Windows 11 Pro

If a device will be used in any organisational context — even a one-person consultancy or a household shared between work and personal accounts — Pro is the right floor. Features such as BitLocker, the Remote Desktop host role, Assigned Access (kiosk mode), AppLocker, Windows Information Protection and the ability to defer or stage feature updates only exist in Pro and above. The moment you intend to manage the device with Microsoft Intune, join an Entra ID tenant, run nested virtual machines, or apply Group Policy from an on-premises domain controller, Windows 11 Home will quietly block you, often without an obvious error message. Pro is also the SKU that exposes Hyper-V — and therefore Docker Desktop's Windows containers, WSL 2's hypervisor backend, and the Windows Sandbox. Anyone running developer tooling on Windows should consider Pro the minimum viable license.

Windows 11 enforces a stricter hardware floor than Windows 10: UEFI with Secure Boot enabled, a TPM 2.0 module (firmware fTPM is fine), a CPU on Microsoft's compatibility list (8th-generation Intel Core / AMD Zen 2 / Qualcomm Snapdragon 7c gen 2 or newer), 4 GB of RAM, 64 GB of storage and DirectX 12-capable graphics. The PC Health Check tool reports compatibility in plain language. Most enterprise hardware purchased after 2019 qualifies without changes — the TPM and Secure Boot are simply switched off in firmware by the OEM and a quick BIOS visit re-enables them. Older hardware can sometimes run Windows 11 via the documented registry bypass, but those installations are explicitly unsupported and will not receive feature updates through Windows Update; they are a stopgap, not a strategy.

Windows 11 Pro reaches end users through three documented channels: Retail (Full Packaged Product or a digital purchase from the Microsoft Store), Volume Licensing for organisations with five or more devices, and CSP subscriptions for cloud-attached deployments. Pre-installed OEM copies — the ones that ship on new laptops and desktops — are bound to the device they shipped on and remain with that hardware for life. OEM keys are not transferable, not refundable, and absolutely not sold separately to consumers; any 'OEM key' offered as a standalone download is, by definition, outside Microsoft's distribution terms. For organisations that buy hardware in volume, OEM pre-installation through an authorised system builder is still the cheapest legitimate path for the first license per device, with Volume Licensing layered on top via re-imaging rights for standardisation.

Retail keys can be moved between devices, but only one active install is allowed at a time — uninstall from the old machine before activating the new one. A digital entitlement is created the moment you sign in to the activated device with a Microsoft account, which lets you reinstall Windows on the same hardware without ever re-entering the key. Volume Licensing uses Key Management Service (KMS) for fleets — a single internal server activates clients automatically as long as they re-check in every 180 days — or Active Directory-based Activation for domain-joined estates, which has no server role to maintain. Multiple Activation Keys (MAK) suit isolated machines that cannot reach the internal KMS host, but each MAK has a finite pool of activations and is consumed on every clean install.

Pro for Workstations is the right SKU for high-end engineering, media and finance workstations that need ReFS as a primary filesystem, persistent memory (Optane / CXL) support, SMB Direct (RDMA), or more than 2 TB of RAM. It targets the hardware most IT shops only see once or twice. Enterprise is volume-only and adds Credential Guard, Application Guard for Edge, Windows Defender Application Control, DirectAccess (deprecated but still shipping), Windows Autopatch, the Long-Term Servicing Channel option, and the Microsoft 365 Apps for Enterprise activation paths. Enterprise is included with Microsoft 365 E3 and E5 per-user subscriptions — for organisations already on those plans, Enterprise costs nothing extra beyond what is already being paid for the cloud bundle.

Windows 10 reached end of mainstream support on 14 October 2025. Devices that meet the Windows 11 hardware floor can upgrade in place for free through Windows Update — existing Windows 10 Pro licences convert to Windows 11 Pro digital entitlements automatically, with the same key and the same edition. For machines that fail the compatibility check, the supported paths are hardware refresh, enrolling in the consumer or commercial Extended Security Updates (ESU) programme for an additional year of security patches, or migrating the user to a cloud PC (Windows 365) where the local hardware only needs to render the session. In-place upgrades preserve installed applications, files and most settings; clean installs are still recommended for machines with persistent driver issues or long upgrade histories.

Windows 11 Pro is the floor for modern management with Microsoft Intune: Autopilot zero-touch provisioning, configuration profiles, compliance policies, conditional access integration and remote actions all assume Pro or higher. The newer Copilot+ PC class — devices with a 40+ TOPS NPU running Recall, Live Captions translation and on-device generative features — is a hardware classification that overlays Pro and Enterprise; the licensing is unchanged, but features such as Recall ship gated behind enterprise policy controls so that IT can disable them centrally before rollout. Plan a Copilot+ pilot around Intune policies first; the features are useful, but several of them touch sensitive content and benefit from explicit data-classification rules.