June 26, 2025
Hello everyone, Jon Warnken here, a Cloud Solutions Architect. This blog post contains several PowerShell scripts, and to not overwhelm you with a wall of code, the scripts are included in collapsible sections and have a link to my GitHub repository.
As the End of Support date for Windows 10 approaches, many of us are busy helping customers upgrade to Windows 11. (Lifecycle FAQ – Windows | Microsoft Learn) But even during those migration efforts, we are talking about the systems that cannot be upgraded and what the options are to keep those systems secure. The Windows 10 Extended Security Updates (ESU) program gives customers the option to receive security updates for PCs enrolled in the program. ESU is a paid program that provides individuals and organizations of all sizes with the option to extend the use of Windows 10 devices past the end of support date in a more secure manner. If you would like to learn more about the ESU program, you can start here: Extended Security Updates (ESU) program for Windows 10 | Microsoft Learn
If you have paid to enroll your remaining Windows 10 systems in the ESU program, the next step is to install and activate the ESU key. You can find the steps here: Enable Extended Security Updates (ESU) | Microsoft Learn
If you read those steps and wonder, how can I apply this to my devices when my organization has embraced modern device management and all or most of my users are remote, you are not alone. Let’s explore how we can install and activate the ESU key using Intune.
The first thing to discuss is the prerequisites. https://learn.microsoft.com/en-us/windows/whats-new/enable-extended-security-updates#prerequisites
These are straightforward:
- The system needs to be on Windows 10 22H2 with KB5046613 (https://support.microsoft.com/help/5046613), or later.
- The device needs access to the network endpoints required for client activation.
- The process that is used for the activation needs administrative privileges on the device.
I work with many customers that have unique security requirements and can never assume that normal network endpoints are available, so for troubleshooting I utilize this validation script to verify that a device has the required version and patch level for Windows and that it can communicate with the required network endpoints.
<# This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.
THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce #
and distribute the object code form of the Sample Code, provided that You agree: (i) to not use Our name, logo, or trademarks to market
Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code
is embedded; and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees,
that arise or result from the # use or distribution of the Sample Code.
#>
# Requirements Windows 10 22H2 and KB5046613 (19045.5131) https://learn.microsoft.com/en-us/windows/whats-new/enable-extended-security-updates#prerequisites
$OSCurrentersion = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[byte]$CanApplyWin10ESU = 0
$Win1022H2 = "19045"
$ReqPatch = "5131"
function Test-Network {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true)]
        [Alias('endpoint', 'uri')]
        [string[]]$ComputerName,
        [Parameter(Mandatory=$true)]
        [int]$Port
    )
    Begin {
        # Start from "reachable" and clear the flag on any failure, so that one
        # unreachable endpoint is not masked by a later endpoint that succeeds.
        $endpointcheck = $true
    }
    Process {
        Foreach ($pc in $ComputerName) {
            Try {
                $tcpconnection = Test-NetConnection -ComputerName $pc -Port $Port -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -InformationLevel Quiet
                if ($tcpconnection) {
                    Write-Verbose "TCP connection to $pc on port $Port succeeded."
                } else {
                    Write-Verbose "TCP connection to $pc on port $Port failed."
                    $endpointcheck = $false
                }
            } Catch {
                Write-Verbose "Error testing TCP connection to $pc on port $($Port): $_"
                $endpointcheck = $false
            }
        }
    }
    End {
        # Messages go to the verbose stream so the function returns only the flag value.
        if ($endpointcheck) {
            Write-Verbose "All endpoints are reachable."
            return 0x4 # All endpoints are reachable
        } else {
            Write-Verbose "One or more endpoints are not reachable."
            return 0x0 # At least one endpoint failed
        }
    }
}
#prerequisites
$OSVersion = $OSCurrentersion.CurrentBuild
if ($OSVersion -eq $Win1022H2) {
    Write-Output "This system is running Windows 10 22H2 (19045). Current version: $OSVersion"
    [byte]$CanApplyWin10ESU = $CanApplyWin10ESU -bor 0x1
    if (($OSCurrentersion.CurrentBuildRevision -ge $ReqPatch) -or ($OSCurrentersion.UBR -ge $ReqPatch)) {
        Write-Output "This system has the required patch KB5046613 (19045.5131) installed."
        [byte]$CanApplyWin10ESU = $CanApplyWin10ESU -bor 0x2
    }
}
#end prerequisites
#endpoints
$sslendpoints = @(
    "go.microsoft.com",
    "login.live.com",
    "activation.sls.microsoft.com",
    "validation.sls.microsoft.com",
    "activation-v2.sls.microsoft.com",
    "validation-v2.sls.microsoft.com",
    "displaycatalog.mp.microsoft.com",
    "licensing.mp.microsoft.com",
    "purchase.mp.microsoft.com",
    "displaycatalog.md.mp.microsoft.com",
    "licensing.md.mp.microsoft.com",
    "purchase.md.mp.microsoft.com"
)
$httpendpoints = @(
    "crl.microsoft.com"
)
$netcheck1 = $sslendpoints | Test-Network -Port 443 -Verbose
$netcheck2 = $httpendpoints | Test-Network -Port 80 -Verbose
if ($netcheck1 -eq 0x4 -and $netcheck2 -eq 0x4) {
    Write-Output "All required endpoints are reachable."
    [byte]$CanApplyWin10ESU = $CanApplyWin10ESU -bor 0x4
} else {
    Write-Output "One or more required endpoints are not reachable."
}
#end endpoints
# Bit 0x1 = Windows 10 22H2, 0x2 = required patch level, 0x4 = endpoints reachable
$binary = [Convert]::ToString($CanApplyWin10ESU, 2)
if ($CanApplyWin10ESU -eq 0x7) {
    Write-Output "This system is eligible for Windows 10 Extended Security Updates (ESU)."
    Write-Output "CanApplyWin10ESU: $binary"
    #exit 0
} else {
    Write-Output "This system does not meet the prerequisites for Windows 10 Extended Security Updates (ESU)."
    Write-Output "CanApplyWin10ESU: $binary"
    #exit 1
}
With the ability to troubleshoot covered, there are two approaches I use with Intune:
- Remediations
- Win32 Application
Both options utilize a discovery process so if the key install and activation fails, it will be retried. My personal preference is to use Remediations, but there is a limit of 200 packages and in some large environments adding a Remediation means removing one. There are some licensing considerations to enable Remediations, and some smaller companies may not have that option. So, we will cover both options.
Additionally, by utilizing Remediations, you will have the option to run the script ad hoc leveraging the Run Remediation device action in Intune. This can be useful when targeting is complex or when you need to be able to apply the key to those one-off devices.
Remediations:
For the remediation we need a group to target, a discovery script, and a remediation script.
For the target group my suggestion is to utilize a dynamic group for Windows 10 22H2 devices. You can use the rule
(device.deviceOSVersion -startsWith "10.0.19045.")
However, keep in mind that it will include all Windows 10 22H2 devices. If they are not all in scope for the ESU program, then do not use a broad rule. If you just have a small number of devices, then an assigned group may be appropriate. If you have a larger number of devices that are included, then utilizing an assigned group and a programmatic process to manage the group would be an option.
For the discovery and remediation scripts, these are the template files that you can update with your keys and utilize.
Both scripts have placeholders for your ESU keys:
$win10_Y1_Key = "Your-Year-1-ESU-Key-Here"
$win10_Y2_Key = "Your-Year-2-ESU-Key-Here"
$win10_Y3_Key = "Your-Year-3-ESU-Key-Here"
Simply update the values with your keys for each year that you are in the program.
<# This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.
THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce #
and distribute the object code form of the Sample Code, provided that You agree: (i) to not use Our name, logo, or trademarks to market
Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code
is embedded; and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees,
that arise or result from the # use or distribution of the Sample Code.
#>
# Requirements Windows 10 22H2 and KB5046613 (19045.5131) https://learn.microsoft.com/en-us/windows/whats-new/enable-extended-security-updates#prerequisites
$OSCurrentersion = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[byte]$CanApplyWin10ESU = 0
$Win1022H2 = "19045"
$ReqPatch = "5131"
$win10_Y1_ESU = "f520e45e-7413-4a34-a497-d2765967d094"
$win10_Y2_ESU = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
$win10_Y3_ESU = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
$win10_Y1_Key = "Your-Year-1-ESU-Key-Here"
$win10_Y2_Key = "Your-Year-2-ESU-Key-Here"
$win10_Y3_Key = "Your-Year-3-ESU-Key-Here"
function Test-ESUKey {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [string]$Key
    )
    # Look the key up by its last five characters (the partial product key)
    $PartialKey = $Key.Substring($Key.Length - 5)
    $Licensed = Get-WmiObject -Query ('SELECT ID, Name, OfflineInstallationId, ProductKeyID FROM SoftwareLicensingProduct where PartialProductKey = "{0}"' -f $PartialKey)
    # Check if the key is activated (LicenseStatus 1 = licensed)
    $ActivationStatus = Get-WmiObject -Query ('SELECT LicenseStatus FROM SoftwareLicensingProduct where PartialProductKey = "{0}"' -f $PartialKey)
    if ($Licensed -and $ActivationStatus.LicenseStatus -eq 1) {
        Write-Verbose "ESU key is valid and activated."
        return $true
    } else {
        if (!$Licensed) {
            Write-Verbose "No valid ESU key found"
        } else {
            Write-Verbose "Valid ESU key found"
        }
        If ($ActivationStatus.LicenseStatus -ne 1) {
            Write-Verbose "ESU key is not activated."
        }
        return $false
    }
}
#prerequisites
$OSVersion = $OSCurrentersion.CurrentBuild
if ($OSVersion -eq $Win1022H2) {
    Write-Output "This system is running Windows 10 22H2 (19045). Current version: $OSVersion"
    [byte]$CanApplyWin10ESU = $CanApplyWin10ESU -bor 0x1
    if (($OSCurrentersion.CurrentBuildRevision -ge $ReqPatch) -or ($OSCurrentersion.UBR -ge $ReqPatch)) {
        Write-Output "This system has the required patch KB5046613 (19045.5131) installed."
        [byte]$CanApplyWin10ESU = $CanApplyWin10ESU -bor 0x2
    }
}
#end prerequisites
If ($CanApplyWin10ESU -eq 0x3) {
    Write-Output "This system meets the prerequisites for Windows 10 ESU."
} Else {
    Write-Output "This system does not meet the prerequisites for Windows 10 ESU. Current version: $OSVersion, Current patch: $($OSCurrentersion.CurrentBuildRevision) Required version: $Win1022H2, Required patch: $ReqPatch"
    exit 0 # Exiting without checking the ESU activation status and NOT triggering the remediation script!
}
$ESUY1Status = Test-ESUKey -Key $win10_Y1_Key -Verbose
Write-Verbose "Y1 ESU key status is $ESUY1Status"
If ($win10_Y2_Key -and $win10_Y2_Key -ne "Your-Year-2-ESU-Key-Here") {
    $ESUY2Status = Test-ESUKey -Key $win10_Y2_Key -Verbose
} else {
    $ESUY2Status = $null # No Year 2 ESU key provided
}
Write-Verbose "Y2 ESU key status is $ESUY2Status"
If ($win10_Y3_Key -and $win10_Y3_Key -ne "Your-Year-3-ESU-Key-Here") {
    $ESUY3Status = Test-ESUKey -Key $win10_Y3_Key -Verbose
} else {
    $ESUY3Status = $null # No Year 3 ESU key provided
}
Write-Verbose "Y3 ESU key status is $ESUY3Status"
If (($null -ne $ESUY2Status) -and ($null -ne $ESUY3Status)) {
    If ($ESUY1Status -and $ESUY2Status -and $ESUY3Status) {
        Write-Output "Y1, Y2, and Y3 ESU keys are valid and activated."
        exit 0 # All ESU keys are valid and activated
    } Else {
        Write-Output "Not all ESU keys are valid or activated."
        exit 1 # Not all ESU keys are valid or activated
    }
} elseif ($null -ne $ESUY2Status) {
    If ($ESUY1Status -and $ESUY2Status) {
        Write-Output "Y1 and Y2 ESU keys are valid and activated."
        exit 0 # All ESU keys are valid and activated
    } Else {
        Write-Output "Not all ESU keys are valid or activated."
        exit 1 # Not all ESU keys are valid or activated
    }
} else {
    If ($ESUY1Status) {
        Write-Output "Y1 ESU key is valid and activated."
        exit 0 # Y1 ESU key is valid and activated
    } Else {
        Write-Output "Y1 ESU key is not valid or activated."
        exit 1 # Y1 ESU key is not valid or activated
    }
}
Download Win10ESUActivation-detect.ps1
<# This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.
THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce #
and distribute the object code form of the Sample Code, provided that You agree: (i) to not use Our name, logo, or trademarks to market
Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code
is embedded; and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees,
that arise or result from the # use or distribution of the Sample Code.
#>
$win10_Y1_ESU = "f520e45e-7413-4a34-a497-d2765967d094"
$win10_Y2_ESU = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
$win10_Y3_ESU = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
$win10_Y1_Key = "Your-Year-1-ESU-Key-Here"
$win10_Y2_Key = "Your-Year-2-ESU-Key-Here"
$win10_Y3_Key = "Your-Year-3-ESU-Key-Here"
# Results for the keys that were actually configured; unconfigured years are skipped
$Results = @()
function Test-ESUKey {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [string]$Key
    )
    # Look the key up by its last five characters (the partial product key)
    $PartialKey = $Key.Substring($Key.Length - 5)
    $Licensed = Get-WmiObject -Query ('SELECT ID, Name, OfflineInstallationId, ProductKeyID FROM SoftwareLicensingProduct where PartialProductKey = "{0}"' -f $PartialKey)
    # Check if the key is activated (LicenseStatus 1 = licensed)
    $ActivationStatus = Get-WmiObject -Query ('SELECT LicenseStatus FROM SoftwareLicensingProduct where PartialProductKey = "{0}"' -f $PartialKey)
    if ($Licensed -and $ActivationStatus.LicenseStatus -eq 1) {
        Write-Verbose "ESU key is valid and activated."
        return $true
    } else {
        if (!$Licensed) {
            Write-Verbose "No valid ESU key found"
        } else {
            Write-Verbose "Valid ESU key found"
        }
        If ($ActivationStatus.LicenseStatus -ne 1) {
            Write-Verbose "ESU key is not activated."
        }
        return $false
    }
}
If ($win10_Y1_Key -and $win10_Y1_Key -ne "Your-Year-1-ESU-Key-Here") {
    # Year 1 ESU Key
    slmgr /ipk $($win10_Y1_Key)
    Start-Sleep -Seconds 30
    slmgr /ato $($win10_Y1_ESU)
    Start-Sleep -Seconds 120
    $ESUY1Status = Test-ESUKey -Key $win10_Y1_Key
    $Results += $ESUY1Status
    If ($ESUY1Status -eq $true) {
        Write-Output "Year 1 ESU Key is valid and activated."
    } else {
        Write-Output "Year 1 ESU Key is not valid or not activated."
    }
}
If ($win10_Y2_Key -and $win10_Y2_Key -ne "Your-Year-2-ESU-Key-Here") {
    # Year 2 ESU Key
    slmgr /ipk $($win10_Y2_Key)
    Start-Sleep -Seconds 30
    slmgr /ato $($win10_Y2_ESU)
    Start-Sleep -Seconds 120
    $ESUY2Status = Test-ESUKey -Key $win10_Y2_Key
    $Results += $ESUY2Status
    If ($ESUY2Status -eq $true) {
        Write-Output "Year 2 ESU Key is valid and activated."
    } else {
        Write-Output "Year 2 ESU Key is not valid or not activated."
    }
}
If ($win10_Y3_Key -and $win10_Y3_Key -ne "Your-Year-3-ESU-Key-Here") {
    # Year 3 ESU Key
    slmgr /ipk $($win10_Y3_Key)
    Start-Sleep -Seconds 30
    slmgr /ato $($win10_Y3_ESU)
    Start-Sleep -Seconds 120
    $ESUY3Status = Test-ESUKey -Key $win10_Y3_Key
    $Results += $ESUY3Status
    If ($ESUY3Status -eq $true) {
        Write-Output "Year 3 ESU Key is valid and activated."
    } else {
        Write-Output "Year 3 ESU Key is not valid or not activated."
    }
}
# Succeed only when at least one key was configured and every configured key is
# activated. Requiring all three statuses would always fail while only the
# Year 1 (or Year 1 and 2) key is filled in.
If ($Results.Count -gt 0 -and $Results -notcontains $false) {
    Write-Output "All ESU keys are valid and activated."
    exit 0 # All configured ESU keys are valid and activated
} else {
    Write-Output "Not all ESU keys are valid or activated."
    exit 1 # Not all ESU keys are valid or activated
}
Download Win10ESUActivation-remediate.ps1
Additionally, I want to point out that the detection script also validates the Windows version and patch level.
If the device does not meet the prerequisites the script exits with a 0. This will report the device as without an issue and does not trigger the remediation script.
If you want to track devices that do not meet the prerequisites via the detection script, you will need to update the script to throw an error rather than exit. This will give you a non-successful status without running the remediation script.
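One way to make that change, shown as an added example rather than one of the author's scripts: the prerequisite check moves into a function that throws a message naming the requirement that failed. `Assert-ESUPrerequisite` is a hypothetical name, and the build and revision are parameters so the logic can be exercised with constructed values.

```powershell
# Added example: prerequisite check for the detection script that throws
# instead of exiting 0, so devices that fail it surface with an error.
$Win1022H2 = 19045   # Windows 10 22H2 build number
$ReqPatch  = 5131    # revision delivered by KB5046613 (19045.5131)

function Assert-ESUPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$CurrentBuild,
        # The revision value may be missing; $null is treated as revision 0.
        [AllowNull()] $UBR
    )
    $build = 0
    if (-not [int]::TryParse($CurrentBuild, [ref]$build)) {
        throw "Cannot parse CurrentBuild value '$CurrentBuild'."
    }
    $revision = if ($null -ne $UBR) { [int]$UBR } else { 0 }

    if ($build -ne $Win1022H2) {
        throw "Not Windows 10 22H2: build $($build), required $($Win1022H2)."
    }
    if ($revision -lt $ReqPatch) {
        throw "KB5046613 or later is missing: found $($build).$($revision), required $($Win1022H2).$($ReqPatch)."
    }
    Write-Verbose "Prerequisites met: $($build).$($revision)"
}

# Constructed values (not real device data) showing each outcome.
$cases = @(
    @{ CurrentBuild = '19045'; UBR = 5131 },   # meets both prerequisites
    @{ CurrentBuild = '19045'; UBR = 4894 },   # 22H2, patch level too low
    @{ CurrentBuild = '19044'; UBR = 6000 }    # not 22H2
)
foreach ($case in $cases) {
    try {
        Assert-ESUPrerequisite @case
        "OK:   $($case.CurrentBuild).$($case.UBR)"
    } catch {
        "FAIL: $($_.Exception.Message)"
    }
}

# In the detection script the call is made without try/catch, in place of the
# "exit 0" branch, so the error terminates the script before any key check:
#   $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
#   Assert-ESUPrerequisite -CurrentBuild $cv.CurrentBuild -UBR $cv.UBR
```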
Win32 Application:
For the Win32 Application, we need a group to target, a custom detection script, and an install script packaged to upload.
For the group, the same considerations apply as outlined for the Remediation group.
The detection and installation scripts are very similar to the scripts for the Remediation process, just adjusted for use in a Win32 Application.
<# This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.
THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce #
and distribute the object code form of the Sample Code, provided that You agree: (i) to not use Our name, logo, or trademarks to market
Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code
is embedded; and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees,
that arise or result from the # use or distribution of the Sample Code.
#>
$win10_Y1_ESU = "f520e45e-7413-4a34-a497-d2765967d094"
$win10_Y2_ESU = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
$win10_Y3_ESU = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
$win10_Y1_Key = "Your-Year-1-ESU-Key-Here"
$win10_Y2_Key = "Your-Year-2-ESU-Key-Here"
$win10_Y3_Key = "Your-Year-3-ESU-Key-Here"
# Results for the keys that were actually configured; unconfigured years are skipped
$Results = @()
function Test-ESUKey {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [string]$Key
    )
    # Look the key up by its last five characters (the partial product key)
    $PartialKey = $Key.Substring($Key.Length - 5)
    $Licensed = Get-WmiObject -Query ('SELECT ID, Name, OfflineInstallationId, ProductKeyID FROM SoftwareLicensingProduct where PartialProductKey = "{0}"' -f $PartialKey)
    # Check if the key is activated (LicenseStatus 1 = licensed)
    $ActivationStatus = Get-WmiObject -Query ('SELECT LicenseStatus FROM SoftwareLicensingProduct where PartialProductKey = "{0}"' -f $PartialKey)
    if ($Licensed -and $ActivationStatus.LicenseStatus -eq 1) {
        Write-Verbose "ESU key is valid and activated."
        return $true
    } else {
        if (!$Licensed) {
            Write-Verbose "No valid ESU key found"
        } else {
            Write-Verbose "Valid ESU key found"
        }
        If ($ActivationStatus.LicenseStatus -ne 1) {
            Write-Verbose "ESU key is not activated."
        }
        return $false
    }
}
If ($win10_Y1_Key -and $win10_Y1_Key -ne "Your-Year-1-ESU-Key-Here") {
    # Year 1 ESU Key
    $ESUY1Status = Test-ESUKey -Key $win10_Y1_Key
    If ($ESUY1Status -eq $true) {
        Write-Output "Year 1 ESU Key is valid and activated."
    } else {
        Write-Output "Installing and Activating Year 1 ESU Key."
        slmgr /ipk $($win10_Y1_Key)
        Start-Sleep -Seconds 30
        slmgr /ato $($win10_Y1_ESU)
        Start-Sleep -Seconds 120
    }
    $ESUY1Status = Test-ESUKey -Key $win10_Y1_Key
    $Results += $ESUY1Status
    If ($ESUY1Status -eq $true) {
        Write-Output "Year 1 ESU Key is valid and activated."
    } else {
        Write-Output "Year 1 ESU Key is not valid or not activated."
    }
}
If ($win10_Y2_Key -and $win10_Y2_Key -ne "Your-Year-2-ESU-Key-Here") {
    # Year 2 ESU Key
    $ESUY2Status = Test-ESUKey -Key $win10_Y2_Key
    If ($ESUY2Status -eq $true) {
        Write-Output "Year 2 ESU Key is valid and activated."
    } else {
        Write-Output "Installing and Activating Year 2 ESU Key."
        slmgr /ipk $($win10_Y2_Key)
        Start-Sleep -Seconds 30
        slmgr /ato $($win10_Y2_ESU)
        Start-Sleep -Seconds 120
    }
    $ESUY2Status = Test-ESUKey -Key $win10_Y2_Key
    $Results += $ESUY2Status
    If ($ESUY2Status -eq $true) {
        Write-Output "Year 2 ESU Key is valid and activated."
    } else {
        Write-Output "Year 2 ESU Key is not valid or not activated."
    }
}
If ($win10_Y3_Key -and $win10_Y3_Key -ne "Your-Year-3-ESU-Key-Here") {
    # Year 3 ESU Key
    $ESUY3Status = Test-ESUKey -Key $win10_Y3_Key
    If ($ESUY3Status -eq $true) {
        Write-Output "Year 3 ESU Key is valid and activated."
    } else {
        Write-Output "Installing and Activating Year 3 ESU Key."
        slmgr /ipk $($win10_Y3_Key)
        Start-Sleep -Seconds 30
        slmgr /ato $($win10_Y3_ESU)
        Start-Sleep -Seconds 120
    }
    $ESUY3Status = Test-ESUKey -Key $win10_Y3_Key
    $Results += $ESUY3Status
    If ($ESUY3Status -eq $true) {
        Write-Output "Year 3 ESU Key is valid and activated."
    } else {
        Write-Output "Year 3 ESU Key is not valid or not activated."
    }
}
# Succeed only when at least one key was configured and every configured key is
# activated. Falling back to the Year 1 status alone would report success even
# when a configured Year 2 or Year 3 key failed to activate.
If ($Results.Count -gt 0 -and $Results -notcontains $false) {
    Write-Output "All ESU keys are valid and activated."
    exit 0 # All configured ESU keys are valid and activated
} else {
    Write-Output "Not all ESU keys are valid or activated."
    exit 1 # Not all ESU keys are valid or activated
}
<# This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.
THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce #
and distribute the object code form of the Sample Code, provided that You agree: (i) to not use Our name, logo, or trademarks to market
Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code
is embedded; and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees,
that arise or result from the # use or distribution of the Sample Code.
#>
# Requirements Windows 10 22H2 and KB5046613 (19045.5131) https://learn.microsoft.com/en-us/windows/whats-new/enable-extended-security-updates#prerequisites
$OSCurrentersion = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[byte]$CanApplyWin10ESU = 0
$Win1022H2 = "19045"
$ReqPatch = "5131"
$win10_Y1_ESU = "f520e45e-7413-4a34-a497-d2765967d094"
$win10_Y2_ESU = "1043add5-23b1-4afb-9a0f-64343c8f3f8d"
$win10_Y3_ESU = "83d49986-add3-41d7-ba33-87c7bfb5c0fb"
$win10_Y1_Key = "Your-Year-1-ESU-Key-Here"
$win10_Y2_Key = "Your-Year-2-ESU-Key-Here"
$win10_Y3_Key = "Your-Year-3-ESU-Key-Here"
function Test-ESUKey {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [string]$Key
    )
    # Look the key up by its last five characters (the partial product key)
    $PartialKey = $Key.Substring($Key.Length - 5)
    $Licensed = Get-WmiObject -Query ('SELECT ID, Name, OfflineInstallationId, ProductKeyID FROM SoftwareLicensingProduct where PartialProductKey = "{0}"' -f $PartialKey)
    # Check if the key is activated (LicenseStatus 1 = licensed)
    $ActivationStatus = Get-WmiObject -Query ('SELECT LicenseStatus FROM SoftwareLicensingProduct where PartialProductKey = "{0}"' -f $PartialKey)
    if ($Licensed -and $ActivationStatus.LicenseStatus -eq 1) {
        Write-Verbose "ESU key is valid and activated."
        return $true
    } else {
        if (!$Licensed) {
            Write-Verbose "No valid ESU key found"
        } else {
            Write-Verbose "Valid ESU key found"
        }
        If ($ActivationStatus.LicenseStatus -ne 1) {
            Write-Verbose "ESU key is not activated."
        }
        return $false
    }
}
#prerequisites
$OSVersion = $OSCurrentersion.CurrentBuild
if ($OSVersion -eq $Win1022H2) {
    Write-Verbose "This system is running Windows 10 22H2 (19045). Current version: $OSVersion"
    [byte]$CanApplyWin10ESU = $CanApplyWin10ESU -bor 0x1
    if (($OSCurrentersion.CurrentBuildRevision -ge $ReqPatch) -or ($OSCurrentersion.UBR -ge $ReqPatch)) {
        Write-Verbose "This system has the required patch KB5046613 (19045.5131) installed."
        [byte]$CanApplyWin10ESU = $CanApplyWin10ESU -bor 0x2
    }
}
#end prerequisites
If ($CanApplyWin10ESU -eq 0x3) {
    Write-Verbose "This system meets the prerequisites for Windows 10 ESU."
} Else {
    Write-Output "This system does not meet the prerequisites for Windows 10 ESU. Current version: $OSVersion, Current patch: $($OSCurrentersion.CurrentBuildRevision) Required version: $Win1022H2, Required patch: $ReqPatch"
    exit 1 # Exiting without checking the ESU activation status; this will trigger the install, but that script will exit out as well.
}
$ESUY1Status = Test-ESUKey -Key $win10_Y1_Key -Verbose #Verbose commented out for Win32 detection; if testing manually, it may be uncommented for tracing
Write-Verbose "Y1 ESU key status is $ESUY1Status"
If ($win10_Y2_Key -and $win10_Y2_Key -ne "Your-Year-2-ESU-Key-Here") {
    $ESUY2Status = Test-ESUKey -Key $win10_Y2_Key -Verbose
} else {
    $ESUY2Status = $null # No Year 2 ESU key provided
}
Write-Verbose "Y2 ESU key status is $ESUY2Status"
If ($win10_Y3_Key -and $win10_Y3_Key -ne "Your-Year-3-ESU-Key-Here") {
    $ESUY3Status = Test-ESUKey -Key $win10_Y3_Key -Verbose
} else {
    $ESUY3Status = $null # No Year 3 ESU key provided
}
Write-Verbose "Y3 ESU key status is $ESUY3Status"
If (($null -ne $ESUY2Status) -and ($null -ne $ESUY3Status)) {
    If ($ESUY1Status -and $ESUY2Status -and $ESUY3Status) {
        Write-Output "Y1, Y2, and Y3 ESU keys are valid and activated."
        exit 0 # All ESU keys are valid and activated
    } Else {
        Write-Output "Not all ESU keys are valid or activated."
        exit 1 # Not all ESU keys are valid or activated
    }
} elseif ($null -ne $ESUY2Status) {
    If ($ESUY1Status -and $ESUY2Status) {
        Write-Output "Y1 and Y2 ESU keys are valid and activated."
        exit 0 # All ESU keys are valid and activated
    } Else {
        Write-Output "Not all ESU keys are valid or activated."
        exit 1 # Not all ESU keys are valid or activated
    }
} else {
    If ($ESUY1Status) {
        Write-Output "Y1 ESU key is valid and activated."
        exit 0 # Y1 ESU key is valid and activated
    } Else {
        Write-Output "Y1 ESU key is not valid or activated."
        exit 1 # Y1 ESU key is not valid or activated
    }
}
Download Win10ESU-detection.ps1
Both scripts have placeholders for your ESU keys:
$win10_Y1_Key = "Your-Year-1-ESU-Key-Here"
$win10_Y2_Key = "Your-Year-2-ESU-Key-Here"
$win10_Y3_Key = "Your-Year-3-ESU-Key-Here"
Simply update the values with your keys for each year that you are in the program.
If you are new to creating Win32 Applications, the install source needs to be prepared for upload: Prepare a Win32 app to be uploaded to Microsoft Intune | Microsoft Learn
When you create the application the command line for the install will be:
powershell.exe -noprofile -file .\win10ESU-install.ps1
Be sure to update the file name if you rename the sample script to match the name you use.
You will also need to supply an uninstall command. Many times, for a package like this that will not be uninstalled, this is set to a non-existent placeholder like uninstall.bat. But if you needed to remove the key the command line would be:
slmgr /upk
You would replace the placeholder with the key you need to remove.
One tip on using PowerShell scripts in an install command: while Intune manages the runtime environment of the detection scripts, the install command line will use the normal PowerShell environment. This means that if your execution policy does not allow unsigned scripts (the default execution policy), any script in the command line will immediately fail. I was reminded of this while testing on fresh virtual machines that had me scratching my head for a while, muttering “It works on my machine, it cannot be the code”. 😁
To address this, set the execution policy to remote signed or bypass. While most environments will already be managing this setting, if you are not, Intune can be used to manage it. You can create a configuration profile in Intune using a Settings Catalog (Windows Components > PowerShell) and the Turn on Script Execution setting. When you enable the setting, it will allow you to specify the desired PowerShell execution policy.
Congratulations, you now have the Windows 10 ESU Key(s) installed and activated. While the scripts used in the process will validate that the key is installed and activated, if you need to manually verify the state of a device you can use the slmgr.vbs and the Activation ID for the year that you want to check:
| ESU Program | Activation ID |
| --- | --- |
| Win10 ESU Year1 | f520e45e-7413-4a34-a497-d2765967d094 |
| Win10 ESU Year2 | 1043add5-23b1-4afb-9a0f-64343c8f3f8d |
| Win10 ESU Year3 | 83d49986-add3-41d7-ba33-87c7bfb5c0fb |
Slmgr /dlv
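The same check can be scripted against the SoftwareLicensingProduct WMI class that Test-ESUKey already queries. This is an added example, not one of the author's scripts: it looks each year up by the Activation ID listed above, so no product key has to be present in the script. `ConvertTo-ESUState` and `Get-ESUActivationState` are hypothetical names.

```powershell
# Added example: report Windows 10 ESU activation state per year by Activation ID.
$EsuActivationIds = [ordered]@{
    'Win10 ESU Year1' = 'f520e45e-7413-4a34-a497-d2765967d094'
    'Win10 ESU Year2' = '1043add5-23b1-4afb-9a0f-64343c8f3f8d'
    'Win10 ESU Year3' = '83d49986-add3-41d7-ba33-87c7bfb5c0fb'
}

# LicenseStatus values of the SoftwareLicensingProduct class.
$LicenseStatusName = @{
    0 = 'Unlicensed';      1 = 'Licensed';     2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}

# Pure mapping from a licensing product object (or $null) to a status row.
function ConvertTo-ESUState {
    param(
        [Parameter(Mandatory)] [string]$Program,
        [Parameter(Mandatory)] [string]$ActivationId,
        $Product   # SoftwareLicensingProduct instance, or $null if the SKU is absent
    )
    $keyInstalled = [bool]($Product -and $Product.PartialProductKey)
    $status       = $null
    $statusName   = 'SkuNotFound'
    if ($Product) {
        # CIM returns UInt32; cast so the Int32 hashtable keys match.
        $status = [int]$Product.LicenseStatus
        $statusName = if ($LicenseStatusName.ContainsKey($status)) {
            $LicenseStatusName[$status]
        } else {
            "Unknown($status)"
        }
    }
    [pscustomobject]@{
        Program       = $Program
        ActivationId  = $ActivationId
        KeyInstalled  = $keyInstalled
        LicenseStatus = $statusName
        # Same success condition as Test-ESUKey: key present and LicenseStatus 1.
        Activated     = ($keyInstalled -and $status -eq 1)
    }
}

function Get-ESUActivationState {
    foreach ($entry in $EsuActivationIds.GetEnumerator()) {
        $query = @{
            ClassName   = 'SoftwareLicensingProduct'
            Filter      = "ID = '{0}'" -f $entry.Value
            ErrorAction = 'Stop'
        }
        $product = Get-CimInstance @query | Select-Object -First 1
        ConvertTo-ESUState -Program $entry.Key -ActivationId $entry.Value -Product $product
    }
}

# Constructed sample objects (not real device data) to show the mapping offline.
$year1Id = $EsuActivationIds['Win10 ESU Year1']
$samples = @(
    [pscustomobject]@{ PartialProductKey = 'ABCDE'; LicenseStatus = [uint32]1 },  # activated
    [pscustomobject]@{ PartialProductKey = 'ABCDE'; LicenseStatus = [uint32]5 },  # key installed, not activated
    [pscustomobject]@{ PartialProductKey = $null;   LicenseStatus = [uint32]0 }   # no key installed
)
$samples | ForEach-Object {
    ConvertTo-ESUState -Program 'Win10 ESU Year1' -ActivationId $year1Id -Product $_
} | Format-Table Program, KeyInstalled, LicenseStatus, Activated -AutoSize

# On a Windows device, query the live licensing store.
if ($env:OS -eq 'Windows_NT') {
    Get-ESUActivationState | Format-Table Program, KeyInstalled, LicenseStatus, Activated -AutoSize
}
```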
If you are wondering how patching will work with the ESU program, and whether there will be any special steps for the security patches released under the ESU program, good news: just continue to patch your devices as you do today. When the ESU patches are targeted to a device that has the appropriate key installed and activated, the patch can be installed. When the ESU patches are targeted to a device that does not have the ESU key installed and activated, the patches will not be applicable and will not attempt to install.
Hopefully you found this useful and until next time, wishing you quick and successful upgrade projects.