In a migration phase to Windows 10 we wanted to be able to benefit from the fairly new Windows 10 Subscription Activation method for the existing environment. One of the requirements for us was that we could do this with Hybrid Azure AD Joined devices. With this post I will try to guide you through the settings and steps for the setup to work properly.
In this scenario the environment looked like this from the beginning:
Domain functional level: Windows Server 2012 R2
Windows 7 machines ready to be upgraded to Windows 10
All Windows clients domain-joined to an on-premise domain
An active Office 365 tenant existed
Azure AD Connect was configured with password synchronization only
An active Azure AD Premium P1 subscription existed
Now that we have the background information about the environment, let's list the things we needed to do before we could successfully make Windows 10 Subscription Activation work for the new Windows 10 devices.
- Configure a service connection point
- Enable device writeback in Azure AD Connect
- Sync computers accounts via Azure AD Connect
- Create a GPO so domain-joined computers automatically and silently register as devices with Azure Active Directory
- Upgrade existing computer or install a new one with Windows 10 Pro 1709 and on-premise domain-join the device
- Verify that the Windows 10 computer registers as a Hybrid Azure AD Joined device in the Azure Active Directory admin center
- Assign a Windows 10 E3/E5 license to a user in Office 365 Admin Center
- Log onto the computer with the user you assigned the license to
- Confirm that the Windows 10 Pro 1709 computer steps up to Enterprise
Now I will describe most of the steps in more detail so it’s easier for you to understand what needs to be done.
To configure a service connection point, follow the steps below:
In newer versions of Azure AD Connect and when running Express settings, this SCP is created automatically here:
CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=dc,DC=dc
You can also retrieve the setting with PowerShell:
$scp = New-Object System.DirectoryServices.DirectoryEntry
$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=dc,DC=dc"
$scp.Keywords
In this case, it had not been created, probably because an older version of Azure AD Connect had been installed that did not perform this step. Run the commands below as admin from the Microsoft Azure Active Directory Module for Windows PowerShell on the Azure AD Connect server, which also needs RSAT-ADDS installed in order to create the SCP. Make sure you have version 1.1.166 of the module installed.
Connect-MsolService
Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
$aadAdminCred = Get-Credential
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount yourADConnectorAccount -AzureADCredentials $aadAdminCred
Verify that the SCP has been created by running the PowerShell retrieval command above again.
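As an added example (not from the original post), the following PowerShell check resolves the configuration naming context from RootDSE instead of the DC=dc placeholder, tests whether the SCP exists, and then confirms that its keywords carry the tenant name and tenant ID in the azureADName:/azureADId: format Azure AD Connect writes. The object GUID is the one shown above; everything else is assumed to run on a domain-joined machine with RSAT-ADDS.

```powershell
# Added example: verify the Azure AD device registration SCP in the local forest.
# Assumes a domain-joined machine (e.g. the Azure AD Connect server) with RSAT-ADDS.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value      # e.g. CN=Configuration,DC=corp,DC=example
$scpPath  = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
    Write-Warning "SCP not found at $scpPath. Run Initialize-ADSyncDomainJoinedComputerSync first."
    return
}

$scp      = [ADSI]$scpPath
$keywords = @($scp.keywords)                                # multi-valued attribute

# Azure AD Connect stores the tenant as two keywords: azureADName:<verified domain> and azureADId:<tenant guid>
$tenantName = ($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
$tenantId   = ($keywords | Where-Object { $_ -like 'azureADId:*'   }) -replace '^azureADId:', ''

if (-not $tenantName -or -not $tenantId) {
    Write-Warning "SCP exists but keywords are incomplete: $($keywords -join '; ')"
} else {
    "SCP OK: tenant $tenantName ($tenantId)"
}
```

Compare the printed tenant ID with the tenant shown in the Azure AD admin center; a mismatch means clients will try to register against the wrong directory.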
To enable device writeback in Azure AD Connect and sync computer accounts, follow the steps below:
This is done from the Azure AD Connect server.
- Azure AD Connect > Customize synchronization
- Connect to Azure AD > with an admin account
- Domain and OU filtering: add Registered Devices
- Domain and OU filtering: add your computer OU
- Next
- [v] Password synchronization
- [v] Device writeback
- Device writeback forest: choose your forest
- Next > Finish
To create the GPO for domain-joined computers to automatically and silently register as devices with Azure Active Directory, follow the steps below:
- Create a new GPO
- Computer Configuration/Policies/Administrative Templates/Windows Components/Device Registration
- Enable: Register domain joined computers as devices
- Save and apply the GPO to your Windows 10 computers
- Log in to the Azure Active Directory admin center
- Azure Active Directory > Devices > All devices
- Verify that the Windows 10 computer is synced and shown as Hybrid Azure AD Joined
You should also see msDS-Device records in the RegisteredDevices OU in Active Directory.
To assign a Windows 10 E3 or E5 license to a user in Office 365 Admin Center, follow the steps below:
In your Office 365 admin portal, find the user who should log onto the Windows 10 Pro computer and assign the Windows 10 Enterprise license that you bought beforehand. This license can be purchased as a separate license or via a Microsoft 365 E3 or E5 license bundle.
To verify that the computer has been activated through Windows 10 Subscription Activation, follow the steps below:
After logging onto the Windows 10 Pro computer, verify that the Enterprise version has been activated.
- Settings > Update & Security > Activation
- Verify that the Windows 10 Enterprise subscription is active
Please note that you need to have a Windows 10 Pro license activated to get this to work. If you have a Windows 7 Pro licensed computer today and you have bought the Windows 10 E3/E5 or Microsoft 365 E3/E5 license you can upgrade your existing Windows 7 Pro computer to Windows 10 Pro by using your existing Windows 7 Pro key. This will give you a valid Windows 10 Pro license that can be used in this scenario.
A good command to know in this hybrid scenario is dsregcmd.exe /status. It reports the state of your local computer, such as whether the device is Azure AD joined and whether the signed-in user is known to Azure AD.
A lot of people who experience issues with Windows 10 Subscription Activation don't have a valid Windows 10 Pro license on their machine. Since this is a requirement, you need to provide one or it won't work. So if you're having issues related to this, please check the following two things:
- The computer has a valid Windows 10 Pro license key. Normally these keys are embedded in the firmware of the computer itself, so use the following command to see whether your computer has a Windows 10 Pro product key. The command will show the product key if one exists.
wmic path SoftwareLicensingService get OA3xOriginalProductKey
If you don’t have any embedded product key in the firmware you need to manually add one (that you purchased or got from some other source) via the following command:
cscript.exe c:\windows\system32\slmgr.vbs /ipk <PRODUCT KEY>
- Check that you are using Windows 10, version 1803 or above. From Windows 10, version 1803, Windows 10 Subscription Activation is enabled to pull the activation key directly from firmware on devices that support firmware-embedded keys. In this case it is no longer necessary to run a script to perform the activation step on Windows 10 Pro before activating Enterprise.
If you are still having issues with the activation, even though you have the product key in the firmware and at least Windows 10 1803, try to activate the Windows 10 Pro license key manually with the command:
cscript.exe c:\windows\system32\slmgr.vbs /ato
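The checks in the troubleshooting section above (build 1803 or later, a firmware-embedded Pro key, a licensed Windows installation, and the hybrid join state from dsregcmd) can be collected in one place. The script below is an added example, not from the original post; it assumes the dsregcmd /status field names AzureAdJoined, DomainJoined and AzureAdPrt, and uses build 17134 as the build number of version 1803.

```powershell
# Added example: client-side prerequisite check for Windows 10 Subscription Activation.
# Run elevated on the Windows 10 device after the user holding the E3/E5 license has signed in.

# 1. Version and edition: 1803 is build 17134; after step-up EditionID should read Enterprise.
$ver     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$ver.CurrentBuild
$edition = $ver.EditionID                     # Professional before step-up, Enterprise after

# 2. Firmware-embedded (OA3) product key; same value as the wmic query, empty when none exists.
$oa3Key = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey

# 3. Current Windows license state (LicenseStatus 1 = licensed), equivalent to slmgr /dli.
$lic = Get-CimInstance -ClassName SoftwareLicensingProduct |
       Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
       Select-Object -First 1

# 4. Hybrid join state: parse "Key : Value" lines of dsregcmd /status into a hashtable.
$dsreg = @{}
dsregcmd.exe /status | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $dsreg[$matches[1]] = $matches[2] }
}

$checks = [ordered]@{
    'Build >= 17134 (1803)'    = ($build -ge 17134)
    'Firmware OA3 key present' = -not [string]::IsNullOrWhiteSpace($oa3Key)
    'Windows licensed'         = ($lic.LicenseStatus -eq 1)
    'DomainJoined'             = ($dsreg['DomainJoined'] -eq 'YES')
    'AzureAdJoined'            = ($dsreg['AzureAdJoined'] -eq 'YES')
    'AzureAdPrt (user token)'  = ($dsreg['AzureAdPrt'] -eq 'YES')
    'Edition is Enterprise'    = ($edition -eq 'Enterprise')
}

"Edition: $edition  Build: $build"
$checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

A device that shows DomainJoined and AzureAdJoined as OK but AzureAdPrt as MISSING has registered correctly but the user has not obtained an Azure AD token yet, which is the usual reason the Enterprise step-up has not happened.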
If you have any questions, feel free to email me at email@example.com.
Please see Microsoft documentation here for additional questions.