Hello Zupo, Massimo,
To address your first concern, the Windows 10 ESU program utilizes a Multiple Activation Key (MAK) rather than a digital license tied to hardware IDs in the cloud. You do not need a Microsoft Account on the specific machines. However, your organization, the legal entity, must interface with a Cloud Solution Provider (CSP) to purchase the ESU licenses. Once purchased, the CSP will provide you with the MAK key for the ESU Year 1 add-on. This key is distinct from the OS activation key; it acts as an "enablement" key that authorizes the system to install the specific ESU security packages.
For the activation itself on offline machines, you should use the Volume Activation Management Tool (VAMT), which is part of the Windows Assessment and Deployment Kit (ADK). VAMT allows for a process called "Proxy Activation." You would install VAMT on a technician’s laptop or a bridge machine that has internet access. You then discover the offline Windows 10 clients on your local network (or manually add them), install the ESU MAK key onto those clients using VAMT, and export the Installation IDs (IID) to a file. You take this file on your connected VAMT console to Microsoft's servers to retrieve the Confirmation IDs (CID), which you then import back to the offline clients to complete the activation. This effectively acts as a "man-in-the-middle" for the activation handshake, keeping your target PCs strictly offline.
If VAMT is too heavy for your infrastructure or the network is physically air-gapped (sneakernet), you can fall back to the command line and phone activation. You would open an elevated Command Prompt on the target machine, run slmgr /ipk <ESU_Key> to install the key, and then use slui 4 to initiate the telephone activation wizard, or generate the Installation ID via slmgr /dti and call the Microsoft Activation Center manually. Once activated, verify the status by running slmgr /dlv and looking for the ESU licensing descriptions. Note that activation only allows the installation of the updates; you will still need an offline patch management strategy, such as an offline WSUS upstream server or manually importing the MSU update packages from the Microsoft Update Catalog each month.
I hope you've found something useful here. If it helps you get more insight into the issue, it would be appreciated if you accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!
VP
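
The command-line fallback described in the answer above, as an added PowerShell example that is not part of the original answer or Microsoft's own tooling. It assumes English slmgr output, treats a "Partial Product Key" line as the sign that a key is installed, and uses the optional Activation ID argument of `/dti` and the `/atp` switch, neither of which is mentioned in the answer.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer. Assumes English slmgr output.
param(
    [string] $EsuKey,          # ESU MAK from the CSP; omit once it is installed
    [string] $ConfirmationId   # CID read back by the Activation Center; omit until you have it
)
$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

function Invoke-Slmgr {
    # cscript sends slmgr output to the console instead of pop-up dialogs.
    $out = & cscript.exe //NoLogo $slmgr @args
    if ($LASTEXITCODE -ne 0) { throw "slmgr $args failed:`n$($out -join "`n")" }
    $out
}

function Get-EsuLicense {
    # Cut "slmgr /dlv all" into one block per license; keep ESU entries that have a key installed.
    $text = (Invoke-Slmgr /dlv all) -join "`n"
    foreach ($block in ($text -split '(?m)^(?=Name:)')) {
        if ($block -cnotmatch '(?m)^(Name|Description):.*ESU') { continue }
        if ($block -notmatch '(?m)^Partial Product Key:') { continue }
        [pscustomobject]@{
            Name         = [regex]::Match($block, '(?m)^Name:\s*(.+)$').Groups[1].Value.Trim()
            ActivationId = [regex]::Match($block, '(?m)^Activation ID:\s*(\S+)').Groups[1].Value
            Status       = [regex]::Match($block, '(?m)^License Status:\s*(.+)$').Groups[1].Value.Trim()
        }
    }
}

if ($EsuKey) { Invoke-Slmgr /ipk $EsuKey }

$pending = @(Get-EsuLicense | Where-Object Status -ne 'Licensed')
if ($pending.Count -gt 1) {
    throw 'More than one ESU key awaits activation; handle each Activation ID by hand.'
}
foreach ($lic in $pending) {
    if ($ConfirmationId) {
        # Apply the Confirmation ID to the ESU add-on only, not to the OS license.
        Invoke-Slmgr /atp $ConfirmationId $lic.ActivationId
    } else {
        # With an Activation ID, /dti prints the Installation ID of the ESU add-on.
        Invoke-Slmgr /dti $lic.ActivationId
    }
}

# Final state: every installed ESU entry should read "Licensed".
$esu = @(Get-EsuLicense)
if (-not $esu) { Write-Warning 'No installed ESU license entry found.' }
$esu | Format-Table -AutoSize
```

Run it once with `-EsuKey` to install the key and print the Installation ID, then again with `-ConfirmationId` after the phone call; the closing table is the record to keep as evidence that the machine is entitled to ESU updates.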