Windows 10 E3 VDA Activation and Azure AD Hybrid Join

%3CLINGO-SUB%20id%3D%22lingo-sub-1375906%22%20slang%3D%22en-US%22%3EWindows%2010%20E3%20VDA%20Activation%20and%20Azure%20AD%20Hybrid%20Join%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1375906%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20recently%20purchased%20some%20licensing%20of%20Windows%2010%20E3%20VDA%20that%20we%20want%20to%20assign%20to%20users%20to%20allow%20access%20to%20some%20Windows%2010%20Pro%20virtual%20desktops.%20As%20of%20now%20I've%20setup%20AD%20Connect%20with%20AD%20Forest%20credentials%20from%20on%20prem%20AD%20to%20sync%20password%20hash%2C%20write-back%2C%20and%20sync%20devices.%20I%20can%20confirm%20that%20password%20sync%20is%20working%2C%20and%20devices%20show%20up%20as%20hybrid%20synced%20when%20placed%20in%20my%20test%20OU.%20When%20I%20attempt%20to%20login%20to%20the%20computer%20with%20my%20test%20account%2C%20with%20Win10-VDA%20assigned%20to%20365%2C%20the%20computer%20remains%20licensed%20for%20Windows%2010%20Pro.%20If%20I%20setup%20a%20new%20VM%2C%20and%20choose%20to%20join%20the%20Azure%20AD%20directly%2C%20it%20works%20and%20the%20license%20is%20assigned%20properly.%20I'm%20not%20sure%20what%20I'm%20missing%2C%20but%20the%20option%20to%20enable%20write-back%20and%20user%20password%20unlock%20are%20also%20grayed%20out%20in%20Azure%2C%20even%20though%20I've%20setup%20write-back%20with%20proper%20credentials%2C%20I%20checked%20the%20MSO_%20account%20and%20permissions%20are%20correct.%20Any%20help%20is%20highly%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EChris%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1375906%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E10%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eactivation%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ee3%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EVDA%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1379693%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%2010%20E3%20VDA%20Activation%20and%20Azure%20AD%20Hybrid%20Join%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1379693%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F661541%22%20target%3D%22_blank%22%3E%40Chris_Menuey%3C%2FA%3E%26nbsp%3BDid%20you%20configure%20device%20registration%20as%20described%20in%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fblog.alschneiter.com%2F2018%2F08%2F16%2Fconfigure-device-registration-with-azure-ad-connect%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblog.alschneiter.com%2F2018%2F08%2F16%2Fconfigure-device-registration-with-azure-ad-connect%2F%3C%2FA%3E%3F%3C%2FP%3E%0A%3CP%3EIf%20a%20device%20is%20registered%20by%20an%20AAD%20user%20who%20has%20the%20appropriate%20license%20assigned%20it%20is%20switched%20from%20Pro%20to%20Enterprise.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1380063%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%2010%20E3%20VDA%20Activation%20and%20Azure%20AD%20Hybrid%20Join%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1380063%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F201575%22%20target%3D%22_blank%22%3E%40Simon%20Taylor%3C%2FA%3EI%20had%20a%20support%20ticket%20with%20MS%20open%20this%20morning%2C%20out%20of%20sheer%20miracle%20when%20I%20logged%20in%20to%20show%20him%20my%20VDI%20on%20Pro%2C%20it%20said%20the%20enterprise%20license%20was%20activate.%20To%20attempt%20to%20test%20I%20tried%20to%20removed%20the%20licensing%20from%20Office%20365%20but%20it%20didn't%20seem%20to%20take%20effect%20right%20away.%20I'm%20not%20sure%20if%20it%20just%20needed%20time%20to%20sync%20or%20what.%20The%20devices%20had%20been%20registering%20correctly%2C%20and%20showing%20Hybrid%20Join.%20I%20guess%20for%20now%20my%20problem%20is%20solved.%20I%20was%20also%20curious%2C%20in%20case%20you%20know%2C%20does%20the%20computer%20I'm%20logging%20into%2C%20the%20VDI%2C%20already%20have%20to%20be%20licensed%20for%20Windows%3F%20I%20read%20somewhere%20that%20the%20machine%20will%20activate%20with%20subscription%20but%20that%20the%20license%20doesn't%20cover%20the%20machine%20itself%20only%20the%20user%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1383295%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%2010%20E3%20VDA%20Activation%20and%20Azure%20AD%20Hybrid%20Join%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1383295%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F661541%22%20target%3D%22_blank%22%3E%40Chris_Menuey%3C%2FA%3E%26nbsp%3BThe%20basic%20requirement%20is%20that%20the%20device%20is%20properly%20activated%20re%20the%20underlying%20W10%20Pro%20license.%20There%20a%20different%20ways%20to%20get%20there%20as%20described%20in%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fdeployment%2Fdeploy-enterprise-licenses%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fdeployment%2Fdeploy-enterprise-licenses%3C%2FA%3E%26nbsp%3Bso%20that%20for%20example%20with%201803%20and%20newer%20the%20device%20must%20not%20have%20been%20activated%20before%20but%20can%20be%20activated%20automatically%20based%20on%20the%20UEFI%20embedded%20key%20when%20using%20subsription%20activation%20to%20switch%20from%20Pro%20to%20Ent%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi everyone,

 

We recently purchased some licensing of Windows 10 E3 VDA that we want to assign to users to allow access to some Windows 10 Pro virtual desktops. As of now I've setup AD Connect with AD Forest credentials from on prem AD to sync password hash, write-back, and sync devices. I can confirm that password sync is working, and devices show up as hybrid synced when placed in my test OU. When I attempt to login to the computer with my test account, with Win10-VDA assigned to 365, the computer remains licensed for Windows 10 Pro. If I setup a new VM, and choose to join the Azure AD directly, it works and the license is assigned properly. I'm not sure what I'm missing, but the option to enable write-back and user password unlock are also grayed out in Azure, even though I've setup write-back with proper credentials, I checked the MSO_ account and permissions are correct. Any help is highly appreciated.

 

Thanks,

 

Chris

 

3 Replies
Highlighted

@Chris_Menuey Did you configure device registration as described in https://blog.alschneiter.com/2018/08/16/configure-device-registration-with-azure-ad-connect/?

If a device is registered by an AAD user who has the appropriate license assigned it is switched from Pro to Enterprise. 

Highlighted

@Simon TaylorI had a support ticket with MS open this morning, out of sheer miracle when I logged in to show him my VDI on Pro, it said the enterprise license was activate. To attempt to test I tried to removed the licensing from Office 365 but it didn't seem to take effect right away. I'm not sure if it just needed time to sync or what. The devices had been registering correctly, and showing Hybrid Join. I guess for now my problem is solved. I was also curious, in case you know, does the computer I'm logging into, the VDI, already have to be licensed for Windows? I read somewhere that the machine will activate with subscription but that the license doesn't cover the machine itself only the user?

Highlighted

@Chris_Menuey The basic requirement is that the device is properly activated re the underlying W10 Pro license. There a different ways to get there as described in https://docs.microsoft.com/en-us/windows/deployment/deploy-enterprise-licenses so that for example with 1803 and newer the device must not have been activated before but can be activated automatically based on the UEFI embedded key when using subsription activation to switch from Pro to Ent