Table of Contents
- Will Your Business Survive Windows 10's End of Support Without These Critical Extended Security Updates?
- What Are Extended Security Updates?
- Why Use Intune for ESU Activation?
- Prerequisites You Must Meet
- System Requirements
- Network Access
- How to Activate ESU Through Intune
- Detection Script Process
- Activation Script Process
- Deployment Steps
- Verification and Troubleshooting
- Timeline and Availability
- Benefits of This Approach
Will Your Business Survive Windows 10's End of Support Without These Critical Extended Security Updates?
Windows 10 support ends in just a few months. I know this creates real problems for businesses with older computers that can't run Windows 11. But there's a solution that can help you keep your systems secure.
Extended Security Updates (ESU) gives you three more years of critical security patches after Windows 10 support ends on October 14, 2025. The best part? You can manage everything through Microsoft Intune instead of manually updating hundreds of computers.
What Are Extended Security Updates?
ESU is Microsoft's paid program that extends security support for Windows 10 devices past their end-of-life date. This program targets organizations with systems that cannot upgrade to Windows 11 due to hardware limitations or software compatibility issues.
The program covers Windows 10 Pro, Enterprise, and Education editions. Your devices must run Windows 10 version 22H2 with the latest updates installed.
Cost Structure:
- First year: $61 per device
- Second year: $122 per device
- Third year: $244 per device
The pricing doubles each year, and ESU licenses are cumulative. This means enrolling in the second year requires payment for both the first and second years.
Why Use Intune for ESU Activation?
Managing ESU activation manually across hundreds or thousands of devices creates a nightmare for IT administrators. Microsoft Intune provides a centralized platform to deploy and manage ESU activation efficiently across your entire fleet.
With Windows 7 ESU, assigning valid licenses to individual clients was tedious and time-consuming. Microsoft designed the Windows 10 ESU process to work seamlessly with Intune, eliminating manual intervention.
Prerequisites You Must Meet
Before activating ESU through Intune, your environment needs these requirements:
System Requirements
- Windows 10 version 22H2 installed
- Update KB5046613 or later version installed
- Administrative privileges for the activation process
Network Access
- Connectivity to Microsoft activation endpoints
- Access to go.microsoft.com and login.live.com
Microsoft provides a PowerShell validation script called "Check-Win10ESUPrereq.ps1" that verifies your devices meet all requirements. This script checks the Windows version, patch level, and network connectivity to required endpoints.
How to Activate ESU Through Intune
The activation process uses PowerShell scripts deployed through Intune. You need two scripts: a detection script and an activation script.
Detection Script Process
The detection script verifies prerequisites including OS version, required updates, and network connectivity. It checks if devices run Windows 10 22H2 and have the necessary patches installed.
Activation Script Process
The activation script installs and activates the ESU keys using these commands:
- Install ESU Key: cscript.exe C:\Windows\System32\slmgr.vbs /ipk [ESU_KEY]
- Activate ESU Key: cscript.exe C:\Windows\System32\slmgr.vbs /ato
Deployment Steps
- Create a PowerShell script deployment in Intune
- Navigate to Devices > Scripts in the Intune portal
- Upload your detection script with proper configuration
- Set script to run with administrative privileges
- Assign scripts to appropriate device groups
- Create remediation scripts for ongoing management
Verification and Troubleshooting
After deployment, verify successful ESU activation using this command on client devices:
cscript.exe C:\Windows\System32\slmgr.vbs /dlv
This command displays detailed license information, confirming whether ESU activation succeeded.
The validation script helps troubleshoot activation issues by checking prerequisites and network connectivity. Use this script to identify devices that don't meet requirements before attempting activation.
Timeline and Availability
ESU licenses for enterprise customers become available through Cloud Solution Providers (CSP) starting September 2025. This gives you time to plan your deployment strategy before Windows 10 support ends in October.
Microsoft recently announced free enrollment options for consumers, extending support for one additional year at no cost. However, enterprise customers still need paid ESU licenses for continued security updates.
Benefits of This Approach
Using Intune for ESU activation provides several advantages:
- Centralized Management: Deploy to hundreds of devices simultaneously
- Automated Process: Eliminate manual license assignment
- Consistent Results: Ensure all devices receive proper activation
- Easy Verification: Monitor activation status across your fleet
- Reduced Workload: Free up IT staff for other priorities
The PowerShell script approach streamlines what was previously a complex, time-consuming process. Instead of touching each device individually, you can activate ESU licenses across your entire Windows 10 fleet from a single console.
This solution helps organizations maintain security compliance while planning their eventual migration to Windows 11 or newer systems.