MSEndpointMgr

Enable Windows 10 ESU (Extended Security Updates) with Intune

Unless you are running Windows 10 LTSC or LTSB, it’s time to say goodbye to an operating system that changed how you, me and probably many other IT workers operate.

It became the backbone of remote work during the pandemic, and for many of us, it was the platform that made “work from anywhere” not just possible, but sustainable. It taught us how to be agile, how to automate, and how to work with (or around) cloud-native tools.

Today marks a very special day: Microsoft officially stops producing new security updates for Windows 10 (at least free ones). If you planned accordingly and Windows 10 is nothing more than a bittersweet memory, pour one with me for this amazing Operating System and let’s cheer it together while it rides into the sunset.

If you, on the other hand, didn’t plan, or have hard requirements (oh believe me, I know they lurk around many corners) to stay on Windows 10, and you are lucky enough that your management will support it financially by buying ESUs (Extended Security Updates), but you have no idea how to get them deployed on your devices, well, then my heart goes out to you, together with this blog to help you on the journey of keeping those devices secure for a little longer.

What are Windows 10 Extended Security Updates (or ESUs)?

Extended Security Updates is a paid program created by Microsoft that gives customers the option to receive security updates on devices enrolled in the program. It allows organizations (and also individuals) to pay a fee and get security updates for Windows 10 past the official end-of-support date.

What are my options as a consumer customer to apply for ESU?

If you are a consumer, Microsoft has some ways for you to get a free ESU license. A consumer device is a device that is not:

  • Joined to an Active Directory domain
  • Joined to Microsoft Entra
  • Hybrid (joined to an Active Directory domain and Microsoft Entra)
  • Enrolled in a Mobile Device Management (MDM) solution
  • In kiosk mode

Option 1 – Redeem 1,000 Microsoft Rewards points

If you can accumulate 1,000 points in the Microsoft Rewards program, you can exchange them for the ESU. That is pretty easy to accomplish: download the Bing app or use Bing as your search engine while logged in.

Option 2 – Use Windows Backup on Microsoft OneDrive

If you have a OneDrive account and enough space, just enable Back up and restore with Windows Backup and you are also set.

Option 3 and my personal favorite – Move to Europe

Euroconsumers called out Microsoft for planned obsolescence as it limits security support for Windows 10, and Microsoft’s response was to revise ESU applicability and give it for free to everyone in the EEA (European Economic Area).

What are my options as a commercial customer to apply for ESU?

Well, if you, like me, are on the commercial side of Windows (Entra or on-prem AD joined, Hybrid or MDM managed), you will need to pay for that extra support. In my case (and for the remainder of this post), I bought a license from my CSP (Cloud Solution Provider), and once the process went through I could see this in my Admin Portal.

Once I click Show activation keys I’m presented with a Volume License Key and the number of licenses purchased.

I’m expecting that if I bought 100 (or 1000) I would get one key to use on all my Windows 10 devices (as opposed to every new transaction generating a new key rather than adding to an existing one). So be mindful and try to buy them in bulk if possible.

Enabling Windows 10 ESU with Intune Remediation

Once you have the Product Key to turn a normal Windows 10 into an ESU-enabled Windows 10, the last thing to do is to deploy that key. Since we cannot deploy this key using configuration profiles (the WindowsLicensing CSP only works for version changes, and as this is an additional license it’s not supported), we will be using a Remediation (if you are not entitled to run Remediations because you don’t have Windows Enterprise licenses, look at the alternative method using a Win32 app).

To do so, go to Devices > Scripts and remediations > Remediations > Create.

Give it a name.

On the Settings page, use the following scripts for Detection and Remediation, replacing the MAK key with your key.

Detection.ps1

# Run slmgr /dlv and capture the installed Windows licenses; drop the first line and
# split the output into one text block per license (blocks are separated by blank lines).
# The labels parsed below (Name, Activation ID, License Status) are the English ones;
# slmgr output is localized, so adjust them on non-English Windows.
$InstalledLicenses = ((cscript.exe /nologo "$env:SystemRoot\system32\slmgr.vbs" /dlv 2>&1 | Select-Object -Skip 1) -join "`n") -split "`n`n+"

# Parse each license block into key/value pairs and keep only the ESU add-ons
$esuEntries = foreach ($License in $InstalledLicenses) {
    $lines = $License -split "`n"
    $props = @{}
    foreach ($line in $lines) {
        if ($line -match "^(.*?):\s*(.*)$") {
            $key = $matches[1].Trim()
            $value = $matches[2].Trim()
            $props[$key] = $value
        }
    }
    if ($props['Name'] -like '*ESU*') {
        [PSCustomObject]@{
            Name          = $props['Name']
            ActivationID  = $props['Activation ID']
            Licensed      = $props['License Status']
        }
    }
}

# If an ESU entry is installed and licensed, exit 0 (compliant);
# otherwise exit 1 so Intune runs the remediation script
if (($esuEntries) -and ($esuEntries.Licensed -contains "Licensed")) { exit 0 }
else { exit 1 }

Remediation.ps1

# Enter your ESU (MAK) key here
$ESU_KEY = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

# Install the ESU key
cscript.exe /nologo "$env:SystemRoot\system32\slmgr.vbs" /ipk $ESU_KEY

Leave all the other options as they are and assign the remediation to the group which contains all the Windows 10 devices on which you want to activate the ESU.
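The remediation above only installs the key: `slmgr.vbs /ipk` does not in itself activate it, so a device can still report a status other than Licensed on the next detection run. As an added example (not code from the original post), the following remediation reuses the detection parser to install the key, activate every ESU entry that is not yet licensed via its own Activation ID (`slmgr.vbs /ato <Activation ID>`), and exit 0 only once an ESU entry reports Licensed. The key is a placeholder, and the label parsing assumes English-language Windows.

```powershell
# Added example: install the ESU key, then activate each ESU add-on found in slmgr output.
# Assumptions: English slmgr labels; the MAK key below is a placeholder to be replaced.
$ESU_KEY = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
$slmgr   = "$env:SystemRoot\system32\slmgr.vbs"

function Get-EsuLicense {
    # Parse 'slmgr /dlv' output into one object per license block and keep ESU add-ons only
    $blocks = ((cscript.exe /nologo $slmgr /dlv 2>&1 | Select-Object -Skip 1) -join "`n") -split "`n`n+"
    foreach ($block in $blocks) {
        $props = @{}
        foreach ($line in ($block -split "`n")) {
            if ($line -match '^(.*?):\s*(.*)$') { $props[$matches[1].Trim()] = $matches[2].Trim() }
        }
        if ($props['Name'] -like '*ESU*') {
            [PSCustomObject]@{
                Name         = $props['Name']
                ActivationID = $props['Activation ID']
                Licensed     = $props['License Status']
            }
        }
    }
}

# Step 1: install the key (re-running /ipk with an already installed key reports success)
cscript.exe /nologo $slmgr /ipk $ESU_KEY | Out-Null

# Step 2: activate every ESU entry whose status is not 'Licensed', using its own Activation ID
foreach ($esu in (Get-EsuLicense | Where-Object { $_.Licensed -ne 'Licensed' })) {
    if ($esu.ActivationID) {
        Write-Output "Activating '$($esu.Name)' ($($esu.ActivationID))"
        cscript.exe /nologo $slmgr /ato $esu.ActivationID
    }
}

# Step 3: log the resulting state and set the exit code Intune reports (0 = licensed, 1 = not)
$after = Get-EsuLicense
$after | Format-Table Name, ActivationID, Licensed -AutoSize | Out-String | Write-Output
if ($after.Licensed -contains 'Licensed') { exit 0 } else { exit 1 }
```

The same script body also works as the Install.ps1 of the Win32 app method below, since the detection logic there checks for the same Licensed status.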

Alternative Method: Enabling Windows 10 ESU with Intune Win32App

For this method we will use a similar structure to the Remediation, but with a Win32 app instead.

Create a folder and add the following PowerShell script inside it, replacing the ESU_KEY variable with your key.

Install.ps1

# Enter your ESU (MAK) key here
$ESU_KEY = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

# Install the ESU key
cscript.exe /nologo "$env:SystemRoot\system32\slmgr.vbs" /ipk $ESU_KEY

Now, when using the Microsoft Win32 Content Prep Tool to create the .intunewin file, use the -c parameter to point to the folder and -s to point to the Install.ps1 file.

Once you have the Install.intunewin file, go to Intune > Apps > Windows > Create > Windows app (Win32) and click Select.

On App information

Select the file you just created

Change the Name and the other properties as required

On Program

Install command: %windir%\sysnative\windowspowershell\v1.0\powershell.exe -executionPolicy bypass -windowstyle hidden -file .\Install.ps1

Uninstall command: nouninstall

On Requirements

Minimum operating system: Windows 10 22H2

On Detection rules

Rules format: Use a custom detection script

Detect.ps1

# Run slmgr /dlv and capture the installed Windows licenses; drop the first line and
# split the output into one text block per license (blocks are separated by blank lines).
# The labels parsed below (Name, Activation ID, License Status) are the English ones;
# slmgr output is localized, so adjust them on non-English Windows.
$InstalledLicenses = ((cscript.exe /nologo "$env:SystemRoot\system32\slmgr.vbs" /dlv 2>&1 | Select-Object -Skip 1) -join "`n") -split "`n`n+"

# Parse each license block into key/value pairs and keep only the ESU add-ons
$esuEntries = foreach ($License in $InstalledLicenses) {
    $lines = $License -split "`n"
    $props = @{}
    foreach ($line in $lines) {
        if ($line -match "^(.*?):\s*(.*)$") {
            $key = $matches[1].Trim()
            $value = $matches[2].Trim()
            $props[$key] = $value
        }
    }
    if ($props['Name'] -like '*ESU*') {
        [PSCustomObject]@{
            Name          = $props['Name']
            ActivationID  = $props['Activation ID']
            Licensed      = $props['License Status']
        }
    }
}

# Win32 detection: writing a string to STDOUT with exit code 0 means "installed";
# writing nothing (still exit code 0) means "not installed", so Intune runs Install.ps1
if (($esuEntries) -and ($esuEntries.Licensed -contains "Licensed")) { "Success" }
else { }

All the other fields and blades can stay as they are.

Jose Schenardie

As a co-founder of Devicie and Secure Measure (companies specialised in endpoint management and cyber security) and an MVP since 2024, Jose possesses great knowledge across many IT domains and is always happy to share and discuss new ideas in tech.

Outside IT, Jose loves to spend time with his family (wife and two children), prepare a Brazilian barbecue and play a good game of squash.
