Cannot deploy Windows 10 Enterprise subscription activation


Hi dear community,

I got stuck and would really appreciate your help.

Key data:

Fairly small traditional environment with on-prem AD joined computers running Windows 10 21H2.

Previously using Office 365 E3 with cloud services and Office desktop. All devices which connected to, e.g., Exchange Online over Outlook are listed in Azure AD as "Azure AD registered" with "Owner" the respective user, who connected to the cloud service. No surprises here.

A previous admin had the glorious idea to provide OS deployment with an on-prem SCCM server. This server is used solely for this purpose - no software, patch or config management happens, but, of course, the SCCM agent is installed and running. Current version is 2107, if at all relevant.

Now, in the last month we have migrated the licensing model from Office 365 E3 to Microsoft 365 E3, including the "Windows 10 E3" license, which, theoretically, provisions us with Windows 10 Enterprise licenses, as a "step in" or "upgrade" from existing Pro licenses.

The simple task described here ended with a nightmare of dependencies.

Now, since we own devices with an OEM OS preinstalled, I'm following the "firmware-embedded activation key" path. The Get-CimInstance PowerShell command is returning a key, all fine.

Then comes the Azure AD Join. OK, not fun at all, because I cannot simply have an on-prem AD joined test device and cloud Azure AD join it. It needs to be hybrid Azure AD joined, as also described in the same article. Reading three further MSFT docs, I finally gather all the prerequisites needed (inter alia: password sync AND seamless SSO; Win10 min version; domain and forest functional levels; AD Connect min version; Hybrid AD Join enabled - creating SCP; test computers sync in scope;…) and configure the whole productive environment to comply herewith.

After AD Connect sync, the test computer is briefly shown twice in Azure portal / Devices - one is Azure AD registered, the other is Hybrid Azure AD joined. But that's expected and well described by MSFT. After a while only the hybrid object is listed. All good here.

Now we start with the real issues after the AD Connect synchronization.

1) On the local computer, under Settings / Accounts / Access work or school account, my cloud account had disappeared, leaving only the local domain account listed. And I'm sure that it was there before. For once, there is an issue with MFA, as described here. I headed out to Notifications / "Work or school account problem" and then Fix now. The MFA authentication was successful, and the warning disappeared from the Notifications, but my MS365 account was still missing. And in Azure portal, my device was listed with Owner "N/A" instead of my account.

2) This is where I bluntly decided to click on "Connect" and add the cloud account. This worked, but strangely, onboarded the device in Intune as well (instead of simply adding an owner to the computer object in Azure). And yes, now I have under Access work or school account both buttons: "Disconnect" and "Info", the latter being the typical sign for a successful Intune/MDM onboarding.

But despite all these integrations, I'm still missing the main goal, to upgrade Windows 10 from Pro to Enterprise.

I have followed the Troubleshooting section from the initially mentioned online documentation, but my GUI experience is deviating from Figure 11. There is no mention of Enterprise. And also there is no "Troubleshoot", as in Figure 12. All I see is this:


Dsregcmd /status clearly lists AzureAdJoined status as YES; and I DO have a MS 365 E3 license assigned to me.

The device is listed in Azure as follows (btw, still not showing me as owner there):


And listed in Endpoint Manager admin center as follows. Here yet another issue - the device was initially listed as Personal. I needed to manually change the ownership to Corporate. What nonsense, when it obviously got hybrid AAD joined and MSFT is detecting the SCCM agent (therefrom the Co-managed status, even though we have not activated ANY cloud functionality and integration on the on-prem SCCM server).


PS: Reading through


I have already tried the UPN login, the "Do not connect to any Windows Update Internet locations"=Disabled, and the manual activation script. No improvement.

What am I overlooking?

0 Replies