Intune: Upgrade Windows Pro to Enterprise AUTOMATICALLY!

Do you have a bunch of Windows 10 Pro devices and would like to upgrade them to Windows 10 Enterprise? Microsoft 365 (specifically Microsoft Intune) can help you!

Note: For more information, please reference Deploy Windows 10 Enterprise licenses. The following is an example of how to do this with Intune (assuming appropriate licenses have been purchased and assigned).

First, create a Microsoft Intune configuration policy. In the Azure Portal navigate to Microsoft Intune -> Device Configuration -> Profiles. Click Create Profile

Next, create a new Windows 10 and later profile, with a type of Edition Upgrade. Click Settings

 

 


Click Edition Upgrade

In the field Edition to upgrade to select Windows 10 Enterprise. In the Product Key field type in the product key (i.e. MAK). Then click OK


Click OK to save the Edition Upgrade. Click OK again then click Create


Next, click Assignments. In the Assign to menu, select All Users & Devices, then click Save.

Note: Your assignments may be different per your organization’s requirements. This is only an example. You could also assign only the machines in question, or use a dynamic security group that queries on the device serial number, etc.


On a virtual machine with Windows 10 1803, install Windows 10 Pro:

Note: I’m showing you this, to demonstrate the upgrade. Ideally you would sign in as an Organizational Account in the OOBE when installing Windows. However, if I did that here, you wouldn’t see that I’m coming from Pro 🙂

Notice it’s Windows 10 Pro:

 

Join the machine to Azure AD to receive the Intune policy:

Reboot the machine and sign in with the user’s Azure AD credentials. Once signed in, open System Information and notice that Windows has been upgraded to Enterprise!

This can be verified in the Intune portal under Device Status for the configuration policy that was previously created:

I hope you found this helpful. Questions? Please let me know in the comments below! Enjoy!

A credit score for cyber security?! Tell me more!

One of the keys to success in life is understanding your financial situation and where you sit on the scale of a credit score. When it comes to cyber security, you want to understand your organization’s security posture and how it can be improved. That’s where Microsoft Secure Score steps in.

Microsoft Secure Score gives you visibility into your cyber security posture, with awareness of how you compare to your industry peers, along with recommendations on how to increase your posture and reduce your risk. Watch the following 3-minute video for an overview of Microsoft Secure Score. Enjoy!

Video: Do you know the Microsoft Security Story?

Do you know the Microsoft security story? Watch the video below as I present how Microsoft can help protect your ever-expanding digital estate through cyber security for your digital transformation.

In the video I discuss the following topics (click to learn more):

Microsoft Teams: Limit access to only managed devices and reduce risk!

It’s amazing watching the adoption journey of Microsoft Teams among organizations and how it is quickly becoming a mission-critical tool. For me, it’s mission critical because of the collaboration and teamwork that’s occurring inside, and the data that is being stored is quickly becoming the heartbeat of many organizations and their project teams. There is one challenge, however, with storing proprietary and sensitive data in Microsoft Teams: users access the data using the Teams app on not just their PC or laptop, but also mobile devices and other (even unmanaged) computers as they perform their job. If that data is leaked, spilled, exposed or compromised, it could put the organization at risk, and as IT Professionals we need to help protect against this risk.

Not to worry – Azure Active Directory Conditional Access to the rescue! Using Azure AD Conditional Access, we will ensure Microsoft Teams is only accessed on devices that are managed, whether they are Active Directory domain joined, Azure AD joined or managed by Intune. This is very easy and straightforward to set up; let’s take a look together.

Important: Conditional Access requires Azure AD Premium. I won’t be discussing licensing requirements in this blog post; please reference this article for more information.

In the Azure Portal, I am going to create a new AzureAD Conditional Access policy with the following configuration:

  • Users and Groups: “All Users”
  • Cloud apps: (Include) “Microsoft Teams”
  • Conditions: Client Apps -> Configure “Yes” -> Select Client Apps -> check “Browser” and “Mobile apps and desktop clients”


  • Access Controls: Grant Access -> Check “Require Domain Joined” and “Require device to be marked as compliant”


Important: If you check “Require device to be marked as compliant” you must create a device compliance policy in Intune. This ensures that devices such as iOS, Android, Windows and Mac that try to access Microsoft Teams using the app, client or website must be Intune MDM enrolled (which requires an Intune subscription). If Teams is accessed from a Windows PC that is Active Directory domain joined or Azure AD joined, the MDM enrollment requirement will not apply. Here’s what an example Device Compliance policy looks like in Intune:


Back to Conditional Access…

 
 

  • Enable Policy: “On”
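
The same policy can be kept as code so it can be reviewed and version controlled. The following is an added example, not part of the original post, using the Microsoft Graph PowerShell SDK. The display name and the application ID placeholder are assumptions, and the `OR` operator is an assumption based on the post's statement that a domain-joined PC does not also need MDM enrollment.

```powershell
# Added example (not from the original post).
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Assumptions: constructed display name; placeholder for the Teams application ID.
$name       = 'Teams - require managed device'
$teamsAppId = '<Microsoft Teams application ID>'

if ($teamsAppId -notmatch '^[0-9a-fA-F-]{36}$') {
    throw 'Replace the $teamsAppId placeholder with the application ID (GUID) before running.'
}

# Refuse to create a duplicate: two policies with the same name are hard to audit.
$existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $name
if ($existing) { throw "A policy named '$name' already exists." }

$policy = @{
    displayName = $name
    # 'enabled' matches Enable Policy: "On" in the post.
    # 'enabledForReportingButNotEnforced' is report-only mode: results are logged, not enforced.
    state       = 'enabled'
    conditions  = @{
        # The post targets All Users; excludeUsers is where an emergency-access account would go.
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($teamsAppId) }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        # OR = "Require one of the selected controls" (assumed, see lead-in).
        operator        = 'OR'
        builtInControls = @('domainJoinedDevice', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and show the fields that decide who gets blocked.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Name       = $check.DisplayName
    State      = $check.State
    ClientApps = $check.Conditions.ClientAppTypes -join ', '
    Operator   = $check.GrantControls.Operator
    Controls   = $check.GrantControls.BuiltInControls -join ', '
}
```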


     
     

Now that the policy is created, let’s test this out. It should deny access to Microsoft Teams.

From a Windows PC that is unmanaged (not joined to Azure AD, Active Directory, or MDM enrolled):

From a Web browser:

Notice the error reads “Windows device is not in required device state: compliant”

From the Microsoft Teams Windows Desktop Application:

Next, from an iPad Pro (iOS) that is unmanaged (not MDM enrolled):

     
     


Notice it gives me the option to enroll in MDM (Intune), pretty cool!

This is a quick and easy way to ensure that users are using Microsoft Teams on managed devices, where IT can control the configuration of the device and ensure the device is healthy and compliant. What’s more, this policy can be reversed to disallow users from using the Teams web client if that becomes a requirement. For additional fun, check out Microsoft Teams: Manage it using Mobile Application Management (MAM) and Microsoft Teams: Restrict Usage with Azure AD Conditional Access.

If you have questions or feedback, let me know in the comments below. Enjoy and have fun!

Microsoft 365 Overview and Briefing (Video)

Microsoft 365 is a compelling offering that enables organizations ranging from the small to mid-size business all the way to enterprise on their journey towards digital transformation. At a high level, Microsoft 365 combines the best of Windows 10, Office 365 and Enterprise Mobility + Security into a single offering that customers can purchase. However, what exactly is Microsoft 365, and what does it mean to have it? How does this technology help me and my organization? What does it mean to bring creativity into the workplace? How does teamwork enable a more collaborative environment? What does integrated for simplicity and intelligent security mean, and how does it impact me as an IT professional?

I recorded a short 20-minute presentation (click the video below to watch) that will give you an overview of Microsoft 365 Enterprise – and I hope that it will inspire you to learn more about the value this service provides and the incredible capabilities that can open new possibilities for your organization. Enjoy!

P.S. Stay tuned, as I will soon have another blog post with a video of a Microsoft 365 demo in action!