Problems with Windows 10 Extended Updates working inconsistently

Hi Tom Esker,

The behavior you are seeing on both the domain-joined and the problematic non-joined system stems from a conflict between the activation channel (your Microsoft Account/Consumer ESU subscription) and the update authority (how Windows is configured to look for updates).

Since you are using a Microsoft Account to manage these licenses (rather than a Volume Licensing MAK key or Azure Arc), you are effectively using the "Consumer/Small Business" ESU path. Here is how to fix both:

1. The Domain-Joined System (Stopped working after 1 month)

The error "Your device is no longer receiving security updates" on a domain-joined machine is almost always caused by Group Policy overriding the activation check. Even if you signed in with your MSA, a domain-joined PC usually has a Group Policy setting pointing it to a local WSUS server (or SCCM) for updates. When the PC checks for the ESU entitlement, the "UseWUServer" policy forces it to ask your local server instead of Microsoft's public servers. Your local server doesn't know about your personal ESU subscription, so the check fails, and the license drops.

To fix, you must tell this specific machine to bypass the local WSUS server to validate its license.

Open Registry Editor (regedit) as Administrator. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Look for UseWUServer. Change it from 1 to 0. (Or delete the key). Restart the Windows Update service (net stop wuauserv then net start wuauserv). Go to Settings > Update & Security > Activation. It should re-sync the entitlement against the public Microsoft servers.

2. The Non-Domain Problem Machine (Never worked)

The fact that you deleted it from your Microsoft Account devices list and "it is not getting automatically added back" is the smoking gun. If the device does not appear in your cloud portal, the hardware fingerprint has not been registered, so Microsoft refuses to send the ESU license to it.

• Root Cause 1: Telemetry is Disabled The "Consumer ESU" requires a minimum level of telemetry to validate the hardware ID. If you used a privacy tool or script to "block spying," you broke the ESU registration.

Check Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection

Ensure AllowTelemetry is NOT set to 0. It must be 1 (Basic) or higher.

• Root Cause 2: The Sign-In Assistant is Broken The service responsible for syncing your machine to account.microsoft.com is likely disabled.

Open services.msc. Find Microsoft Account Sign-in Assistant. Ensure it is set to Manual or Automatic and is currently Running.

• Root Cause 3: Missing the "Preparation Package" Just having "all updates" isn't enough. There is a specific, separate patch required to trigger the ESU client code.

Verify you have installed the Licensing Preparation Package for Windows 10 ESU (KB5001716 or newer variant). Without this specific KB, the OS doesn't know how to consume the subscription.

3. How to verify if it worked (The "Truth" Command)

Don't rely on the GUI. Use the command line to see the actual license status. Open Command Prompt as Admin and run: slmgr /dlv

Look for a section named "Windows 10, ESU-Year1..." (or similar Add-on).

If it says "Licensed": You are good.

If it says "Notification" or "Unlicensed": The handshake failed.

If the section is missing entirely: The Licensing Preparation Package is not installed.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to ACCEPT ANSWER. Should you have more questions, feel free to leave a message. Have a nice day!

VP

Hi Tom,

Thank you for the feedback. We are narrowing this down significantly. The absolute "smoking gun" here remains this specific symptom: "The system is still not added back to account.microsoft.com/devices".

If the device is not visible in your Microsoft Account dashboard, the Microsoft ESU cloud service technically "does not know" the computer exists. Consequently, it will never send the digital license (the ESU blob) down to the client, which is why slmgr /dlv remains empty. The OS is waiting for a license file that the cloud refuses to generate because the device registration handshake is failing.

Here is the fix:

Step 1: Force Device Re-Registration (The "Switch" Method)

Simply signing out and back in is often not enough to trigger the device-add event in the Microsoft backend. We need to completely sever the link and re-establish it to force a new Device ID generation.

Perform this on both the Non-Domain and Domain-Joined machines:

Go to Settings > Accounts > Your Info. Click "Sign in with a local account instead". Follow the prompts to create a temporary local password and sign out. Reboot the computer. Log back in with the local account.

Go back to Settings > Accounts > Your Info and click "Sign in with a Microsoft account instead". Complete the login process.

Once signed in, go to Settings > Accounts > Email & accounts. Look for your MSA listed there. If you see a button that says "Fix me" or "Verify", you must click it.

Wait 15 minutes, then check your browser at account.microsoft.com/devices to see if the machine has appeared.

Step 2: Reset the Client License Service (ClipSVC)

Since you are using the Consumer ESU (which works like a Windows Store subscription rather than a classic MAK Key), the Client License Service (ClipSVC) is responsible for handling the entitlement token. If the local token cache is corrupted (which matches the symptom of the domain machine working for a month and then dying), it will stop checking for updates.

Open Services.msc and stop the Client License Service (ClipSVC). Navigate to C:\ProgramData\Microsoft\Windows\ClipSVC.

Delete the contents of this folder (specifically the tokens.dat file). Navigate to C:\ProgramData\Microsoft\Windows\AppRepository.

You may be denied access. If so, taking ownership is messy. Instead, skip deleting AppRepository for now and focus on ClipSVC. Restart the Client License Service. Reboot the machine.

Step 3: Verify the Preparation Package (KB Number Check)

You mentioned Get-HotFix -Id KB5072653. I want to double-check this because KB5001716 is the official "Update for Windows 10 User Interface functionality" that is widely documented to facilitate the ESU trigger. Please run Get-HotFix | findstr 5001716. If it is missing, check for updates manually or download it from the catalog. Without this specific UI/Servicing handler, the OS often doesn't know how to interpret the ESU subscription flag.

Step 4: The Domain-Joined Specific Fix (Dual Scan)

For the domain-joined machine that stopped working: removing UseWUServer was the correct first step, but Group Policy has a habit of leaving "tattooed" registry keys that conflict with cloud updates (Dual Scan).

Open Registry Editor and check this specific path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Delete these keys if they exist:

DoNotConnectToWindowsUpdateInternetLocations

DisableWindowsUpdateAccess

Then, force the ESU license check manually via PowerShell (Admin):

Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_EnterpriseModernAppManagement_AppManagement01

usoclient StartScan

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

VP

Thanks much again for your detailed reply!

"Sign in with a local" then "Sign in with Microsoft" account worked on all three computers to get them added back to my list of Microsoft Devices (and I figured out these options are only available when signed in with a local non/admin account) - but ESU is still not available on any of them. I even took ownership pf the C:\ProgramData\Microsoft\Windows\AppRepository folder and deleted as many files and folders as I could but got a message that some were in use so could not delete those.

KB5001716 is not available for download in the catalog or anywhere else that I could find. When I google "Licensing Preparation Package for Windows 10 ESU" it lists KB5072653 which is why I installed this newer versin instead.

I followed all other steps above on all 3 computers.

Any other suggestions?

The fact that the machines have successfully reappeared in your Microsoft Account (account.microsoft.com/devices) confirms the hardware fingerprint (Device ID) is finally registered in the backend. The reason you still don't see the ESU license in slmgr /dlv or Windows Update is likely due to license propagation latency and local cache staleness.

Unlike a traditional Volume License (MAK) which activates instantly, the Consumer ESU functions like a digital entitlement (similar to a Windows Store license). There is often a delay (sometimes up to 24 hours) between the device registering in the cloud and the specific "ESU Add-on" license token downloading to the client.

To force that token download now that the registration link is active:

1. The "Activation Troubleshooter" (The Trigger)

Since the device is now registered, you need to force Windows to fetch the entitlements associated with that MSA. slmgr is passive; the Troubleshooter is active.

Go to Settings > Update & Security > Activation.

You should see your Windows 10 Pro status. Look for the "Troubleshoot" link (usually appears if there are activation glitches, but sometimes hidden if the OS thinks it's fine).

Note: Even if "Troubleshoot" isn't there, verify the text says "Windows is activated with a digital license linked to your Microsoft account".

If the text just says "Digital License" without mentioning the account, the link is weak. Click "Add an account" to re-confirm the MSA credentials explicitly on this screen.

2. Repair the "Software Distribution" and "Catroot2" (Clear the Negative Cache)

Your machines have repeatedly asked Windows Update for ESU and been told "No" for days. Windows caches this "No" response. Now that the device is registered (the answer should be "Yes"), you must clear the history so it asks fresh.

Open Command Prompt as Administrator.

Run the following commands strictly in order:

net stop wuauserv

net stop cryptsvc

net stop bits

net stop msiserver

ren C:\Windows\SoftwareDistribution SoftwareDistribution.old

ren C:\Windows\System32\catroot2 catroot2.old

net start wuauserv

net start cryptsvc

net start bits

net start msiserver

Do not check for updates yet. Proceed to Step 3.

3. Repair the Client License Service (ClipSVC) Permissions

Since you attempted to modify/delete C:\ProgramData\Microsoft\Windows\AppRepository, permissions might be inconsistent. The Consumer ESU license is a "ClipSVC" token, which lives in that folder. If the service cannot write the new license file there, activation fails silently.

We need to reset the ACLs (Access Control Lists) for that folder to default.

Open Command Prompt as Administrator and run:

icacls "C:\ProgramData\Microsoft\Windows\AppRepository" /reset /T /C /Q

Once done, restart the computer.

4. The "Seeker" Check

After the reboot:

1. Sign in with the MSA (or the local account linked to the MSA).
2. Wait 5 minutes (let the background services start).
3. Go to Settings > Update & Security > Windows Update.
4. Click Check for Updates.
5. Watch closely: You are not just looking for "Security Update." You are looking for a specific small download often labeled "Extended Security Updates (ESU) Licensing Preparation Package" or a generic "Configuration Update."
6. If nothing appears, run this command to force the Modern Licensing check: wsreset.exe (This resets the Store cache, which shares the backend pipe with Consumer ESU entitlements).

If you have performed the "Local -> MSA" switch and the device is in the browser dashboard, you have done the hard part. If the steps above do not trigger the update within 24 hours, the issue is almost certainly on Microsoft's backend synchronization (which is common with the Consumer ESU program). The entitlement often lags behind the device registration.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!