Windows 11 Enterprise

Enterprise unlocks Credential Guard (virtualisation-based protection for derived credentials, blocking pass-the-hash and Mimikatz-style attacks), Microsoft Defender Application Guard for Edge (sandboxes untrusted browsing in a disposable Hyper-V container), Windows Defender Application Control (WDAC) policy management, DirectAccess (deprecated but still shipping for legacy estates), AppLocker with full enterprise tooling, Windows Information Protection (also being deprecated in favour of Purview), the Long-Term Servicing Channel option, Windows Autopatch, Endpoint Privilege Management, personal data encryption keyed to Windows Hello, and the Enterprise activation paths for Microsoft 365 Apps for Enterprise. Several of these features physically exist in the Pro binary but only light up with an Enterprise licence — auditing tools detect this and flag mismatches.

For organisations on Microsoft 365 E3 or E5, Windows 11 Enterprise is included as a per-user benefit — no additional Windows licence is required and the per-user model lets a single employee activate Enterprise on up to five personal-or-corporate devices. This is the cheapest legitimate route to Enterprise for most modern shops, because the Windows licence rides along with the Office, Teams, Intune, Defender for Endpoint and Entra ID Plan 2 entitlements that the E3/E5 SKUs already provide. Pure-Windows volume agreements (without Microsoft 365) still exist but are usually only chosen by organisations that have a hard reason to keep Office and Windows licensing separate.

The Long-Term Servicing Channel is a separate Enterprise SKU intended for special-purpose devices — medical imaging stations, industrial controllers, ATMs, kiosks, point-of-sale terminals — where feature updates would break certification or operational stability. Windows 11 Enterprise LTSC 2024 ships with a five-year mainstream support window and receives only security and quality updates: no new Start menu, no Edge bundled, no Microsoft Store, no Cortana, no Teams. LTSC is deliberately inappropriate for general-purpose information-worker PCs (Microsoft has been explicit about this) and Volume Licensing agreements typically cap the percentage of an estate that can be LTSC.

Autopatch is an Enterprise-only managed service that handles Windows quality, feature, driver, firmware and Microsoft 365 Apps updates on rings the customer defines. It is included with E3 and above at no extra cost. Combined with Intune Autopilot, the end-to-end story becomes: ship a device directly from the OEM to the user, who powers it on, signs in with Entra ID, and lands on a fully managed, fully patched, fully configured device without ever touching IT. Autopatch reports compliance back into Intune and the Microsoft 365 admin centre, so leadership has a single source of truth for estate-wide patch posture — historically the hardest number to produce reliably in a Windows shop.

Volume-licensed Enterprise activates via Key Management Service (KMS host with a minimum of 25 clients re-checking every 180 days), Active Directory-based Activation (no server role, joins the activation to the AD forest), or Multiple Activation Keys (MAK) for isolated machines. Microsoft 365 subscription activation flips a qualifying Pro device into Enterprise the moment a licensed user signs in — no key entry, no reboot. When the user signs out or the subscription lapses, the device gracefully falls back to its underlying Pro licence after a grace period. This is the cleanest activation model for BYOD or for mixed estates where some users are licensed for Enterprise and others are not.

Enterprise is the SKU most often examined in formal audits because the licensing is layered: a missing Pro base licence under a valid Enterprise upgrade is still a compliance gap. Software Asset Management tools (SCCM inventory, Intune, third-party SAM) should reconcile per-device base licences against the Volume Licensing Service Center record and the Microsoft 365 user count. For Windows 10 Enterprise estates that cannot move to 11 in time, the commercial Extended Security Updates programme is sold per device for up to three years, with the per-device price escalating year over year — meaningful budget pressure that most organisations use as the forcing function to finish their Windows 11 migration.