The original version of this article covered the Windows 7 Extended Security Updates (ESU) activation script. Windows 7 ESU ended definitively on January 10, 2023 — no further extensions were offered. This updated article pivots to the current ESU topic that matters in 2026: Windows 10 ESU activation, which became relevant from October 14, 2025 when Windows 10 mainstream support ended. If you are managing a fleet that cannot yet migrate to Windows 11, this guide covers every activation method — manual, SCCM, and Intune.
| Detail | |
|---|---|
| Last Updated | March 2026 |
| Applies To | Windows 10 22H2 (all commercial editions) |
| Windows 10 EoS | October 14, 2025 |
| ESU Year 1 Coverage | October 2025 – October 2026 (~$61/device) |
| ESU Max Duration | 3 years (until October 2028 for volume licensing) |
| LTSB/LTSC | NOT covered by Windows 10 ESU — separate lifecycle |
Windows 7 ESU — Historical Context
For historical reference: Windows 7 ESU ran for three years after the January 14, 2020 end-of-support date. Year 3 — the final year — ended on January 10, 2023. On that date, Windows 7 Extended Security Updates reached their end of support with no further extension offered by Microsoft. Any Windows 7 devices still in production are receiving no security updates and represent a significant compliance and security risk. Migration to Windows 10 22H2 (with ESU) or Windows 11 is the only viable path.
Windows 10 ESU — What You Need to Know
Windows 10 support ended on October 14, 2025, but organisations can continue receiving critical security updates through the Extended Security Updates (ESU) program. Each year doubles in price, encouraging customers to migrate to Windows 11 sooner.
| Year | Coverage Period | Approx. Price / Device |
|---|---|---|
| Year 1 | Oct 2025 – Oct 2026 | ~$61 USD |
| Year 2 | Oct 2026 – Oct 2027 | ~$122 USD |
| Year 3 | Oct 2027 – Oct 2028 | ~$244 USD |
Key rules to be aware of before purchasing:
- Must be on Windows 10 22H2 — devices must be on Windows 10 version 22H2 as the minimum baseline.
- Preparation package required first — the ESU Licensing Preparation Package KB5072653 must be installed after KB5066791 before ESU activation will work.
- Years are cumulative — to purchase Year 2, you must also have purchased Year 1
- LTSB/LTSC is excluded — these have their own separate lifecycles and are not covered by this ESU program
- Two licence types — Standard ESU (MAK key, for on-premise/SCCM environments) and Cloud Managed ESU (no MAK required, for Intune/EA environments)
Step 1: Install the ESU Preparation Package
Before activating any ESU key, both prerequisite KBs must be installed in order:
# Step 1 — Install the October 2025 cumulative update (last public CU)
# KB5066791 — must be installed first
wusa.exe KB5066791_x64.msu /quiet /norestart
# Step 2 — Install the ESU Licensing Preparation Package
# KB5072653 — must be installed AFTER KB5066791
wusa.exe KB5072653_x64.msu /quiet /norestart
# Verify both are installed
Get-CimInstance -ClassName Win32_QuickFixEngineering |
Where-Object { $_.HotFixID -in @("KB5066791", "KB5072653") } |
Select-Object HotFixID, InstalledOnDownload both KBs from the Microsoft Update Catalog (catalog.update.microsoft.com) on an internet-connected machine and transfer to the target device if it has no internet access.
Step 2: Obtain Your MAK Key
To find the ESU licence MAK, sign in to the Microsoft 365 admin center, navigate to Billing → Your Products → Volume licensing → View contracts, find the licence ID under which the ESU licences were purchased, then select View product keys. You need the Product Key Reader or VL Administrator Entra ID role to view keys.
Method 1: Activate Manually via slmgr.vbs
For single devices or quick testing. Run from an elevated Command Prompt or PowerShell:
# Install the ESU MAK key (replace with your actual MAK)
slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
# Activate online
slmgr.vbs /ato
# Verify activation — look for "License Status: Licensed" under ESU entry
slmgr.vbs /dlvThe /dlv output should show an entry for the Windows 10 ESU program with License Status: Licensed. If the device has no internet access, use phone activation instead:
# Phone activation — get Installation ID for offline activation
# Replace Activation ID with the correct one for your ESU year (from Microsoft docs)
# Year 1 Activation ID: notated in your ESU documentation from Microsoft
slmgr.vbs /dti
# Call Microsoft activation line with the Installation ID displayed
# Enter the Confirmation ID you receive back
slmgr.vbs /atp Method 2: Deploy via PowerShell Script (SCCM or Intune)
For fleet-wide deployment, wrap the activation in a PowerShell script and push via SCCM as a package or Intune as a Platform script. Organisations can use management tools such as Microsoft Intune or Configuration Manager to run activation scripts remotely. Devices must have outbound internet access to Microsoft activation and validation endpoints.
# Windows10_ESU_Year1_Activate.ps1
# Deploy via SCCM Package or Intune Platform Script (run as SYSTEM, 64-bit)
$ESUMakKey = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX" # Replace with your MAK
try {
# Check prerequisites — must be Windows 10 22H2
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.BuildNumber -lt 19045) {
Write-Host "ERROR: Device is not on Windows 10 22H2 (build 19045). Exiting."
exit 1
}
# Check ESU preparation package is installed
$prepKB = Get-CimInstance -ClassName Win32_QuickFixEngineering |
Where-Object { $_.HotFixID -eq "KB5072653" }
if (-not $prepKB) {
Write-Host "ERROR: ESU Preparation Package KB5072653 not installed. Install it first."
exit 1
}
# Install the MAK key
Write-Host "Installing ESU MAK key..."
$installResult = & cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /ipk $ESUMakKey
Write-Host $installResult
# Activate online
Write-Host "Activating ESU key..."
$activateResult = & cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /ato
Write-Host $activateResult
Write-Host "ESU Year 1 activation complete."
exit 0
} catch {
Write-Host "Error during ESU activation: $_"
exit 1
}Detection Script for SCCM Application or Intune Remediation
# Detection script: Is Windows 10 ESU Year 1 activated?
$slmgrOutput = & cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv 2>&1
if ($slmgrOutput -match "ESU" -and $slmgrOutput -match "Licensed") {
Write-Host "ESU is activated."
exit 0 # Compliant
} else {
Write-Host "ESU not activated."
exit 1 # Non-compliant
}Method 3: Cloud Managed ESU (Intune / EA — No MAK Required)
If your organisation uses an Enterprise Agreement (EA/EAS) and manages devices via Intune or Windows Autopatch, the Cloud Managed ESU licence requires no MAK keys — updates are delivered automatically and silently, simplifying deployment and reducing administrative overhead.
For Intune-managed devices using the Windows 365 entitlement path, deploy the EnableESUSubscriptionCheck policy via OMA-URI:
- In Intune admin center, go to Devices → Manage devices → Configuration → Create → New Policy
- Platform: Windows 10 and later, Profile type: Templates → Custom
- Add an OMA-URI setting with the following values:
| Field | Value |
|---|---|
| Name | EnableESUSubscriptionCheck |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Update/EnableESUSubscriptionCheck |
| Data type | Integer |
| Value | 1 |
Assign the policy to your Windows 10 device group. To verify a device is enrolled in the ESU program, check for the registry entry at HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU and check Event Viewer → Applications and Services Logs → Microsoft → Windows → ClipESU for Event ID 113.
Verify ESU Activation — All Methods
# Method 1: slmgr.vbs — look for ESU entry with "Licensed" status
cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv
# Method 2: Registry check
$esuPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU"
if (Test-Path $esuPath) {
Get-ItemProperty -Path $esuPath
} else {
Write-Host "ESU registry key not found — ESU not activated or preparation package missing."
}
# Method 3: Event Viewer — ClipESU Event ID 113 (Cloud Managed / Windows 365 path only)
Get-WinEvent -LogName "Microsoft-Windows-ClipESU/Admin" -MaxEvents 5 -ErrorAction SilentlyContinue |
Where-Object { $_.Id -eq 113 } |
Select-Object TimeCreated, MessageFleet Audit: Identify Windows 10 Devices Needing ESU
Before deploying ESU keys, identify all Windows 10 devices in your environment that need coverage. Use this as an SCCM collection query or Intune Remediation detection script:
# Identify Windows 10 devices and their ESU eligibility
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$esuStatus = "Unknown"
$esuPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU"
if (Test-Path $esuPath) {
$esuStatus = "Activated"
} else {
$slmgr = & cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv 2>&1
$esuStatus = if ($slmgr -match "ESU" -and $slmgr -match "Licensed") { "Activated" } else { "Not Activated" }
}
[PSCustomObject]@{
ComputerName = $env:COMPUTERNAME
OSCaption = $os.Caption
BuildNumber = $os.BuildNumber
Version = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").DisplayVersion
ESUStatus = $esuStatus
EligibleBuild = ($os.BuildNumber -eq 19045)
}Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| slmgr /ato returns “Key not found” | MAK key not installed or wrong key for edition | Re-run slmgr /ipk with correct MAK, then /ato again |
| No ESU entry in slmgr /dlv output | KB5072653 preparation package not installed | Install KB5066791 first, then KB5072653, then retry activation |
| Activation fails — cannot connect to activation servers | No internet access or firewall blocking Microsoft endpoints | Use phone activation (slmgr /dti) for air-gapped devices |
| Device shows “ESU not applicable” | Device is not on Windows 10 22H2 or is LTSC/LTSB edition | Upgrade to 22H2 first; LTSC/LTSB use separate lifecycle |
| Year 2 key rejected | Year 1 was not purchased or activated first | Years are cumulative — must activate each year in sequence |
Summary
Windows 10 ESU is the current ESU topic that matters for enterprise IT in 2026. With Windows 10 mainstream support ended in October 2025, any unmitigated Windows 10 device in your fleet is accumulating unpatched vulnerabilities unless it is covered by ESU. The activation process is straightforward once the prerequisite KBs are in place — use the MAK + slmgr approach for on-premise/SCCM environments, or Cloud Managed ESU with Intune for EA-licensed cloud-managed fleets.
- Windows 7 ESU ended January 10, 2023 — no extension. Migrate immediately if still in production.
- Windows 10 ESU requires Windows 10 22H2, KB5066791, and KB5072653 as prerequisites before MAK activation
- Standard ESU uses a MAK key deployed via slmgr.vbs — scriptable via SCCM or Intune Platform scripts
- Cloud Managed ESU (EA/EAS only) requires no MAK — configure via Intune OMA-URI policy
- ESU is a stopgap — plan your Windows 11 migration. Year 3 (2027-2028) pricing makes the business case for migration clear.