Tuesday, May 09, 2017

Windows 10 Enterprise E3 CSP - Activation Gotchas!

So Microsoft introduced the concept of Windows 10 Enterprise E3 or E5, which can only be purchased from CSPs - https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-e3-overview

The technical challenge is that activation of Windows 10 Enterprise E3 (upgrading from Windows 10 Pro OEM) is not done with a product key; it requires either Azure AD device registration OR Azure AD Join. These two are fundamentally very different, and each requires a very different technical implementation to work.

Scenario: Customer has bought a lot of replacement desktops, and they come with Windows 10 Pro OEM.  They bought Secure Productivity Enterprise E3 (SPE E3) from a CSP, which comes with Windows 10 Enterprise E3.

Customer requirement: The new computers will continue to be on-premises AD joined. The Windows 10 Enterprise activation should happen automatically and require no user intervention. The users shouldn't need to do anything different from Windows 7 - i.e. not use a User Principal Name (UPN) to sign on, nor do any AAD Join manually. Because these computers will be on-premises AD joined, they cannot simultaneously be joined to Azure AD as well.

High level steps:
  1. Implement Azure AD Connect. Ensure that the user accounts (who will log onto the Windows 10 computers) and the Windows 10 computer accounts are synced.
  2. Create the Service Connection Point for Azure AD automatic device registration. Follow the instructions here (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup):
    1. Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";
    2. $aadAdminCred = Get-Credential;
    3. Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred;
  3. Deploy WPAD in your environment. Windows 10 does not respect the Internet Explorer proxy settings for this, and the only way to get it working is to deploy WPAD.
  4. Ensure that "licensing.mp.microsoft.com" can be accessed from the Windows 10 clients.
  5. And now for the secret sauce - make sure that the GPO "Do not connect to any Windows Update Internet locations" is TURNED OFF!
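As an added example (not part of the original post), the following PowerShell function pre-flights the five steps above from a domain-joined Windows 10 client in an elevated session. It looks for the Azure AD Connect Service Connection Point under Microsoft's well-known SCP GUID in the configuration partition, checks that WPAD resolves and serves a PAC file, tests TCP 443 to licensing.mp.microsoft.com, and reads the registry value that the "Do not connect to any Windows Update Internet locations" policy writes (DoNotConnectToWindowsUpdateInternetLocations under the WindowsUpdate policy key). The function name and the result field names are my own; the assumption that WPAD is published as wpad.<your DNS domain> is noted in the code.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on a domain-joined Windows 10 client. Names are the author's own.

function Test-E3ActivationPrereqs {
    [CmdletBinding()]
    param(
        # Host the post says must be reachable for the Pro -> Enterprise step-up.
        [string]$LicensingHost = 'licensing.mp.microsoft.com'
    )

    $result = [ordered]@{}

    # Steps 1-2: the SCP created by Initialize-ADSyncDomainJoinedComputerSync
    # lives under a fixed GUID in CN=Services of the configuration partition.
    try {
        $cnc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
        $scp = [ADSI]"LDAP://CN=62a0ff2e-97b9-4ae1-a9a9-f4fd4b18c9b1,CN=Device Registration Configuration,CN=Services,$cnc"
        $keywords = @($scp.keywords)          # e.g. azureADName:contoso.com, azureADId:<tenant guid>
        $result.ScpPresent = $keywords.Count -gt 0
        $result.ScpTenant  = ($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    } catch {
        $result.ScpPresent = $false
        $result.ScpTenant  = $null
    }

    # Step 3: WPAD. Assumption: the PAC is published at http://wpad.<dns domain>/wpad.dat.
    # The registration task runs as SYSTEM, so the user's IE proxy setting is not used.
    $wpadName = "wpad.$env:USERDNSDOMAIN"
    $result.WpadResolves = [bool](Resolve-DnsName -Name $wpadName -ErrorAction SilentlyContinue)
    try {
        $pac = Invoke-WebRequest -Uri "http://$wpadName/wpad.dat" -UseBasicParsing -TimeoutSec 5
        $result.WpadServesPac = ($pac.StatusCode -eq 200)
    } catch {
        $result.WpadServesPac = $false
    }

    # Step 4: plain TCP reachability of the licensing endpoint on 443.
    $result.LicensingReachable = (Test-NetConnection -ComputerName $LicensingHost -Port 443 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # Step 5: the "Do not connect to any Windows Update Internet locations"
    # policy sets this DWORD to 1 when enabled; that is the state to avoid.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $val = (Get-ItemProperty -Path $wuKey -Name DoNotConnectToWindowsUpdateInternetLocations `
        -ErrorAction SilentlyContinue).DoNotConnectToWindowsUpdateInternetLocations
    $result.WuInternetBlockedByGpo = ($val -eq 1)

    $result.AllClear = $result.ScpPresent -and $result.WpadResolves -and
                       $result.LicensingReachable -and (-not $result.WuInternetBlockedByGpo)
    [pscustomobject]$result
}

Test-E3ActivationPrereqs | Format-List
```

WuInternetBlockedByGpo is the field to look at first when a machine stays on Pro: a value of $true means the policy from step 5 is still applied, and the Enterprise step-up will not happen until that GPO is reversed and policy has refreshed.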

In the Microsoft documentation for Azure AD automatic device registration, it is mentioned that the GPO for "Automatically workplace join client computers" can be used to control the rollout - but based on testing, this is no longer required for Windows 10 1607 (Anniversary Update) onwards. 

The requirement to reach licensing.mp.microsoft.com and the related GPO "Do not connect to any Windows Update Internet locations" was a major surprise to me, as it is not mentioned anywhere, not even in forums.

So I hope this helps someone out there.

Bonus tip: to confirm Azure AD automatic device registration is successful, on the Windows 10 computer, look at event viewer > Applications and Services Logs > Microsoft > Windows > User Device Registration.

Bonus tip 2: also to confirm, run the following command line: dsregcmd /status - more information here https://docs.microsoft.com/en-us/azure/active-directory/active-directory-device-registration-troubleshoot-windows
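Both bonus tips can be scripted, which is handy when checking a batch of new desktops. The following is an added example (not from the original post): one function runs dsregcmd /status and parses its "Name : Value" lines into an object, and a second reads the same User Device Registration log shown in Event Viewer through Get-WinEvent, keeping only errors and warnings. The field names AzureAdJoined, DomainJoined, TenantName and DeviceId are as printed by dsregcmd on Windows 10 1709 and later (older builds print fewer fields); the function names are my own.

```powershell
# Added example, not from the original post. Run on the Windows 10 client
# whose registration you want to confirm.

function Get-DeviceRegistrationStatus {
    # Turn the "Name : Value" lines of dsregcmd /status into a lookup table.
    $parsed = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $parsed[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($parsed['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($parsed['DomainJoined']  -eq 'YES')
        # Hybrid Azure AD joined = on-premises domain joined AND registered in Azure AD.
        HybridJoined  = ($parsed['AzureAdJoined'] -eq 'YES' -and $parsed['DomainJoined'] -eq 'YES')
        TenantName    = $parsed['TenantName']
        DeviceId      = $parsed['DeviceId']
    }
}

function Get-DeviceRegistrationEvents {
    param([int]$MaxEvents = 25)
    # Same log as Event Viewer > Applications and Services Logs > Microsoft >
    # Windows > User Device Registration, restricted to Error (2) and Warning (3).
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }   # first line only
}

Get-DeviceRegistrationStatus | Format-List
Get-DeviceRegistrationEvents | Format-Table -AutoSize
```

A machine that is correctly set up for the scenario in this post shows AzureAdJoined and DomainJoined both $true (i.e. HybridJoined) and no recent errors in the log; if AzureAdJoined is $false, the warnings and errors from the second function usually name the step (SCP lookup, proxy, or token acquisition) that failed.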


Steven said...

I'm running into this same exact scenario, however I can't seem to get it to activate for me.

Both user and PC are in azure AD.
The Device is Azure AD hybrid joined.
Internet Update GPO is set.

What do you mean by 'deploy WPAD'?

NathenNod said...

Implement WPAD - see https://technet.microsoft.com/en-au/library/cc995261.aspx

Sebastian said...

This "Do not connect to any Windows Update Internet locations" GPO was preventing this in my case. Thank you very much for sharing your knowledge!!!

P.Thakor said...

Hello,

We have on-premises AD synced to Office 365 (Azure) and users having E3 licences.

Dell desktops with Windows 10 Pro version 1803 are joined to on-premises AD, and they are activated as Windows Pro using the Dell embedded digital license.

Also Windows 10 Machines are showing in Azure AD Portal with "Hybrid Azure AD joined"

and dsregcmd /status shows AzureAdJoined : YES

But machines are not getting upgraded from Pro to Enterprise.

Can you please help me with what can be done about this issue?