Problems with Windows 10 Extended Updates working inconsistently

Hi Tom Esker,

The behavior you are seeing on both the domain-joined and the problematic non-joined system stems from a conflict between the activation channel (your Microsoft Account/Consumer ESU subscription) and the update authority (how Windows is configured to look for updates).

Since you are using a Microsoft Account to manage these licenses (rather than a Volume Licensing MAK key or Azure Arc), you are effectively using the "Consumer/Small Business" ESU path. Here is how to fix both:

1. The Domain-Joined System (Stopped working after 1 month)

The error "Your device is no longer receiving security updates" on a domain-joined machine is almost always caused by Group Policy overriding the activation check. Even if you signed in with your MSA, a domain-joined PC usually has a Group Policy setting pointing it to a local WSUS server (or SCCM) for updates. When the PC checks for the ESU entitlement, the "UseWUServer" policy forces it to ask your local server instead of Microsoft's public servers. Your local server doesn't know about your personal ESU subscription, so the check fails, and the license drops.

To fix, you must tell this specific machine to bypass the local WSUS server to validate its license.

Open Registry Editor (regedit) as Administrator. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Look for UseWUServer. Change it from 1 to 0. (Or delete the key). Restart the Windows Update service (net stop wuauserv then net start wuauserv). Go to Settings > Update & Security > Activation. It should re-sync the entitlement against the public Microsoft servers.

2. The Non-Domain Problem Machine (Never worked)

The fact that you deleted it from your Microsoft Account devices list and "it is not getting automatically added back" is the smoking gun. If the device does not appear in your cloud portal, the hardware fingerprint has not been registered, so Microsoft refuses to send the ESU license to it.

• Root Cause 1: Telemetry is Disabled The "Consumer ESU" requires a minimum level of telemetry to validate the hardware ID. If you used a privacy tool or script to "block spying," you broke the ESU registration.

Check Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection

Ensure AllowTelemetry is NOT set to 0. It must be 1 (Basic) or higher.

• Root Cause 2: The Sign-In Assistant is Broken The service responsible for syncing your machine to account.microsoft.com is likely disabled.

Open services.msc. Find Microsoft Account Sign-in Assistant. Ensure it is set to Manual or Automatic and is currently Running.

• Root Cause 3: Missing the "Preparation Package" Just having "all updates" isn't enough. There is a specific, separate patch required to trigger the ESU client code.

Verify you have installed the Licensing Preparation Package for Windows 10 ESU (KB5001716 or newer variant). Without this specific KB, the OS doesn't know how to consume the subscription.

3. How to verify if it worked (The "Truth" Command)

Don't rely on the GUI. Use the command line to see the actual license status. Open Command Prompt as Admin and run: slmgr /dlv

Look for a section named "Windows 10, ESU-Year1..." (or similar Add-on).

If it says "Licensed": You are good.

If it says "Notification" or "Unlicensed": The handshake failed.

If the section is missing entirely: The Licensing Preparation Package is not installed.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to ACCEPT ANSWER. Should you have more questions, feel free to leave a message. Have a nice day!

VP

Hi Tom,

Thank you for the feedback. We are narrowing this down significantly. The absolute "smoking gun" here remains this specific symptom: "The system is still not added back to account.microsoft.com/devices".

If the device is not visible in your Microsoft Account dashboard, the Microsoft ESU cloud service technically "does not know" the computer exists. Consequently, it will never send the digital license (the ESU blob) down to the client, which is why slmgr /dlv remains empty. The OS is waiting for a license file that the cloud refuses to generate because the device registration handshake is failing.

Here is the fix:

Step 1: Force Device Re-Registration (The "Switch" Method)

Simply signing out and back in is often not enough to trigger the device-add event in the Microsoft backend. We need to completely sever the link and re-establish it to force a new Device ID generation.

Perform this on both the Non-Domain and Domain-Joined machines:

Go to Settings > Accounts > Your Info. Click "Sign in with a local account instead". Follow the prompts to create a temporary local password and sign out. Reboot the computer. Log back in with the local account.

Go back to Settings > Accounts > Your Info and click "Sign in with a Microsoft account instead". Complete the login process.

Once signed in, go to Settings > Accounts > Email & accounts. Look for your MSA listed there. If you see a button that says "Fix me" or "Verify", you must click it.

Wait 15 minutes, then check your browser at account.microsoft.com/devices to see if the machine has appeared.

Step 2: Reset the Client License Service (ClipSVC)

Since you are using the Consumer ESU (which works like a Windows Store subscription rather than a classic MAK Key), the Client License Service (ClipSVC) is responsible for handling the entitlement token. If the local token cache is corrupted (which matches the symptom of the domain machine working for a month and then dying), it will stop checking for updates.

Open Services.msc and stop the Client License Service (ClipSVC). Navigate to C:\ProgramData\Microsoft\Windows\ClipSVC.

Delete the contents of this folder (specifically the tokens.dat file). Navigate to C:\ProgramData\Microsoft\Windows\AppRepository.

You may be denied access. If so, taking ownership is messy. Instead, skip deleting AppRepository for now and focus on ClipSVC. Restart the Client License Service. Reboot the machine.

Step 3: Verify the Preparation Package (KB Number Check)

You mentioned Get-HotFix -Id KB5072653. I want to double-check this because KB5001716 is the official "Update for Windows 10 User Interface functionality" that is widely documented to facilitate the ESU trigger. Please run Get-HotFix | findstr 5001716. If it is missing, check for updates manually or download it from the catalog. Without this specific UI/Servicing handler, the OS often doesn't know how to interpret the ESU subscription flag.

Step 4: The Domain-Joined Specific Fix (Dual Scan)

For the domain-joined machine that stopped working: removing UseWUServer was the correct first step, but Group Policy has a habit of leaving "tattooed" registry keys that conflict with cloud updates (Dual Scan).

Open Registry Editor and check this specific path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Delete these keys if they exist:

DoNotConnectToWindowsUpdateInternetLocations

DisableWindowsUpdateAccess

Then, force the ESU license check manually via PowerShell (Admin):

Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_EnterpriseModernAppManagement_AppManagement01

usoclient StartScan

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

VP