Action Required to Enable Extended Security Update for local devices accessing Windows 365

Originally posted by Microsoft Nov 7, 2025 Uncategorized 0 Comments

Windows 10 devices accessing Windows 365 Enterprise Cloud PCs and Windows 365 Frontline (Dedicated) Cloud PCs are automatically entitled to ESU under certain conditions. IT administrators must use Microsoft Intune or another MDM provider to deploy a custom policy that helps verify whether a device is enrolled in the Windows 10 ESU subscription program.

Action is required in order for these devices to install the upcoming November 2025 Windows security update, which will be available on November 11, 2025. Learn more about this change at Enable Windows 10 Extended Security Updates (ESU) for clients accessing cloud and virtual machines.
When will this happen:
The upcoming November 2025 Windows security update will be available on November 11, 2025. It’s necessary to take action prior to this date, in order for devices to be eligible for this update.
 
Entitlement to ESU is available for qualifying devices any time. We advise taking action prior to November 11 in order to receive this month’s update.
How this will affect your organization:
Windows 10 devices accessing Windows 365 Enterprise Cloud PCs and Windows 365 Frontline Cloud PCs in dedicated mode are automatically entitled to ESU for the duration of the ESU offer if the user has an active Windows 365 Enterprise license assigned or Windows 365 Frontline Cloud PC in dedicated mode provisioned, provided the following conditions are met:
  • IT administrators must deploy a custom policy that enables the EnableESUSubscriptionCheck flag. This policy helps verify whether a device is enrolled in the Windows 10 ESU subscription program. Microsoft Intune or another MDM provider can be used to deploy this custom policy. See the documentation To configure EnableESUSubscriptionCheck flag with Intune and the resources in the Additional Information section, below.
  • The local Windows 10 device is either Microsoft Entra joined or Microsoft Entra hybrid joined.
  • Users must sign in to their physical Windows 10 device using the same Microsoft Entra ID account they use for Windows 365 Cloud PCs at least once every 22 days to maintain eligibility for ESU updates on that device.
Please also note the following:
  • Physical devices that are only Microsoft Entra registered or on-premises Active Directory joined are not eligible for this Windows 365 ESU entitlement. 
  • Personal or BYOD devices that aren’t managed by the organization and are only Microsoft Entra registered will not qualify for this entitlement. These devices should be enrolled via the Consumer ESU program. An eligible user can activate up to 10 devices.
What you need to do to prepare:
Ensure that the Windows 10 devices across your organization meet the above requirements in order to continue to be protected under the ESU offering. We advise taking action prior to November 11 in order to remain protected. See the Additional information section for details and resources.
Additional information:

Message ID: MC1183612

Comments are closed.

Joao Ferreira

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: