In Part 2 we discussed how to use the LicensingDiag.exe tool to do some troubleshooting.
In Part 3, I wanted to highlight how Subscription Activation is actually leveraged by Identity and some of the things that you should be aware of.
Subscription Activation is not simply an HTTPS connection to Azure that "Steps Up" Windows 10 Pro to Enterprise. It actively relies on the identity layer: the user logging on to the device must acquire an AAD ticket before the license can be applied.
The LicensingDiag.exe tool collects the Windows Store log, which is useful for troubleshooting why a user may not have acquired their Windows 10 E3 Enterprise license. Review the Windows Store event log; there are key Event IDs that help diagnose this. The aim is to confirm whether the logged-on user was able to acquire an AAD ticket.
You can obtain the Windows Store event log in 2 ways:
Event Viewer > Applications and Services Logs > Store > Operational
Run the LicensingDiag.exe Tool which will extract it automatically.
To confirm whether a user has obtained an AAD ticket, use the Find option in Event Viewer with the search terms "AAD" or "Ticket", or filter the log for Event ID 8001.
In the example below you can see that the logged-on user has acquired an AAD ticket.
In the screenshot above the user is identified by their SID; you may want to confirm that this is the actual logged-on user.
Open a command prompt and run whoami /user, which prints the user name and SID string.
Be aware that most users will have a standard account for work and potentially an admin-level account for elevation for certain tasks. The admin-level account is unlikely to have a Windows 10 E3 Enterprise license assigned, because it makes no sense for an organisation to pay for and assign a license that is used only for admin tasks. If the admin account is synced to AAD and you log on with it, expect to see Event IDs in the logs showing that no license is available. You will also see no AAD ticket if the admin account is not synced to AAD.
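As an added example (not from the original post), the PowerShell below pulls the relevant events from the Store Operational log and compares any SID found in them against the logged-on user's SID, the same check as whoami /user. It assumes the log name Microsoft-Windows-Store/Operational (shown in Event Viewer as Store > Operational) and the Event ID 8001 / "AAD" / "Ticket" criteria described above.

```powershell
# Added example (not from the original post): check the Store Operational log for
# AAD ticket acquisition events and confirm they belong to the logged-on user.
# Assumptions: the log name 'Microsoft-Windows-Store/Operational' and that
# Event ID 8001 or messages mentioning "AAD"/"Ticket" are the events of interest.

$LogName = 'Microsoft-Windows-Store/Operational'

# Current user's SID, the same value 'whoami /user' prints.
$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Write-Host "Logged-on user SID: $currentSid"

# Pull the relevant events: Event ID 8001, plus anything mentioning AAD or Ticket.
$events = Get-WinEvent -LogName $LogName -ErrorAction Stop |
    Where-Object { $_.Id -eq 8001 -or $_.Message -match 'AAD|Ticket' }

if (-not $events) {
    Write-Warning "No AAD/Ticket events found in $LogName. Collect the log with LicensingDiag.exe or re-check which account logged on."
    return
}

# A domain/AAD user SID looks like S-1-5-21-<domain>-<RID>; pull any that appear in the event text.
$sidPattern = 'S-1-5-21-\d+-\d+-\d+-\d+'
$events | ForEach-Object {
    $sids = [regex]::Matches($_.Message, $sidPattern) | ForEach-Object { $_.Value } | Select-Object -Unique
    [pscustomobject]@{
        TimeCreated   = $_.TimeCreated
        Id            = $_.Id
        SidsInMessage = ($sids -join ',')
        MatchesLogon  = [bool]($sids -contains $currentSid)   # $true = ticket event is for this user
        Summary       = ($_.Message -split '\r?\n')[0]         # first line of the event message
    }
} | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# A second (admin) account that is not synced to AAD, or has no E3 license assigned,
# will show no ticket for its SID even though the main work account does.
```

Run it in the session of the user you are checking; a row with MatchesLogon set to True is the evidence that the logged-on user, not some other account on the device, acquired the ticket.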
Multi-Factor and Conditional Access Policies (MFA & CAP)
If you are considering the Subscription Activation model for licensing, then, now that you know it leverages identity to acquire the license, you should also be aware that it can be affected by any policies you implement with MFA or Conditional Access.
If you fail MFA and/or a Conditional Access policy you will be denied an AAD ticket, and this may initially stop you stepping up from Pro to Enterprise. Once all conditions are met and Windows 10 "Steps Up" to Enterprise, it remains Enterprise for 30 days, even if you then log on to the device as a user without a license.
If you use a product like ZScaler Proxy, obtain the specific IP addresses that are used for your organisation and add them as a Trusted Location in AAD. The reason is that in AAD a country location is not treated as a Trusted Location, but an IP range can be defined as one. For products like ZScaler you therefore need to trust those IP addresses in your MFA/Conditional Access policies.
See the screenshots below
Conditional Access by Country
Conditional Access by Trusted Location
I hope this gives you some further insight into Subscription Activation and some additional considerations when designing and implementing it as a licensing method in your organisation.