

Enable Windows 10 Extended Security Updates (ESU) for clients accessing cloud and virtual machines

Important

Looking for consumer information? For individuals or Windows 10 Home customers, more information about Extended Security Updates for Windows 10 is available in the following resources:

The Windows 10 Extended Security Updates (ESU) program allows organizations to receive critical and important security updates for PCs enrolled in the paid subscription service. ESU extends the use of Windows 10 devices past the end of support date on October 14, 2025. This article provides instructions on how to enable the ESU keys in commercial environments.

Prerequisites

To enable ESU for Windows 10, you must meet the following prerequisites:

Device requirements:

  • Windows 10, version 22H2 with KB5066791, or a later update installed
  • Extended Security Updates (ESU) Licensing Preparation Package for Windows 10 KB5072653 must be installed after KB5066791
  • Administrative privileges on the device

Windows 10 Long Term Servicing releases (LTSB/LTSC) have their own lifecycles and are NOT covered via the Windows 10 ESU program. For more information, see Microsoft Lifecycle.

Endpoints needed for Windows 10 devices accessing Windows 365 Cloud PCs:

  • https://dls.microsoft.com
  • https://login.windows.net

Cloud and virtualization scenario considerations

Some cloud and virtualization scenarios have specific considerations for enabling ESU. In some cases, ESU is already enabled for you and in others, you may need to take additional steps. The following list summarizes these scenarios:

  • Extended Security Updates (ESU) are available at no additional cost for Windows 10 virtual machines in the following Microsoft-hosted or Azure-integrated environments. No additional configuration or keys are needed in the following environments:

  • Other virtualization platforms that run on Azure (such as Nutanix, Citrix, or Omnissa Horizon on Azure VMware Solution) may require manual ESU key activation.

    Contact your Microsoft account team to obtain a 5x5 key. Activation can be managed with the Volume Activation Management Tool or with a script.

Configure nonpersistent VDI

When configuring Windows 10 ESU in a nonpersistent VDI configuration, follow these steps; otherwise, you'll consume activations on the Windows 10 ESU key:

  1. Install Windows 10, version 22H2.

  2. Install and activate the Windows 10 ESU key using the install and activate the ESU key instructions.

  3. Install the latest update and restart.

  4. Remove the Windows 10 ESU product key with the following command, where <Activation ID> is the Activation ID from the table:

    ESU Program        Activation ID
    Win10 ESU Year1    f520e45e-7413-4a34-a497-d2765967d094
    Win10 ESU Year2    1043add5-23b1-4afb-9a0f-64343c8f3f8d
    Win10 ESU Year3    83d49986-add3-41d7-ba33-87c7bfb5c0fb

    cscript.exe %windir%\system32\slmgr.vbs /upk <Activation ID>
    
  5. Run sysprep to prepare the VDI image for duplication.

  6. Create your golden image.

Follow the same steps to update your golden image used for deployment with VDI devices when new updates are released.
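
Skipping the key-removal step is what makes cloned desktops consume activations, so it is worth gating sysprep on it. The following PowerShell guard is an added example, not part of the original article: run elevated on the golden image, it looks in the SoftwareLicensingProduct WMI class for any of the three Activation IDs from the table, removes them with the same slmgr.vbs /upk command, and stops if a key is still present. The variable and function names are illustrative.

```powershell
# Added example: pre-sysprep guard for a nonpersistent VDI golden image.
# Activation IDs are copied from the table in step 4; names are illustrative.
$EsuPrograms = @{
    'f520e45e-7413-4a34-a497-d2765967d094' = 'Win10 ESU Year1'
    '1043add5-23b1-4afb-9a0f-64343c8f3f8d' = 'Win10 ESU Year2'
    '83d49986-add3-41d7-ba33-87c7bfb5c0fb' = 'Win10 ESU Year3'
}

function Get-InstalledEsuKey {
    # SoftwareLicensingProduct.ID holds the Activation ID. A non-null
    # PartialProductKey means a product key is installed for that SKU.
    Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter 'PartialProductKey IS NOT NULL' |
        Where-Object { $EsuPrograms.ContainsKey($_.ID) } |
        ForEach-Object {
            [pscustomobject]@{
                Program      = $EsuPrograms[$_.ID]
                ActivationId = $_.ID
                KeySuffix    = $_.PartialProductKey
            }
        }
}

$slmgr = Join-Path $env:windir 'System32\slmgr.vbs'

# Remove every ESU key that is currently installed (step 4).
foreach ($key in @(Get-InstalledEsuKey)) {
    Write-Host "Removing $($key.Program) key ending in $($key.KeySuffix)"
    & cscript.exe //NoLogo $slmgr /upk $key.ActivationId
}

# Re-query instead of trusting the exit code, then block sysprep on failure.
$remaining = @(Get-InstalledEsuKey)
if ($remaining.Count -gt 0) {
    $remaining | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'ESU product key still installed; do not run sysprep on this image.'
}
Write-Host 'No ESU product key installed; image is ready for sysprep.'
```

Running it again after each golden-image update catches a key that was reinstalled during the update cycle.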

Extended Security Update for local devices accessing Windows 365

Windows 10 devices accessing Windows 365 Enterprise Cloud PCs and Windows 365 Frontline Cloud PCs in dedicated mode are automatically entitled to ESU for the duration of the ESU offer if the user has an active Windows 365 Enterprise license assigned or Windows 365 Frontline Cloud PC in dedicated mode provisioned, provided the following conditions are met:

  • The local Windows 10 device is either Microsoft Entra joined or Microsoft Entra hybrid joined.
    • Devices that are only Microsoft Entra registered or on-premises Active Directory joined aren't eligible for commercial ESU access with Windows 365. Windows Autopatch enrollment isn't a requirement.
    • Personal or BYOD devices that aren't managed by the organization and are only Microsoft Entra registered won't qualify for this entitlement. These devices should be enrolled via the Consumer ESU program. An eligible user can activate up to 10 devices.
  • Users must sign in to their physical Windows 10 device using the same Microsoft Entra ID account they use for Windows 365 Cloud PCs at least once every 22 days to maintain eligibility for ESU updates on that device.
  • IT administrators must use Microsoft Intune or another MDM provider to deploy a custom policy that enables the EnableESUSubscriptionCheck flag. This policy helps verify whether a device is enrolled in the Windows 10 ESU subscription program.

To configure the EnableESUSubscriptionCheck flag with Intune

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices > Manage devices > Configuration.
  3. Select Create then New Policy.
  4. Select the following properties for the policy profile:
    1. Platform: Windows 10 and later
    2. Profile type: Custom, or Templates > Custom
  5. Select Create.
  6. Under Basics, provide the following properties, then select Next when done.
    1. Name: EnableESUSubscriptionCheck
    2. Description: Enable Windows 10 ESU subscription check
  7. Under Configuration settings, select Add to add a new OMA-URI setting with the following properties, then select Next when done:
    1. Name: EnableESUSubscriptionCheck
    2. Description: Enable Windows 10 ESU subscription check
    3. OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Licensing/EnableESUSubscriptionCheck
    4. Data type: Integer
    5. Value: 1 (A value of 0 disables the check.)
  8. Under Assignments, select the groups you want to assign the policy to, then select Next.
  9. Select Next under Applicability Rules.
  10. Under Review + create, review your settings.
  11. Select Create to finish creating the policy.

Note

ESU licenses will be automatically backfilled to your Windows 365 subscription and will appear in the Microsoft 365 admin center.

Verify ESU enrollment for Windows 365 users and devices

Windows 365 Enterprise

To confirm ESU enrollment for Windows 365 Enterprise users:

  1. Sign in to the Microsoft 365 admin center.
  2. Select Billing > Licenses.
  3. Select the Windows 365 Enterprise subscription.
  4. Select a user you'd like to verify, then select Manage apps & services.
  5. In the flyout, confirm that Windows 10 ESU Commercial is listed and enabled for the user.

Windows 365 Frontline (Dedicated)

To confirm ESU enrollment for Windows 365 Frontline users:

  1. From the Microsoft 365 admin center, go to Billing > Your Products > Windows 365 Frontline.

  2. From the Microsoft Intune admin center, go to Devices > Windows 365 > All Cloud PCs. Filter the Cloud PCs by Frontline Type = Dedicated.

Verify ESU enrollment on devices

To verify a device is enrolled in the ESU program, check for the following registry entry on the Windows 10 physical endpoint that would connect to a Windows 365 Cloud PC:

  • Key: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU
  • Name: EnableESUSubscriptionCheck
  • Type: REG_DWORD
  • Value: 1

Verify ESU eligibility and update readiness

To confirm that a device has completed enrollment and is eligible to receive ESU updates, check for the following on the Windows 10 physical endpoint that would connect to a Windows 365 Cloud PC:

  • Registry entry:

    • Key: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU
    • Name: Win10CommercialW365ESUEligible
    • Type: REG_DWORD
    • Value: 1
  • In Event Viewer > Applications and Services Logs > Microsoft > Windows > ClipESU, check for Event ID 113. This event indicates that the Windows 365 ESU license was successfully installed.

    Note

    This event log is specific to the Windows 365 user and devices ESU solution. It's not for the ESU MAK 5x5 product key ESU solution.
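
The two verification sections above can be checked together on the physical endpoint. The following PowerShell is an added example, not part of the original article: it reads both registry values, looks for Event ID 113, and tests TCP reachability of the two required endpoints. It assumes the ClipESU channel name begins with Microsoft-Windows-ClipESU (the article gives only the Event Viewer path), and the function names are illustrative.

```powershell
# Added example: endpoint-side check of the values this article lists.
$esuKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU'

function Test-EsuDword {
    param([string]$Name)
    # True only when the value exists under the ESU key and equals 1.
    $item = Get-ItemProperty -Path $esuKey -Name $Name -ErrorAction SilentlyContinue
    [bool]($item -and $item.$Name -eq 1)
}

function Test-Https {
    param([string]$HostName)
    # TCP reachability on 443 only; says nothing about proxy or TLS inspection.
    (Test-NetConnection -ComputerName $HostName -Port 443 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

# Assumption: the channel name starts with Microsoft-Windows-ClipESU, so it is
# discovered by wildcard rather than hard-coded.
$event113 = $null
$log = Get-WinEvent -ListLog 'Microsoft-Windows-ClipESU*' -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($log) {
    $event113 = Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = 113 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
}

# One object per device, suitable for Export-Csv or an MDM remediation script.
[pscustomobject]@{
    ComputerName                   = $env:COMPUTERNAME
    EnableESUSubscriptionCheck     = Test-EsuDword 'EnableESUSubscriptionCheck'
    Win10CommercialW365ESUEligible = Test-EsuDword 'Win10CommercialW365ESUEligible'
    ClipEsuEvent113                = if ($event113) { $event113.TimeCreated } else { $null }
    DlsReachable                   = Test-Https 'dls.microsoft.com'
    LoginReachable                 = Test-Https 'login.windows.net'
}
```

A device that reports EnableESUSubscriptionCheck as True but Win10CommercialW365ESUEligible as False has received the policy but has not completed enrollment; check the join state, sign-in and endpoint conditions listed earlier.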