The subscription activation feature enables a "step-up" from Windows Pro edition to Enterprise edition or from Windows Pro Education edition to Education edition. This feature can be used with a subscription to Windows Enterprise E3 or E5 licenses.
Windows Pro Education is analogous to Windows Pro, while Windows Education is analogous to Windows Enterprise. In other words, Windows Education is a step-up from Windows Pro Education, similar to how Windows Enterprise is a step-up from Windows Pro.
The subscription activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later:
For more information on how to deploy Enterprise licenses, see Deploy Windows Enterprise licenses.
Windows Enterprise E3 and E5 are available as online services via subscription. Windows Enterprise can be deployed in an organization without keys and reboots.
Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Microsoft Entra ID using Microsoft Entra Connect Sync.
Subscription activation is available for qualifying devices running currently supported versions of Windows. Subscription activation can't be used to upgrade to a newer version of Windows.
Organizations that use the Subscription Activation feature to enable users to "step-up" from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using Select Excluded Cloud Apps:
Note The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see Microsoft Store for Business and Education retiring March 31, 2023.
Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.
For more information about configuring exclusions in Conditional Access policies, see Application exclusions.
When a device has been offline for an extended period of time, the device might not reactivate automatically if this Conditional Access exclusion isn't in place. Setting this Conditional Access exclusion ensures that Subscription Activation continues to work seamlessly.
Starting with Windows 11, version 23H2 with KB5034848 or later, users are prompted for authentication with a toast notification when Subscription Activation needs to reactivate. The toast notification will show the following message:
Your account requires authentication
Please sign in to your work or school account to verify your information.
Additionally, in the Activation pane, the following message might appear:
Please sign in to your work or school account to verify your information.
The prompt for authentication usually occurs when a device has been offline for an extended period of time. This change eliminates the need for an exclusion in the Conditional Access policy for Windows 11, version 23H2 with KB5034848 or later. A Conditional Access policy can still be used with Windows 11, version 23H2 with KB5034848 or later if the prompt for user authentication via a toast notification isn't desired.
Subscription activation for Education works the same as the Enterprise edition. However, in order to use subscription activation for Education, the device must have Windows Pro Education and an active subscription plan with an Enterprise license. For more information, see the requirements section.
Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows virtual machine (VM) using a Windows host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses a Microsoft Entra account on a VM.
To support inherited activation, both the host computer and the VM must be running a currently supported version of Windows. The hypervisor platform must also be Windows Hyper-V.
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), the following requirements must be met:
For Microsoft customers that don't have EA or MPSA, Windows Enterprise E3/E5 or A3/A5 licenses can be obtained through a cloud solution provider (CSP). Identity management and device requirements are the same when using CSP to manage licenses. For more information about getting Windows Enterprise E3 through a CSP, see Windows Enterprise E3 in CSP.
These requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. Azure KMS supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines.
As of October 1, 2022, subscription activation is available for commercial and GCC tenants. It's currently not available on GCC High or DoD tenants. For more information, see Enable subscription activation with an existing EA.
If Windows Pro is converted to Windows Pro Education, then subscription activation doesn't work. The device needs to be reimaged to Windows Pro Education for subscription activation to work. Alternatively, reimage the device directly to Windows Education.
With Windows Enterprise or Education editions, an organization can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Education or Enterprise editions to their users. With Windows Enterprise E3/E5 or A3/A5 being available as an online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows features.
To compare Windows editions and review pricing, see the following sites:
Benefits of moving to Windows as an online service include:
The device is Microsoft Entra joined, for example from the Access work or school pane in the Settings app that can be found under Settings > Accounts > Access work or school.
Windows Enterprise is assigned to a user, for example through the Microsoft 365 admin center. When a licensed user signs in to a device that meets requirements using their Microsoft Entra credentials, Windows steps up from Pro edition to Enterprise, or from Pro Education to Education. Once the edition is stepped up, Enterprise/Education features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows Pro or Windows Pro Education edition, once the current subscription validity expires.
A supported version of Windows is being used. A Windows Enterprise E3 or E5 subscription is purchased, or there's an existing E3 or E5 subscription but Windows Enterprise isn't yet deployed.
All of the Windows Pro devices step-up to Windows Enterprise. When a subscription activation-enabled user signs in, devices that are already running Windows Enterprise migrate from KMS or MAK activated Enterprise edition to subscription activated Enterprise edition.
Microsoft Entra joined devices or Active Directory-joined devices running a supported version of Windows are being used. Microsoft Entra synchronization is configured. The steps in Deploy Windows Enterprise licenses are followed to get a $0 SKU and a new Windows Enterprise E3 or E5 license in Microsoft Entra ID. The license is then assigned to all of the Microsoft Entra users, which can be Active Directory-synced accounts. When that user signs in, the device automatically steps up from Windows Pro to Windows Enterprise or from Windows Pro Education to Windows Education.
If devices are running Windows 7 or Windows 8.1, more steps are required. A wipe-and-load approach still works, but it can be easier to upgrade from Windows 7 Pro directly to a currently supported Windows 10 Enterprise edition. This path is supported, and completes the move in one step. However, versions of Windows newer than Windows 10 don't support upgrading from Windows 7 or Windows 8.1. For versions of Windows newer than Windows 10, an upgrade to Windows 10 would first be required, followed by upgrading to the version of Windows Enterprise newer than Windows 10. In this scenario, a wipe-and-load might be more practical.
The following policies apply to acquisition and renewal of licenses on devices:
Licenses can be reallocated from one user to another user, allowing optimization of the licensing investment against changing needs.
With a Microsoft Entra subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see Group-based licensing basics in Microsoft Entra ID.
With currently supported versions of Windows, subscription activation automatically pulls the firmware-embedded Windows activation key and activates the underlying Pro license. The license then steps up to Enterprise using subscription activation. This behavior automatically migrates devices from KMS or MAK activated Enterprise to subscription activated Enterprise.
Subscription activation doesn't remove the need to activate the underlying OS. This requirement still exists for running a genuine installation of Windows.
Firmware-embedded Windows activation happens automatically only during Windows Setup out of box experience (OOBE).
If the computer has never been activated with a Pro key, use the following script from an elevated PowerShell console:
$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach < if ( $null -ne $_ ) < Write-Host "Installing"$_;changepk.exe /Productkey $_ >else < Write-Host "No key present" >>
If an organization has an Enterprise Agreement (EA) or Software Assurance (SA):
If an organization has a Microsoft Products & Services Agreement (MPSA):
Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See Enable VDA for Subscription Activation.