azure AD. The device should be able to access the following URLs as SYSTEM:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com
Your ADFS server address if you have one e.g. https://sts.contoso.com
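The checks from sections 1 and 2 can be run together on a device before you look at licensing or Conditional Access. The script below is an added example, not the author's own code: it reports whether Windows is activated, whether a firmware key is present, the Azure AD join state, and whether each endpoint above answers on TCP 443. Assumptions: the $AdfsHost parameter and the Add-Result helper are names made up for this example, the ApplicationID GUID is the Windows licensing application ID and does not come from this article, and the script is run in the SYSTEM context (for example from a scheduled task running as SYSTEM).

```powershell
# Added example: pre-flight check for prerequisites 1 and 2. Run as SYSTEM.
param([string]$AdfsHost = '')   # assumption: your own ADFS host, if you have one

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# 1. Installed edition, activation state and embedded (firmware) key
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # Windows ApplicationID
$licensed = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter `
    "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL AND LicenseStatus=1"
Add-Result 'Windows activated' ([bool]$licensed) "Edition: $edition"

$oa3Key = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
if ([string]::IsNullOrWhiteSpace($oa3Key)) {
    Add-Result 'Embedded key' $false 'No OA3 key found in firmware'
} else {
    # Show only the last group so the full key never lands in logs or tickets
    Add-Result 'Embedded key' $true ('*****-' + $oa3Key.Substring($oa3Key.Length - 5))
}

# 2. Join state, parsed from the text output of dsregcmd /status
$dsreg = dsregcmd /status | Out-String
$aadJoined    = $dsreg -match 'AzureAdJoined\s*:\s*YES'
$domainJoined = $dsreg -match 'DomainJoined\s*:\s*YES'
$joinType = 'Not joined to Azure AD'
if ($aadJoined) { $joinType = 'Azure AD joined' }
if ($aadJoined -and $domainJoined) { $joinType = 'Hybrid Azure AD joined' }
Add-Result 'Azure AD join' $aadJoined $joinType

# 2. Reachability of the endpoints listed above (direct TCP test, no proxy)
$endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'autologon.microsoftazuread-sso.com'
)
if ($AdfsHost) { $endpoints += $AdfsHost }
foreach ($endpoint in $endpoints) {
    $ok = Test-NetConnection -ComputerName $endpoint -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Result "TCP 443 to $endpoint" ([bool]$ok) ''
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }   # non-zero exit for deployment tooling
```

A failed endpoint row can also mean the device only reaches the internet through a proxy, because Test-NetConnection opens a direct TCP connection.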
3. Users must have a valid Windows 10/11 Enterprise licence assigned
For Windows to step up from Pro to Enterprise, you must have a valid Windows 10/11 Enterprise licence assigned to your user(s). To do this, go to the Microsoft 365 Admin Panel User > Licences and ensure Windows 10/11 Enterprise is ticked.
4. Conditional Access or MFA is enabled
If you use Multi-Factor Authentication in your organisation (which you should) then Windows Subscription Activation will not work, even if you have verified that the above 3 steps are correct.
To fix this you need to allow an exception in your conditional access policy.
Head to Azure Active Directory and click Protect & Secure > Conditional Access and open up your MFA policy.
Under ‘Cloud Apps or Actions’ click Exclude and search for Universal Store Service APIs and Web Application.
Once this is added and all the above steps are correct, your device will automatically ‘step up’ to Windows 10 Enterprise or Education.
#EdTech Network Manager, experienced in Microsoft 365, Server 2019, Intune, SCCM and anything in between.