فا
MSLicenseHub
windows · reference
🛡️

Windows 10 Enterprise

Windows 10 Enterprise — Volume Licensing, Microsoft 365 E3/E5 entitlement, LTSC 2021, and the commercial ESU path through 2028.

WINDOWS 10 ENTERPRISE
On this page

Editions · channels · activation · audit notes · FAQs

Editions covered
4
Edition matrix with feature differences and the right audience.
In-depth sections
5
Channels, activation, audit, modern management & more.
FAQs answered
6
Common questions buyers and IT admins ask before purchase.
Words of reference
0.6k
Plain-English, no vendor agenda, updated to current Product Terms.
Edition matrix

Pick the right edition

Each edition targets a specific scale and feature set. Match the workload, not the price tag.

Edition 1
Enterprise

Standard volume-licensed Enterprise on the historical Semi-Annual Channel.

Edition 2
Enterprise LTSC 2021

Long-Term Servicing Channel. Security updates only through 12 January 2027.

Edition 3
Enterprise E3 (per user)

Per-user subscription via Microsoft 365 E3 — covers up to five devices per user.

Edition 4
Enterprise E5 (per user)

Per-user subscription via Microsoft 365 E5 — adds Defender for Endpoint P2, Entra ID P2, Purview.

Side-by-side

Edition comparison

Heuristic capability matrix derived from each edition's intended use. For binding commitments, always confirm against the current Product Terms.

CapabilityEnterpriseEnterprise LTSC 2021Enterprise E3 (per user)Enterprise E5 (per user)
Target audienceEnterpriseEnterpriseEnterpriseEnterprise
Domain / Entra join
Virtualisation rights
Advanced security
Centralised management
Volume Licensing path
Deep dive

Windows 10 Enterprise — what to actually know

Windows 10 Enterprise was the volume-licensed flagship of the Windows 10 family and remains the SKU under the largest concentration of formal Volume Licensing agreements at most enterprises. With mainstream support ended on 14 October 2025, every Windows 10 Enterprise device must either be migrated to Windows 11 Enterprise, enrolled in the commercial Extended Security Updates programme (up to three years through October 2028), or shifted to a cloud-rendered session model (Windows 365, Azure Virtual Desktop) where the local OS is no longer the security boundary. This page covers what Enterprise still provides today and the practical decisions facing teams managing it.

01

What Enterprise adds on top of Pro

Credential Guard, Microsoft Defender Application Guard for Edge, Windows Defender Application Control (WDAC) tooling, AppLocker with full enterprise management, DirectAccess (deprecated but still shipping), Windows Information Protection, the Long-Term Servicing Channel option (LTSC 2021), Microsoft Desktop Optimisation Pack (MDOP) entitlements where still applicable, and the Microsoft 365 Apps for Enterprise activation paths. Several of these features physically exist in Pro binaries but only activate with an Enterprise licence; SAM tools detect the mismatch and flag it in audit reports.

02

LTSC 2021 — still the right answer for some devices

Windows 10 Enterprise LTSC 2021 is a separate SKU with a five-year mainstream support window (through 12 January 2027) intended for special-purpose devices: medical imaging, industrial controllers, ATMs, kiosks, point-of-sale terminals. It receives only security and quality updates — no feature updates, no Edge, no Store, no Cortana. LTSC is deliberately inappropriate for general-purpose information-worker PCs (Microsoft has been explicit about this for years) and Volume Licensing typically caps the percentage of an estate that can be LTSC. For fixed-function devices that cannot be re-certified often, LTSC 2021 remains the right answer until the hardware is retired.

03

Commercial Extended Security Updates

Commercial ESU for Windows 10 Enterprise is sold per device for up to three years (through 14 October 2028). Year one is the cheapest tier; year two roughly doubles; year three roughly doubles again. ESU ships security updates rated Critical and Important only — no feature updates, no quality fixes for non-security defects, no driver updates and no design changes. Enrolment is via Volume Licensing or CSP and stacks on top of an existing Enterprise licence. For most organisations, ESU is a planned bridge over a hardware refresh or a Windows 11 migration, not a long-term residence — by year three the per-device price is significantly higher than the amortised cost of new hardware.

04

Microsoft 365 E3/E5 and the migration path

Organisations already on Microsoft 365 E3 or E5 have Windows 11 Enterprise included as a per-user benefit on up to five devices. The cheapest, cleanest migration plan for most shops is: validate critical line-of-business apps against Windows 11, refresh or in-place-upgrade qualifying hardware, and let Microsoft 365 subscription activation flip the device from Windows 10 Enterprise to Windows 11 Enterprise the moment a licensed user signs in. Devices that cannot make the hardware floor either enrol in commercial ESU as a bridge or move the user to a Windows 365 Cloud PC, where the local hardware no longer matters for the OS licensing.

05

Audit and compliance posture during the transition

The window between October 2025 and October 2028 is when most large estates carry mixed Windows 10 and Windows 11 Enterprise devices, with some Windows 10 endpoints on ESU and some not. SAM tools should reconcile per-device base licences against the VLSC record and the Microsoft 365 user count, flag any unsupported Windows 10 devices without ESU enrolment, and report ESU coverage by year so that finance can plan the year-two and year-three budget impact accurately. Audit findings during this period almost always cluster around forgotten-about ESU gaps on machines IT thought had already been retired.

By channel

Where to buy this product

Relative fit of each licensing channel for typical buyers of this product. Calibrate against your own scale and renewal strategy.

Channel fit (typical buyer)
Retail / FPP7
OEM (pre-installed only)9
Volume Licensing9
CSP / Microsoft 3658
Retail / FPPIndividuals & small teams

Boxed or ESD keys, transferable, registered to a Microsoft account.

Volume LicensingMid-market & enterprise

MAK / KMS activation, centralized VLSC, optional Software Assurance.

CSP / Microsoft 365Subscription, per user

Monthly / annual seats, managed through partner or admin center.

OEM is not a buying channel for end users. OEM keys are supplied pre-installed by hardware manufacturers and are not sold standalone — choose Retail, Volume or CSP instead.
Support timeline

Lifecycle phases to plan against

Windows desktop licensing has three legitimate routes — Retail FPP, OEM pre-installation on new hardware, and Volume Licensing for organisations. Pick the wrong one and you either overpay (Retail for fleet) or break the rules (OEM after the fact).

Phase 1
General availability
Launch day

Edition matrix opens across Retail, OEM (system builders) and Volume Licensing channels. Initial servicing channel is the General Availability Channel (GAC).

Phase 2
Mainstream support
Years 1–5

Monthly cumulative updates, feature updates once a year, free non-security fixes, and warranty-grade incident support for organisations with the right agreement.

Phase 3
Extended support
Years 5–10

Security updates only. No new features, no design changes. Paid Unified Support is the only break-fix path for organisations.

Phase 4
End of support
Beyond year 10

Extended Security Updates (ESU) can be purchased for one to three additional years, with sharply rising per-device pricing. After ESU, every new CVE is permanent.

Procurement checklist

Do this, not that

The small set of decisions that determine whether you overpay, fail an audit, or land in the right place.

DO

Standardise the whole fleet on the same edition (typically Pro or Enterprise) and use Volume Licensing re-image rights on top of OEM.

DON'T

Mix Home and Pro across the same office to save a few dollars — domain join, BitLocker and Intune all silently break on Home.

DO

Verify TPM 2.0 and Secure Boot are switched on in firmware before deployment; both are required for Windows 11 and for serious BitLocker use.

DON'T

Use the unsupported registry bypass for production machines — they will not receive feature updates and Microsoft documents this explicitly.

DO

Use a Microsoft account or Entra ID account at first sign-in so the digital entitlement is recorded against the hardware.

DON'T

Activate a Retail key on multiple machines 'just for a few days' — the entitlement migrates and the original device immediately deactivates.

DO

For 6+ devices, move to Volume Licensing or a Microsoft 365 plan that includes Windows Enterprise per user.

DON'T

Buy stacks of Retail FPP boxes for a corporate rollout — the per-device cost and management overhead never recover.

Typical deployments

How buyers actually use Windows 10 Enterprise

Three reference deployments — find the closest match and adapt rather than starting from zero.

Scenario 1
Solo founder / consultant

A single laptop running client work — Pro is the floor. BitLocker, Hyper-V for testing, and the ability to join a future Entra tenant when the team grows. Retail FPP is the right channel until you cross five seats.

Scenario 2
Growing SMB (10–100 seats)

OEM Pro on every new device, Microsoft 365 Business Premium for the management layer, Intune for policy. You get Defender, conditional access and automated patching without standing up a domain controller.

Scenario 3
Enterprise fleet (500+ seats)

Enterprise Agreement with Windows Enterprise E3 or E5, Autopilot for zero-touch provisioning, Autopatch for the update train, and LTSC only for the narrow set of fixed-function devices that genuinely need it.

Cost optimisation

Where the savings actually live

None of these are tricks — they are the same levers Microsoft's own licensing specialists pull on every renewal.

💰
Layer OEM under Volume Licensing

Buy hardware with OEM Pro pre-installed (cheapest first licence) and add Volume Licensing or Microsoft 365 on top for re-imaging rights and Enterprise features. You only pay the upgrade delta, not the full retail stack.

📊
Use Microsoft 365 E3/E5 for Enterprise

Windows 11 Enterprise is included with M365 E3/E5 per-user — if you already pay for the bundle, paying again for standalone Enterprise licences is double-spend.

🎯
Plan Copilot+ rollouts around policy first

Recall and on-device AI features ship gated behind enterprise policy. Stand up the Intune policy set before rolling hardware so you do not have to retroactively disable features.

Counterfeit & risk

Red flags when buying second-hand

These four signals show up in every counterfeit-licence case we have seen. If any of them is present, walk away — no discount makes it worthwhile.

01
Standalone OEM key sold below market

OEM keys are distributed only pre-installed on hardware and stay bound to that device for life. A separately sold OEM key is almost certainly leaked, harvested from scrapped hardware, or fully counterfeit.

02
Lifetime key with no invoice or VLSC record

Microsoft entitlement always leaves a paper trail — a Volume Licensing Service Center record, a CSP invoice, a sealed Retail box with a COA, or a Microsoft Store order. No proof = no defence in an audit.

03
Key works once, then 'not genuine' after the next cumulative update

Classic symptom of a MAK key that has exceeded its activation pool, or a KMS key being abused outside its volume programme. Microsoft revokes these centrally; the activation grace period is short.

04
Seller refuses to put the entitlement in your tenant

Legitimate CSPs and LARs transfer the licence into your Microsoft 365 / Azure / VLSC tenant under your domain. If the seller insists on activating 'for you' on their account, you do not own anything.

Acronyms

Licensing terms used on this page

Quick definitions — the full glossary lives at /en/glossary if you need to dig deeper.

CSP

Cloud Solution Provider — Microsoft's primary indirect channel for subscriptions and cloud services.

VLSC

Volume Licensing Service Center — the portal where Volume Licensing keys, agreements and downloads live.

MAK

Multiple Activation Key — a Volume Licensing key with a finite activation count, used for isolated machines.

KMS

Key Management Service — an on-premises activation host that activates clients on a 180-day re-check cycle.

EA

Enterprise Agreement — Microsoft's largest commitment-based volume contract, typically a 3-year term with annual true-ups.

SA

Software Assurance — the upgrade-and-benefits add-on to Volume Licensing; required for new version rights and several mobility scenarios.

Browse the full glossary →
FAQ

Frequently asked questions

Is Windows 10 Enterprise still supported?+
Mainstream support ended 14 October 2025. Devices remain supported only under the commercial ESU programme through October 2028, or under LTSC 2021 through January 2027 for that specific SKU.
Does our Microsoft 365 E3 subscription cover ESU?+
It does not. ESU is purchased separately per device. The E3 subscription does, however, license Windows 11 Enterprise — making the migration path the cheaper choice on compatible hardware.
Can we mix LTSC 2021 and current-channel Enterprise?+
Yes, and most large estates do — LTSC for the fixed-function minority, current channel for the rest. Volume Licensing terms typically cap the LTSC share of the estate.
What happens to features we already deployed when we move to ESU?+
Nothing — ESU is purely a security-update extension. Existing Enterprise features (Credential Guard, AppLocker, WDAC, BitLocker) continue to function unchanged.
Where can I legitimately buy a license?+
Through Microsoft's Retail channel, an authorised Cloud Solution Provider (CSP), or a Volume Licensing partner (MPSA, Enterprise Agreement, Open Value, Server & Cloud Enrollment). OEM keys are distributed only pre-installed by hardware manufacturers and stay bound to that device for life — they are not sold to end users as standalone products. Anyone offering a 'cheap OEM key' as a standalone download is, by definition, operating outside Microsoft's distribution terms.
What gets checked in a Microsoft licensing audit?+
Auditors map every installed copy to a proof of purchase (VLSC record, CSP invoice, sealed Retail FPP), verify edition alignment (features used must match the licensed edition), and confirm CAL counts cover the maximum number of authenticated users or devices during the audit window. Small variances usually resolve with a true-up; large gaps escalate to Software Asset Management engagements and back-billing at list price.
Related

Other products in this category

🪟
Windows 11 Pro

Windows 11 Pro — editions, hardware floor, activation models, and the right licensing channel for business and power users.

Read reference →
🪟
Windows 11 Home

Windows 11 Home — the consumer edition of Windows 11: features, limitations, hardware floor, and when you should upgrade to Pro.

Read reference →
🛡️
Windows 11 Enterprise

Windows 11 Enterprise — the volume-only edition: Credential Guard, Application Guard, LTSC option, Autopatch and the Microsoft 365 E3/E5 bundle.

Read reference →