Windows 10 ESU (Extended Security Updates) for EEA not working

Hi Sinisa — you’re not alone, this “Enrol now” window flashing/closing is a common symptom right now and usually has a few specific causes we can check quickly. Before you change anything, please make a quick backup or create a restore point.
Short summary of causes

• ESU for consumers in the EEA is handled by the Settings enrollment wizard and requires an eligible Windows 10 build and a Microsoft account (EEA users get the free path but a Microsoft account is still required).
• The enrollment wizard can fail silently if Windows services used for Microsoft account sign-in / credentials / licensing are stopped or misconfigured. Several Microsoft Q&A / TechCommunity threads report the same “spinner then closes” behavior and the fix was enabling/starting those services.

What I’ll ask you to check (fast) — please report back with results

1. Which Windows build are you on? Open Run (Win+R) → type winver → Enter. Tell me the full build line (e.g. “Version 22H2 (OS Build 19045.xxxx)”). ESU enrollment requires 22H2 + latest updates.
2. Are you signed into Windows with a Microsoft account (not a local account)? Settings > Accounts > Your info should show your Microsoft account email. If you’re using a work/domain account or the PC is managed, say so (EEA free enrollment is for consumer/personal devices).

If those are OK, try the fixes below in order.
Steps to fix the “Enrol now” window that appears then disappears
Follow these steps as Administrator.
A — Check & start the three services that commonly cause this

• Services to check: Microsoft Account Sign-in Assistant (Display name), Credential Manager, Windows License Manager Service. Their service names are wlidsvc, VaultSvc and LicenseManager respectively. If any is stopped or disabled, enrollment can fail.

Open an elevated PowerShell (right‑click Start → Windows PowerShell (Admin)) and run these commands:

• Check status:
  Get-Service wlidsvc, VaultSvc, LicenseManager
• If any is stopped, set it to Automatic (or Automatic (Delayed Start)) and start it:
  Set-Service -Name wlidsvc -StartupType Automatic
  Start-Service -Name wlidsvc
  Set-Service -Name VaultSvc -StartupType Manual # Credential Manager normally Manual but must not be disabled
  Start-Service -Name VaultSvc
  Set-Service -Name LicenseManager -StartupType Manual
  Start-Service -Name LicenseManager

After that, reboot and try Enrol now again in Settings > Update & Security > Windows Update. Several users reported success after enabling these services.
B — Basic Windows health checks (if A didn’t fix it)

1. Run the Windows Update troubleshooter:
   Settings > Update & Security > Troubleshoot > Additional troubleshooters > Windows Update → Run.
2. Run SFC and DISM from elevated admin prompt:
   sfc /scannow
   DISM /Online /Cleanup-Image /RestoreHealth
3. Clear Windows Update cache (only if the troubleshooter didn’t help):
   Open an admin PowerShell and run:
   net stop wuauserv
   net stop bits
   Rename-Item -Path C:\Windows\SoftwareDistribution -NewName SoftwareDistribution.old
   net start bits
   net start wuauserv
   Reboot, then try enrollment again.

C — Try a clean boot / temporarily disable third‑party AV

• Some users reported third‑party security suites interfering with the wizard. Do a clean boot (msconfig → Services → Hide Microsoft services → Disable third‑party services) or temporarily uninstall AV and retry. (Reinstall it if you don’t see improvement.)

D — If nothing works: In-place repair upgrade

• As a last resort an in-place upgrade (repair install) of Windows 10 keeps files/apps and repairs the OS; users with persistent enrollment problems reported success after repairing Windows. Microsoft Q&A also suggests this path.

What I need from you next

• Tell me the winver output (full Version and OS Build).
• Tell me whether you’re signed into Windows with a Microsoft account and whether this is a personal PC (not domain-joined or corporate-managed).
• If you’re comfortable running commands, paste the output of:
  Get-Service wlidsvc, VaultSvc, LicenseManager

If you prefer, I can give step‑by‑step commands for each step and explain how to undo them.
Useful references I used

• Microsoft ESU enrollment and requirements page.
• Microsoft Support: Windows 10 support ends / ESU guidance.
• Microsoft Q&A / TechCommunity threads where enabling wlidsvc/VaultSvc fixed the spinner/close bug.

If you post the winver output and the Get-Service results I can give the exact next commands to run and tailor the fix.

My Windows Version 22H2 (OS Build 19045.6456)

I,m signed into Windows with a Microsoft account.

wlidsvc was stoped
VaultSvc was running
LicenseManager was running

After restarting, "Enrol Now" still not working.

After Windows Update troubleshooter run, not problems find.

sfc /scannow, Find:
Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

DISM /Online /Cleanup-Image /RestoreHealth:
Deployment Image Servicing and Management tool
Version: 10.0.19041.3636

Image Version: 10.0.19045.6456

Point B/3: After restarting, "Enrol Now" still not working.
Point C: I'm using Windows Defender

Still no improvement!

Thanks — that’s helpful. You’ve got the right build and you’re on an MSA, and you already fixed the stopped services and ran SFC/DISM, so we can move to the targeted tricks that have fixed the exact “Enrol now” flash/close behaviour for many users.
What we’ll try (in this order)
1) Confirm the required cumulative/SSU patch is installed (KB5063709 or later). If that update (or later LCUs/SSUs) is missing the wizard frequently fails.
2) Force Windows to evaluate ESU eligibility (safe, reversible). This sequence is the common community/MS guidance that usually makes the enrollment UI appear:

• Enable the Connected User Experiences and Telemetry service (DiagTrack).
• Add the Feature Management override registry value that unlocks the ESU enrollment UI.
• Reboot and force an eligibility evaluation with the built‑in consumer tool.

Run these as Administrator (copy/paste each line in an elevated Command Prompt or PowerShell):

• Enable/start DiagTrack:
  sc.exe config DiagTrack start=auto
  sc.exe start DiagTrack
• Create the feature-override registry key (this triggers the local UI check):
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v 4011992206 /t REG_DWORD /d 2 /f
• Reboot.
• After the reboot, open an elevated Command Prompt and run:
  cmd /c ClipESUConsumer.exe -evaluateEligibility
• Reboot again and then open Settings → Update & Security → Windows Update and click Enrol now (if present). These steps are the same sequence many community/MS threads used to make the wizard appear.

If you want to undo that registry override later:
reg delete "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v 4011992206 /f
3) If the wizard still flashes/vanishes: fix in‑app sign-in / WebAuth components (the ESU wizard relies on the OS in‑app sign‑in flow)

• Add your MSA explicitly under Settings → Accounts → Email & accounts → Add an account (choose Microsoft account) even if you’re already signed in — this often helps the enrollment dialog get the token it expects.
• Clear cached Windows web credentials (Control Panel → Credential Manager → Windows and Web credentials): remove entries for microsoft, live, microsoftaccount or your email, reboot, then re-add the account.
• Reset the Store and re-register the AAD broker packages (run from an elevated PowerShell):
  wsreset.exe
  Get-AppxPackage -AllUsers Microsoft.WindowsStore | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($.InstallLocation)\AppXManifest.xml"}
  Get-AppxPackage -AllUsers Microsoft.AAD.BrokerPlugin | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($.InstallLocation)\AppXManifest.xml"}
• (Optional) Install/repair WebView2 runtime — many in‑app sign-ins use WebView2; reinstall from Microsoft if you suspect it’s missing/corrupt.

4) Enable Windows Backup / Sync settings to OneDrive (temporary test)

• Even though the EEA free path relaxed some backup requirements, enabling Windows Backup (Settings → Accounts → Windows Backup / Sync your settings) has been the free trigger for many regions. Try enabling it temporarily and then retry the enrol flow.

5) If nothing works: last resorts

• Try the enrollment from a second eligible PC (sign in with the same MSA and enroll there) — the entitlement attaches to the MSA and may then propagate to your other devices.
• In‑place repair (Windows 10 repair install using the ISO/Media Creation Tool) — keeps files and apps and repairs the OS; community reports show it fixed stubborn enrollment problems.

What I need from you next

• Confirm whether KB5063709 (or a later cumulative update) is listed in Settings → Update & Security → View update history. If you prefer a command, run in elevated PowerShell:
  dism /online /get-packages | findstr /i KB5063709
• After running the DiagTrack + registry + ClipESUConsumer sequence above, report whether Enrol now appears or whether the same grey window flashes. If it still flashes, run these and paste the output:
  sc query DiagTrack
  ClipESUConsumer.exe -evaluateEligibility
  (If ClipESUConsumer is not found, try C:\Windows\System32\ClipESUConsumer.exe -evaluateEligibility)
• If the dialog still closes instantly, try the Store/AAD broker re-register and report any errors printed by PowerShell.

Safety notes

• The registry change and DiagTrack enable are reversible (I included the reg delete command). Creating a restore point before starting is a good precaution.
• I’m not asking you to change activation/licenses or buy anything yet — just to force Windows to run the local eligibility check and fix the sign‑in plumbing.

References / provenance

• The forced-evaluation + registry override sequence is the same safe sequence community/MS moderators documented to show the ESU UI.
• KB5063709 / August 2025 cumulative update fixed many enrollment wizard crashes for early adopters; confirm you have that (or a later LCU/SSU).
• Web-auth / Store / AAD broker resets and re-adding the Microsoft account fix numerous token/hand‑off problems that make the in‑app sign‑in window vanish.

If you want I can give single-click copy/paste command blocks for each step (DiagTrack + registry + ClipESUConsumer; and the Store/AAD re‑register block) so you can run them one after another. Which would you prefer?

How to confirm the required cumulative/SSU patch is installed (KB5063709 or later)?

Good — here are simple, reliable ways to confirm whether KB5063709 (or a later cumulative/SSU) is installed on your PC, plus what the results mean. Pick any method you prefer.
Quick note: KB5063709 (the August‑2025 cumulative update that fixed many ESU enrollment crashes) corresponds to build 19045.6216 for 22H2. If your winver build is higher than 19045.6216 it means you already have that update or a later cumulative installed. Your winver (19045.6456) is newer than 19045.6216, so you very likely have KB5063709 or a later LCU.
Method A — Fast GUI check (Settings)

1. Open Settings → Update & Security → Windows Update.
2. Click View update history → look under “Quality updates” (or “Feature updates/Other updates”) for entries named KB5063709 or any KB with a date on/after Aug 12, 2025.
   If you see KB5063709 (or a later KB like KB5xxxxxx) you’re good.

Method B — Control Panel installed updates

1. Open Control Panel → Programs and Features → View installed updates (top-left).
2. In the list search (top-right) type 5063709 or KB5063709.
   If found, it’s installed.

Method C — Command line (most reliable)
Open an elevated Command Prompt (Run as administrator) and run either of these:

• Recommended (DISM):
  dism /online /get-packages | findstr /i "5063709"
• Or to list all installed package IDs and search manually:
  dism /online /get-packages > C:\temp\packages.txt
  (then open C:\temp\packages.txt and search KB numbers)

If DISM returns a line that contains KB5063709 (package identity includes kb5063709) it’s installed.
Method D — PowerShell (quick list)
Open an elevated PowerShell and run:
Get-HotFix | Select-Object HotFixID, InstalledOn | Sort-Object InstalledOn -Descending
This lists many installed hotfixes; look for KB IDs (note: Get-HotFix sometimes misses some LCUs/SSUs — DISM is more complete).
How to interpret results

• You find KB5063709 (or any later cumulative KB): you have the required update that fixed many ESU enrollment issues. Proceed with the “force eligibility” steps I posted earlier.
• You do NOT find KB5063709 and your OS build is <= 19045.6216: install all Windows updates (Settings → Windows Update → Check for updates), reboot until no more updates, then retry.
• If Windows Update refuses or shows errors installing updates, tell me the error text and we’ll troubleshoot the update stack (SSU/LCU) — that’s the single biggest blocker for enrollment.

If you like, run this single DISM command and paste the output here:
dism /online /get-packages | findstr /i "5063709"
I’ll read the output and tell you the next step.

Updates I have instaled are:
KB5001716, KB5063523, KB5065957 Cumulative Update, KB5066198 (OS Build 19045.6396) Preview, KB5066747 Cumulative Update, KB5068164, KB5066791

Good — thanks for the update. Short answer: yes, your installed packages include the October cumulative (KB5066791), so the prerequisite LCU/SSU that fixed the enrollment-wizard problems is already present. That means we can move on to the targeted fixes (force a local eligibility check + fix the in‑app sign‑in plumbing) rather than chasing missing updates.
What that means

• KB5063709 (Aug 2025) was the patch that fixed many early enrollment crashes; any later cumulative that supersedes it (for example your KB5066791 / build 19045.6456) satisfies the “install the August patch or later” requirement. You’re good on that front.

Recommended next steps (do these in order)
1) Create a restore point (recommended)

• Settings → Recovery → Create a restore point — quick and reversible.

2) Force Windows to re-evaluate ESU eligibility

• Open an elevated Command Prompt (right‑click Start → Command Prompt (Admin) or PowerShell (Admin)) and run these lines one by one:
  sc.exe config DiagTrack start=auto
  sc.exe start DiagTrack
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v 4011992206 /t REG_DWORD /d 2 /f
  (Reboot)
  After reboot, open an elevated Command Prompt and run:
  C:\Windows\System32\ClipESUConsumer.exe -evaluateEligibility
  Reboot again and open Settings → Update & Security → Windows Update and click Enrol now (if it appears).
• Why: this sequence is the community/MS guidance that forces the local eligibility check and commonly surfaces the ESU enrolment UI when it’s been hidden or not yet triggered. (You can remove the registry override later with the reg delete shown below.)
• To undo the registry override:
  reg delete "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v 4011992206 /f

3) If the enrol dialog still flashes or closes immediately: fix the in-app sign-in/token hand-off

• Add your MSA explicitly:
  Settings → Accounts → Email & accounts → Add an account → Microsoft account → sign in with the same MSA.
• Clear cached Windows credentials:
  Control Panel → Credential Manager → Windows Credentials and Web Credentials → remove entries mentioning microsoft / live / your email → reboot → re-add the account.
• Reset Store / re-register AAD broker and (optionally) reinstall WebView2:
  Open an elevated PowerShell and run:
  wsreset.exe
  Get-AppxPackage -AllUsers Microsoft.WindowsStore | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($.InstallLocation)\AppXManifest.xml"}
  Get-AppxPackage -AllUsers Microsoft.AAD.BrokerPlugin | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($.InstallLocation)\AppXManifest.xml"}
  Reboot and try Enrol now again.
• These steps repair the token hand-off used by in-app sign-ins (the small sign-in window the wizard uses). Many users with the “grey window opens then disappears” symptom fixed it this way.

4) Quick additional tests if still failing

• Enable Windows Backup / Sync settings (temporary test): Settings → Accounts → Windows Backup (Sync your settings) → Turn on. In many regions this is the free trigger; in the EEA Microsoft relaxed some backup requirements but enabling it can still help the wizard appear.
• Try enrolling from a second eligible PC: sign into that PC with the same MSA and complete enrollment — the entitlement is tied to the MSA and can apply to multiple devices.

5) Last-resort options

• In-place repair (repair install) of Windows 10 (keeps apps/files) — reported to fix stubborn enrollment/UWP sign-in problems when everything else fails.

What I need from you if it still fails

1. Run and paste these outputs (copy/paste the whole output):
   sc query DiagTrack
   C:\Windows\System32\ClipESUConsumer.exe -evaluateEligibility
   If ClipESUConsumer.exe is not found, tell me the error or try:
   dir C:\Windows\System32\ClipESUConsumer.exe
2. If you see any error messages when running the Appx re-register commands, paste those errors.
3. Tell me whether a small sign-in window briefly appears behind the Settings window (try clicking Enrol now then press Alt+Tab immediately).

Caveats & notes

• You already meet the LCU/SSU prerequisite (your KB list includes KB5066791 → build 19045.6456). That removes the most common blocker — now we focus on token/sign-in/reporting plumbing.
• These steps are reversible; I included the reg delete to remove the override. Create a restore point before running registry edits if you want the extra safety.
• If you prefer, I can give you a single copy‑paste script that runs the DiagTrack + registry + evaluate steps and then the Store/AAD re-register block. Which do you want — the one-line batch for the eligibility forcing, or the full script that also re-registers Store and broker packages?

In third point, after I open an elevated PowerShell and run:
Get-AppxPackage -AllUsers Microsoft.WindowsStore | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($.InstallLocation)\AppXManifest.xml"}

I get answer in red:

$.InstallLocation : The term '$.InstallLocation' is not recognized as the name of a cmdlet, function, script file, or o
perable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try aga
in.
At line:1 char:114
+ ... ackage -DisableDevelopmentMode -Register "$($.InstallLocation)\AppXMa ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.InstallLocation:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Add-AppxPackage : Cannot find path 'C:\AppXManifest.xml' because it does not exist.
At line:1 char:61
+ ... | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($.In ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\AppXManifest.xml:String) [Add-AppxPackage], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.Windows.Appx.PackageManager.Commands.AddAppxPackageCommand

And after I run:
Get-AppxPackage -AllUsers Microsoft.AAD.BrokerPlugin | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($.InstallLocation)\AppXManifest.xml"}

I get answer in red:

$.InstallLocation : The term '$.InstallLocation' is not recognized as the name of a cmdlet, function, script file, or o
perable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try aga
in.
At line:1 char:118
+ ... ackage -DisableDevelopmentMode -Register "$($.InstallLocation)\AppXMa ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.InstallLocation:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Add-AppxPackage : Cannot find path 'C:\AppXManifest.xml' because it does not exist.
At line:1 char:65
+ ... | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($.In ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\AppXManifest.xml:String) [Add-AppxPackage], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.Windows.Appx.PackageManager.Commands.AddAppxPackageCommand



Should I reboot now or I have some problem?

You hit the problem: a small PowerShell syntax typo. Your error comes from using $(.InstallLocation) instead of the correct $($.InstallLocation). PowerShell treats $() as a subexpression and $ is the pipeline variable; without the underscore it tries to run a command named $.InstallLocation.
Do this (exact steps)
1) Open PowerShell as Administrator (right‑click Start → Windows PowerShell (Admin) or Windows Terminal (Admin)).
2) Run wsreset first (resets the Store):
wsreset.exe
3) Run the correct re‑register commands (copy/paste each full line exactly):
Get-AppxPackage -AllUsers Microsoft.WindowsStore | ForEach-Object { Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml" }
Get-AppxPackage -AllUsers Microsoft.AAD.BrokerPlugin | ForEach-Object { Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml" }
(Those are the same commands you attempted but with the correct $_ syntax.) Community guidance uses this re‑register approach to repair the in‑app sign‑in/Store broker plumbing.
4) If you want to confirm the packages exist before re‑registering, run these to list them and their InstallLocation:
Get-AppxPackage -AllUsers Microsoft.WindowsStore | Select Name, InstallLocation
Get-AppxPackage -AllUsers Microsoft.AAD.BrokerPlugin | Select Name, InstallLocation
If a package returns no rows, that package isn’t installed and Add-AppxPackage will fail — tell me the output and I’ll give the next step to reinstall it.
5) Reboot after the commands finish.
6) Then force the ESU eligibility recheck (if you haven’t already done so):

• In an elevated Command Prompt:
  sc.exe config DiagTrack start=auto
  sc.exe start DiagTrack
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v 4011992206 /t REG_DWORD /d 2 /f
• Reboot.
• Run (elevated): C:\Windows\System32\ClipESUConsumer.exe -evaluateEligibility
• Reboot and open Settings → Update & Security → Windows Update → click Enrol now.

If anything prints red/error after the corrected Add-AppxPackage lines, copy/paste the full error here. If the Get-AppxPackage checks show the packages are missing, I’ll give the exact steps to restore them (or to install the WebView2 runtime / Store repair packages) depending on what’s missing.
Short answer to your last question: don’t reboot yet — first re-run the corrected re‑register commands (with $_), then reboot. After reboot follow the eligibility steps above and try Enrol now.

After I run correct re‑register commands and confirm the packages exist before re‑registering, I reboot but still after kliking on "Enrol Now", I have only short time some empty grey window (maybe for a second).

Confirming the packages Install Location:

PS C:\WINDOWS\system32> Get-AppxPackage -AllUsers Microsoft.WindowsStore | Select Name, InstallLocation

Name InstallLocation
---- ---------------
Microsoft.WindowsStore C:\Program Files\WindowsApps\Microsoft.WindowsStore_22509.1401.11.0_x64__8wekyb3d8bbwe


PS C:\WINDOWS\system32> Get-AppxPackage -AllUsers Microsoft.AAD.BrokerPlugin | Select Name, InstallLocation

Name InstallLocation
---- ---------------
Microsoft.AAD.BrokerPlugin C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

ESU eligibility recheck:

Microsoft Windows [Version 10.0.19045.6456]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>sc.exe config DiagTrack start=auto
[SC] ChangeServiceConfig SUCCESS

C:\WINDOWS\system32>sc.exe start DiagTrack
[SC] StartService FAILED 1056:

An instance of the service is already running.


C:\WINDOWS\system32>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v 4011992206 /t REG_DWORD /d 2 /f
The operation completed successfully.

After reboot I run : C:\Windows\System32\ClipESUConsumer.exe -evaluateEligibility

and rebooted. Still same problem.

Thanks — good work so far. You’ve shown the Store and AAD broker packages exist and you ran the eligibility steps, so we’ve ruled out the common update/service / Appx-registration causes. Since the Enrol window still flashes and closes, the next step is focused diagnostics of the in‑app sign‑in / WebAuth hand‑off and any error logged when the wizard tries to start.
What I want you to try next (ordered, copy/paste where shown)
1) Quick checks (one-line)

• Confirm wlidsvc is running (Microsoft Account Sign‑in service):
  Open an elevated PowerShell and run:
  Get-Service wlidsvc, DiagTrack, VaultSvc, LicenseManager | Format-Table Name, Status, StartType

If any are Stopped, start them:
Start-Service wlidsvc
2) Enable a short Event Log capture, click Enrol now, then collect matching errors

• Run this in an elevated PowerShell BEFORE you click Enrol now — it watches recent Application events and filters for likely keywords. After you click Enrol now and see the flash, wait 10 seconds and then run the same command again to show new results:
  $start=(Get-Date).AddMinutes(-2)
  Get-WinEvent -FilterHashtable @{LogName='Application';StartTime=$start} |
  Where-Object { $_.Message -match 'ESU|ClipESU|Enroll|Enroll|Enroll now|ClipESUConsumer|WebAccount|WAM|BrokerPlugin|AAD|Store|WinStore' } |
  Select TimeCreated, ProviderName, Id, LevelDisplayName, Message -First 30 | Format-List
• Paste the output here. This will show any error entries created by the enrollment wizard or by the Store/AAD/WAM components when the dialog fails. (If nothing appears, run again but expand StartTime to AddMinutes(-5).)

Why: the enrollment dialog is a small in‑app web sign-in flow; when it fails the OS or the Store/AAD broker usually logs an error we can read. Community troubleshooting uses Event logs to find the root cause.
3) Check WebView2 runtime (in‑app UWP web views depend on this)

• In elevated PowerShell run:
  Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like 'WebView2' } |
  Select DisplayName, DisplayVersion, Publisher

If nothing is returned, install the Microsoft Edge WebView2 Runtime (Evergreen) from Microsoft (download/install, then reboot) and retry the enrol flow.
Why: many UWP sign‑in dialogs use WebView2; a missing/corrupt runtime can make the sign‑in window appear/close immediately.
4) Test the sign‑in/token path manually

• Add the MSA again via Settings → Accounts → Email & accounts → Add an account → Microsoft account (you mentioned you have an MSA, but re-adding forces a fresh token).
• Open the Windows Store and sign in there with the same MSA (Store → profile icon → Sign in) — if Store sign-in works, the broker/token path is probably OK.

If Store sign-in also fails or shows an error, paste that error here.
5) Clean boot test (rules out 3rd‑party interference)

• Do a clean boot: msconfig → Services → hide Microsoft services → Disable remaining non‑Microsoft services → Startup tab → Open Task Manager → disable non‑Microsoft startup items → reboot. Then try Enrol now.

6) Try enrolling from another PC (fast check)

• If you have a second Windows 10 22H2 PC (or a friend’s), sign into it with the same Microsoft account and try the Enrol flow there. If it succeeds, the entitlement is attached to the MSA and you can then recheck your original PC — this proves the account/entitlement side is OK and the problem is local to your device.

7) If you’re OK doing a deeper trace: Procmon capture (optional)

• I can give you exact Procmon capture/filter steps to run while you click Enrol now, then you would upload the .PML and I’ll inspect which process fails and why. This is the fastest way to see what file/registry/api call fails and produces the flash. Say “yes” and I’ll provide the exact Procmon instructions.

Useful context / why we do these

• The enrollment UI is a small, transient UWP dialog that invokes the AAD/Store/WAM token path; when that hand‑off fails the dialog often opens then closes immediately. Community/MS guidance shows that Event Viewer entries, Store sign‑in tests and WebView2 checks are the most reliable way to see the underlying error.

If you paste the output from step 1 (Get-Service) and step 2 (Get-WinEvent filtered output) I’ll read the errors and give the exact next command(s). If you want the Procmon instructions now, say so and I’ll post them.

After Confirming wlidsvc is running, I get:

PS C:\WINDOWS\system32> Get-Service wlidsvc, DiagTrack, VaultSvc, LicenseManager | Format-Table Name, Status, StartType

Name Status StartType
---- ------ ---------
DiagTrack Running Automatic
LicenseManager Running Manual
VaultSvc Running Manual
wlidsvc Running Automatic


Short Event Log capture log:

PS C:\WINDOWS\system32> $start=(Get-Date).AddMinutes(-2)
PS C:\WINDOWS\system32> Get-WinEvent -FilterHashtable @{LogName='Application';StartTime=$start} |
>> Where-Object { $_.Message -match 'ESU|ClipESU|Enroll|Enroll|Enroll now|ClipESUConsumer|WebAccount|WAM|BrokerPlugin|AAD|Store|WinStore' } |
>> Select TimeCreated, ProviderName, Id, LevelDisplayName, Message -First 30 | Format-List
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashtable @{LogName='Application';StartTime=$star ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

PS C:\WINDOWS\system32> Get-WinEvent -FilterHashtable @{LogName='Application';StartTime=$start} |
>> Where-Object { $_.Message -match 'ESU|ClipESU|Enroll|Enroll|Enroll now|ClipESUConsumer|WebAccount|WAM|BrokerPlugin|AAD|Store|WinStore' } |
>> Select TimeCreated, ProviderName, Id, LevelDisplayName, Message -First 30 | Format-List
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashtable @{LogName='Application';StartTime=$star ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

PS C:\WINDOWS\system32> $start=(Get-Date).AddMinutes(-2)
PS C:\WINDOWS\system32> Get-WinEvent -FilterHashtable @{LogName='Application';StartTime=$start} |
>> Where-Object { $_.Message -match 'ESU|ClipESU|Enroll|Enroll|Enroll now|ClipESUConsumer|WebAccount|WAM|BrokerPlugin|AAD|Store|WinStore' } |
>> Select TimeCreated, ProviderName, Id, LevelDisplayName, Message -First 30 | Format-ListGet-WinEvent -FilterHashtable @{LogName='Application';StartTime=$start} |
>> Where-Object { $_.Message -match 'ESU|ClipESU|Enroll|Enroll|Enroll now|ClipESUConsumer|WebAccount|WAM|BrokerPlugin|AAD|Store|WinStore' } |
>> Select TimeCreated, ProviderName, Id, LevelDisplayName, Message -First 30 | Format-List
Format-ListGet-WinEvent : The term 'Format-ListGet-WinEvent' is not recognized as the name of a cmdlet, function, scrip
t file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At line:3 char:77
+ ... LevelDisplayName, Message -First 30 | Format-ListGet-WinEvent -Filter ...
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Format-ListGet-WinEvent:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException


I don't belive that I did it right!

Thanks — you did the checks correctly and your services and packages look good. The next step is to capture any error the enrollment flow writes to the Event Log (and, if that fails, do a short Procmon trace). I’ll keep this minimal and give exact copy/paste commands you can run now.
Quick context: you already have the required cumulative/SSU (your build 19045.6456 includes the October cumulative), so we’re debugging the local sign‑in/hand‑off that makes the Enrol dialog open then immediately close.
Step A — reproduce + capture Application & System events (safe)
1) Close Settings so the enrol dialog starts fresh.
2) Open PowerShell as Administrator. Copy/paste exactly:
$start = Get-Date
Start-Process ms-settings:windowsupdate

Now quickly click "Enrol now" in the Windows Update pane and watch the flash.​

After the flash (wait ~5–10s) come back to PowerShell and run:​

Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=$start} -ErrorAction SilentlyContinue |
Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker|BrokerPlugin|AAD|WebAccount|MicrosoftAccount|Store|WinStore|SystemSettings' } |
Select TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 100 |
Format-List
Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$start} -ErrorAction SilentlyContinue |
Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker|AAD|WebAccount|Store|WinStore|SystemSettings' } |
Select TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 50 |
Format-List
3) Paste whatever output you get here. If the commands return “No events were found” (like before), proceed to Step B.
Notes: the Start-Process line just opens the Windows Update page for you. The $start variable ensures we only look at events created after you start the test.
Step B — check special AAD/WAM logs (some token errors are logged there)
Run these (still in the same elevated PowerShell), which list any specialized logs and then query them if present:
Get-WinEvent -ListLog WebAccount | Select LogName -First 10
Get-WinEvent -ListLog WAM | Select LogName -First 10
Get-WinEvent -ListLog AAD | Select LogName -First 10
If any log names appear (for example Microsoft-Windows-WebAccountManager/Admin or Microsoft-Windows-AAD/*), run this (substitute the exact LogName shown):
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WebAccountManager/Admin'; StartTime=$start} -ErrorAction SilentlyContinue |
Select TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$_.Message}} -First 200 |
Format-List
Paste results here.
Why I’m asking for the Event output

• The enrollment UI is a tiny in‑app web sign-in flow; when the token hand‑off fails the OS or the WebAccountManager/AAD/Store components often log an error we can read. You had no matching Application events earlier, so Step B helps find those specialized logs.

If both Step A and B return nothing useful, next option is Procmon (Process Monitor) trace.
Step C — Procmon trace (only if no useful EventLog output)
I can give you exact Procmon filters. Short version: we’ll capture for ~15s while you click Enrol now and then examine the .PML. If you’re comfortable, say “Yes — Procmon” and I’ll post the 1‑2 minute instructions (download link, filters, when to start/stop, and how to save the file). Procmon is the fastest way to see which process fails and which file/registry call returns error.
Extra quick checks while you decide

• Open Microsoft Store → click profile → sign in with your MSA. Does Store sign-in succeed without errors? (If it fails, please paste that error text — it’s a strong indicator the token path is broken.)
• Try a clean boot (msconfig → Hide Microsoft services → Disable non‑Microsoft → disable non‑Microsoft startup items) and retry Enrol now — this rules out third‑party interference.

What I need from you now

1. Run Step A (reproduce + paste Application & System results).
2. If no useful output, run Step B and paste those results.
3. If those are empty, tell me “Yes — Procmon” and I’ll give the exact Procmon steps.

We’ll get this — the logging usually points to a single failing component (WebAccountManager / WAM / WebView2 / Store token), and once we see the error text we can fix it.

I dont know why smily's are there. should be )

Thanks — your checks are thorough and helpful. Because the Store and AAD broker are present, wlidsvc/DiagTrack/VaultSvc/LicenseManager are running, and you’ve forced eligibility, the remaining likely causes are (a) the in‑app web sign‑in stack (WebView2 / WebAccountManager / WAM token hand‑off) or (b) a third‑party interference. Those components often don’t write obvious Application events, so next I’ll give a short checklist (fast to run) plus an optional Procmon capture if you’re comfortable with that.
Quick recap / why this matters

• Your OS build (19045.6456) includes the October cumulative, so you meet the update prerequisite.
• The “flash then close” behavior is usually the enrollment dialog failing to get a valid sign‑in token from the WebAccount/WAM/Store path; we need to test/repair that path or capture what fails. Community/MS troubleshooting uses these exact checks (re‑registering Store/AAD broker, WebView2, Event logs, Procmon).

What to try next (in this order)
1) Confirm Store sign‑in works (quick)

• Open Microsoft Store → click profile icon → Sign in → use the same Microsoft account.
• Does sign‑in succeed? If it fails, copy the exact error text here. Store sign‑in success strongly suggests the token broker path is OK; if it fails, that’s the likely cause.

2) Check WebView2 runtime and install it if missing (1–2 minutes)

• Run this in an elevated PowerShell to see if WebView2 is present:
  Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like 'WebView2' } |
  Select DisplayName, DisplayVersion, Publisher
• If that returns nothing, install the Microsoft Edge WebView2 Runtime (Evergreen). After installing, reboot and try Enrol now again.
  Note: WebView2 is used by many in‑app sign‑in dialogs; installing it fixes many “flash then close” issues.

3) Try a clean boot (rules out 3rd‑party interference)

• msconfig → Services tab → check “Hide all Microsoft services” → click Disable all → Startup tab → Open Task Manager → disable non‑Microsoft startup items → Reboot → Test Enrol now.
• If Enrol now works in a clean boot, re-enable services/startup items in small groups to find the culprit.

4) Re‑add the Microsoft Account and clear cached credentials (safe)

• Settings → Accounts → Email & accounts → Add an account → sign in with the same MSA (even if already signed in).
• Control Panel → Credential Manager → Windows/Web Credentials → remove any entries referencing microsoft/live/your email → reboot → sign in again.
• Then try Enrol now.

5) Enable Windows Backup / Sync settings as a temporary test

• Settings → Accounts → Windows Backup (or Sync your settings) → Turn on.
• After enabling, try Enrol now. (In many regions this is the free trigger; EEA is more relaxed but enabling it still helps surface the UI.)

6) Try enrollment from another eligible PC (fast check)

• If you have another Windows 10 (22H2) PC, sign into it with the same MSA and try Enroll there. If that PC succeeds, the entitlement attaches to the MSA and you can then re-check your primary PC — this proves the account/entitlement side is OK and narrows the problem to your device.

7) Capture specialized logs (if Store sign‑in succeeds and the above don’t help)

• Run these elevated commands, then immediately click Enrol now and paste whatever appears:
  $start = Get-Date
  Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WebAccountManager/Admin'; StartTime=$start} -ErrorAction SilentlyContinue |
  Select TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$_.Message}} -First 200 |
  Format-List
  Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=$start} -ErrorAction SilentlyContinue |
  Where-Object { $.Message -match 'ClipESU|ClipESUConsumer|Enroll|Enrol|WAM|Broker|BrokerPlugin|AAD|WebAccount|Store' } |
  Select TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 200 |
  Format-List
• If either returns records, paste them here.

8) Procmon capture (only if the logs are empty) — I can give exact 1–2 minute instructions

• Procmon is the fastest way to see which process/API fails when you click Enrol now. If you want to do this, say “Yes — Procmon” and I’ll post the exact steps: which filters to set, when to start/stop, and how to save the .PML for inspection. It’s safe but technical; I’ll keep instructions short.

If you want to proceed now, tell me which you want to try next:

• “Store sign-in” result (tell me success/error) — I’ll interpret it.
• Or say “Install WebView2” if you want the install guidance next.
• Or say “Yes — Procmon” and I’ll give the Procmon steps.

Either way we’re close: your machine meets the update/service prerequisites, and the remaining checks are the usual final fixes that resolve the sign‑in hand‑off the ESU wizard needs.

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell Install PowerShell on Windows, Linux, and macOS - PowerShell

PS C:\WINDOWS\system32> $start = Get-Date
PS C:\WINDOWS\system32> Start-Process ms-settings:windowsupdate
PS C:\WINDOWS\system32> Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=$start} -ErrorAction SilentlyContinue |
>> Where-Object { $.Message -match
>> 'ClipESU|ESU|Enroll|Enrol|WAM|Broker|BrokerPlugin|AAD|WebAccount|MicrosoftAccount|Store|WinStore|SystemSettings' } |
>> Select TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 100 |
>> Format-List
PS C:\WINDOWS\system32> Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$start} -ErrorAction SilentlyContinue |
>> Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker|AAD|WebAccount|Store|WinStore|SystemSettings' } |
>> Select TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 50 |
>> Format-List
$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Thanks — that output explains the problem: your PowerShell errors were caused by missing the pipeline variable $_ in the Where-Object and Select expressions. I’ll give the exact, corrected commands to capture the Application/System events (so we can see why the enrol dialog closes), plus a couple of quick checks (Store sign-in, WebView2) and — if logs are empty — safe Procmon steps.
Important: copy/paste the commands exactly.
1) Reproduce the failure and capture Application + System events

• Open PowerShell as Administrator.
• In PowerShell copy/paste these lines exactly (do not modify):

$start = Get-Date
Start-Process ms-settings:windowsupdate

Now click Enrol now in the Windows Update pane and wait ~5–10 seconds AFTER the grey window flashes.​

Then return to PowerShell and paste/run the next two commands:​

Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=$start} -ErrorAction SilentlyContinue |
Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker|BrokerPlugin|AAD|WebAccount|MicrosoftAccount|Store|WinStore|SystemSettings' } |
Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 100 |
Format-List
Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$start} -ErrorAction SilentlyContinue |
Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker|AAD|WebAccount|Store|WinStore|SystemSettings' } |
Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 50 |
Format-List

• Paste whatever output you get here. If it returns nothing, that’s fine — proceed to step 2 below.

Why: the corrected $_ usage is required to inspect the Message property of each event object. These event queries often show the specific token/WAM/Store error that causes the UI to close. Community troubleshooting uses this technique to find the root cause.
2) Check the WebAccount / WAM specialized logs (some failures are logged there)
Run these (still in elevated PowerShell). They list special logs and then query the WebAccountManager admin log if present:
Get-WinEvent -ListLog WebAccount | Select LogName -First 10
Get-WinEvent -ListLog WAM | Select LogName -First 10
Get-WinEvent -ListLog AAD | Select LogName -First 10
If you see a log name like Microsoft-Windows-WebAccountManager/Admin, run (replace the log name exactly if different):
$start = Get-Date

Open the Windows Update page and click Enrol now, then run:​

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WebAccountManager/Admin'; StartTime=$start} -ErrorAction SilentlyContinue |
Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$_.Message}} -First 200 |
Format-List
Paste the output.
3) Quick checks to do now (each ~1–2 minutes)

• Microsoft Store sign-in:
  Open Microsoft Store → click profile icon → Sign in → use the same Microsoft account.
  Tell me whether sign-in succeeds or what error you see (exact error text or screenshot).
• Check WebView2 runtime (in PowerShell run):

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* -ErrorAction SilentlyContinue |
Where-Object { $_.DisplayName -like 'WebView2' } |
Select DisplayName, DisplayVersion, Publisher
If nothing is returned, install the Microsoft Edge WebView2 Runtime (Evergreen), reboot, then retry Enrol now. Missing/corrupt WebView2 is a common cause for instant‑closing in‑app sign‑in dialogs.
4) Clean boot test (if Store sign-in works and logs are empty)

• msconfig → Services → check “Hide all Microsoft services” → Disable all → Startup → Open Task Manager → disable non‑Microsoft startup items → reboot → try Enrol now.
  If that fixes it, re-enable disabled items in small groups to find the culprit.

5) Procmon capture (only if the event logs and Store sign-in give nothing useful)
If you’re OK doing a short capture I’ll give step-by-step Procmon instructions. Summary:

• Download and run Process Monitor (Sysinternals) as admin, set filters to only show relevant processes (SystemSettings.exe, RuntimeBroker.exe, explorer.exe), clear the display, start capture, click Enrol now, stop capture after ~8–12s, save .PML, upload it here. I’ll inspect the trace for the failing API/file/registry call and tell you which component to repair. This is the fastest way to see exactly what fails when the window opens then closes.

6) Next steps based on likely outcomes

• If Application/System or WebAccountManager logs show token/WAM errors: we’ll try clearing credentials, re-adding the MSA, wsreset, and re-register the broker/Store (you already did that), and reinstall WebView2 if needed.
• If Procmon shows an access/permission error for a file/registry: I’ll give the precise repair command.

One more note: you already met the update prerequisite (your build is 19045.6456), so the issue is local to the sign‑in/token/embedded web view path — that’s exactly what the steps above target.
Which do you want to do next?

• Run the corrected Get-WinEvent commands now and paste output here. (Recommended.)
• Or skip to Procmon and I’ll give exact short instructions. (Also fine if you prefer.)

Either way I’ll interpret the results and give the exact repair commands.

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell Install PowerShell on Windows, Linux, and macOS - PowerShell

PS C:\WINDOWS\system32> $start = Get-Date
PS C:\WINDOWS\system32> Start-Process ms-settings:windowsupdate
PS C:\WINDOWS\system32> Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=$start} -ErrorAction SilentlyContinue |
>> Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker|BrokerPlugin|AAD|WebAccount|MicrosoftAccount|Store|WinStore|SystemSettings' } |
>> Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 100 |
>> Format-List
PS C:\WINDOWS\system32> Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$start} -ErrorAction SilentlyContinue |
>> Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker|AAD|WebAccount|Store|WinStore|SystemSettings' } |
>> Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 50 |
>> Format-List
$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

$.Message : The term '$.Message' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:16
+ Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker| ...
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Right — the repeated errors are just the same small PowerShell typo (you used $. instead of the pipeline variable $_). Below are the exact copy/paste commands to run (no edits) plus the quick checks to do next. Do them in order and paste any output you get.
1) Reproduce + capture Application and System events

• Open PowerShell as Administrator and paste this whole block exactly (then click Enrol now in Settings → Windows Update and wait ~5–10 seconds after the grey window flashes, then return to PowerShell and press Enter to run the Get-WinEvent queries):

$start = Get-Date
Start-Process ms-settings:windowsupdate

— now click "Enrol now" and wait ~5–10s —​

Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=$start} -ErrorAction SilentlyContinue |
Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker|BrokerPlugin|AAD|WebAccount|MicrosoftAccount|Store|WinStore|SystemSettings' } |
Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 100 |
Format-List
Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$start} -ErrorAction SilentlyContinue |
Where-Object { $.Message -match 'ClipESU|ESU|Enroll|Enrol|WAM|Broker|AAD|WebAccount|Store|WinStore|SystemSettings' } |
Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$.Message}} -First 50 |
Format-List
If any events are shown, copy/paste the full output here.
2) Check WebAccountManager specialized log (some sign-in errors go there)

• Still in elevated PowerShell run:

Get-WinEvent -ListLog WebAccount | Select-Object LogName -First 10
If you see a log named Microsoft-Windows-WebAccountManager/Admin (or similar), run this (again click Enrol now first, then run it):
$start = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WebAccountManager/Admin'; StartTime=$start} -ErrorAction SilentlyContinue |
Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, @{Name='Message';Expression={$_.Message}} -First 200 |
Format-List
Paste any output.
3) Quick Store sign-in test (manual)

• Open Microsoft Store → click the profile icon (top-right) → Sign in → use the same Microsoft account you use on Windows.
• Tell me whether sign-in succeeds, or paste the exact error text if it fails.

4) Check WebView2 runtime (PowerShell)

• Run this exact command in elevated PowerShell:

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* -ErrorAction SilentlyContinue |
Where-Object { $_.DisplayName -like 'WebView2' } |
Select-Object DisplayName, DisplayVersion, Publisher

• If it returns nothing, install the Microsoft Edge WebView2 Runtime (Evergreen) from Microsoft, reboot, then try Enrol now again and repeat step 1.

5) Clean-boot quick test (if Store sign-in OK and logs are empty)

• msconfig → Services → check “Hide all Microsoft services” → Disable all non‑Microsoft services → Startup → Open Task Manager → disable non‑Microsoft startup items → Reboot → Try Enrol now. If that fixes it, re-enable items in small groups to find the conflict.

6) Procmon (only if logs and Store sign-in show nothing)

• If the event logs show nothing and Store sign-in succeeds, say “Yes — Procmon” and I’ll give a 1–2 minute safe Procmon procedure to capture exactly which process/API fails when the enrol window flashes.

Important notes

• Use the exact $_ variable (underscore) inside Where-Object and Select expressions — that was the earlier cause of the red errors.
• Paste the full outputs from steps 1 or 2, or the Store sign-in result. That output is what will point to the failing component and the exact next fix.

Which step did you run already and what output did it give? If you want to go straight to Procmon, say “Yes — Procmon” and I’ll post the exact capture/filter/start/stop steps.