
We have an employee who is about to change roles. They're moving to another state, and we are accommodating this by letting them switch to a remote position. After the change, the employee will only return onsite a couple times per year, with potentially up to 8 months between visits.

We would like to allow the employee to keep using their current domain-joined laptop for the remainder of its service life. However, this laptop was provisioned with Windows Enterprise. I do not have any MAK keys for Enterprise Edition in Volume Licensing Service Center (only Professional, though we are licensed for Enterprise), and we do not provide VPN or similar access to allow for KMS activation remotely.

The other employees in similar roles (there are only two at present) were accommodated by manually installing Professional Edition on their laptop when they were first hired, rather than provisioning via our WIM image, so we could use MAK keys. (That was annoying enough in itself!) The new wrinkle is transitioning an existing employee without the opportunity to rebuild the machine.

How can I keep Windows happy over the remaining three years of service life for this laptop?

Joel Coel
  • Can you get a pinhole configured in your firewall, allowing access just to the KMS port from just the particular IP address of the remote client machine? Have you double-checked with the vendor that you are not entitled to MAK keys? – Harry Johnston Nov 21 '19 at 21:08
  • ... oh, and is there any reason not to just downgrade the licence to Professional? That doesn't require a reinstall. – Harry Johnston Nov 21 '19 at 21:10
  • @HarryJohnston The last time I tried that Windows wouldn't activate properly. I may just need to read up some more on a step I missed, in which case that's a valid answer (that I'd upvote) if you posted it along with instruction on how to do it. – Joel Coel Nov 21 '19 at 21:27
  • For the pinhole... I won't know the source address for this employee, and since we're still doing old-school KMS vs Active Directory there's no other boundary to limit things; opening that pinhole could potentially open up my KMS service to anyone in the wild for pirated KMS activations. – Joel Coel Nov 21 '19 at 21:29
  • It depends a bit on the situation the employee will be in, but typically a static IP address could be arranged. You wouldn't need to set up the pinhole in advance, you've got 180 days from the last successful KMS activation. But I agree that it isn't an ideal solution. – Harry Johnston Nov 21 '19 at 21:51

1 Answer

Provided you are running at least Windows 10 v1607, you should be able to convert from Enterprise to Professional simply by installing the Professional MAK key in place of the KMS client key. This is simple from the command line:

cscript.exe c:\windows\system32\slmgr.vbs /ipk AAAAA-BBBBB-CCCCC-DDDDD-EEEEE

There is more detail in this Microsoft blog post, Changing between Windows SKUs.

We have done this at my site the other way around, taking machines that were running Professional (with OEM keys) and converting them to KMS-based Enterprise licences. Everything went smoothly.

Harry Johnston
  • Okay, this did work. Weird. I'm _**sure**_ last time I tried this it failed to activate afterwards. It's still disappointing I need to downgrade the machine, but at least I have a system that will work. – Joel Coel Dec 04 '19 at 14:28
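The key swap from the answer above, extended with an activation and verification step so the result can be confirmed before the laptop leaves the site. This is an added example, not part of the original answer: the key is the same placeholder the answer uses, the script assumes an elevated prompt and outbound internet access to Microsoft's activation service, and the variable names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer.
# $MakKey is a placeholder; substitute the Professional MAK from VLSC.
param(
    [string]$MakKey = 'AAAAA-BBBBB-CCCCC-DDDDD-EEEEE'
)

$slmgr = Join-Path $env:windir 'System32\slmgr.vbs'
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Build 14393 is Windows 10 v1607, the minimum the answer states.
if ([int]$cv.CurrentBuildNumber -lt 14393) {
    throw "Build $($cv.CurrentBuildNumber) is older than 14393 (v1607)."
}
Write-Host "Edition before key change: $($cv.EditionID)"

# Replace the KMS client key with the Professional MAK (the answer's step).
cscript.exe //NoLogo $slmgr /ipk $MakKey

# A MAK activates directly against Microsoft, so the internal KMS host
# never has to be reachable from the remote site.
cscript.exe //NoLogo $slmgr /ato

# Verify through WMI instead of trusting slmgr's text output.
# The GUID below is the fixed ApplicationID for Windows itself.
$winAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
$filter   = "ApplicationID='$winAppId' AND PartialProductKey IS NOT NULL"
$products = @(Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter)

if ($products.Count -eq 0) {
    throw 'No Windows product key is installed; the /ipk step did not take.'
}

foreach ($p in $products) {
    # LicenseStatus 1 means Licensed; any other value needs follow-up.
    [pscustomobject]@{
        Name       = $p.Name
        Channel    = $p.Description
        KeySuffix  = $p.PartialProductKey
        Licensed   = ($p.LicenseStatus -eq 1)
    }
    if ($p.LicenseStatus -ne 1) {
        Write-Warning "Not activated (LicenseStatus=$($p.LicenseStatus)). Run slmgr.vbs /dlv for details."
    }
}
```

The `Channel` column should show a MAK channel rather than a volume KMS client channel once the swap has taken; if it still shows the KMS client, the machine will fall out of activation 180 days after its last KMS contact.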