Cannot deploy windows 10 Enterprise subscription activation

Occasional Contributor

Hi dear community,

I got stuck and would really appreciate your help.

Key data:

Fairly small traditional environment with on-prem AD joined computers running Windows 10 21H2.

Previously using Office 365 E3 with cloud services and Office desktop. All devices which connected to, e.g., Exchange Online over Outlook are listed in Azure AD as "Azure AD registered" with "Owner" the respective user, who connected to the cloud service. No surprises here.

A previous admin had the glorious idea to provide OS deployment with an on-prem SCCM server. This server is used solely for this purpose - no software, patch or config management happens, but, of course, the SCCM agent is installed and running. Current version is 2107, if at all relevant.

Now, in the last month we have migrated the licensing model from Office 365 E3 to Microsoft 365 E3, including the "Windows 10 E3" license, which, theoretically, provisions us with Windows 10 Enterprise licenses, as a "step in" or "upgrade" from existing Pro licenses.

The simple task described here https://docs.microsoft.com/en-us/windows/deployment/deploy-enterprise-licenses ended with a nightmare of dependencies.

Now, since we are owning OEM OS preinstalled devices, I'm following the "firmware-embedded activation key" path. The Get-CimInstance PowerShell command is returning a key, all fine.

Then comes the Azure AD Join. OK, not a fun at all, because I cannot simply have an on-prem AD joined test device and cloud Azure AD join it. It needs to be hybrid Azure AD joined, as also described in the same article. Reading three further MSFT docs, I finally gather all the prerequisites needed (inter alia: password sync AND seamless SSO; Win10 min version; domain and forest functional levels; AD Connect min version; Hybrid AD Join enabled - creating SCP; test computers sync in scope;…) and configure the whole productive environment to comply herewith.

After AD Connect sync, the test computer is shown in Azure portal / Devices shortly double - one is Azure AD registered, the other is Hybrid Azure AD joined. But that's expected and well described by MSFT. After a while only the hybrid object is listed. All good here.

Now we start with the real issues after the AD Connect synchronization.

1) On the local computer, under Settings / Accounts / Access work or school account my cloud account had disappeared, leaving only the local domain account listed. And I'm sure that it was there before. For once, there is an issue with MFA, as described here https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation#multifactor-a... , I headed out to Notifications / "Work or school account problem" and then Fix now. The MFA authentication was successful, and the warning disappeared from the Notifications, but my MS365 account was still missing. And in Azure portal, my device was listed with Owner "N/A" instead of my account.

2) This is where I bluntly decided to click on "Connect" and add the cloud account. This worked, but strangely, onboarded the device in Intune as well (instead of simply adding an owner to the computer object in Azure). And yes, now I have under Access work or school account both buttons: "Disconnect" and "Info", the latter being the typical sign for a successful Intune/MDM onboarding.

But despite all these integrations, I'm still missing the main goal, to upgrade Windows 10 from Pro to Enterprise.

I have followed the Troubleshooting section from the initially mentioned online documentation, but my GUI experience is deviating from Figure 11. There is no mentioning of Enterprise. And also there is no "Troubleshoot", as in link Figure 12. All I see is this:

BoSolo_0-1649535336079.png

Dsregcmd /status clearly lists AzureAdJoined status as YES; and I DO have a MS 365 E3 license assigned to me.

The device is listed in Azure as follows (btw, still not showing me as owner there)

BoSolo_1-1649535365266.png

And listed in Endpoint Manager admin center as follows. Here yet another issue - the device was initially listed as Personal. I needed to manually change the ownership to Corporate. What a nonsense, when it got obviously hybrid AAD joined and MSFT is detecting the SCCM agent (therefrom the Co-managed status, even though we have not activated ANY cloud functionality and integration on the on-prems SCCM server)

BoSolo_2-1649535443857.png

PS: Reading through

https://techcommunity.microsoft.com/t5/microsoft-365/microsoft-365-e5-windows-10-subscription-activa...

and

https://techcommunity.microsoft.com/t5/microsoft-365/m365-win-10-e3-activation-issue/m-p/341179

I have already tried the UPN login, the “Do not connect to any Windows Update Internet locations"=Disabled, and the manual activation script. No improvement.

What am I overseeing?

4 Replies

@BoSolo Did you ever get this resolved, I'm at this point now and at a loss on next steps.

@mbtfcu275 My CSP opened a ticket by MSFT. The usual: 1st level, 2nd level... Gone through three MSFT 3rd level support teams... And then suddenly: "there's a problem with the activation: your firmware key was rejected", or something like this. Obviously a bug in the activation server, because this is an HP UEFI / OEM brand new business laptop key.

Still waiting for reply from MSFT - unfortunately no ETA :(

@BoSolo Thanks for the update, I'm banging my head against the wall on this.  I have to have a go/no-go decision for our open value agreement within the next couple of weeks and this is holding me back from moving into Microsoft 365 and dropping the device licenses.  Please update if you get a response, I'd appreciate it.

Hi @mbtfcu275 and all followers,

sorry for the late reply, but we had this fixed indeed today, 2022-07-05.

In our case: "An issue was identified with the subscription configuration at the tenant backend level, which required a resync of license for your tenant".
Please check the event logs of affected computers under Applications and Services Logs / Microsoft / Windows / Store / Operational and search for Event ID 8003. If the content contains something like "The entitlement is in a state that prevents it from being used to create a Content License", then you have very good chances to have it fixed. Simply open a case with email address removed for privacy reasons (or via your CSP, for the ones not having a direct agreement with MSFT).