Issues Upgrading Windows 10 Pro to Enterprise with AzureAD and E5 Licenses

A client of ours wanted to upgrade their Windows 10 Professional licenses to Windows 10 Enterprise by way of E5 licensing in Office365 / Azure Active Directory.

Most computers worked fine, but a few just didn’t work and upgrade as they should have. There isn’t a lot of documentation on this, so I thought I’d put out there what worked for us and what we found. I ended up opening a ticket with Microsoft Escalated Support and worked with a rep over a few weeks.

First and foremost, make sure in Office365 that the E5 license has the option checked off for Windows 10 Enterprise.

First Troubleshooting Recommendation: dsregcmd

Run dsregcmd /status on the affected machine as the logged in user (and not a System or admin account).

If WamDefaultSet : ERROR and / or AzureAdPrt : NO are found, these would indicate an issue on Azure’s end. You want to see both answered with YES. These fields indicate whether the user has successfully authenticated to Azure AD when signing in to the device.

If the values are NO, it could be due to:

  • Bad storage key in the TPM associated with the device upon registration (check the KeySignTest while running elevated).
  • Alternate Login ID
  • HTTP Proxy not found

Activation Error on New Microsoft Azure Server VM

Ran into this today, but luckily there is a quick fix (at least for me)! I created a new B2ms VM running Server 2016 Datacenter but as soon as I booted it up, I saw there was an activation error. I tried to run the activation tool but no dice.

I found this help doc which provided this Powershell one-liner to add Azure’s KMS licensing servers just in case they were missed:

Invoke-Expression "$env:windir\system32\cscript.exe $env:windir\system32\slmgr.vbs /skms"

I re-ran the licensing troubleshooter and voila, I was activated!

Updating Azure Application SAML Roles in Microsoft Graph

Something on my list of things to do has been to update SAML roles for an application setup a few years ago before Microsoft simplified certain aspects of SAML applications. After tickets with Microsoft support that ended up escalated but with no assistance from them, I found that these roles could be updated via Microsoft Graph. Let’s dive in.

I have my application ID and have requested the body via GET below and the URL{ID} (without the curly brackets surrounding your ID)

In the JSON Response Preview, you can see the appRoles listed for the application. After using my Google-FU and not finding any documentation on this at all, I experimented and after trial and error, figured out how to update the approles while keeping existing appRoles.

First, you’ll need a unique GUID for the new approle. In Powershell, you can run new-guid to generate a new GUID for your new approle(s).

Next, copy your entire existing Approle digest from the Response Preview to your editor of choice; I like Visual Studio Code. This means everything from the approles: [ line to the bracket at the end of the last role.

Add a new approle (you can copy a previously used one), paste in your GUID, and change the description, displayname, and value. Because this is JSON, you’ll need to add a comma to the curly bracket for the previous approle.

Once you’re done editing your approles, go back to Microsoft Graph. Where before you chosen to GET , now select PATCH. Keep the URL the same.

Be sure to validate the JSON (you may need to add curly brackets to the beginning and end of the JSON file) using any free online tool or Visual Studio Code. Paste the JSON code in to the Request Body in Microsoft Graph and hit Run Query.

If everything went well, you should see a green OK!