Category
planForChange
Severity
normal
Major change
True
Last modified
2025-11-08 00:44:14
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
2025-11-11 17:00:00
Action by (AI)
โ
Services
Windows
Tags
Admin impact
Master tags
Security
Roadmap IDs
One-line summary
Admins must deploy a custom policy via Intune or MDM to enable Windows 10 ESU for Windows 365 Cloud PCs before November 11, 2025, to receive the November security update.
Similar updates
More like thisMC1172447 Windows 10 has reached end of support
Organizations with devices running Windows 10, version 22H2 have the option to enroll in the Extended Security Updates (ESU) program to maintain security coverage. Upgrade eligible devices to Windows 11 using solutions like Microsoft Intune, Windows Autopatch, or Windows Autopilot. Additional information: Stay secure with Windows 11, ....
MC1115160 90-Day Reminder: Windows 10, version 22H2 end of servicing and Windows 10 2015 LTSB end of support
Organizations with devices running Windows 10, version 22H2 have the option to enroll in the Extended Security Updates (ESU) program to maintain security coverage. Additional information: Stay secure with Windows 11, Copilot+ PCs and Windows 365 before support ends for Windows 10 Enable Extended Security Updates (ESU) Windows 10 release.
MC1152188 30-Day Reminder: Windows 10, version 22H2 will reach end of servicing on October 14, 2025
Organizations with devices running Windows 10, version 22H2 have the option to enroll in the Extended Security Updates (ESU) program to maintain security coverage. Additional information: Stay secure with Windows 11, Copilot+ PCs and Windows 365 before support ends for Windows 10 Windows 10 reaching end of support Enable Extended Security.
MC1135159 60-Day Reminder: Windows 10, version 22H2 will reach end of servicing on October 14, 2025
Organizations with devices running Windows 10, version 22H2 have the option to enroll in the Extended Security Updates (ESU) program to maintain security coverage. Additional information: Stay secure with Windows 11, Copilot+ PCs and Windows 365 before support ends for Windows 10 Enable Extended Security Updates (ESU) Windows 10 release.
MC1182993 Preparing commercial Windows 10 devices for ESUs
N... What you need to do to prepare: Follow the steps in the new guide to locate MAK keys, activate ESU licenses on each applicable device, prepare devices used by people with Windows 365 Cloud PC and Azure Virtual Desktop licenses, and verify enrollment. What you need to do to prepare: Follow the steps in the new guide to locate MAK keys,.
MC1182678 Feature updates Policy Change: Deprecating Option for Windows 10 Feature Updates on Devices Ineligible for Windows 11
[What you need to do to prepare:] If you plan to upgrade devices to Windows 10 22H2 to enable Extended Security Updates (ESU), you can continue to use the Feature Update workflow in Intune and programmatic controls via Graph API until the deprecation date. Additional Information and details will also be included on docs.microsoft.com post.
Details
Body (from Message Center)
Windows 10 devices accessing Windows 365 Enterprise Cloud PCs and Windows 365 Frontline (Dedicated) Cloud PCs are automatically entitled to Windows 10 Extended Security Updates (ESU) under certain conditions. IT administrators must use Microsoft Intune or another MDM provider to deploy a custom policy that helps verify whether a device is enrolled in the Windows 10 ESU subscription program.
Action is required in order for these devices to install the upcoming November 2025 Windows security update, which will be available on November 11, 2025. Learn more about this change at Enable Windows 10 Extended Security Updates (ESU) for clients accessing cloud and virtual machines.
When will this happen:
The upcoming November 2025 Windows security update will be available on November 11, 2025. It's necessary to take action prior to this date, in order for devices to be eligible for this update.
Entitlement to ESU is available for qualifying devices any time, however, we advise taking action prior to November 11 in order to receive this month's update and remain protected.
How this will affect your organization:
Windows 10 devices accessing Windows 365 Enterprise Cloud PCs and Windows 365 Frontline Cloud PCs in dedicated mode are automatically entitled to ESU for the duration of the ESU offer if the user has an active Windows 365 Enterprise license assigned or Windows 365 Frontline Cloud PC in dedicated mode provisioned, provided the following conditions are met:
- IT administrators must deploy a custom policy that enables the EnableESUSubscriptionCheck flag. This policy helps verify whether a device is enrolled in the Windows 10 ESU subscription program. Microsoft Intune or another MDM provider can be used to deploy this custom policy. See the documentation To configure EnableESUSubscriptionCheck flag with Intune and the resources in the Additional Information section, below.
- The local Windows 10 device is either Microsoft Entra joined or Microsoft Entra hybrid joined.
- Users must sign in to their physical Windows 10 device using the same Microsoft Entra ID account they use for Windows 365 Cloud PCs at least once every 22 days to maintain eligibility for ESU updates on that device.
Please also note the following:
- Physical devices that are only Microsoft Entra registered or on-premises Active Directory joined are not eligible for this Windows 365 ESU entitlement.
- Personal or BYOD devices that aren't managed by the organization and are only Microsoft Entra registered will not qualify for this entitlement. These devices should be enrolled via the Consumer ESU program. An eligible user can activate up to 10 devices.
What you need to do to prepare:
Ensure that the Windows 10 devices across your organization meet the above requirements in order to continue to be protected under the ESU offering. We advise taking action prior to November 11 in order to remain protected. See the Additional information section for details and resources.
Additional information:
- Enable Windows 10 Extended Security Updates (ESU) for clients accessing cloud and virtual machines - Learn more about this change
- To configure EnableESUSubscriptionCheck flag with Intune - Learn about the custom policy that enables the EnableESUSubscriptionCheck flag
- What is Microsoft Entra? - Microsoft Entra joined devices
- What is Windows 365?
- Windows 10 Consumer Extended Security Updates (ESU)
Raw JSON (for debugging)
Expand/collapse the full payload below.
Show/hide raw
{
"snapshot_item": {
"action_required_by": "2025-11-11T17:00:00Z",
"ai_action_required_by": null,
"ai_actions": [
"Deploy custom policy to enable ESU subscription check",
"Ensure devices are Entra joined or hybrid joined",
"Verify users sign in with Entra ID at least every 22 days"
],
"ai_master_tags": [
"Security"
],
"ai_model": "gpt-4.1",
"ai_summary": "Admins must deploy a custom policy via Intune or MDM to enable Windows 10 ESU for Windows 365 Cloud PCs before November 11, 2025, to receive the November security update.",
"ai_topics": [
"Windows",
"Windows 365",
"Intune",
"Entra"
],
"category": "planForChange",
"details_map": {},
"id": "MC1183612",
"importance": 5,
"is_major_change": true,
"last_modified": "2025-11-08T00:44:14Z",
"ms_products": [
"Windows"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Windows"
],
"severity": "normal",
"tags": [
"Admin impact"
],
"title": "Action Required to Enable Extended Security Update for local devices accessing Windows 365"
}
}