![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 7.000000000000001%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDP%3C/text%3E%3C/svg%3E)
3,085 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
This entitlement is automatically recognized for VMs running on AVD. You do not need to purchase or manually install ESU keys. Microsoft identifies the eligibility for free ESUs via the Azure metadata and platform identifiers, AVD session host role assignment on the VM, and licensing info reported to Windows Update services and telemetry.
As long as the VM is running on Azure and is a registered AVD session host, Microsoft considers it ESU-eligible.
Endpoint Configuration Manager can be used to deploy ESU patches to AVDs, just as with any standard patching workflow. To accomplish this, it must be able to correctly identify the device as ESU-entitled (which it does via normal telemetry and update classification sync from Windows Update for Business or WSUS). You do not need to point AVDs directly to Windows Update as long as ECM is synchronized with a WSUS instance that’s getting the correct ESU updates, and the devices are recognized as AVD-hosted (which they are if you’ve set them up properly).
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin