Blog Post

Core Infrastructure and Security Blog
19 MIN READ

Enabling Extended Security Updates (ESU) for Windows 10 with Intune

Jon Warnken's avatar
Jon Warnken
Icon for Microsoft rankMicrosoft
Jun 26, 2025

Guidance on enabling Extended Security Updates (ESU) for Windows 10 using Intune, especially for systems that cannot be upgraded to Windows 11

Hello everyone, Jon Warnken a Cloud Solutions Architect. This Blog post contains several PowerShell scripts and to not overwhelm you with a wall of code, the scripts are included in collapsible secti...
Updated Jul 09, 2025
Version 4.0
Esu license
Intune
JonathanWarnken
windows 10
asafmag's avatar
asafmag
Copper Contributor
Aug 18, 2025

Thanks for the post, Jon. This is extremely useful. I was wondering regarding the part where you have mentioned "If you are wondering about how patching will work with the ESU program, and if there will be any special steps for the security patches released under the ESU program. Good news, just continue to patch your devices as you do today. When the ESU patches are targeted to a device, if they have the appropriate key installed and activated, the patch can be installed. When the ESU patches are targeted to a device that does not have the ESU key installed and activated, the patches will not be applicable and will not attempt to install." 

After applying the ESU keys using the method shown in your post, will this work for devices where patching is managed via another product other than Microsoft (Intune, WSUS)? i.e. Ivanti EPM, ManageEngine Patch Manager Plus etc..?

  • Jon Warnken's avatar
    Jon Warnken
    Icon for Microsoft rankMicrosoft
    Aug 22, 2025

    Yes, any patching method will work. The patches released for the ESU program will have a detection for the appropriate key. If the key is not installed and activated the patch will show as not applicable.