Windows 10 Edition Upgrade | Intune-Hybrid

Dear Intune Admin,

During the planning stages of transitioning your current infrastructure to be hybrid-joined to the cloud through Intune, you may have been given a task that involves upgrading new devices running Windows 10 Pro to Enterprise. If this pertains to you, then I have the solution! We will be using Intune’s built-in configuration profiles to assign a universal key that is provided when you have a Microsoft license. I will go over in detail what all this means below, so do not panic!

Best Regards,
Nick

Pre-Requisites

For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:

- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded/downgraded
- Azure Active Directory available for identity management
- Devices must be Azure AD-joined or Hybrid Azure AD joined (Workgroup-joined or Azure AD registered devices are not supported)
- Synced through Azure AD Connect Sync
- Microsoft Enterprise E3/E5 License

Notice for Multi-Factor folks

There is an issue that has been identified with Hybrid Azure AD joined devices that have MFA enabled. If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription! This was patched in later versions, so if your device is running Windows 20H2 you do not have to worry about this.

If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.

If the device is running Windows, version 1809 or later, you will be able to fix this manually.
When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click that notification and there should be an option labeled “Fix now”.

What license do I need and how do you differentiate them?

Here is a run-down of how Microsoft will label and delegate their licenses and what they offer specifically in terms of features/access.

The Microsoft 365 and Office 365 plans combine the familiar Microsoft Office desktop suite with cloud-based versions of Microsoft's next-generation communications and collaboration services—including Microsoft Exchange Online, Microsoft SharePoint Online, Office for the web, and Microsoft Skype for Business Online—to help users be productive from virtually anywhere through the internet.

For our case, we would be going for either an E3 or E5 license because it offers the power of Office applications and the ability for us to give out Windows 10 Enterprise licenses.

Setting up Edition Upgrade Policy Profile

Good to see that you made it here and stuck around. There is always going to be a minimum of five pages of pre-requisites, so now it's time for the fun part!

Step 1:

Endpoint Manager -> Devices -> Configuration Profiles -> Create Profile

Step 2:

Platform: Windows 10 and Later

Profile: Edition Upgrade and Mode Switch

Step 3:

Within “Configuration Settings”, under “Edition Upgrade”, switch the edition to “Windows 10 Enterprise” and you will see “Product Key” appear. The key provided in this document will only be accessible to users that have the Microsoft E3/E5 license. You can leave “Mode Switch” as “Not Configured”.

Product Key for Microsoft E3/E5 license holders: NPPR9-FWDCX-D2C8J-H872K-2YT43


Normally, you would have to install this key manually on each device, but by leveraging Intune we can create a profile that does all the busy work for us!

Step 4:

Now make sure that you assign this profile to an appropriate group that holds the devices. Once you are finished, you may skip to the “Review + Create” section and press “Create”!

Congrats! You have now successfully configured an Edition Upgrade policy on Intune which will communicate to our devices via sync and force the device to upgrade to Windows 10 Enterprise without a reboot required.

You can check to verify that your device has successfully taken the new policy you just created by going to

Settings -> Update & Security -> Activation

You will be able to see that your edition has changed to Windows 10 Enterprise and that your “Activation” status has changed as well.
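
The same check can be done from a console, together with the prerequisites listed earlier. The PowerShell script below is an added example, not part of the original post; the build numbers (15063 for version 1703, 17763 for version 1809) and the Windows licensing application ID are supplied here as assumptions rather than taken from the post.

```powershell
# Added example: verify prerequisites and the result of the Edition Upgrade profile.
# Run on the managed Windows 10 device.

$MinBuild     = 15063   # assumption: Windows 10 version 1703
$FixNowBuild  = 17763   # assumption: Windows 10 version 1809 (first with "Fix now")
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # Windows licensing application ID

function Get-JoinState {
    # Parse the "Name : YES/NO" lines printed by dsregcmd /status.
    $state = @{ AzureAdJoined = $false; DomainJoined = $false; WorkplaceJoined = $false }
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$join  = Get-JoinState
$lic   = Get-CimInstance SoftwareLicensingProduct `
             -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
         Select-Object -First 1

$report = [pscustomobject]@{
    Edition         = $cv.EditionID                 # "Professional" or "Enterprise"
    Build           = $build
    BuildSupported  = ($build -ge $MinBuild)
    AzureAdJoined   = $join.AzureAdJoined
    HybridJoined    = ($join.AzureAdJoined -and $join.DomainJoined)
    RegisteredOnly  = ($join.WorkplaceJoined -and -not $join.AzureAdJoined)
    Activated       = ($null -ne $lic -and $lic.LicenseStatus -eq 1)   # 1 = licensed
    PartialKey      = if ($lic) { $lic.PartialProductKey } else { $null }
}
$report | Format-List

if (-not $report.BuildSupported) { Write-Warning 'Build is older than version 1703.' }
if (-not $report.AzureAdJoined)  { Write-Warning 'Device is not Azure AD joined or Hybrid Azure AD joined.' }
if ($report.HybridJoined -and $build -lt $FixNowBuild) {
    Write-Warning 'Hybrid joined on 1703/1709/1803: with MFA enabled, sign in with an Azure AD account or disable MFA for the user.'
}
if ($report.Edition -ne 'Enterprise') { Write-Warning 'Edition is not Enterprise yet; sync the device and check again.' }
```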

Nicholas Seo