Deploy Windows 10 Extended security update key (ESU) with Intune or SCCM

With Windows 10 support ending October 14, 2025, organizations face a critical choice: upgrade to Windows 11 or purchase Extended Security Updates (ESU) to maintain protection for a limited time.

If you’re still planning your Windows 11 transition, check out our detailed breakdown of SCCM/Intune upgrade paths before diving into ESU activation.

This post will guide you through the installation of the Windows 10 Extended Security Update using Intune and SCCM.

Intune Windows 10 ESU – Prerequisites

Before deploying Windows 10 Extended Security Updates (ESU) keys via Intune or SCCM, ensure the following requirements are met:

• Windows 10 22h2
• The latest Servicing Stack Update (SSU) and Cumulative Update are installed
  • at minimum, KB5046613 (2024-11) or later.
• Internet Access:
  • activation.sls.microsoft.com
  • validation.sls.microsoft.com
• Valid ESU MAK Keys
  • Obtain from your Microsoft Volume Licensing Service Center (VLSC) or authorized provider.
• Firewall/Proxy Configuration: Allow outbound connections to Microsoft activation endpoints.

Windows 10 devices accessing Windows 365 Cloud PCs, VMs hosted in Azure, or Windows 365 Cloud PC are automatically included in Windows 10 Extended Security updates.

See Microsoft Learn for more details about Prerequisites

What is Windows 10 ESU?

The Windows 10 Extended Security Updates program provides critical security patches for up to three years beyond the official end of support date. It’s intended for systems that cannot be upgraded immediately due to hardware, software compatibility, or organizational constraints.

What are Extended Security Update Deployment Options

• Automatic Inclusion – Windows 365 Cloud PCs / Azure‑hosted VMs
• Microsoft Intune and SCCM
  • Via Script with or without compliance check
• VAMT
  • Install and activate the key remotely
  • Need direct access to devices
• Manual Activation – Local command execution on individual PCs

Prepare the Windows 10 Extended Security Update PowerShell script

To change our Windows 10 licensing method, we’ll use a PowerShell script.

• Edit to include your specific ESU MAK and select the number of years.

# Replace with your actual ESU product key
$ESU_MAK = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"  
$ESU_Year = 1  # Set to 1, 2, or 3

# ESU Activation IDs
$ActivationIDs = @{
    1 = "f520e45e-7413-4a34-a497-d2765967d094"
    2 = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
    3 = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
}
$ActivationID = $ActivationIDs[$ESU_Year]

Write-Output "Installing ESU MAK key..."
cscript.exe $env:windir\system32\slmgr.vbs /ipk $ESU_MAK

Write-Output "Activating ESU MAK key for Year $ESU_Year..."
cscript.exe $env:windir\system32\slmgr.vbs /ato $ActivationID

# Replace with your actual ESU product key
$ESU_MAK = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"  
$ESU_Year = 1  # Set to 1, 2, or 3

# ESU Activation IDs
$ActivationIDs = @{
    1 = "f520e45e-7413-4a34-a497-d2765967d094"
    2 = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
    3 = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
}
$ActivationID = $ActivationIDs[$ESU_Year]

Write-Output "Installing ESU MAK key..."
cscript.exe $env:windir\system32\slmgr.vbs /ipk $ESU_MAK

Write-Output "Activating ESU MAK key for Year $ESU_Year..."
cscript.exe $env:windir\system32\slmgr.vbs /ato $ActivationID

Deploying Windows 10 Extended Security Update with Microsoft Intune

• Go to Intune portal
• Browse to Devices / Scripts and Remediation / Platform scripts and click Add

• Provide the name

• Upload the PowerShell script

• Assign to target device groups and finalize the script wizard

For more details about PowerShell script in Intune, see Microsoft Learn.

Deploying ESU Key with SCCM

In SCCM, there are multiple options. Package, Application, Task sequence, or even Configuration Baseline. For this post, we’ll cover a simple Package.

• Create a Package with the PowerShell script.
• Program command:
  • powershell.exe -ExecutionPolicy Bypass -File ESUActivation.ps1

Validation ESU key is well configured

One simple way to do this is to check the update reporting status once we reach November for the monthly release of the Cumulative Update for Windows 10 22H2. This isn’t perfect, but it will help figure out which devices didn’t work.

It can be validated manually with this simple command line.

• slmgr /dlv in a command prompt.

This simple script can be used as a Configuration baseline or Remediation script to evaluate whether the device is well-configured or not.

$ESU_Year = 1  # Set to 1, 2, or 3
$Compliant = $false

# ESU Activation IDs
$ActivationIDs = @{
    1 = "f520e45e-7413-4a34-a497-d2765967d094"
    2 = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
    3 = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
}
$ActivationID = $ActivationIDs[$ESU_Year]

# Retrieve license details
$slmgrOutput = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "ID LIKE '$ActivationID' AND LicenseStatus = 1"

if ($slmgrOutput) {
        Write-Host "ESU key is installed and LICENSED."
        $Compliant = $true
}
return $Compliant

$ESU_Year = 1  # Set to 1, 2, or 3
$Compliant = $false

# ESU Activation IDs
$ActivationIDs = @{
    1 = "f520e45e-7413-4a34-a497-d2765967d094"
    2 = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
    3 = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
}
$ActivationID = $ActivationIDs[$ESU_Year]

# Retrieve license details
$slmgrOutput = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "ID LIKE '$ActivationID' AND LicenseStatus = 1"

if ($slmgrOutput) {
        Write-Host "ESU key is installed and LICENSED."
        $Compliant = $true
}
return $Compliant

Here are a few collection queries to track the activation status.

• ESU 1 year

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client 
from SMS_R_System 
inner join SMS_G_System_SOFTWARE_LICENSING_PRODUCT on SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ResourceID = SMS_R_System.ResourceId 
where SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ID = "f520e45e-7413-4a34-a497-d2765967d094" 
AND SMS_G_System_SOFTWARE_LICENSING_PRODUCT.LicenseStatus = 1

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client 
from SMS_R_System 
inner join SMS_G_System_SOFTWARE_LICENSING_PRODUCT on SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ResourceID = SMS_R_System.ResourceId 
where SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ID = "f520e45e-7413-4a34-a497-d2765967d094" 
AND SMS_G_System_SOFTWARE_LICENSING_PRODUCT.LicenseStatus = 1

• ESU 2 Years

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client 
from SMS_R_System 
inner join SMS_G_System_SOFTWARE_LICENSING_PRODUCT on SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ResourceID = SMS_R_System.ResourceId 
where SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ID = "1043add5-23b1-4afb-9a0f-64343c8f3f8d" 
AND SMS_G_System_SOFTWARE_LICENSING_PRODUCT.LicenseStatus = 1

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client 
from SMS_R_System 
inner join SMS_G_System_SOFTWARE_LICENSING_PRODUCT on SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ResourceID = SMS_R_System.ResourceId 
where SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ID = "1043add5-23b1-4afb-9a0f-64343c8f3f8d" 
AND SMS_G_System_SOFTWARE_LICENSING_PRODUCT.LicenseStatus = 1

• ESU 3 Years

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client 
from SMS_R_System 
inner join SMS_G_System_SOFTWARE_LICENSING_PRODUCT on SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ResourceID = SMS_R_System.ResourceId 
where SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ID = "83d49986-add3-41d7-ba33-87c7bfb5c0fb" 
AND SMS_G_System_SOFTWARE_LICENSING_PRODUCT.LicenseStatus = 1

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client 
from SMS_R_System 
inner join SMS_G_System_SOFTWARE_LICENSING_PRODUCT on SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ResourceID = SMS_R_System.ResourceId 
where SMS_G_System_SOFTWARE_LICENSING_PRODUCT.ID = "83d49986-add3-41d7-ba33-87c7bfb5c0fb" 
AND SMS_G_System_SOFTWARE_LICENSING_PRODUCT.LicenseStatus = 1

Note that the following Hardware inventory, Software Licensing Product, class is needed for these collections to work.

Final thoughts about Intune Windows 10 ESU

While not ideal to pay extra money to continue supporting Windows 10, this is still the best solution to stay secure until Windows 11 can be implemented in your environment.

Hope this helped!