92 is half of 99

Windows 10 ESU: Free security updates even after the end of support

Are you still using Windows 10 and worried about what will happen after the official support end? Don't panic! Microsoft offers a way to continue receiving free security updates through the Consumer Extended Security Updates (ESU) program. And the best part: You can easily sign up for it with a PowerShell script.

What is the Consumer ESU Program?

The Consumer ESU program is Microsoft's answer to the concerns of millions of Windows 10 users. Instead of being completely without updates after the support end, you can still get important security updates via the free ‘backup’ option. Interesting here: The backup feature doesn't even need to be enabled, and you don't even need a Microsoft account for it.

What do you need for this?

Before you get started, make sure your system meets the requirements:

  • The right update: You need at least the cumulative update 2025-07 KB5061087 (Build 19045.6036) or later
  • Admin rights: The script must be run as an administrator
  • Internet connection: Logically, for registration with the ESU service
  • No geo-blocking: Unfortunately, some countries are excluded (Russia, Belarus, Iran, Cuba, North Korea, Syria, Sudan, Lebanon, Venezuela)
  • Consumer ESU feature enabled: This is what the script does automatically for you.

How does the script work?

The clever thing about this PowerShell script is that it tries different sign-in paths in case one doesn't work:

  1. First, it tries to sign in using your currently signed in Microsoft account
  2. If that doesn't work, try the Microsoft Store account.
  3. Next, try logging in through your local user account
  4. The last option is to manually obtain a Consumer ESU license

This order ensures that in most cases one of the options works.

The easy use for beginners

If you don't have much on your hat with the command line, this is the easiest way:

  1. Download: Click on GitHub at abbodie1406 or here on ‘Download ZIP“ and downloads the files
  2. Unpacking: Pack all files from the ZIP file into a folder of your choice
  3. Execute: Right click on Consumer_ESU_Enrollment_run.cmd and select "Run as administrator"

That was it! The script runs through all options and logs in automatically.

Important note: If the script had to activate the ESU function first, it will ask you to close the session. In this case, simply close the command line window and run the script again.

Extended use via the command line

For those who want more control, there are several parameters you can use to control the behavior of the script:

Use command line

Open the command line as administrator in the folder where you unpacked the files and run the script with desired parameters:

Consumer_ESU_Enrollment_run.cmd -Store -Proceed

For example, this command would only try and do the Microsoft Store sign-in, even if you're already signed in.

Consumer_ESU_Enrollment_run.cmd -Local

Here you would only try to log in via your local account.

Consumer_ESU_Enrollment_run.cmd -License

This option gets an ESU license directly without trying to log in.

Consumer_ESU_Enrollment_run.cmd -Remove

If you want to remove the ESU license, this is your order.

PowerShell for more flexibility

Alternatively, you can work directly with PowerShell. Open PowerShell as administrator in your script folder and activate the execution of unsigned scripts for this session:

Set-ExecutionPolicy Bypass -Scope Process -Force

Then you can run the actual script:

.\Consumer_ESU_Enrollment.ps1

Or with specific parameters:

.\Consumer_ESU_Enrollment.ps1 -Store -Proceed

The different parameters in detail

Here are all the available options you can use:

  • -online: Just try signing in through your Microsoft account and cancel if that doesn't work
  • Store: Focuses exclusively on the Microsoft Store account
  • -Local: Use only your local Windows user account to sign in
  • -License: Get an ESU license directly, whether you are already registered or not
  • -Remove: Completely removes an existing ESU license
  • -Proceed: This parameter is particularly practical – it forces the script to perform the login even if you are already logged in

Important: You can only use one of the first five parameters at a time. Only -Proceed can be combined with the login parameters to force a new login with another token.

If the Consumer ESU feature is not yet activated

Don't worry if the feature isn't available on your system yet. The script will automatically try to activate it. If this works, you will have to close the PowerShell session and run the script again for the changes to take effect.

Manual activation of the feature (for professionals)

If you prefer to activate the feature manually, here is the guide:

  1. Set registry entry: Opens the command line as administrator and executes this command:
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v 4011992206 /t REG_DWORD /d 2 /f
  1. Enable Scheduled Tasks: Opens PowerShell as administrator and inserts these commands:
$TN = "ReconcileFeatures"; $TP = "\Microsoft\Windows\Flighting\FeatureConfig\"; $null = Enable-ScheduledTask $TN $TP Start-ScheduledTask $TN $TP; while ((Get-ScheduledTask $TN $TP).State.value__ -eq 4) {start-sleep -sec 1}; "Task Completed" $TN = "UsageDataFlushing"; $TP = "\Microsoft\Windows\Flighting\FeatureConfig\"; $null = Enable-ScheduledTask $TN $TP Start-ScheduledTask $TN $TP; while ((Get-ScheduledTask $TN $TP).State.value__ -eq 4) {start-sleep -sec 1}; "Task Completed"
  1. restart: Restart your system for the changes to take effect.
  2. verification: After restarting, you reopen the command line as administrator and execute these commands:
cmd /c ClipESUConsumer.exe -evaluateEligibility reg.exe query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ConsumerESU"

The second command should show you an ESUEligibility value that is not zero. If the value is 0x0 or does not exist at all, the activation did not work, and you will have to wait for the official wide availability.

Bypass geo-blocking (if necessary)

If you live in or temporarily stay in one of the blocked countries, there is a workaround:

  1. Temporarily change region: Go to the Windows settings under "Time and Language > Region" and temporarily change your country to a non-blocked country (e.g. Germany with the Geo-ID 244).

Alternatively, you can do this via PowerShell:

Set-WinHomeLocation -GeoId 244
  1. Execute script: Runs the login script as described above.
  2. Verify success: Ensures that the ‘ESU Eligibility state’ is displayed as ‘DeviceEnrolled / SUCCESS’.
  3. Disable Scheduled Task: Opens the command line as administrator and executes this command:
SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Clip\ClipESUConsumer"
  1. Reset region: Restore your original region.

conclusion

With this script you can easily sign up for the free Extended Security Updates of Windows 10. The best part is the flexibility – the script will try different sign-in paths automatically, but you still have control over the exact process through the different parameters.

Keep in mind that this is a free option to keep your Windows 10 system safe even after the official support end. It's definitely worth using this option before switching to Windows 11 or looking for alternative solutions.

tip: It's best to test the script now so you can be sure that everything works if you really need the updates!

Stephan
| |
| |
to the top | homepage | to search