Understanding Extended Security Updates (ESU) for Windows 10: Azure Virtual Desktop (AVD) Deployment Scenarios

Overview

Microsoft’s Extended Security Updates (ESU) program supplies critical and important security updates for eligible Windows 10 Enterprise and Education devices after the end of support (EOS) on October 14, 2025. This document explains how ESU entitlement, activation, and administration work for deployments using Azure Virtual Desktop (AVD), with focus on supported models, entitlement checks, policies, and technical implementation steps relevant for IT admins and customers planning for Windows 10 lifecycle management.

References:

  • Enable Extended Security Updates for Windows
  • Windows 10 ESU for Windows 365
  • Windows 10 ESU for AVD

1. ESU Entitlement Models

ESU works differently based on deployment scenario:

  • Azure Virtual Desktop (AVD): Windows 10 multi-session and single-session virtual machines in Azure Virtual Desktop (across commercial, government, and education tenants) are automatically eligible for ESU. No additional license purchase or activation is required.
  • Windows 365 Cloud PCs: For existing Cloud PCs running Windows 10, version 22H2 in Azure, ESUs are available at no additional cost.
  • Physical/Other Endpoints: ESU coverage via Windows 365 license is possible for the underlying device used to connect to a licensed Cloud PC.

2. ESU Entitlement and Activation Logic

2.1 Azure Virtual Desktop (AVD)

  • Automatic Coverage: Personal and pooled session hosts running supported Windows 10 version 22H2 images receive ESU entitlement automatically. No ESU keys or manual activation are required—the host is recognized as eligible at scan time and receives ESU patches accordingly.

    There are two Windows 10, version 22H2 client multi-session images in Azure Marketplace: one with Microsoft 365 Apps and one without. The image with Microsoft 365 Apps will be retired and removed from Azure Marketplace on April 14, 2026, while the image without Microsoft 365 Apps will remain until 2028.

    The image with Microsoft 365 Apps requires manual ESU installation from October 2025 to April 2026, while the image without Microsoft 365 Apps needs manual ESU installation from October 2025 to 2028 to stay current.

  • No Per-Session/User Limit: All session hosts in AVD, regardless of how many VMs or users, are eligible if the pool is active and in a supported region. More details: Windows 10 Extended Security Updates for Azure Virtual Desktop - Azure Virtual Desktop Blog

3. Administration, Policy & Opt-In Controls

  • Explicit Policy Enablement: Devices require explicit ESU policy enablement (via Microsoft Intune policy or registry configuration) before they can begin receiving ESU updates. For policy details, see Enable Windows 10 Extended Security Updates (ESU) for clients accessing cloud and virtual machines | Microsoft Learn.
  • Assignments & Enforcement: IT Admins are responsible for ensuring ESU policies are configured and correctly scoped to eligible devices; improper configuration may result in devices missing eligible ESU.
  • User/Device Limits: ESU entitlements are calculated per user and allow up to 10 eligible devices per user, in accordance with current policy.
  • Reporting: After October 15, 2025, user-to-device ESU mapping and reporting are no longer available through Microsoft administrative tooling.

4. Technical Implementation Steps

For AVD / Azure-based VMs

  • Confirm Service Eligibility: Ensure the VM is running in an eligible service (such as AVD or Windows 365 in Azure).
  • No Key or Purchase Needed: Entitlement is automatic with no need to buy keys or insert licenses.
  • Update Management: Continue using Windows Update for Business, Autopatch, WSUS, or Intune/SCCM for patching.
  • VM Image Hygiene: Regularly update golden images to get latest ESU releases before deployment.
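The steps above describe what to verify on an Azure-hosted session host but give no concrete check. The following PowerShell script is an added example, written for this page and not taken from the article or from Microsoft's own tooling. Run inside a Windows 10 session host, it confirms the OS is the supported 22H2 build (19045, read from the CurrentVersion registry key), looks for the ESU enablement policy value, and lists quality updates installed after the October 14, 2025 end-of-support date as evidence that ESU patches are actually arriving. The ESU policy registry path and value name are deliberate placeholders and an assumption: take the real ones from the Microsoft Learn article referenced in section 3.

```powershell
<#
  Added example: in-guest ESU readiness check for a Windows 10 AVD session host.
  Not part of the original article and not a Microsoft-provided tool.
#>

# ASSUMPTION / PLACEHOLDER: the ESU enablement policy location is not named on
# this page. Replace both values with the path and value name documented in the
# Microsoft Learn ESU policy article before use.
$EsuPolicyPath  = 'HKLM:\SOFTWARE\Policies\<ESU-POLICY-PATH-FROM-LEARN-ARTICLE>'
$EsuPolicyValue = '<ESU-POLICY-VALUE-NAME-FROM-LEARN-ARTICLE>'

# Windows 10 end of support; updates installed after this date are ESU updates.
$EndOfSupport   = Get-Date -Year 2025 -Month 10 -Day 14

function Get-Win10EsuReadiness {
    # Build identity comes from the registry rather than [Environment]::OSVersion,
    # which can be manifest-dependent on older hosts.
    $nt      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$nt.CurrentBuild
    $is22H2  = ($build -eq 19045)          # Windows 10, version 22H2
    $isWin10 = ($build -ge 10240 -and $build -lt 22000)

    # Policy presence (value exists) - scoping errors usually show up here.
    $policy    = Get-ItemProperty -Path $EsuPolicyPath -Name $EsuPolicyValue -ErrorAction SilentlyContinue
    $policySet = ($null -ne $policy)

    # Quality updates installed after EOS: the practical sign that ESU is flowing.
    $postEos = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt $EndOfSupport -and $_.Description -match 'Update' } |
        Sort-Object InstalledOn -Descending

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ProductName         = $nt.ProductName
        DisplayVersion      = $nt.DisplayVersion      # e.g. 22H2
        Build               = "$build.$($nt.UBR)"
        IsWindows10         = $isWin10
        Is22H2              = $is22H2
        EsuPolicyConfigured = $policySet
        PostEosUpdates      = ($postEos | ForEach-Object { $_.HotFixID }) -join ','
        LastPostEosUpdate   = if ($postEos) { $postEos[0].InstalledOn } else { $null }
        # Ready only when the OS is 22H2 and the policy is in place; a missing
        # post-EOS update is a warning (patch may simply not be released yet).
        Ready               = ($is22H2 -and $policySet)
    }
}

Get-Win10EsuReadiness | Format-List
```

Run it under an elevated session on a sample host from each host pool before rolling a golden image; a host that reports Is22H2 as False is outside the eligible image set described in section 2, and one with EsuPolicyConfigured as False is the scoping problem section 3 warns about.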

5. Best Practices

  • Prioritize Windows 11 Migration: Use ESU for Windows 10 only when hardware limitations or workload dependencies prevent an upgrade to Windows 11.
  • Rigorous Device Tracking: Maintain your own records of ESU-eligible endpoints, because no central admin enumeration is available after October 2025.
  • Automate Where Possible: Automate ESU eligibility checks, policy assignment, and patch deployment wherever possible, particularly in dynamic or shared device environments.
  • Review Policy Scope Regularly: Periodically review Group Policy and MDM scoping to ensure ESU is applied only to eligible endpoints. Retired, repurposed, or decommissioned devices should be explicitly excluded.
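The device-tracking and automation practices above assume an inventory the organisation keeps itself. The following script is an added example, not the article's own and not a Microsoft tool: it uses the Az.DesktopVirtualization module to enumerate every session host in every AVD host pool visible to the signed-in account, records the OS version AVD reports for each host, flags which ones are on Windows 10 22H2 (build 19045) and which are on an older, non-eligible Windows 10 build, and writes the result to CSV as a dated ESU eligibility record. It assumes Az.Accounts and Az.DesktopVirtualization are installed and Connect-AzAccount has already been run; the output file name and the column layout are this example's own choices.

```powershell
<#
  Added example: build a local ESU eligibility record of AVD session hosts.
  Not part of the original article; assumes Az.Accounts + Az.DesktopVirtualization
  and an existing Connect-AzAccount session.
#>
param(
    # Output path is this example's choice; adjust to your records location.
    [string]$OutFile = ".\avd-esu-inventory-$(Get-Date -Format 'yyyyMMdd').csv"
)

$captured = (Get-Date).ToString('s')

$rows = foreach ($pool in Get-AzWvdHostPool) {
    # Resource group is segment 4 of the host pool resource ID
    # (/subscriptions/{sub}/resourceGroups/{rg}/providers/...).
    $rg = ($pool.Id -split '/')[4]

    foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool.Name) {
        # AVD reports OSVersion like "10.0.19045.xxxx"; pull the build number.
        $build = 0
        if ($sh.OSVersion -match '^10\.0\.(\d+)') { $build = [int]$Matches[1] }

        [pscustomobject]@{
            HostPool        = $pool.Name
            HostPoolType    = $pool.HostPoolType          # Pooled / Personal
            SessionHost     = ($sh.Name -split '/')[-1]   # strip "hostpool/" prefix
            VmResourceId    = $sh.ResourceId
            OSVersion       = $sh.OSVersion
            Win10_22H2      = ($build -eq 19045)          # eligible image set
            Win10_Older     = ($build -ge 10240 -and $build -lt 19045)  # needs attention
            Windows11       = ($build -ge 22000)
            Status          = $sh.Status
            AllowNewSession = $sh.AllowNewSession
            Captured        = $captured
        }
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation

# Quick summary for the operator; the CSV is the durable record.
$rows | Group-Object Win10_22H2, Win10_Older, Windows11 |
    Select-Object Count, Name |
    Format-Table -AutoSize
Write-Host "Inventory written to $OutFile ($($rows.Count) session hosts)"
```

Schedule this to run on the same cadence as your policy scope review; diffing successive CSVs shows hosts that appeared or disappeared, which is the simplest way to catch decommissioned or repurposed hosts that should be removed from ESU policy scope, and any host flagged Win10_Older is outside the 22H2 image set and needs an image refresh rather than an ESU policy.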