Windows 10 ESU Deployment via Intune (Win32 App)

Applies to: Business Premium tenants

Windows 10 reached end of support on October 14, 2025. Microsoft's ESU program allows devices to continue receiving security patches for up to three years via MAK (Multiple Activation Key) licensing.

Note: Remediations requires Windows Enterprise E3/E5 or M365 E3/E5 licensing. Business Premium doesn't qualify - Win32 app deployment is used instead.

• Device must be running Windows 10 22H2 (Build 19045)
• ESU MAK keys purchased via distributor (Dicker Data, Ingram Micro, Pax8, Synnex) and assigned to the tenant
• Device enrolled in Intune under the client tenant
• IntuneWinAppUtil.exe available (Download from GitHub)
• Device group created in Entra ID containing only the target device(s)

Run from an elevated PowerShell on the target device:

Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
    Select-Object CurrentBuild, UBR, DisplayVersion

Expected output:

CurrentBuild  UBR    DisplayVersion
------------  ---    --------------
19045         xxxx   22H2

@{
    "Year 1" = "f520e45e-7413-4a34-a497-d2765967d094"
    "Year 2" = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
    "Year 3" = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
}.GetEnumerator() | ForEach-Object {
    $result = cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv $_.Value 2>&1 |
        Select-String "License Status"
    Write-Host "$($_.Key): $result"
}

Expected output:

Year 1: License Status: Unlicensed
Year 2: License Status: Unlicensed
Year 3: License Status: Unlicensed

Create a folder on your packaging machine, e.g. C:\Packaging\Win10ESU\.

# Replace key values below with actual MAK keys for the client
 
$win10_Y1_Key = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
$win10_Y2_Key = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
$win10_Y3_Key = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
 
$win10_Y1_ESU = "f520e45e-7413-4a34-a497-d2765967d094"
$win10_Y2_ESU = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
$win10_Y3_ESU = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
 
function Install-ESUKey {
    Param(
        [string]$Key,
        [string]$ActivationID
    )
    slmgr /ipk $Key
    Start-Sleep -Seconds 30
    slmgr /ato $ActivationID
    Start-Sleep -Seconds 120
}
 
Install-ESUKey -Key $win10_Y1_Key -ActivationID $win10_Y1_ESU
Install-ESUKey -Key $win10_Y2_Key -ActivationID $win10_Y2_ESU
Install-ESUKey -Key $win10_Y3_Key -ActivationID $win10_Y3_ESU

$win10_Y1_Key = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"  # Must match install script
$win10_Y2_Key = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
$win10_Y3_Key = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
 
function Test-ESUKey {
    Param([string]$Key)
    $PartialKey = $Key.Substring($Key.Length - 5)
    $Licensed = Get-WmiObject -Query ('SELECT ID FROM SoftwareLicensingProduct where PartialProductKey = "{0}"' -f $PartialKey)
    $ActivationStatus = Get-WmiObject -Query ('SELECT LicenseStatus FROM SoftwareLicensingProduct where PartialProductKey = "{0}"' -f $PartialKey)
    return ($Licensed -and $ActivationStatus.LicenseStatus -eq 1)
}
 
$OSVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
if ($OSVersion -ne "19045") {
    Write-Output "Not Windows 10 22H2 - skipping."
    exit 0
}
 
$Y1 = Test-ESUKey -Key $win10_Y1_Key
$Y2 = Test-ESUKey -Key $win10_Y2_Key
$Y3 = Test-ESUKey -Key $win10_Y3_Key
 
if ($Y1 -and $Y2 -and $Y3) {
    Write-Output "ESU Years 1, 2 and 3 all activated."
    exit 0
} else {
    if (-not $Y1) { Write-Output "ESU Year 1 key not activated." }
    if (-not $Y2) { Write-Output "ESU Year 2 key not activated." }
    if (-not $Y3) { Write-Output "ESU Year 3 key not activated." }
    exit 1
}

1. Open a Command Prompt on your packaging machine
2. Run:

IntuneWinAppUtil.exe -c C:\Packaging\Win10ESU -s Win10ESU-install.ps1 -o C:\Packaging\Output

1. When prompted “Do you want to specify a catalog folder?” → N
2. Output: C:\Packaging\Output\Win10ESU-install.intunewin

Navigate to Intune admin center > Apps > Windows > Add > Windows app (Win32)

Assign as Required to the Entra ID device group containing the target device(s).

Allow 15-30 minutes for the device to check in, or trigger a sync from the Intune device page. Then verify via RMM/elevated PowerShell:

@{
    "Year 1" = "f520e45e-7413-4a34-a497-d2765967d094"
    "Year 2" = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
    "Year 3" = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
}.GetEnumerator() | ForEach-Object {
    $result = cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv $_.Value 2>&1 |
        Select-String "License Status"
    Write-Host "$($_.Key): $result"
}

All three years should return License Status: Licensed.

If the app fails, check the IME log on the device:

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log

Two policies are required - a Feature Update policy and a Settings Catalog policy.

Navigate to Intune > Devices > Windows updates > Feature updates > + Create

Navigate to Intune > Devices > Configuration > + Create > Settings Catalog

Add the following settings:

Assign both policies to the same device group. Verify the policies have applied:

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' |
    Select-Object ProductVersion, TargetReleaseVersion, DeferFeatureUpdatesPeriodInDays

Expected output:

ProductVersion                 : Windows 10
TargetReleaseVersion           : 22H2
DeferFeatureUpdatesPeriodInDays: 365

Devices enrolled in ESU may still display this warning in Windows Update. This is cosmetic display bug only - updates are still being received.

Microsoft acknowledged and resolved this on 2025-11-11. See: Windows 10 22H2 Resolved Issues #3706

Fix is delivered via Windows Update. Advise end user to install all pending updates, restart, and repeat until no updates remain.

windows10 esu intune win32app licensing slmgr