Enroll in Extended Security Updates: Step-by-Step Activation Process

What if your Windows PC stops getting security fixes the day support ends—would you notice before trouble arrives?
Extended Security Updates (ESU) lets eligible machines keep getting critical patches after official support ends, but activation isn’t automatic.
This guide walks you through the activation process step by step: getting an ESU key, installing it, activating via MAK or Azure Arc, and verifying enrollment.
Read on to learn exactly what to click, which commands to run, and who needs to act now to keep systems protected.

Step-by-Step Process to Activate Extended Security Updates

Extended Security Updates keep your system protected with critical security patches after official support ends. If you’re running Windows 10 past October 14, 2025, or specific Windows Server versions beyond their end-of-support dates, activating ESU ensures you continue receiving security fixes for up to one additional year (consumers) or three years (organizations). Activation isn’t automatic. You need to install an ESU key and complete the activation process to start receiving updates.

The activation process changes slightly depending on your licensing method, but the core structure stays the same: get your ESU key, install it on your system, activate it using either a Multiple Activation Key (MAK) or Azure Arc connection, and verify successful enrollment. Most users complete activation through the Settings app or command-line tools. Organizations managing multiple devices typically use volume activation methods or cloud management.

  1. Open an elevated Command Prompt by typing “cmd” in the taskbar search, right-clicking Command Prompt, and selecting “Run as administrator.”
  2. Install the ESU product key by entering the command slmgr /ipk [YOUR-ESU-KEY] and pressing Enter.
  3. Wait for the confirmation message stating “Installed product key successfully.”
  4. Activate the ESU key using MAK by running the command slmgr /ato [ESU Activation ID] (your activation ID comes with your ESU key documentation).
  5. If you’re using Azure Arc instead, make sure your device is connected to Azure Arc-enabled servers before moving forward.
  6. For Azure Arc activation, go to the Azure portal, select your connected device, and enable ESU from the ESU management panel.
  7. Verify activation by running slmgr /dlv in Command Prompt and checking that the ESU license shows “Licensed” status.
  8. Confirm that Windows Update recognizes your ESU enrollment by opening Settings > Update & Security > Windows Update and checking for the message “Your PC is enrolled to get Extended Security Updates.”
  9. Check for updates manually so your device begins downloading ESU security patches right away.
  10. Review the activation event log in Event Viewer under Applications and Services Logs > Microsoft > Windows > Security-SPP for any activation errors.

Once ESU is successfully activated, you’ll see a “Licensed” status when checking activation details. Windows Update will display confirmation that your device is enrolled for Extended Security Updates. Your device will now receive critical security patches through the ESU coverage period. You won’t get new features or non-security updates, though.
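
The step 7 check can also be scripted for key-based (MAK) activation. The following is an added example, not Microsoft's tooling or code from the original guide: it queries the SoftwareLicensingProduct WMI class that slmgr itself reads. The function names and the matching of ESU licenses by the string "ESU" in the product name are assumptions.

```powershell
# Added example: read-only check of ESU license state (steps 2, 4 and 7).
# Assumption: ESU add-on licenses carry "ESU" in their product Name.

# LicenseStatus values of the SoftwareLicensingProduct WMI class.
$LicenseStatusText = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}

function Get-EsuLicenseState {
    # A product only has a PartialProductKey once slmgr /ipk has installed a key.
    $filter = "PartialProductKey IS NOT NULL AND Name LIKE '%ESU%'"
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter |
        ForEach-Object {
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Product      = $_.Name
                ActivationId = $_.ID                  # value passed to slmgr /ato
                KeySuffix    = $_.PartialProductKey   # last 5 characters only
                Status       = $LicenseStatusText[[int]$_.LicenseStatus]
            }
        }
}

function Test-EsuEnrollment {
    $licenses = @(Get-EsuLicenseState)
    if ($licenses.Count -eq 0) {
        Write-Warning 'No ESU key installed: step 2 (slmgr /ipk) has not succeeded.'
        return $false
    }
    # Any installed ESU key that is not in the Licensed state still needs step 4.
    $pending = @($licenses | Where-Object { $_.Status -ne 'Licensed' })
    foreach ($p in $pending) {
        Write-Warning ("{0} is {1}: run slmgr /ato {2}" -f $p.Product, $p.Status, $p.ActivationId)
    }
    return ($pending.Count -eq 0)
}

Get-EsuLicenseState | Format-Table Product, KeySuffix, Status -AutoSize
"ESU enrolled: $(Test-EsuEnrollment)"
```

The script only reads license state and exposes just the last five characters of the key, so its output is safe to collect centrally for a fleet-wide compliance report.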

Requirements and Prerequisites for ESU Enrollment

Before activating Extended Security Updates, your device must meet specific technical and licensing requirements. For Windows 10, you need version 22H2 with all cumulative updates installed up to the latest available patch. Your system must also be signed in with a Microsoft account that has administrator privileges. Local accounts will be prompted to switch during enrollment. Organizations enrolling devices through Volume Licensing must have active Software Assurance or equivalent subscription agreements in place before ESU keys can be issued.

All devices must be running supported editions of Windows. Windows 10 Home, Pro, Pro Education, Pro for Workstations, and Enterprise editions qualify for consumer or organizational ESU enrollment. Unsupported editions, preview builds, and Long-Term Servicing Channel (LTSC) versions have separate ESU rules or may not be eligible. For Windows Server, only specific versions like Server 2008, 2012, and 2012 R2 qualify for ESU. Newer server versions still receive regular support and don’t need ESU activation.

Before attempting activation, complete these required system checks:

  • Install the latest Windows 10 cumulative update (KB number varies by release date)
  • Verify your Windows edition is eligible using Settings > System > About
  • Ensure you have administrator access to the device
  • Confirm your Microsoft account is linked to the device (Settings > Accounts > Your info)
  • Check that your device has an active internet connection for activation verification
  • If enrolling via Azure Arc, confirm the Azure Connected Machine agent is installed and the device appears in your Azure portal

How to Obtain ESU Keys

ESU keys are distributed through Microsoft’s official licensing channels. The method you use depends on your organization size and licensing agreement type. Individual consumers enrolling in Windows 10 ESU don’t need to manually obtain keys. Enrollment through the Settings app provisions access automatically when you complete the enrollment wizard. Organizations, however, must retrieve ESU product keys from their licensing portal before deployment.

Volume Licensing Service Center (VLSC) is the primary source for organizations with existing Microsoft Volume Licensing agreements. After purchasing ESU licenses, administrators log into the VLSC portal, navigate to the Licenses section, and download ESU keys tied to their agreement number. Each key includes an activation ID and instructions for MAK-based activation. VLSC keys are typically used for on-premises deployments where devices don’t connect to Azure.

Cloud Solution Providers (CSPs) offer ESU licensing starting September 1, 2025, for organizations that purchase Microsoft products through partner resellers rather than direct Volume Licensing. CSP customers work with their provider to add ESU licenses to their account. The provider provisions keys or configures Azure-based activation on behalf of the customer. This route is common for small and mid-sized businesses that rely on managed services.

Azure-enrolled servers can obtain ESU automatically when connected through Azure Arc-enabled servers. Instead of manual key installation, administrators enable ESU directly in the Azure portal, and the system provisions licenses dynamically. This simplifies management for hybrid environments and eliminates the need to track and deploy individual product keys. Organizations can also combine Azure Arc activation with pay-as-you-go billing rather than prepaying for ESU licenses.

Procurement options:

  • Volume Licensing Service Center (VLSC) for traditional enterprise agreements
  • Cloud Solution Provider (CSP) partners for managed licensing and deployment
  • Azure Arc-enabled automatic provisioning for cloud-connected devices
  • Microsoft 365 admin center for organizations with eligible Microsoft 365 subscriptions

ESU Activation Methods: MAK, Azure Arc, and Other Options

Extended Security Updates can be activated using multiple methods depending on your infrastructure and licensing setup. The most common approach is Multiple Activation Key (MAK) activation, which works similarly to standard Windows product key activation. Azure Arc offers a cloud alternative that simplifies management for organizations with hybrid environments. Key Management Service (KMS) activation is available in limited scenarios for volume-licensed deployments.

MAK Activation

MAK activation is the traditional method for applying ESU keys to individual devices or small groups of machines. After obtaining your ESU product key from VLSC or your CSP, you install the key using the Software Licensing Management Tool (slmgr) via Command Prompt. The key contacts Microsoft’s activation servers to verify licensing, then applies ESU entitlement to the device. This works best for organizations managing on-premises devices that don’t connect to Azure or for IT teams that prefer direct control over activation without dependencies on cloud services.

Azure Arc Activation

Azure Arc-enabled servers allow ESU activation without manual key entry by linking on-premises or multi-cloud servers to Azure management. Once a device is onboarded to Azure Arc, administrators enable ESU from the Azure portal, and the system automatically provisions the required licenses. This reduces administrative overhead, provides centralized visibility into ESU enrollment status, and supports pay-as-you-go billing. Azure Arc activation works well for organizations already using Azure management tools or those with distributed server estates that are difficult to manage with traditional keys.

KMS Activation

Key Management Service activation is available for organizations with KMS infrastructure already configured for Windows volume activation. ESU keys can be added to an existing KMS host, allowing client devices to activate ESU automatically when they contact the KMS server. This method only works in environments with established KMS setups and is less common for ESU than MAK or Azure Arc. KMS activation simplifies deployment in large, centrally managed networks but requires additional configuration on the KMS host and isn’t supported for all ESU-eligible Windows versions.

Supported Products and Version-Specific Notes

Microsoft offers Extended Security Updates for specific operating system versions that have reached end of support. Not all Windows versions qualify for ESU, and activation methods vary depending on the product. Consumer ESU for Windows 10 supports only version 22H2 and is limited to a one-year extension through October 13, 2026. Organizational ESU programs cover older server and client operating systems with different timelines and pricing structures.

| Operating System | ESU Availability Period | Activation Type |
|---|---|---|
| Windows 10 22H2 (Consumer) | October 14, 2025 – October 13, 2026 (1 year) | Settings enrollment wizard, OneDrive sync, or Microsoft Rewards redemption |
| Windows Server 2012 / 2012 R2 | Up to 3 years past end of support | MAK, Azure Arc, or KMS |
| Windows 7 SP1 / Windows 8.1 | Ended (historical ESU program) | MAK or volume activation (no longer available for new enrollments) |
| Windows Server 2008 / 2008 R2 | Ended (historical ESU program) | MAK or Azure Arc (no longer available for new enrollments) |

Windows 10 LTSC editions have separate ESU rules and timelines that differ from the consumer program. Organizations using Windows 10 Enterprise LTSC should consult Microsoft’s Volume Licensing documentation for version-specific ESU availability. Windows 11 doesn’t require ESU activation. It continues to receive regular security updates through its standard support lifecycle.

Pricing and Licensing Considerations for ESU

ESU pricing varies significantly between consumer and organizational licensing. Individual Windows 10 users pay a one-time fee of $30 for one year of Extended Security Updates, or they can enroll for free by syncing PC settings to OneDrive or redeeming 1,000 Microsoft Rewards points. This consumer pricing covers up to 10 devices linked to the same Microsoft account, making it cost-effective for households with multiple PCs.

Organizations face higher per-device costs and multi-year pricing structures. Windows 10 ESU for businesses starts at $61 per device for the first year when purchased through Volume Licensing or Cloud Solution Providers. Organizations can renew ESU for up to three total years, but pricing increases with each renewal year. Microsoft hasn’t published exact year-two and year-three rates, though historical ESU programs for Windows 7 and Server 2008 showed steep annual increases. Organizations with Windows 365 Cloud PCs or eligible Azure Virtual Desktop subscriptions receive Windows 10 ESU at no additional cost as part of their existing licensing. Windows Server ESU follows a similar escalating price model, with costs calculated per core or per device depending on the server edition and licensing method used.

ESU Enrollment Deadlines and Lifecycle Timelines

Missing ESU enrollment deadlines can leave your device unprotected, so understanding key dates is critical. Windows 10’s official support ends October 14, 2025, and ESU coverage runs for exactly one year through October 13, 2026. After that final date, no further security updates will be issued for Windows 10 22H2, regardless of ESU enrollment status.

Critical ESU deadlines:

  • October 14, 2025: Windows 10 22H2 end of support; last day to receive standard security updates
  • October 13, 2026: Windows 10 Extended Security Updates program ends; final ESU patch delivery date
  • September 1, 2025: Organizational ESU available through Cloud Solution Providers
  • August 2026: Microsoft 365 feature updates cease for Windows 10; security updates continue through October 2028
  • October 2028: Microsoft Defender Antivirus definition updates end for Windows 10
  • October 10, 2028: Microsoft 365 app security updates end for Windows 10

If you don’t enroll before October 14, 2025, you can still activate ESU after that date, but your coverage period doesn’t extend beyond October 13, 2026. Late enrollment doesn’t add extra months. You simply receive fewer total updates. Organizations should plan ESU deployment well before the end-of-support date to ensure continuous protection and avoid gaps in security patch coverage.

Troubleshooting ESU Activation Failures

ESU activation can fail due to missing updates, incorrect keys, or network connectivity issues. The most common error is attempting activation before installing required cumulative updates. ESU keys won’t activate on systems that aren’t fully patched. Always run Windows Update and install all available updates before trying to activate ESU, especially the latest servicing stack update and cumulative update for your Windows version.

Incorrect or mistyped product keys cause immediate activation failures. Double-check that you’re using the correct ESU key for your Windows edition and that the key hasn’t been entered incorrectly. ESU keys are distinct from standard Windows product keys, and using the wrong key type will result in error codes. If you received your key from VLSC, verify in the portal that the key matches your purchased SKU and hasn’t exceeded its activation limit.

Azure Arc connectivity problems prevent cloud-based ESU activation. If your device doesn’t appear in the Azure portal or shows a “disconnected” status, the Azure Connected Machine agent may not be running, or firewall rules may be blocking required endpoints. Check that the agent service is running, verify outbound connectivity to Azure Arc URLs, and confirm that the device identity is correctly registered in your Azure subscription. Network proxy configurations and certificate issues can also interfere with Azure Arc communication.

Troubleshooting steps:

  1. Open Settings > Update & Security > Windows Update and install all available updates, especially servicing stack and cumulative updates.
  2. Verify your ESU product key matches your Windows edition by running slmgr /dlv and checking the displayed license information.
  3. Restart the Software Protection service by opening Services, locating “Software Protection,” right-clicking, and selecting Restart.
  4. Check activation error codes in Event Viewer under Applications and Services Logs > Microsoft > Windows > Security-SPP.
  5. For MAK activation failures, confirm you have internet connectivity and that activation servers are reachable (test by running slmgr /ato and reviewing any returned error messages).
  6. For Azure Arc issues, verify the Azure Connected Machine agent is installed and running by checking Services for “Azure Connected Machine Agent.”
  7. Run azcmagent check from an elevated Command Prompt to diagnose Azure Arc connectivity and configuration problems.
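
Steps 3, 4, 6 and 7 can be gathered into one read-only triage report. This is an added example, not part of the original guide or Microsoft's tooling; the function name is hypothetical, and it assumes the Connected Machine agent registers its core Windows service under the name himds and puts azcmagent on the PATH.

```powershell
# Added example: read-only triage for the troubleshooting steps above.
function Get-EsuActivationTriage {
    param([int]$Days = 7)   # how far back to read activation events

    # Step 3: Software Protection (service name sppsvc) starts on demand,
    # so "Stopped" on an idle machine is expected; "missing" is not.
    $spp = Get-Service -Name sppsvc -ErrorAction SilentlyContinue

    # Step 4: warnings and errors written by the Security-SPP provider,
    # newest first, from whichever log the provider writes to.
    $events = @(Get-WinEvent -FilterHashtable @{
            ProviderName = 'Microsoft-Windows-Security-SPP'
            Level        = 1, 2, 3          # Critical, Error, Warning
            StartTime    = (Get-Date).AddDays(-$Days)
        } -MaxEvents 50 -ErrorAction SilentlyContinue)

    # Activation failures carry an HRESULT (0x plus eight hex digits) in the
    # message; count each distinct code so the most frequent is looked up first.
    $codes = $events |
        ForEach-Object { [regex]::Matches([string]$_.Message, '0x[0-9A-Fa-f]{8}') } |
        ForEach-Object { $_.Value } |
        Group-Object | Sort-Object Count -Descending |
        ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }

    # Steps 6-7: himds is the assumed service name of the Connected Machine
    # agent; azcmagent exists only on machines where the agent is installed.
    $arcSvc = Get-Service -Name himds -ErrorAction SilentlyContinue
    $cli    = Get-Command azcmagent -ErrorAction SilentlyContinue
    $arcOut = if ($cli) { (& azcmagent check 2>&1 | Out-String).Trim() }
              else { 'azcmagent not installed' }

    [pscustomobject]@{
        SoftwareProtection = if ($spp) { $spp.Status } else { 'missing' }
        SppEventCount      = $events.Count
        SppErrorCodes      = $codes
        LatestSppEvent     = if ($events) { '{0} id={1}' -f $events[0].TimeCreated, $events[0].Id }
        ArcAgentService    = if ($arcSvc) { $arcSvc.Status } else { 'not installed' }
        AzcmagentCheck     = $arcOut
    }
}

Get-EsuActivationTriage -Days 7 | Format-List
```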

Final Words

You now have the full install-and-activate checklist: meet the prerequisites, get your keys, install the ESU key, activate with MAK or Azure Arc, compare methods, check supported operating systems, watch pricing and deadlines, and troubleshoot activation errors.

If you’re keeping older Windows systems, run the eligibility checks, follow the numbered activation steps, and confirm success in logs or with activation tools.

If you haven’t already, make a plan to enroll in extended security updates before the window closes so your systems stay patched and supported.

FAQ

Q: What does it mean to enroll in Extended Security Updates?

A: Extended Security Updates (ESU) is a paid extension that delivers security patches for out-of-support Windows versions, letting organizations stay protected while they plan and complete upgrades.

Q: Should I enroll in the Windows 10 extended security updates program?

A: You should enroll in Windows 10 ESU if your device can’t be upgraded yet and needs continued security patches; otherwise prioritize upgrading, since ESU is temporary and incurs extra cost.

Q: How do I get Extended Security Updates through ESU?

A: To get ESU you purchase a key (via VLSC, CSP, or Azure), install prerequisite updates, add the ESU key, then activate with MAK, KMS, or by connecting the device to Azure Arc.

Q: Why can’t I enroll in extended security updates?

A: You can’t enroll in ESU when your OS isn’t eligible, required updates aren’t installed, your licensing channel doesn’t allow ESU, or the enrollment window closed; check eligibility, update, and contact your licensing provider.

