As Windows 10 version 22H2 approaches its end-of-support date on October 14, 2025, organizations are faced with the challenge of maintaining security and compliance for devices that cannot be upgraded to Windows 11. To address this, Microsoft offers the Extended Security Updates (ESU) program, providing critical and important security updates for up to three additional years. This article explores the process of activating ESU licenses using Microsoft Intune, a cloud-based endpoint management solution, to streamline deployment across enterprise environments.

Understanding the ESU Program

The ESU program is designed to extend the security update lifecycle for Windows 10 devices beyond their official end-of-support date. This is particularly beneficial for organizations with systems that cannot transition to Windows 11 due to hardware limitations or software compatibility issues. By enrolling in the ESU program, organizations can continue to receive security updates, thereby mitigating potential vulnerabilities.
Key Points:
  • Duration and Cost: ESU licenses are available for three years, with the cost doubling each subsequent year. For instance, the first year is priced at $61 per device, the second year at $122, and the third year at $244. It's important to note that ESUs are cumulative; enrolling in the second year requires payment for both the first and second years. (techcommunity.microsoft.com)
  • Eligibility: ESU is available for Windows 10 Pro, Enterprise, and Education editions. Devices must be running Windows 10 version 22H2 with the latest updates installed.

Prerequisites for ESU Activation via Intune​

Before proceeding with ESU activation through Intune, ensure the following prerequisites are met:
  • Operating System Requirements:
    • Devices must be running Windows 10 version 22H2.
    • Install update KB5046613 or a later version to support ESU activation. (learn.microsoft.com)
  • Network Connectivity:
    • Devices need access to specific Microsoft endpoints for activation:
      • https://go.microsoft.com/
      • https://login.live.com
      • https://activation.sls.microsoft.com/
      • http://crl.microsoft.com/
      • https://validation.sls.microsoft.com/
      • https://activation-v2.sls.microsoft.com/
      • https://validation-v2.sls.microsoft.com/
      • https://displaycatalog.mp.microsoft.com/
      • https://licensing.mp.microsoft.com/
      • https://purchase.mp.microsoft.com/
      • https://displaycatalog.md.mp.microsoft.com/
      • https://licensing.md.mp.microsoft.com/
      • https://purchase.md.mp.microsoft.com/
    • Ensure these URLs are accessible and not blocked by firewalls or network policies. (learn.microsoft.com, https://learn.microsoft.com/en-us/windows/whats-new/enable-extended-security-updates)
  • Administrative Privileges:
    • Administrative rights are required on each device to install and activate the ESU keys.

Acquiring ESU Licenses

ESU licenses can be purchased through Microsoft's Cloud Solution Provider (CSP) program.
As of September 2025, organizations can acquire these licenses to extend support for their Windows 10 devices. Once purchased, the Multiple Activation Keys (MAKs) for ESU can be retrieved from the Microsoft 365 admin center:
  • Navigate to the Billing > Your Products page.
  • Select the Volume Licensing tab.
  • Under Contracts, click on View contracts.
  • Locate the relevant License ID, click the three dots (More actions), and select View product keys.
Note that ESU MAKs become active at the start of the ESU coverage period. (learn.microsoft.com, https://learn.microsoft.com/en-us/windows/whats-new/enable-extended-security-updates)

Activating ESU via Microsoft Intune

Microsoft Intune provides a centralized platform to deploy and manage ESU activation across multiple devices efficiently. The process involves creating and deploying PowerShell scripts to install and activate the ESU keys.

Step 1: Prepare PowerShell Scripts

Two scripts are required: a detection script to verify prerequisites and an activation script to install and activate the ESU keys.

Detection Script: This script checks if the device meets the necessary prerequisites for ESU activation, including OS version, required updates, and network connectivity.

```powershell
# Check Windows 10 version.
# DisplayVersion holds '22H2'; ReleaseId stopped changing at '2009' and never equals '22H2'.
$OSVersion = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
if ($OSVersion -ne '22H2') {
    Write-Output "Device is not running Windows 10 22H2."
    exit 1
}

# Check for required update.
# This matches the exact KB ID only; a later cumulative update that supersedes
# KB5046613 is not recognized by this comparison.
$Update = Get-HotFix | Where-Object { $_.HotFixID -eq 'KB5046613' }
if (-not $Update) {
    Write-Output "Required update KB5046613 is not installed."
    exit 1
}

# Check network connectivity
$Endpoints = @(
    'https://go.microsoft.com/',
    'https://login.live.com',
    'https://activation.sls.microsoft.com/',
    'http://crl.microsoft.com/',
    'https://validation.sls.microsoft.com/',
    'https://activation-v2.sls.microsoft.com/',
    'https://validation-v2.sls.microsoft.com/',
    'https://displaycatalog.mp.microsoft.com/',
    'https://licensing.mp.microsoft.com/',
    'https://purchase.mp.microsoft.com/',
    'https://displaycatalog.md.mp.microsoft.com/',
    'https://licensing.md.mp.microsoft.com/',
    'https://purchase.md.mp.microsoft.com/'
)

foreach ($Endpoint in $Endpoints) {
    try {
        Invoke-WebRequest -Uri $Endpoint -UseBasicParsing -Method Head -TimeoutSec 15 | Out-Null
    } catch {
        # An HTTP error status (for example 403 or 404) still proves the host answered;
        # only a failure with no response at all (DNS, TCP, TLS, blocked) counts as unreachable.
        if (-not $_.Exception.Response) {
            Write-Output "Unable to reach $Endpoint."
            exit 1
        }
    }
}

Write-Output "Device meets all prerequisites for ESU activation."
exit 0
```

Activation Script: This script installs and activates the ESU MAK on the device.

```powershell
param (
    [string]$ESUKey,
    # Optional (added): ESU Activation ID for the purchased year; the value is not given on this page.
    [string]$ActivationId
)

if (-not $ESUKey) {
    Write-Output "ESU Key is required."
    exit 1
}

# Install ESU Key. -PassThru exposes the exit code so a failure is not reported as success.
$Install = Start-Process -FilePath 'cscript.exe' -ArgumentList "//NoLogo C:\Windows\System32\slmgr.vbs /ipk $ESUKey" -Wait -PassThru
if ($Install.ExitCode -ne 0) {
    Write-Output "slmgr.vbs /ipk failed with exit code $($Install.ExitCode)."
    exit 1
}

# Activate ESU Key. With no Activation ID, /ato acts on the installed Windows edition,
# so the ESU Activation ID is passed when it is supplied.
$Activate = Start-Process -FilePath 'cscript.exe' -ArgumentList "//NoLogo C:\Windows\System32\slmgr.vbs /ato $ActivationId" -Wait -PassThru
if ($Activate.ExitCode -ne 0) {
    Write-Output "slmgr.vbs /ato failed with exit code $($Activate.ExitCode)."
    exit 1
}

Write-Output "ESU Key installed and activated successfully."
exit 0
```

Step 2: Deploy Scripts via Intune

  • Create a PowerShell Script Deployment:
    • In the Intune portal, navigate to Devices > Scripts.
    • Click on Add and select Windows 10.
    • Provide a name and description for the script.
    • Upload the detection script.
    • Configure the script settings:
      • Run this script using the logged-on credentials: No
      • Enforce script signature check: No
      • Run script in 64-bit PowerShell Host: Yes
    • Assign the script to the appropriate device groups.
  • Create a Remediation Script:
    • Navigate to Devices > Remediations.
    • Click on Create remediation.
    • Provide a name and description.
    • Upload both the detection and activation scripts.
    • Assign the remediation to the appropriate device groups.

By deploying these scripts through Intune, organizations can automate the ESU activation process, ensuring that all eligible devices receive necessary security updates without manual intervention.

Verifying ESU Activation

After deployment, it's crucial to verify that the ESU keys have been successfully installed and activated. This can be done using the following command on the client device:

```
cscript.exe C:\Windows\System32\slmgr.vbs /dlv
```

This command displays detailed licensing information, including the activation status of the ESU key. Ensure that the License Status indicates Licensed for the ESU program.
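To run the same license check across a fleet instead of reading slmgr.vbs /dlv output on each client, the script below is an added example (not part of the original post or of Microsoft's guidance). It follows the Intune Remediations convention that a detection script exiting with 1 triggers the remediation script, and it assumes that ESU add-on products contain "ESU" in their Name; the function names are hypothetical.

```powershell
# Added example: detection script for an Intune Remediation pair.
# Exit 0 = an ESU add-on is already Licensed (no remediation needed).
# Exit 1 = no ESU key installed, or installed but not Licensed (run activation).

# Application ID the Software Licensing service uses for Windows products.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

function Get-EsuLicense {
    # Only products that have a key installed expose a PartialProductKey.
    $filter = "ApplicationID = '$WindowsAppId' AND PartialProductKey IS NOT NULL"
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter -ErrorAction Stop |
        # Assumption: ESU add-ons carry 'ESU' in Name; confirm against slmgr.vbs /dlv on a test device.
        Where-Object { $_.Name -like '*ESU*' } |
        Select-Object Name, ID, LicenseStatus, PartialProductKey
}

function Test-EsuLicensed {
    param([object[]]$Products)
    # LicenseStatus 1 = Licensed; 0 = Unlicensed; 2-6 are grace or notification states.
    [bool]($Products | Where-Object { $_.LicenseStatus -eq 1 })
}

try {
    $esu = @(Get-EsuLicense)
} catch {
    Write-Output "License query failed: $($_.Exception.Message)"
    exit 1
}

if ($esu.Count -eq 0) {
    Write-Output "No ESU product key installed."
    exit 1
}

if (Test-EsuLicensed -Products $esu) {
    $ok = $esu | Where-Object { $_.LicenseStatus -eq 1 } | Select-Object -First 1
    # Report only the partial key; the full MAK never appears in Intune output.
    Write-Output "ESU licensed: $($ok.Name) (key ending $($ok.PartialProductKey))"
    exit 0
}

Write-Output "ESU key installed but not licensed (LicenseStatus: $($esu.LicenseStatus -join ','))."
exit 1
```

The single output line is what appears in the remediation's per-device detection output, so the license state can be reviewed in the Intune portal without touching the client.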

Troubleshooting Common Issues

During the activation process, administrators may encounter issues such as activation errors or connectivity problems. Common error codes include:
  • 0x80072EE7: Indicates that the device cannot communicate with the Microsoft Activation and Validation Services. Ensure that the device has internet access and that the required endpoints are reachable. (learn.microsoft.com)

Source: BornCity Windows 10 22H2: Acticate ESU with Microsoft Intune
 
