Share via

Windows 11 PRO + Microsoft 365 Frontline F3 License

Vitalii Mishchenko 45 Reputation points
2026-04-02T10:18:41.6+00:00

Good afternoon.

We are deploying a hybrid infrastructure: Microsoft Entra ID + on-premises Active Directory (Hybrid AD).

Users receive a basic Microsoft 365 F3 license, as well as additional licenses for specific services as needed.

Devices (laptops) are shipped with Windows 11 Pro (OEM) pre-installed.

When a user logs in with an Entra ID account that has an F3 license, the system automatically switches to the Windows Enterprise edition and appears as activated.

At the same time, some devices are used as shared devices (multiple users work on a single laptop, each under their own account with an F3 license).

Please clarify:

  1. Is it correct to use Windows Enterprise (which activates automatically upon login with an existing license) on shared devices in a scenario where each user has an F3 license, but the device is not the primary device for each of them?
  2. Am I correct in understanding that we do not need our own KMS server or the ADBA role on AD DS if we are using W11 PRO (OEM) + F3 user licenses?

Thank you.

Windows for business | Windows Client for IT Pros | Devices and deployment | Licensing and activation
0 comments

Answer accepted by question author

  1. VPHAN 31,830 Reputation points Independent Advisor
    2026-04-02T11:18:40.11+00:00

    Hi Vitalii Mishchenko,

    Your hybrid infrastructure design using Microsoft 365 F3 licenses on shared Windows 11 Pro OEM devices is fully compliant and represents the modern standard for deploying Windows Enterprise. Microsoft 365 F3 natively supports frontline shared device scenarios without requiring the hardware to be assigned as any user's primary workstation. Furthermore, you are entirely correct that you do not need a local Key Management Service server or the Active Directory-Based Activation role. The modern subscription activation mechanism bypasses traditional volume activation entirely by using the firmware-embedded OEM key as the qualifying base license and managing the Enterprise step-up exclusively through Entra ID.

    Since completely deleting the affected person's FSLogix profile and starting from ground zero did not resolve the issue you are experiencing, the root cause definitively resides outside of the user's roaming data container. Windows Subscription Activation relies on a device-wide scheduled task and caches its digital tickets locally on the machine rather than strictly within the user profile. When an F3-licensed user authenticates, the operating system attempts to pull a Primary Refresh Token from Entra ID to validate the license. This token interaction often fails on shared machines if the device-level activation cache becomes corrupted or if the underlying Hybrid join state desynchronizes, preventing the operating system from reading the user's cloud entitlement.

    To resolve this persisting step-up failure on your shared laptops, you must target the local machine cache rather than the roaming user data. You can start by checking the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion to verify if the EditionID value is properly reflecting the Enterprise state or if it is dropping back down to Pro. Additionally, you should run the dsregcmd /status command in an elevated prompt to ensure the device maintains a healthy AzureAdJoined state and successfully acquires the Primary Refresh Token. If the tokens are healthy but the step-up still fails, restarting the Client License Service, known as ClipSVC, will force the system to clear its local Microsoft Store API cache and re-evaluate the F3 license ticket directly from Entra ID upon the next login.

    Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VP

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-04-02T10:18:55.6266667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more
    1. Yes. Windows subscription activation is explicitly a per-user entitlement and supports shared devices, including BYO/CYOD and mobile worker scenarios. When a device is running a supported Windows Pro edition, is Microsoft Entra joined or hybrid joined, and a user with a qualifying Windows Enterprise entitlement signs in, the OS silently steps up from Pro to Enterprise for that device. This is tied to the user’s license and Microsoft Entra sign-in, not to the device being “primary.”

    Key points from subscription activation behavior:

    • Devices must be running a supported Windows Pro edition and be Microsoft Entra joined or hybrid joined.
    • A Windows Enterprise license is assigned per user in Microsoft Entra/Microsoft 365.
    • When a licensed user signs in, the device steps up from Pro to Enterprise and Enterprise features are unlocked.
    • Up to five devices can be upgraded for each user license; if a sixth device is used, the device with the oldest sign-in reverts to Pro.
    • Licenses can be reallocated between users.

    This model is designed to support shared devices as long as:

    • Each user who causes an Enterprise step-up has a valid Enterprise entitlement (for F3, this includes Windows Enterprise rights as described in the Windows 365 Frontline / M365 licensing context), and
    • The per-user limit (up to five devices per user) is respected.
    1. Correct. In the scenario described (Windows 11 Pro OEM + Microsoft 365 per-user licensing with subscription activation), a KMS server or ADBA role is not required for Windows Enterprise activation.

    From the subscription activation model:

    • Subscription activation uses the underlying Pro OEM key (firmware-embedded) as the base license.
    • Enterprise is delivered as an online service and activated via Microsoft Entra credentials and cloud licensing, not via KMS/MAK/ADBA.
    • Devices periodically contact Microsoft’s activation service over the internet (about every 30 days) to renew the subscription; if offline past expiry, they revert to Pro until they can reconnect.

    KMS/ADBA are only needed when using traditional volume activation (KMS/MAK/ADBA) for Enterprise. With Windows 11 Pro OEM plus per-user Enterprise rights (via M365 F3 and related entitlements) and subscription activation, the cloud-based model replaces the need for on-premises KMS or ADBA for those devices.

    References:

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.