Tuesday, May 09, 2017

Windows 10 Enterprise E3 CSP - Activation Gotchas!

So Microsoft introduced the concept of Windows 10 Enterprise E3 or E5, which can only be purchased from CSPs - https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-e3-overview

The technical challenge is that the activation of Windows 10 Enterprise E3 (from Windows 10 Pro OEM) is not done using a product key, but requires Azure AD device registration - OR - Azure AD Join. These two things are fundamentally very different, and requires very different technical implication to work.

Scenario: Customer has bought a lot of replacement desktops, and they come with Windows 10 Pro OEM.  They bought Secure Productivity Enterprise E3 (SPE E3) from a CSP, which comes with Windows 10 Enterprise E3.

Customer requirement: The new computers will continue to be on-premises AD joined. The Windows 10 Enterprise activation should happen automatically and require no user intervention. The users shouldn't need to do anything different from Windows 7 - i.e. not use User Principal Name (UPN) to sign on, nor needing to do any AAD Join manually. Because this computer will be on-premises AD joined, it is not possible to simultaneously joined to Azure AD as well.

High level steps:
  1. Implement Azure AD Connect. Ensure that user accounts (who will log onto the Windows 10 computers) and Windows 10 computer accounts are synced
  2. Create the Service Connection Point for Azure AD automatic device registration. Follow instruction located here (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) 
    1. Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";
    2. $aadAdminCred = Get-Credential;
    3. Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred;
  3. Deploy WPAD in your environment. Windows 10 does not respect Internet Explorer proxy settings and the only way to get this working is deploying WPAD. 
  4. Ensure that "licensing.mp.microsoft.com" can be accessed from the Windows 10 clients 
  5. And now for the secret sauce - make sure that the GPO for "Do not connect to any Windows Update Internet locations" is TURNED OFF!

In the Microsoft documentation for Azure AD automatic device registration, it is mentioned that the GPO for "Automatically workplace join client computers" can be used to control the rollout - but based on testing, this is no longer required for Windows 10 1607 (Anniversary Update) onwards. 

The requirement to access licensing.mp.microsoft.com and the related GPO "Do not connect to any Windows Update Internet locations" is a major surprised for me, as this is not mentioned anywhere, not even in forums.

So hope this would help someone out there.

Bonus tip: to confirm Azure AD automatic device registration is successful, on the Windows 10 computer, look at event viewer > Applications and Services Logs > Microsoft > Windows > User Device Registration.

Bonus tip 2: also to confirm, run the following command line: dsregcmd /status - more information here https://docs.microsoft.com/en-us/azure/active-directory/active-directory-device-registration-troubleshoot-windows