Windows 10 ESU enablement key deployment
As of October 2025 Windows 10 22H2 Enterprise no longer receives updates from Microsoft. If you are not able to upgrade and still need to get patches for Windows 10 Enterprise you can purchase Extended Security Updates or ESU from Microsoft which provide continued installation of updates from October 2025 to October 2026. Two additional years can be purchased per year for the following years 2026 to 2027 and 2027 to 2028. More details about this can be found directly from Microsoft at the link below.
officedocspr5
If your organization purchases ESU for Windows 10 they will receive an enablement key which must be installed on each Windows 10 device in order to continue to install updates. These keys are an enablement MAK key which does not replace a Windows activation key and is a one time use.
For engineers the issue now becomes how do we install the keys on systems. I have updated and modified scripts that I also used for Windows Server 2012 R2 enablement keys for this purpose.
The script below can be used with ConfigMgr as a deployed script or with Intune as a remediation script. The script supports all three years of ESU support. At the time this is published only year 1 is available so years 2 and 3 code is commented out. If you use this script you must place the ESU key you receive in the $ESUy1 variable. In the next section I will share a detection script that can be used with Intune.
<#
.SYNOPSIS
Script for ConfigMgr or Intune to install Windows 10 ESU enablement key
.DESCRIPTION
Checks if Windows 10 ESU Year 1 license is installed and activated.
Used as a detection script in Intune remediation packages.
.NOTES
Author: Robert Wheeler
Version: 1.0
Exit Codes:
0 = Compliant (ESU Year 1 is installed and activated)
1 = Non-compliant (ESU Year 1 not found, remediation needed)
.EXAMPLE
.\Install-ESUKey.ps1
Checks for ESU Year 1 license and exits with appropriate code
#>
# First get the active license object from the computer
$license = get-ciminstance softwarelicensingproduct | where-object {$_.PartialProductKey}
# Partial name of the ESU Key name per year
$ESUy1 = "*Client-ESU-Year1*"
#$ESUy2 = "*Client-ESU-Year2*"
#$ESUy3 = "*Client-ESU-Year3*"
# ESU Product keys per year replace with you product key
$ESUKey1 = "XXXX"
#$ESUKey2 = "YYYY"
#$ESUKey3 = "ZZZZ"
# Activation ID per ESU Key per year, this is needed to activate the key
$IDyear1 = "f520e45e-7413-4a34-a497-d2765967d094"
#$IDyear2 = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
#$IDyear3 = "55b1dd2d-2209-4ea0-a805-06298bad25b3"
if ($license.Name -like $ESUy1) {
Write-Host "Windows 10 ESU Year 1 detected." -ForegroundColor Green
} else {
Write-Host "Did not detect the Year 1 ESU" -ForegroundColor Red
slmgr //b /ipk $ESUKey1
slmgr //b /ato $IDyear1
}
<#if ($license.Name -like $ESUy2) {
Write-Host "Windows 10 ESU Year 2 detected." -ForegroundColor Green
} else {
Write-Host "Did not detect the Year 2 ESU" -ForegroundColor Red
slmgr //b /ipk $ESUKey2
slmgr //b /ato $IDyear2
}#>
# Year 3 ESU support, uncomment to use if/when needed
<#if ($license.Name -like $ESUy3) {
Write-Host "Windows 10 ESU Year 3 detected." -ForegroundColor Green
} else {
Write-Host "Did not detect the Year 3 ESU"" -ForegroundColor Red
slmgr //b /ipk $ESUKey3
slmgr //b /ato $IDyear3
}#>The following script is a detection script that can be used with Intune to detect the ESU key per year. At the time this is published only year 1 is available so the following years are commented out.
<#
.SYNOPSIS
Script for Intune dectection of Windows 10 ESU enablement key
.DESCRIPTION
Checks if Windows 10 ESU Year 1 license is installed and activated.
Used as a detection script in Intune remediation packages.
.NOTES
Author: Robert Wheeler
Version: 1.0
Exit Codes:
0 = Compliant (ESU Year 1 is installed and activated)
1 = Non-compliant (ESU Year 1 not found, remediation needed)
.EXAMPLE
.\Detect-ESUKey.ps1
Checks for ESU Year 1 license and exits with appropriate code
#>
# First get the active license object from the computer
$license = get-ciminstance softwarelicensingproduct | where-object {$_.PartialProductKey}
# Partial name of the ESU Key name per year
$ESUy1 = "*Client-ESU-Year1*"
#$ESUy2 = "*Client-ESU-Year2*"
#$ESUy3 = "*Client-ESU-Year3*"
# ESU Product keys per year detection
if ($license.Name -like $ESUy1) {
Write-Host "Windows 10 ESU Year 1 detected." -ForegroundColor Green
Exit 0
} else {
Write-Host "Did not detect the Year 1 ESU" -ForegroundColor Red
Exit 1
}
<#if ($license.Name -like $ESUy2) {
Write-Host "Windows 10 ESU Year 2 detected." -ForegroundColor Green
} else {
Write-Host "Did not detect the Year 2 ESU" -ForegroundColor Red
slmgr //b /ipk $ESUKey2
slmgr //b /ato $IDyear2
}#>
# Year 3 ESU support, uncomment to use if/when needed
<#if ($license.Name -like $ESUy3) {
Write-Host "Windows 10 ESU Year 3 detected." -ForegroundColor Green
} else {
Write-Host "Did not detect the Year 3 ESU"" -ForegroundColor Red
slmgr //b /ipk $ESUKey3
slmgr //b /ato $IDyear3
}#>The scripts are simple and effective using the same logic and process that I have used for previous ESU deployments. For deployment you will need to create filtered collections or groups only with the devices that you want to have the key installed on. As these are MAK keys the charges for the key will decrease with each activation. To prevent it from continued re-use I have included detection for the current keys to be detected before they are added.
This doesn't take into account re-images or rebuilds of Windows 10 systems. Typically once we are purchasing ESU support the goal is to remove or upgrade devices to limit the growing cost year over year.
If you need additional assistance with implementing the scripts please reach out to me.