I see the same thing in small offices three or four times a year. The owner walks into Costco, picks up a nice-looking laptop on sale, hands it to the new front-desk hire, and asks me a week later why we can’t join it to Entra, why BitLocker is greyed out, why nobody can RDP into it from home, and why every Group Policy I push gets silently ignored.
The answer is always the same: it shipped with Windows 11 Home.
Windows 11 Home is a fine operating system for one human being using one device at one kitchen table. It is the wrong product to run a business on, and the gap between Home and Pro is the single most-overlooked source of preventable IT incidents I see in SMB land. The good news is the upgrade is $99, takes ten minutes, doesn’t require a reinstall, and unlocks every feature this post covers.
💼 Why Your SMB Needs Windows 11 Pro, Not Home
This post is for anyone buying laptops for a small business — owners, office managers, the person who got drafted into “IT” because they’re the youngest in the room. By the end you’ll know exactly what Pro buys you, how to check what you’ve got, and how to upgrade in place if you guessed wrong.
🔍 What edition am I running?
Easiest check is winver from the Start menu — pops up a dialog with the edition. From PowerShell:
```powershell
Get-ComputerInfo | Select-Object `
    WindowsProductName, WindowsEditionId, WindowsVersion, OsBuildNumber
```
You’re looking for WindowsProductName to say Windows 11 Pro and WindowsEditionId to say Professional. If it says Core or Windows 11 Home, keep reading.
1. 🔒 Real BitLocker, not “Device Encryption”
This is the headline. Windows 11 Home does have something called Device Encryption — but it’s a stripped-down variant with serious limits:
- Requires a Microsoft account. You cannot use Device Encryption with a local account; the recovery key has to escrow to your personal Microsoft account. For an SMB endpoint that’s a non-starter.
- No PowerShell management. Enable-BitLocker, Get-BitLockerVolume, manage-bde — all missing or crippled.
- No XTS-AES 256. Device Encryption uses AES-128-CBC. Fine for casual theft, weaker than what Pro defaults to.
- No per-drive control. You can’t separately encrypt a second internal drive or an external one.
- No recovery-key escrow to Entra ID or AD. Which means when (not if) the TPM clears during a firmware update, you’re looking at the user’s personal Microsoft account password to recover the laptop’s drive. Good luck if they forgot it and quit two weeks ago.
Windows 11 Pro ships real BitLocker — the same drive-encryption stack we built the Lock Down Windows 11 in 15 Minutes checklist around. XTS-AES 256, PowerShell-scriptable, key-escrow to Entra ID or Active Directory or a third-party vault, separately encrypt every drive in the machine. Try this on Pro vs Home and watch the second one error out:
```powershell
# Real BitLocker — works on Pro, fails on Home
Enable-BitLocker -MountPoint "C:" `
    -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly `
    -TpmProtector
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
```
On Home: Enable-BitLocker : The term 'Enable-BitLocker' is not recognized as a name of a cmdlet… or — if the cmdlet exists — a hard error about edition support.
Why this matters: the difference between a stolen laptop being “a hardware loss” and “a notifiable data-breach incident” is whether the drive was properly encrypted with a recovery story. Pro gives you that. Home gives you a sketchy approximation.
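The recovery story is the part people skip, so here is the whole thing end to end: add the recovery password, turn on XTS-AES 256 with the TPM, then escrow the key to Entra ID or AD depending on how the box is joined. This is an added example, not code from the post above; it assumes an elevated PowerShell on Windows 11 Pro with a TPM, and the fallback folder path is an assumption for machines joined to nothing.

```powershell
# Added example (not from the original post): BitLocker with key escrow.
# Assumes: elevated session, Windows 11 Pro or better, TPM present.
# $OfflineKeyFolder is an assumed fallback path for stand-alone machines.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:',
    [string]$OfflineKeyFolder = "$env:ProgramData\BitLockerRecovery"
)

# Home reports an EditionId starting with "Core"; the BitLocker module is not there.
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
if ($edition -like 'Core*') {
    throw "BitLocker management needs Pro or better; this machine reports '$edition'."
}

# 1. Make sure a recovery password protector exists before the TPM protector,
#    so there is always a way back in if the TPM clears.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
$rp = $rp | Select-Object -First 1

# 2. Encrypt with XTS-AES 256 bound to the TPM. Without -SkipHardwareTest,
#    Windows runs its TPM hardware test on the next reboot and then encrypts.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector
}

# 3. Escrow the recovery password. dsregcmd tells us how the device is joined.
$status      = dsregcmd /status
$entraJoined = [bool]($status | Select-String -Quiet 'AzureAdJoined\s*:\s*YES')
$adJoined    = [bool]($status | Select-String -Quiet 'DomainJoined\s*:\s*YES')

if ($entraJoined) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    Write-Host "Recovery key escrowed to Entra ID (visible in the device blade)."
} elseif ($adJoined) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    Write-Host "Recovery key escrowed to Active Directory (computer object, BitLocker tab)."
} else {
    # Stand-alone machine: write it out so it can be moved into the company vault.
    New-Item -ItemType Directory -Path $OfflineKeyFolder -Force | Out-Null
    $file = Join-Path $OfflineKeyFolder "$env:COMPUTERNAME-$($rp.KeyProtectorId).txt"
    $rp.RecoveryPassword | Set-Content -Path $file
    Write-Warning "Not joined to Entra ID or AD. Recovery password written to $file; move it to your vault and delete the local copy."
}
```

Order matters: the recovery password goes on first so the TPM protector never exists alone. On a Home machine the script stops at the edition check, which is exactly the point of this section.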
2. 🛠️ Group Policy Editor (gpedit.msc)
Open Start → type gpedit.msc on a Home machine. You get “Windows cannot find ‘gpedit.msc’.” On Pro it opens the Local Group Policy Editor and the entire Windows policy surface — hundreds of toggles for everything from “Block password reuse” to “Disable USB removable drives” to “Force Defender Tamper Protection.”
The two big consequences:
1. Most security-hardening guides — including ours — assume you can edit local Group Policy. Without gpedit.msc, you’re stuck doing the registry-key version of every setting, which is more error-prone and gets undone by Windows updates more often.
2. GPOs from a domain controller silently fail to apply. Home machines on a domain (which is itself a Pro-only feature, see below) won’t pull policy from your AD or Entra environment. They just ignore it.
If you ever want to push a settings baseline to a fleet of laptops without paying for Intune, Pro is the minimum.
3. 🏢 Join the Company (Entra ID + Active Directory)
This is the one that bites people first. Windows 11 Home cannot join an Entra ID tenant, an Active Directory domain, or be managed by Intune. Full stop. The “Access work or school” pane in Settings has the option greyed out with a tooltip telling you to upgrade.
What that means in practice:
- No central identity. Every user signs in with a personal Microsoft account or a local account. Onboarding and offboarding is per-machine. When someone leaves, you’re back to that “did anyone change the Wi-Fi password” feeling.
- No conditional access. You can’t enforce “only company-managed laptops can open Outlook.” Anyone with the user’s password gets in from anywhere.
- No automatic BitLocker key escrow. Pro + Entra = your IT admin can recover the drive from the portal. Home + Microsoft account = pray the user remembers their personal MS account password.
- No Intune / Defender for Endpoint. Both refuse to enroll Home editions. Those are the only two ways to push a consistent security baseline to remote laptops at scale.
If your business has more than one or two computers, central identity is not a luxury, it’s a survival mechanism. Pro is the price of admission.
4. 🖥️ Accept Incoming Remote Desktop
Windows 11 Home can be an RDP client — it can connect out to other machines. It cannot be an RDP host — nobody can RDP into it. The receiving end has to be Pro or better.
For SMB owners, this comes up the first time someone says “I forgot a file on my office desktop, can I grab it from home?” On Pro: enable RDP, set up port-forwarding (or better, a VPN, or much better, a Zero Trust mesh like Tailscale or Cloudflare Access), done. On Home: install third-party remote-access software (TeamViewer, AnyDesk, Splashtop) and now you’re paying a per-seat subscription forever to do what’s built into the OS.
```powershell
# Enable RDP on Windows 11 Pro (run as admin)
Set-ItemProperty `
    -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
# Restrict to a specific user (don't leave it wide open)
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'christopher'
```
This won’t even run on Home — the registry key exists but the service that backs it refuses to accept connections.
Important caveat: turning RDP on does not mean opening port 3389 to the internet. Don’t do that. Put it behind a VPN, a Tailscale tailnet, or a Cloudflare Access policy. RDP on the public internet has been brute-forced into oblivion since 2017.
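Here is what “behind a VPN or tailnet” looks like on the host itself, as an added example rather than code from the post: RDP on, Network Level Authentication required, and the built-in firewall rules scoped to the private range instead of “Any”. The CIDR is an assumption; 100.64.0.0/10 is the range Tailscale hands out, so substitute your own VPN subnet.

```powershell
# Added example (not from the original post): RDP enabled, NLA required,
# inbound rules scoped to the VPN/tailnet range. Assumes Windows 11 Pro, elevated.
# $AllowedRemoteCidr is an assumption; replace it with your VPN subnet.
#Requires -RunAsAdministrator
param([string[]]$AllowedRemoteCidr = @('100.64.0.0/10'))

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 0

# Require NLA: the client must authenticate before a session is created,
# which removes the pre-auth attack surface of the logon screen.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1

# Turn the built-in rules on, then narrow their remote scope from "Any" to our range.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AllowedRemoteCidr

# Read back what is actually in effect: every inbound RDP rule should show our
# range under RemoteAddress, never "Any".
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object @{ n = 'Rule'; e = { $_.InstanceID } }, RemoteAddress
```

The read-back at the end is the part to keep in your runbook: a later “fix” that re-creates the rules with the defaults will show up there as RemoteAddress = Any.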
5. 🧪 Hyper-V and Windows Sandbox
Both are Pro+ features. Both are wildly useful for an SMB:
- Hyper-V lets you spin up a free Linux VM to test something, run a legacy XP app for one stubborn line-of-business tool, or stand up a domain controller in a lab on your laptop. Built into Windows, no VirtualBox / VMware required.
- Windows Sandbox is a 30-second disposable Windows VM. You launch it, drag in a sketchy installer, run it, see what it does, close the window — poof, the entire VM is gone. Zero state persists. This is the single best tool for safely opening that “is this attachment legit?” file your insurance broker just emailed.
```powershell
# Enable both on Pro (reboot required)
Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
```
Home doesn’t expose either feature.
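For the “is this attachment legit?” use case, a plain sandbox still has clipboard sharing and network access on by default. This added example (not from the post) writes a .wsb configuration that maps a read-only quarantine folder in, turns networking and clipboard redirection off, and launches the sandbox. It assumes the Containers-DisposableClientVM feature is enabled, and the folder paths are assumptions.

```powershell
# Added example (not from the original post): locked-down Windows Sandbox profile.
# Assumes Windows 11 Pro with Windows Sandbox enabled. Paths are assumptions.
param(
    [string]$QuarantineFolder = "$env:USERPROFILE\Quarantine",
    [string]$ConfigPath       = "$env:USERPROFILE\Quarantine\detonate.wsb"
)

# Host-side folder where you drop the suspicious file before opening the sandbox.
New-Item -ItemType Directory -Path $QuarantineFolder -Force | Out-Null

# Networking off so the sample cannot phone home; ReadOnly so it cannot
# modify the host copy; ProtectedClient adds the AppContainer isolation layer.
$wsb = @"
<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$QuarantineFolder</HostFolder>
      <SandboxFolder>C:\Quarantine</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Quarantine</Command>
  </LogonCommand>
</Configuration>
"@

Set-Content -Path $ConfigPath -Value $wsb -Encoding UTF8

# Launch with this profile; closing the sandbox window discards everything inside it.
Start-Process -FilePath 'WindowsSandbox.exe' -ArgumentList "`"$ConfigPath`""
```

With networking disabled some installers will simply fail, which is itself useful information. If you need to watch network behaviour, flip Networking to Enable and do it on a machine that is not on the office LAN.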
6. 📱 Mobile Device Management (MDM)
If you ever want to enroll a Windows laptop in Intune, Microsoft 365 Business Premium device management, or any third-party MDM (Kandji, Jamf, NinjaOne, etc.) — it has to be Pro or higher. Home cannot be MDM-managed. Period.
This is the single biggest reason SMBs end up doing nightmare reinstalls. They buy ten laptops from Costco, deploy them, then six months later sign up for Microsoft 365 Business Premium because they want central email and security policies. They go to enroll the laptops in Intune. Half of them are Home. Now you’re either upgrading them one at a time (next section) or doing a clean wipe-and-Pro-reinstall on every one.
7. 🔄 Update for Business (defer + ring deployment)
Pro gives you fine-grained control over Windows Update:
- Defer feature updates by 14, 30, 60, 90+ days (Home: applied immediately, can crash you on day one).
- Defer quality updates by 0–7 days (Home: applied as soon as they download).
- Pause updates for up to 35 days (Home: 7 days max).
- Deployment rings via WUfB — test updates on one pilot machine for a week before they roll to the rest.
These are accessible via GPO, registry, or any MDM. On Home you get “updates happen when Microsoft decides.” For an SMB whose accountant needs QuickBooks to launch on the morning of payroll, deferral is the difference between “we patch on Tuesday after we test on the lab machine on Monday” and “QuickBooks is broken and no one knows why.”
```powershell
# Defer feature updates by 30 days, quality updates by 4 days
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item -Path $wu -Force | Out-Null
Set-ItemProperty -Path $wu -Name 'DeferFeatureUpdates' -Value 1
Set-ItemProperty -Path $wu -Name 'DeferFeatureUpdatesPeriodInDays' -Value 30
Set-ItemProperty -Path $wu -Name 'DeferQualityUpdates' -Value 1
Set-ItemProperty -Path $wu -Name 'DeferQualityUpdatesPeriodInDays' -Value 4
gpupdate /force
```
Above is a no-op on Home — the policy registry keys exist but Windows ignores them.
💰 The actual math
Retail price difference, fresh laptop: ~$70–$100. Microsoft’s in-place upgrade SKU (Settings → Activation → Upgrade your edition of Windows) is $99 once per machine, no reinstall, no data loss.
Now compare against what one preventable incident on a Home machine actually costs:
| Incident | Realistic SMB cost |
|---|---|
| Laptop stolen, drive not encrypted | $2,000 – $25,000 (data-breach notification, legal review, lost client trust) |
| Cryptolocker on unmanaged laptop spreads to NAS | $4,000 – $40,000 (ransom, downtime, recovery labor) |
| Departing employee, no central identity | $500 – $3,000 (per-app password resets, file-share permission re-papering, productivity drag) |
| New laptop can’t enroll in Intune, full rebuild | $400 – $1,200 (labor + the day the user is on a loaner) |
| RDP-into-office workaround via TeamViewer | $25 – $80 per user per month, forever |
The Pro upgrade pays for itself the first time any one of those gets avoided. Most SMBs hit two or three of them in the first three years.
🔧 How to upgrade in place
You don’t have to reinstall. Microsoft sells an upgrade SKU that flips the edition on a running machine in about ten minutes.
The supported path:
1. Settings → System → Activation → Upgrade your edition of Windows
2. Click Open Store under “Upgrade to Windows 11 Pro.”
3. Buy the upgrade ($99 USD as of writing). Wait ~10 minutes. Reboot.
4. Edition now reads Professional. All your files, apps, and accounts are intact.
If you already have a Pro product key (a lot of Microsoft 365 Business and Volume Licensing customers do):
1. Settings → System → Activation → Change product key.
2. Enter the 25-character Pro key.
3. Windows verifies, switches edition, reboots.
```powershell
# Same thing from PowerShell (useful for scripting across a fleet)
changepk.exe /productkey XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
```
If you’re scripting this across multiple machines, slmgr.vbs /ipk and slmgr.vbs /ato are the licensing-service equivalents.
Don’t fall for $5 keys on shady marketplaces. They’re usually grey-market volume keys that Microsoft will deactivate within months, leaving you in worse shape than where you started. $99 from the Microsoft Store; $30–$50 from reputable resellers if you really want to penny-pinch.
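The fleet version of the changepk step, as an added example that is not part of the post: check each machine’s edition over PowerShell Remoting, leave the Pro boxes alone, and only touch the ones reporting Home. It assumes WinRM is already enabled, you have admin rights on every machine, and you hold a genuine Pro key; the computer names are constructed sample values and the key is a placeholder you pass in.

```powershell
# Added example (not from the original post): find Home machines and upgrade
# them in place. Assumes PowerShell Remoting is enabled and you are an admin on
# each box. Computer names below are constructed samples; -ProKey is your real key.
param(
    [string[]]$ComputerName = @('FRONTDESK-01', 'FRONTDESK-02', 'OWNER-LAPTOP'),
    [Parameter(Mandatory)][string]$ProKey,   # format XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
    [switch]$DryRun                          # report only, change nothing
)

# Reject anything that is not shaped like a Windows product key before touching a machine.
if ($ProKey -notmatch '^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$') {
    throw 'ProKey must look like XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
}

$results = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
    param($Key, $ReportOnly)
    # EditionID here is the same value Get-ComputerInfo exposes as WindowsEditionId.
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $row = [pscustomobject]@{ Computer = $env:COMPUTERNAME; Edition = $edition; Action = 'already Pro+' }
    if ($edition -like 'Core*') {
        if ($ReportOnly) {
            $row.Action = 'would upgrade'
        } else {
            # changepk installs the key and switches edition; the user sees a reboot prompt.
            Start-Process -FilePath "$env:SystemRoot\System32\changepk.exe" `
                -ArgumentList "/productkey $Key" -Wait
            $row.Action = 'changepk run, reboot pending'
        }
    }
    $row
} -ArgumentList $ProKey, $DryRun.IsPresent

$results | Sort-Object Computer | Format-Table Computer, Edition, Action -AutoSize
```

Run it once with -DryRun to get the “$99-times-how-many” number before you spend anything; machines that fail to answer over WinRM show up as errors rather than rows, so the table only ever lists boxes you actually reached.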
✅ The buying rule
If you’re buying a Windows laptop for a small business, the rule is short:
- [ ] Windows 11 Pro — non-negotiable for any work-related device.
- [ ] TPM 2.0 and Secure Boot enabled — required for Win11 anyway, but verify in firmware.
- [ ] At least 16 GB RAM, 256 GB NVMe SSD — Pro features (Hyper-V, Sandbox, BitLocker on-the-fly) all want headroom.
- [ ] A business-line model (ThinkPad T/X series, Dell Latitude, HP EliteBook). Consumer-line laptops (IdeaPad, Inspiron, Pavilion) often ship Home by default and have flakier driver support for management tooling.
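The checklist above is easy to verify on a machine that is already on the desk. This added script (not from the post) checks the technical items in one go: edition, TPM 2.0, Secure Boot, RAM, system-disk size, and whether BitLocker is actually on. It assumes Windows 11 and an elevated session (Get-Tpm and Confirm-SecureBootUEFI need admin); the RAM and disk thresholds are rounded so a nominal 16 GB / 256 GB machine passes.

```powershell
# Added example (not from the original post): readiness check against the buying rule.
# Assumes Windows 11, elevated session. Thresholds are assumptions chosen so that
# marketed 16 GB RAM / 256 GB SSD hardware passes after firmware and partition overhead.
#Requires -RunAsAdministrator

function Test-SmbReadiness {
    $ci  = Get-ComputerInfo
    $tpm = Get-Tpm
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
    $sb  = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }
    $spec = (Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' `
                 -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $sys = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
    # On Home the BitLocker module is absent, so guard the cmdlet call.
    $bl  = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
               (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus
           } else { 'cmdlet missing (Home?)' }

    $ramGiB  = [math]::Round($ci.CsTotalPhysicalMemory / 1GB)      # 15.9 rounds to 16
    $diskGB  = [math]::Round(($sys.Used + $sys.Free) / 1e9)        # decimal GB like the spec sheet

    $checks = [ordered]@{
        'Edition is Pro or better'  = ($ci.WindowsEditionId -notlike 'Core*')
        'TPM present and ready'     = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        'TPM spec version 2.0'      = ("$spec" -like '2.0*')
        'Secure Boot enabled'       = [bool]$sb
        'RAM >= 16 GB'              = ($ramGiB -ge 16)
        'System disk >= 256 GB'     = ($diskGB -ge 240)   # allows for EFI/recovery partitions
        'System drive BitLocker on' = ("$bl" -eq 'On')
    }

    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        '{0,-5} {1}' -f $mark, $name
    }
    "Edition: $($ci.WindowsProductName) ($($ci.WindowsEditionId)); RAM: $ramGiB GiB; system disk: $diskGB GB; BitLocker: $bl"
}

Test-SmbReadiness
```

A FAIL on the first line is the cheap fix from the previous section; a FAIL on TPM or Secure Boot is usually a firmware toggle, and if either cannot be turned on, the laptop should not be on the company network at all.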
If you’ve got a closet full of Home laptops bought before you read this — upgrade in place; you don’t need to throw them out. If you’re about to buy: look for the “Windows 11 Pro” line on the spec sheet, every time, no exceptions.
What’s next
The Pro upgrade is the prerequisite for actually doing security right on a Windows endpoint. The follow-up is what to do with it once you have it — that’s the Lock Down Windows 11 in 15 Minutes checklist we put up last week. After that comes the fleet-management post: doing all of this across every endpoint with TacticalRMM, Microsoft Defender, and a managed SOC (Huntress) backing you up.
If your shop is staring at a closet full of Home laptops and not sure whether to upgrade in place or replace — that’s exactly the kind of audit we do for free. Drop me a line at [email protected] or book a 15-minute call. I’ll tell you honestly whether it’s a $99-times-six problem or a “next refresh, buy better” problem.
Thanks, and buy Pro!