Windows 10 ESU Licensing and Auditing

Purpose

This solution provides automated auditing of Windows 10 Extended Security Updates (ESU) license status across Windows 10 22H2 machines using NinjaOne platform. It includes functionality to track activation status and optionally deploy ESU licenses when needed.

References:

Associated Content

Custom Fields

Content	Type	Available Options	Function
cPVAL ESU Status	Text		Stores the endpoint's ESU status fetched by the ESU License Activation Detection script
cPVAL ESU Key	Text		Stores the ESU license key for activation of Windows 10 extended use
cPVAL ESU Year	Drop-down	`1`, `2`, `3`	Stores the ESU license key year validation

Automations

Content	Function
ESU License Activation Detection	Checks ESU license activation status and updates the ESU Status custom field
Windows 10 ESU License Upgrade	Applies ESU license on Windows 10 22H2 systems

Groups

Content	Function
cPVAL Windows 10 22H2	Contains Windows 10 22H2 machines for ESU auditing
cPVAL Win10 ESU Activated	Dynamic group of Windows 10 devices with activated ESU
cPVAL Win10 ESU Not Activated	Dynamic group of Windows 10 devices without ESU activation

Tasks

Content	Function
Windows 10 22H2 ESU Audit	Daily scheduled task that runs ESU License Activation Detection script on Windows 10 22H2 machines

Implementation

Step 1

Create the following custom fields:

Step 2

Create the following automations:

Step 3

Create the following groups:

Step 4

Create the Windows 10 22H2 ESU Audit scheduled task to run daily ESU status checks.

Step 5

To activate ESU on machines:

Set the ESU Key and ESU Year values at organization/location/device level
Run the Windows 10 ESU License Upgrade automation on target devices
Monitor the ESU activation status through dynamic groups.

Frequently Asked Questions

Q: What is Windows 10 ESU?

A: Extended Security Updates (ESU) for Windows 10 provides critical security updates after Windows 10's end of support date. This helps organizations maintain security compliance while planning their Windows 11 migration.

Q: How do I know if ESU is activated on a device?

A: You can check the ESU activation status in two ways:

View the cPVAL ESU Status custom field value for the device
Check if the device appears in the cPVAL Win10 ESU Activated dynamic group

Q: How often is the ESU status checked?

A: The ESU status is checked daily through the Windows 10 22H2 ESU Audit scheduled task that runs at 11:30 AM.

Q: Can I exclude specific devices from ESU deployment?

A: Yes, you can manage ESU deployment at three levels:

Organization level: Set default ESU key and year
Location level: Override organization settings if needed
Device level: Configure specific settings for individual devices

Q: What happens if ESU activation fails?

A: If activation fails:

The device will appear in the cPVAL Win10 ESU Not Activated group
The cPVAL ESU Status field will indicate the failure reason
You can retry activation by running the Windows 10 ESU License Upgrade automation again

Q: Can I automate the ESU license deployment?

A: Yes, you can:

Configure the ESU key and year at the desired level (organization/location/device)
Create a scheduled task using the Windows 10 ESU License Upgrade automation
Target the cPVAL Win10 ESU Not Activated group

Purpose​

Associated Content​

Custom Fields​

Automations​

Groups​

Tasks​

Implementation​

Step 1​

Step 2​

Step 3​

Step 4​

Step 5​

Frequently Asked Questions​

Q: What is Windows 10 ESU?​

Q: How do I know if ESU is activated on a device?​

Q: How often is the ESU status checked?​

Q: Can I exclude specific devices from ESU deployment?​

Q: What happens if ESU activation fails?​

Q: Can I automate the ESU license deployment?​