Windows Enterprise Update


Louann Mauffray

Aug 5, 2024, 12:31:36 PM
to controughcongmint
It used to be that imaging required identical hardware, technical staff to be physically present, and (for the polished options) a big budget. None of which were/are true for the organizations we help.

I have to assume imaging has changed and evolved in the years since. What would be a recommended solution for geographically dispersed non profits with only remote technical support, dissimilar hardware (whatever happens to be the best deal at Dell that month is the hardware they get), and little to no budget to waste on this?


There are new licensing options for you to purchase Windows 10 Enterprise E3 or Windows 10 Enterprise E5. There was something posted on this here: Microsoft announces subscription pricing for Windows 10 Enterprise with new options to purchase under a CSP licensing channel.


Re-install Win 10 Enterprise on one notebook. After which I would run a few of the downloaded scripts to remove those Win10 apps as much as possible and run Windows updates and install necessary apps (Acrobat Reader, Office, Java, Chrome etc).


Before I deploy the notebook to the user, I would then change hostname, join domain, log in as the user for the 1st time, check Win activation, check Office activation, remove Edge from taskbar & start, remove all icons from start (un-install seems stupid as they cannot be removed permanently), put IE and Chrome on taskbar and start.


Although the course is focused on analyzing Windows-based systems and servers, the techniques and investigative processes are applicable to all systems and applications. The course includes detailed discussions of common forms of endpoint, network and file-based forensic evidence collection and their limitations as well as how attackers move around in a compromised Windows environment. The course also explores information management that enriches the investigative process and bolsters an enterprise security program. Discussion topics include the containment and remediation of a security incident, and the connection of short-term actions to longer-term strategies that improve organizational resiliency.


Incident response team members, threat hunters and information security professionals. Prerequisites Background in conducting forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or security architecture and system administration. Learners must have a working understanding of the Windows operating system, file system, registry and use of the command line. Familiarity with Active Directory and basic Windows security controls, plus common network protocols, is beneficial.


Recently we found on Tech Soup (we are a non profit) that the F3 License included Windows 10 Enterprise upgrade (from Pro). However, upon testing this License, my test machine is still showing as Pro. Here is a screen clip from Techsoup


Basically, we are trying to find a solution for the front line workers we have that do not need the full E3 package, our frontline workers do not need the desktop apps, but they do need the enterprise upgrade for other reasons like the Policies, lock screen force thru GPO etc...


Have you confirmed that the Windows 10 Enterprise 'Step-Up' license is enabled for your user account in the M365 Admin portal? Depending on how the license SKU shows up in the portal, the Windows 10 Enterprise license may show outside of the F3 license. Licensing groups are your friend here as you can set up the licensing group profile to turn on specific licenses and/or toggle on/off sub-components automatically...


Either way, thank you all for your help and suggestions. My company now decided to go with E3 for everyone, so effectively my problem is solved. I may play around with this to see if I can get it to work, and if I do I'll post my findings.


@John-CAI Please don't think of this as "a catch", but there is a slight nuance. As this is intended for "Frontline Workers" (i.e. people that spend little time at a desk and are more likely to interact with tablets and/or smartphones) it only includes the right to use a shared device (or a very small personal Windows device - screen smaller than 10.1").


I would like to use Ignition Perspective for our project. Does Ignition support Windows 10 IoT Enterprise LTSC 2021? The system requirements web page just mentions that Windows OS is supported, but how can I check whether a specific Windows OS type is supported or not?


Ignition is basically platform independent and supports the Windows platform. It also supports Linux.

You can use any of the well-known web interfaces: Chrome ver 57 up, Edge ver 16 up, Firefox ver 52 up and Safari ver 11 up. In general, the supported browsers listed above do a good job at staying up to date with implementation and support of these new specifications.

The general policy is to only use features that have been supported for some time, whenever possible. Overall, they will always recommend that you keep your browser up to date to take advantage of browser features, fixes, and most importantly for security updates.


We deploy many Ignition systems each year and are slowly moving away from Win Server (standard in our corner of the automation industry) and testing Win10 IOT as something our clients consider palatable. I'm not concerned about installing Ignition direct on Windows and loading our golden gateway backup, but I am always up for optimizing deployments. Our rugged server vendor can pre-load a custom drive image on our units, then we can use containers/stacks to deploy just as we are starting to do in our non-prod environments.


Modular, end-to-end business applications that connect all your data for continuous insights can help you rapidly respond to change. Discover how Microsoft Dynamics 365 brings the best of what modern enterprise resource planning has to offer to your business.


Are you experiencing problems with the automatic upgrade from Windows 11 Pro to Windows 11 Enterprise during Autopilot on the latest Windows build? Or are your current Windows 11 Enterprise devices reverting to Windows Pro? If so, this blog is for you!


This process could cause issues and prevent the device from upgrading to enterprise. I posted a blog some time ago explaining how to fix this problem. With an easy one-liner, you can ensure that Windows 11 Pro has been upgraded to Enterprise.


If that scheduled task fails, the Windows License is NOT upgraded to Enterprise, and with it, all of the security-related features that are only applicable to Enterprise builds are not going to be applied.




To find out what was happening, I installed Procmon and just tried to kick off that task. With the proper filtering in place (Cliprenew and access denied), it became evident that the Cliprenew executable was attempting to create/set a new registry key called mfarequiredcliprenew.


With the installation of KB5036980, existing devices will eventually drop from Windows Enterprise to Windows Pro, depending on their update ring. This update causes the scheduled task responsible for renewing the license to fail due to a permission issue with creating necessary MFA registry keys. As a result, the device cannot maintain its Enterprise status.


How will this look when MFA is required? As shown below, users will be prompted for authentication with a toast notification when Subscription Activation needs to be reactivated. This toast message would read: Please Sign in to your work or school account to verify your information.


Authentication prompts typically appear when a device has been offline for an extended duration. With Windows 11, version 23H2, and KB5034848 or later, this change removes the necessity for an exclusion in the Conditional Access policy. However, a Conditional Access policy can still be applied if you prefer not to prompt users for authentication via a toast notification.


If you want to fix it in the meantime before Microsoft releases the official fix, you could deploy this PowerShell script to your device during Autopilot. This will ensure the license acquisition scheduled task can be launched.


While fixing the issue, my curiosity got the best of me. I opened cliprenew.exe with IDA and started looking into it. The handle access denied feature was added to the cliprenew.exe in the mainhr function.


When getting a better view by using the pseudocode, it looks like it is indeed trying to create or open the mfarequiredkey just at the first steps of the licenceactivation.


This part of the licenceactivation will check if a specific feature related to Multi-Factor Authentication (MFA) is enabled. If this MFACheckinClipRenew feature is enabled, it proceeds with additional actions.


Microsoft has acknowledged this issue and released a potential fix in the Windows Insider Preview Build 26227.5000, which adds a feature to handle access denied errors during license upgrades. However, my tests showed that the fix is not entirely effective, as the required registry key is still not being created, although the task no longer produces errors.


Subsequent updates in June (KB5039302) and July (KB5040442) incorporated these features but did not fully resolve the problem. My comparisons revealed no significant changes in the July update, indicating that a complete fix is still pending. Until then, a manual workaround involving the creation of the necessary registry keys and permission adjustments remains essential. Hopefully, future updates will address the issue entirely.


As expected, Microsoft has enabled the handle_access_denied feature mentioned, which I explained in the Patch my PC blog above. This handle_access_denied feature was previously disabled by default but is now enabled with the KB5040527 preview July update.


With this feature enabled, it will ignore the results of the mfarequiredkey creation. This bypass allows the scheduled license acquisition task to execute successfully. Once this task is executed successfully, your Windows will upgrade to the Enterprise edition again.
