I’ve posted a fair bit about Intune on this blog previously, and I try to use this as a place to answer my own questions but also those of customers and partners that I engage with in my day job. One of those questions that recur from time to time is:
How do I upgrade from Windows 10 Home to Windows 10 Pro or Education using Intune if I can’t join a Windows Home device to Intune?Common question to me!
I first tackled this topic back in 2017 in this post, but like the Intune product itself, my knowledge has evolved a fair bit since then! To that end, I decided to make the following video showing how you can easily upgrade Windows Home Edition devices to higher versions provided you have an eligible Volume Licensing key and suitable licensing in M365.
Check it out:
What do you need?
- Windows Home device
- I used a Hyper-V virtual machine running the standard Windows 10 ISO and selected Windows Home Edition when installing it in the VM (I selected “I don’t have a product key” so it was unactivated)
- Microsoft Endpoint Manager / Intune and Azure Active Directory Premium licensing
- There’s a lot of ways you can license this, I had a demo tenant with M365 A5 licensing in it so was sorted. I created a demo user called Niamh and allocated an M365 A5 student license to the user.
- Windows Volume Licensing Upgrade Key
- This was not that easy for me to source a valid one, but I was able to test this in my demo environment using a KMS Client Key for Windows Education from here
Step By Step Guide
For those that don’t like to watch videos and prefer something to follow along, I’ll outline the process below. For the sake of brevity I’m not going to recreate every step (you need to do some work yourself!) but the main thrust of the process is here.
Ensure you’ve got a Windows 10 Home Edition VM working correctly:
This is easy to do by going to Windows Settings and About and looking under the Windows Specifications:
AzureAD Register the device to start getting policies/settings applicable for Windows Home Edition:
Go to Access Work or School and click on Connect:
Enter your relevant user details – note that in my example I’ve customised the login screen with a backdrop image of the school and the school logo above the username to provide some visual cues and assurance that the user is indeed validating against their own school correctly:
It might take a minute or two to complete the registration but be patient:
Once you’ve done you should see your account listed now:
At this point you can either wait patiently for the policy to apply or you can speed it up by clicking on the account, choosing “info” and then manually forcing a sync:
Time to leave that for a minute or two and head over to Intune to complete the process
Configure Microsoft Endpoint Manager (MEM) / Intune with an Edition Upgrade Policy
I’m only going to give you the basics here and assume you’ve got a working knowledge of creating and assigning configuration profiles in Intune, but you’re going to need to create a new Windows Configuration Policy and use the Template for “Edition Upgrade and Mode Switch”
You’ll need to walk through the wizard to complete and assign it to the relevant user/groups you want to upgrade but when completed should look something like this:
Note that I’ve selected Education Edition because this matches my VL Upgrade Key that I obtained above, and I’ve opted not to configure the S Mode Switch as I’m running standard Windows 10 Home Edition in my VM. I’ve also taken the lazy approach and assigned this to All Devices group (you should be more granular in your targeting of this type of policy ideally!)
Check to see if your Win10 Home Device has received any apps / policy
This is where the fun begins – if you go back to your Windows VM you should be able to hit the start menu and see if any of your apps have been deployed to the device (assuming you’ve configured apps to be deployed to this group of devices). Here are mine – all of which arrived on the device in the first 5minutes after registering it:
You might be asking: how are you deploying applications to a Windows 10 Home device? The answer is that Intune allows an AzureAD Registered device to receive apps from the Microsoft Store for Education and also some policy that is applicable to Windows Home. So now I know I’ve got apps on the device from Intune, what is the dashboard showing me?
A couple of things to note here:
- When the device first registers the “Device Name” is rarely shown correctly – it requires a full sync to update correctly.
- The same is true for the “OS Version” field – usually it starts out as 0.0.0.0 until the Windows device reports home
- Note the “Ownership” – because this is effectively a BYOD that has been AzureAD Registered only (and not Joined) it’s automatically categorised as Personal vs Corporate. You can do some funky stuff with dynamically populated AzureAD groups based off Corporate vs Personal ownership devices.
- Lastly, you can see the Primary User UPN on the far right confirming the M365 A5 user (vs the local administrative user on the Windows 10 Home which was simply “John”
If you click on the device name here and go to Device Configuration you can see which policies have applied:
It’s worth nothing some have succeeded and some have failed. Given this is a Windows Home Edition device not all policies apply. Even the Edition Upgrade Policy has failed and if you click on it you can see this:
Do not be deterred – the upgrade has worked, but the error here I believe is a combination of using a non-activated Win10 Home testing licensing and also the KMS Client VL Key for this demo. The trick now is to reboot the device and watch the upgrade take place!
Reboot your Windows 10 Home VM & Watch The Magic Happen:
You will note that during the reboot, there is a display showing Adding Features:
This is the upgrade from Windows 10 Home Edition to Windows 10 Education Edition taking place. Once this is completed you’ll still sign in with the local user on the device – in my instance the Intune compliance policy applied and required a password reset to a more complex password:
And now all that is required to do is check the upgrade has worked successfully:
Edition Windows 10 Education
Installed on 10/12/2021
OS build 19044.1288
Experience Windows Feature Experience Pack 120.2212.3920.0
A Word Of Caution:
I was interested to see what would happen if I initiated an Intune “Fresh Start” or “Wipe” of this device – would it revert back to the Windows 10 Home Edition that I started with. Afterall, one scenario that this whole process might apply to is student BYOD devices being upgraded to Windows 10 Education whilst they are students at a school and then reverting back to Home when they leave. (There is actually a way they can upgrade to Windows 10 Education for the life of their device using the Kivuto Store and Student Use Benefit – check this blog here)
What I leant from my testing is that both a Fresh Start and a Wipe did not remove the VL Key. In fact, I saw this message flash up during the reset of the device:
I decided to test further with a physical laptop I had that came with an OEM embedded license of Windows 10 Pro Education which I had automatically upgraded to Windows 10 Education as a result of completing an AzureAD Join and the Windows Subscription Activation process kicking in.
So, I initiated a remote wipe of this device from Intune and it duly reset and reverted back to the OEM Windows 10 Pro Education based off the embedded key the device shipped with.
Learnings: It would appear that from my testing when you use a Windows 10 VM that does not have an embedded key, a reset of the device retains the VL activation key implemented via the Intune Edition Upgrade Policy. However, when you use this upgrade from Home to Pro or Education on a physical machine that has an embedded key, a remote wipe will revert back to the original key. Phew!
What If You Want The User To Sign In With Their AzureAD UPN Instead Of Their Local Account?
A friend asked me about this – now you’ve upgraded from Windows Home to Windows Education how can you get the user to now sign in with their AzureAD credentials instead of the local user they had created when the device was running Windows 10 Home Edition?
Well, follow along to see how this can be done – first the user signs in with their local admin account
Remember the device is currently registered to AzureAD so you will need to go to Accounts and “Access work or school” and then disconnect:
This might take a couple of minutes, but then you’re going to add the account back this time, but take care to select “Join this device to Azure Active Directory”
Authenticate as you normally would with your AzureAD user:
You will be prompted about joining this device:
It takes only a minute or two and then you’re prompted the device is connected to the organisation (in my demo example this is called “Contoso” and then you’re guided to signing out and switching account to log in with your AzureAD Credentials:
It’s worth noting the icon has changed showing the AzureAD connected status:
If you now sign out of the device as your local admin user (John in my instance) you’ll see the option to sign in as “Other user” in the bottom left:
A couple of things to note here:
- The AzureAD domain name is already pre-populated with”sign in to: m365.education” – this is actually an Intune policy to make it easier and faster to sign in.
- Hence, I only need to enter “niamh” in the username field and not the full UPN of firstname.lastname@example.org
Because the device is AzureAD Joined it immediately resolves the full name of the user and displays on screen (subsequent signins would also load the profile pic from AzureAD:
You can now see that the account is connected to Contoso’s AzureAD – this is different from theb “work or school account” that Niamh’s account was previously signed in as when the device was Windows10 Home Edition and also after the immediate upgrade to Windows 10 Education. Note also that the Intune policy has already pushed out the Chrome Browser (via an MSI) to the desktop with other applications and settings being applied to this user too:
- This device started as Windows 10 Home Edition with a local admin user
- We completed a “Work or School account” AzureAD register of the device
- This enabled us to push out a policy from Intune for a Windows Edition Upgrade to take the device from Windows 10 Home to Education Edition
- We then signed back into the device with the local user account (John) and disconnected the school or work account from AzureAD, and instead completed an AzureAD Join with the same user.
- We then logged out of the device and signed back in with the AzureAD account of Niamh McNeill (and not the local user John)
As I said at the start – one of the primary reasons I write this blog is to cement my own learnings, upskill so I can advise customers and partners more effectively and accurately and then share this learned knowledge with the wider community. This question of how to go from Windows 10 Home Edition to higher version of Windows e.g. Pro or Education via Intune is one that has come back time and time again – in fact, for me ever since Scott Duffey wrote a blog post entitled 10 Ways to Enroll Windows 10 Into Intune
Where would this scenario be useful? Well, obviously if you wanted to allow students/staff to bring a BYOD to your school or workplace and then upgrade the Windows Edition to provide additional functionality, security and compliance would be a prime example in my mind.
I trust this has been helpful – if I’ve missed something or you’ve got other questions or scenarios throw it in the blog comments below.