Microsoft’s end-of-support deadline for Windows 10 has arrived, and for organizations that must keep Windows 10 devices in production the Extended Security Updates (ESU) program is the single most important stopgap to retain critical security patches — but only if those devices are prepared, licensed, and activated correctly. This guide walks enterprise IT teams through where to find your Windows 10 ESU Multiple Activation Key (MAK), how to deploy and verify ESU activation at scale (including offline and proxy activation options), what network and OS prerequisites to check, and how Windows 365 entitlements change the activation story for physical endpoints. The instructions and recommendations below are grounded in Microsoft’s official ESU guidance and validated against independent reporting and community experience; any inconsistent or unverifiable items are flagged with cautionary language.
Background / Overview
Windows 10 mainstream updates ended on October 14, 2025. After that date, Microsoft stopped issuing routine cumulative feature and quality updates to non‑ESU Windows 10 devices;
security updates are available only for devices enrolled in ESU (consumer or commercial) or for qualifying cloud/virtual environments where Microsoft provides the coverage automatically. Microsoft’s official ESU documentation defines the requirements, activation mechanics, and cloud entitlements that follow. Why this matters now: ESU is a narrowly scoped, time‑boxed program that supplies
security‑only fixes (Critical and Important) — it is not a long‑term replacement for migration to a supported OS. Treat ESU as a controlled breathing room to complete application, hardware and desktop migration projects while keeping the attack surface reduced. Independent reporting and community playbooks reinforce the same practical advice: inventory, backup, pilot, then enroll the highest‑risk machines in ESU while you schedule broader upgrades.
Microsoft ESU programs — consumer vs commercial (brief)
- Consumer ESU: one‑year coverage (through Oct 13, 2026), with enrollment options that include a free route (sync/OneDrive backup), Microsoft Rewards redemption, or a paid one‑time purchase (roughly US$30). One consumer ESU license can often be applied to multiple personal devices tied to the same Microsoft account (implementation limits apply).
- Commercial ESU: sold via Volume Licensing / Cloud Service Provider channels, sold per device and renewable annually for up to three years; Microsoft’s stated Year‑1 commercial price is US$61 per device (subsequent years increase). Commercial ESU requires activation with a MAK (5x5 key) and administrative control to install it on devices.
Treat both as temporary: ESU covers security updates only and intentionally excludes feature updates and broad support.
Quick executive checklist (what to complete before mass activation)
- Confirm each device runs Windows 10, version 22H2 and has the required preparatory cumulative and servicing stack updates applied (see KB prerequisites below).
- Ensure local administrator rights are available for the activation step or that a management tool can run the install/activation script.
- Ensure devices can reach Microsoft activation and validation endpoints (transparent firewall/proxy rules).
- Obtain the ESU MAK from the Microsoft 365 Admin Center (Product Key Reader or VL Administrator role required).
- Decide activation method: slmgr.vbs script, Intune/ConfigMgr remote script, VAMT proxy activation, or phone activation for isolated networks.
- Verify activation with slmgr.vbs /dlv or Windows Event Viewer (ClipESU event 113) depending on the ESU scenario.
- For Windows 365-connected endpoints, confirm Microsoft Entra join state and the EnableESUSubscriptionCheck flag is deployed where required.
Prerequisite details: versions, KBs, and the KB5066791 caveat
- Required OS build: Devices must be on Windows 10, version 22H2. Commercial guidance specifically references 22H2 with the listed KB updates as a minimum baseline.
- Key servicing baseline: Microsoft’s October 2025 cumulative (KB5066791) was distributed as the last broadly‑distributed public cumulative update, and the ESU enrollment/activation flows expect devices to be fully patched to the updated servicing baseline before they will be eligible for ESU updates. That KB has been widely reported as the October 2025 release and appears in multiple Microsoft pages and industry coverage. If you haven’t installed the preparatory updates you may not see enrollment or ESU activation succeed.
- Local admin rights: You need admin privileges to run slmgr.vbs or to allow management tools to install keys.
Caution: Some devices have reported a
display‑only “end of support” banner in Settings after installing KB5066791; Microsoft confirmed this is a UI display bug and that devices with valid ESU entitlements continue to receive updates. Do not rely solely on the Settings banner — use the
slmgr.vbs /dlv output or ClipESU Event 113/registry keys for authoritative verification.
Where to find the Windows 10 ESU Multiple Activation Key (MAK)
To retrieve the commercial ESU MAK you must be assigned either the
Product Key Reader or
VL Administrator role in the Microsoft 365 admin center. Once you have appropriate rights:
- Sign in to the Microsoft 365 admin center.
- Go to Billing > Your products, then select the Volume licensing tab.
- In Contracts, choose View contracts for the agreement under which ESU was purchased.
- Select the three‑dot menu (More actions) and choose View product keys. The ESU 5x5 MAK will appear on the Product keys page.
If the MAK is not visible, confirm your account roles and that the purchase mapping is complete; contact Microsoft volume licensing support or your reseller if necessary.
Enabling and activating ESU on devices (step‑by‑step)
Microsoft’s supported activation uses the built‑in Volume Activation script (slmgr.vbs). The canonical online activation flow is:
- From an elevated Command Prompt on the client run:
- slmgr.vbs /ipk <ESU MAK>
- (This installs the ESU MAK on the device and shows a success dialog.
- Use the Activation ID that corresponds to the ESU year and run:
- slmgr.vbs /ato <Activation ID>
- Activation IDs (Microsoft provided):
- Win10 ESU Year1: f520e45e-7413-4a34-a497-d2765967d094
- Win10 ESU Year2: 1043add5-23b1-4afb-9a0f-64343c8f3f8d
- Win10 ESU Year3: 83d49986-add3-41d7-ba33-87c7bfb5c0fb
- Verify with:
- slmgr.vbs /dlv
- The output should show the Name of the ESU program and a License Status of “Licensed” for that entry.
Activation can be automated or executed remotely:
- Management tools: Use Microsoft Intune, Configuration Manager (SCCM), or your RMM to push a simple script that runs the slmgr commands on endpoints (run elevated).
- Volume Activation Management Tool (VAMT): Use VAMT as a proxy to activate batches of devices and manage MAK usage counts; Microsoft publishes VAMT updates and PkeyConfig packages to support ESU keys.
- Telephone activation: For isolated or air‑gapped fleets, phone activation is supported per standard Microsoft volume activation workflows.
Operational tip: Keep a centrally audited runbook and automation that records the MAK used, activation dates, and which activation ID was applied (Year1/Year2/Year3). That avoids accidental re-use of the wrong year and simplifies renewals.
Network and firewall requirements: endpoints that must be reachable
ESU activation and servicing require contact with Microsoft activation and validation endpoints. Confirm proxies, NGFW rules, and egress filters permit access to the following domains from devices that will be activated or validated:
Additionally, if your physical Windows 10 endpoints will access Windows 365 Cloud PCs you must allow:
Microsoft documents this list and notes that some cloud and virtualization scenarios are automatically entitled to ESU without keys (Azure Virtual Desktop, Azure VMs, Windows 365 Cloud PCs, etc., while other non‑Azure virtualization platforms may require manual activation. Confirm these endpoints in your environment and test with a pilot device. Caution: Microsoft does not publish stable IP ranges for these services — allow domain/URL access rather than static IPs.
Verifying activation and enrollment
There are multiple authoritative checks depending on how the ESU was assigned:
- MAK (key‑based) activations:
- Run slmgr.vbs /dlv and verify the ESU program name and License Status = Licensed. This is the canonical verification for MAK scenarios.
- Windows 365 / Cloud‑backed entitlements:
- Verify the registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU\Win10CommercialW365ESUEligible = 1 (REG_DWORD).
- Check Event Viewer: Applications and Services Logs > Microsoft > Windows > ClipESU → look for Event ID 113 which indicates the Windows 365 ESU license was successfully applied. Note: Event ID 113 and the Win10CommercialW365ESUEligible key are specific to the Windows 365 path and not the MAK 5x5 scenario.
Operational note: The Settings UI may display an “end of support” banner even for devices that are correctly licensed. Use the tools above for authoritative status.
Windows 365 entitlements and physical endpoint eligibility
Microsoft provides ESU coverage at no additional cost in several cloud/virtual environments (Windows 365 Cloud PCs, Azure Virtual Desktop, Azure VMs, Azure Dedicated Host, Azure Stack variants). For organizations using Windows 365, local Windows 10 endpoints used by Windows 365 users may also be entitled to ESU if specific conditions are met:
- The local device must be Microsoft Entra joined or Microsoft Entra hybrid joined (registered only or plain AD‑joined devices do not qualify for this entitlement).
- Users must sign in to the physical Windows 10 device with the same Microsoft Entra ID they use for their Windows 365 Cloud PC on a regular cadence. Microsoft’s documentation indicates the requirement is to sign in at least once every 22 days in some pages and at least once every month in others; this inconsistency exists in the documentation, so configure your compliance policy to require the more frequent 22‑day cadence to be safe.
- IT must enable the EnableESUSubscriptionCheck flag (REG_DWORD = 1) via Intune (custom policy / OMA‑URI), another MDM, or a registry deployment so that the device verifies Windows 365 subscription entitlement. Microsoft documents the Intune OMA‑URI and registry location and the procedure for verification.
An eligible user can activate ESU on up to
10 devices when using the Windows 365 entitlement path. Note that personal / BYOD devices that are merely Entra registered and unmanaged may not qualify; those devices should follow consumer ESU enrollment paths instead. Caution: Microsoft’s documentation contains minor wording variations between pages (22 days vs “once per month”) — implement the stricter sign‑in cadence and use the registry/Event Viewer checks for confirmation.
Mass deployment strategies and automation best practices
- Use your endpoint management stack (Intune, SCCM/ConfigMgr, or RMM) to:
- Ensure Windows 10 clients are patched to the required baseline automatically.
- Push the slmgr /ipk and slmgr /ato commands as a single elevated scheduled task or PowerShell runbook.
- Deploy the EnableESUSubscriptionCheck policy via Intune OMA‑URI for Windows 365 eligibility checks.
- For large offline or segmented fleets, deploy VAMT as a proxy activation server and import the ESU PkeyConfig updates Microsoft supplies for VAMT to streamline activations and monitor MAK usage counts.
- Keep activation logs: capture slmgr output, activation timestamps, and license status into your SIEM or a central CMDB for audit and renewal planning.
- Build a rollback/restore plan: image backups before mass activation or servicing changes; ESU activation itself is reversible but change control still matters.
Troubleshooting and common pitfalls
- KB5066791 display issue: Some devices show an erroneous “end of support” banner after installing KB5066791 — Microsoft stated this is only a UI bug and does not affect licensed ESU updates. Verify via slmgr /dlv or ClipESU event 113.
- Activation fails due to blocked endpoints: Check proxy/firewall rules and TLS interception appliances; ensure TLS 1.2 support and SNI pass‑through for the activation domains listed earlier. Microsoft explicitly recommends allowing domain access rather than IPs.
- MAK visibility: If the MAK does not appear in the Microsoft 365 admin center, verify Product Key Reader/VL Administrator role assignment and that the EA/Volume agreement mapping is complete with your tenant or reseller. If it still doesn’t appear, contact Microsoft volume licensing support.
- Windows Update not delivering ESU CUs: Verify device eligibility, registry keys for Windows 365 scenarios, and Event Viewer entries. For key‑based devices, slmgr.vbs /dlv is the primary check. For Windows 365‑backed devices use ClipESU operational logs and the Win10CommercialW365ESUEligible registry value.
Security and compliance considerations — risk analysis
Strengths:
- ESU reduces immediate exposure to high‑severity vulnerabilities and provides breathing room for migration planning.
- Windows 365 and Azure VM entitlements provide a cost‑effective option for many workloads without manual key activation.
Risks and limitations:
- ESU is time‑limited and progressively more expensive for commercial licenses; organizations should not rely on it as permanent support. Microsoft’s published pricing (Year‑1 commercial US$61, consumer US$30 for Year‑1 consumer options) and the documented year‑over‑year increases make long‑term use financially unattractive and are intended to accelerate migration. Verify pricing with your licensing reseller because programs and discounts (Intune/Windows Autopatch customers, education discounts, or CSP offers) may apply.
- ESU does not restore feature/update parity and is unlikely to satisfy auditors or insurers indefinitely — many compliance frameworks require supported software versions. Consult legal, audit, and risk teams before electing ESU as a compliance workaround.
- BYOD and privacy: consumer free enrollment options require a Microsoft Account and optional OneDrive backup/sync, which may not be acceptable for some users. Document and communicate privacy tradeoffs if you adopt the free consumer route.
Flag for IT leaders: any absolute claims about the number of Windows 10 devices still in the wild are estimations; do not base procurement or migration budgets on a single third‑party telemetry claim without cross‑validation.
A practical, prioritized rollout plan (recommended)
- Inventory and classify (Days 0–7)
- Identify every Windows 10 device (edition, build, owner, role, network zone).
- Tag devices by upgradeability (Windows 11 eligible, firmware changes possible, permanently ineligible).
- Prioritize (Days 7–14)
- Migrate or replace internet-facing, privileged, or regulated devices first.
- Enroll only the devices that cannot be migrated within your migration window.
- Baseline and patch (Days 7–21)
- Install the required servicing updates (KB5066791 or the MS‑documented baseline), SSUs and rollups; confirm update health.
- Pilot activation (Days 21–35)
- Activate ESU on a small set via slmgr or VAMT; validate Windows Update delivery for ESU CUs and verify with slmgr /dlv or ClipESU Event 113.
- Mass activation with automation (Days 35–90)
- Push scripted activation via Intune/ConfigMgr or use VAMT proxy for offline segments; record activations.
- Sunset plan (within ESU term)
- Schedule migration of ESU devices to Windows 11 or alternative platforms before ESU coverage ends (commercial renewal costs rise quickly).
Closing recommendations (what to prioritize this week)
- Audit: run a fast inventory to find high‑risk Windows 10 endpoints and confirm 22H2 + KB baseline status.
- Network: unlock the activation/validation endpoints from your proxy and test a pilot activation to catch firewall issues early.
- Roles: ensure at least one account in your tenant has the Product Key Reader or VL Administrator role so you can retrieve the MAK immediately.
- Automation: build a script in your management tool to run slmgr.vbs /ipk → /ato and to capture slmgr /dlv output for compliance records.
- Windows 365: if you already use Windows 365, deploy the EnableESUSubscriptionCheck Intune policy and enforce the 22‑day sign‑in cadence (or “once per month” where relevant) to avoid surprise ineligibility; log Event ID 113 on endpoints for audit trails.
This is a technical and operational sprint: ESU is designed to buy time, not to defer modernization. Use the activation and entitlement checks described above as the source of truth; rely on slmgr.vbs /dlv and ClipESU.Event logs rather than Settings banners; document every activation and automate the routine where possible. For any unresolved MAK visibility, activation failures, or ambiguous licensing questions, open a ticket with your Microsoft licensing partner or Microsoft volume licensing support — don’t guess on entitlement.
(Selected related reading and community playbooks available in your organization’s knowledge base.
Source: Microsoft - Message Center
Preparing commercial Windows 10 devices for ESUs - Windows IT Pro Blog