
@abbodi1406
Created January 16, 2026 07:03
Consumer ESU Features Management

Consumer ESU Features Management

  • Hybrid Windows Batch and Powershell script to manage Windows 10 Consumer Extended Security Updates (ESU) features state.

  • This script enables (activates) the features required by Consumer ESU, and can also reset or query the state of those features.

  • This script does not enroll or activate the Consumer ESU license itself.

  • EEA region users are required to install KB5066135 or KB5066791 first;
    for all other users, KB5061087 (19045.6036) or later is required.


Usage

  • Click on the Download ZIP at the top to download.
  • Extract and Run Consumer_ESU_Feature.cmd as administrator.
  • Press [1] to enable the features, or press other numbers for the other options.
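@echo off
rem Launcher stage of the hybrid script. It checks the prerequisites, shows the menu
rem and then hands the chosen action to the embedded PowerShell section of this file.
rem
rem Hardening: cmd looks in the current directory before the search path when a program
rem is called by bare name, as whoami, findstr, find, choice and powershell are below.
rem This script runs elevated, so a same-named file in the start directory must not be
rem picked up. The variable below tells cmd to leave the current directory out of that lookup.
set "NoDefaultCurrentDirectoryInExePath=1"
rem The search path is rebuilt from SystemRoot alone instead of trusting the inherited one.
set "SysPath=%SystemRoot%\System32"
set "Path=%SystemRoot%\System32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SystemRoot%\System32\WindowsPowerShell\v1.0\"
rem The Sysnative alias exists only for a 32-bit process on 64-bit Windows.
rem When it is present the native system directory is placed first.
if exist "%SystemRoot%\Sysnative\reg.exe" (
set "SysPath=%SystemRoot%\Sysnative"
set "Path=%SystemRoot%\Sysnative;%SystemRoot%;%SystemRoot%\Sysnative\Wbem;%SystemRoot%\Sysnative\WindowsPowerShell\v1.0\;%Path%"
)
set "_psc=powershell -nop -c"
set "_err===== ERROR ===="
rem Elevation check: the token must carry the High or System mandatory integrity level SID.
whoami /groups 2>nul | findstr /i /c:"S-1-16-16384" /c:"S-1-16-12288" >nul || (
echo %_err%
echo This script requires administrator privileges.
goto :E_Exit
)
rem The eligibility tool shipped by the update must be present in the system directory.
if not exist "%SysPath%\ClipESUConsumer.exe" (
echo %_err%
echo ClipESUConsumer.exe is not detected.
echo Make sure to install update 2025-06 KB5061087 ^(19045.6036^) or later.
goto :E_Exit
)
rem PowerShell must be found on the rebuilt path and must report FullLanguage mode.
rem The embedded section repeats the language mode test on its own side.
set _pwsh=1
for %%# in (powershell.exe) do @if "%%~$PATH:#"=="" set _pwsh=0
cmd /c "%_psc% "$ExecutionContext.SessionState.LanguageMode"" | find /i "FullLanguage" 1>nul || (set _pwsh=0)
if %_pwsh% equ 0 (
echo %_err%
cmd /c "%_psc% "$ExecutionContext.SessionState.LanguageMode""
echo Windows PowerShell is not installed or not working properly.
echo It is required for this script to work.
goto :E_Exit
)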
:mMenu
rem Main menu. Each choice stores the name of a function of the embedded PowerShell
rem section in _opt and jumps to the stage that runs it.
@cls
echo ============================================================
echo Consumer ESU Features Management
echo ============================================================
echo.
echo [1] Enable
echo.
echo [2] Reset User overrides
echo.
echo [3] Reset All overrides
echo.
echo [4] Query
echo.
echo [9] Exit
echo.
echo ============================================================
echo.
choice /C 12349 /N /M "Choose a menu option: "
rem choice reports the 1-based position of the pressed key within 12349, so 5 is key 9.
set _elr=%errorlevel%
if %_elr%==5 exit /b
if %_elr%==4 (set "_opt=Inquire"&goto :shellpower)
if %_elr%==3 (set "_opt=Clean"&goto :shellpower)
if %_elr%==2 (set "_opt=Desert"&goto :shellpower)
if %_elr%==1 (set "_opt=Instate"&goto :shellpower)
rem Any other result redraws the menu.
goto :mMenu
:shellpower
@cls
rem The full path of this file is passed in the environment variable named 0.
rem PowerShell reads the file, splits it on the embdbin marker lines, runs the text
rem between the first two markers with Invoke-Expression and then calls the function
rem named in _opt.
rem Security note: that text runs in the elevated session, so keep the file where
rem non-administrators cannot modify it. The marker text with both of its colons must
rem not appear anywhere else in the file, comments included, or the split changes.
set "0=%~f0" &%_psc% $f=[IO.File]::ReadAllText($env:0) -split ':embdbin\:.*';iex($f[1]);%_opt%
:E_Exit
rem Common exit point. It is the target of the error branches and is also reached by
rem fall-through once the PowerShell stage has returned. It waits for 9 or Q before
rem leaving the batch file.
echo.
echo Press 9 or q to exit.
choice /c 9Q /n
if errorlevel 1 (exit /b) else (rem.)
exit /b
:embdbin:
# Print a value on the PowerShell host (console) through Out-Host.
#   $strObj - the text or object to display.
function CONOUT
{
    param($strObj)

    Out-Host -InputObject $strObj
}
# End the PowerShell session with the given exit code.
#   $ExitCode - process exit code, 0 when omitted.
function ExitScript
{
    param($ExitCode = 0)

    exit $ExitCode
}
# Preconditions, checked again on the PowerShell side because this section can be
# evaluated independently of the batch launcher's own checks.

# Language mode value 0 is FullLanguage; anything else stops the script.
if ($ExecutionContext.SessionState.LanguageMode.value__ -ne 0) {
    CONOUT "==== ERROR ====`r`n"
    CONOUT "Windows PowerShell is not running in Full Language Mode."
    ExitScript 1
}

# The current identity must be a member of the built-in Administrators role.
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    CONOUT "==== ERROR ====`r`n"
    CONOUT "Windows PowerShell is not running as administrator."
    ExitScript 1
}

# System directory used for every tool and file path below; the Sysnative alias is
# preferred whenever it is visible to this process.
$SysPath = if (Test-Path "$env:SystemRoot\Sysnative\reg.exe") {
    "$env:SystemRoot\Sysnative"
} else {
    "$env:SystemRoot\System32"
}
#region Globals
# $true when the private part (fourth field) of ClipESUConsumer.exe's file version is
# 6392 or higher. HandleEEA reads this flag to choose between its two code paths.
$SupEEA = ([System.Diagnostics.FileVersionInfo]::GetVersionInfo("$SysPath\ClipESUConsumer.exe").FilePrivatePart) -ge 6392
# Display labels for the feature state (bits 4-5 of the queried value); used by QueryInfo.
# The values carry their own number and padding, so they are printed as they are.
$fcState = @{
0 = " 0 Default";
1 = " 1 Disabled";
2 = " 2 Enabled";
}
# Display labels for the feature configuration priority (low 4 bits of the queried
# value); used by QueryInfo. Priorities 8 and 10 are the ones this script writes.
$fcPriority = @{
0 = " 0 ImageDefault";
1 = " 1 EKB";
2 = " 2 Persistent";
3 = " 3 Reserved";
4 = " 4 Service";
5 = " 5 Reserved";
6 = " 6 Dynamic";
7 = " 7 Reserved";
8 = " 8 User";
9 = " 9 Security";
10 = "10 UserPolicy";
11 = "11 Reserved";
12 = "12 Test";
13 = "13 Reserved";
14 = "14 Reserved";
15 = "15 ImageOverride";
}
# Display labels for the ESUEligibility registry value read by CheckEligibility.
$eeStatus = @{
0 = " 0 Unknown";
1 = " 1 Ineligible";
2 = " 2 Eligible";
3 = " 3 DeviceEnrolled";
4 = " 4 ReEnrollReq";
5 = " 5 MSAEnrolled";
6 = " 6 ConsumerESUInactive";
7 = " 7 CommercialMigratedDevice";
8 = " 8 LoginWithPrimaryAccountToEnroll";
9 = " 9 LoginWithPrimaryAccountToCompletePreOrder";
10 = "10 ComingSoon";
11 = "11 EEAFreeMSAEnrolled";
12 = "12 EEAPaidMSAEnrolled";
13 = "13 WarnInactiveMSA";
14 = "14 ReEnrollReqInactiveMSA";
}
# Display labels for the ESUEligibilityResult registry value read by CheckEligibility.
# Codes from 100 upward are stored without a numeric prefix in the label.
$eeResult = @{
1 = " 1 SUCCESS";
2 = " 2 CONSUMER_ESU_PROGRAM_NOT_ACTIVE";
3 = " 3 NON_CONSUMER_DEVICE";
4 = " 4 COMMERCIAL_DEVICE";
5 = " 5 NON_ADMIN";
6 = " 6 CHILD_ACCOUNT";
7 = " 7 REGION_IN_EMBARGOED_COUNTRY";
8 = " 8 AZURE_DEVICE";
9 = " 9 COMMERCIAL_MIGRATED_DEVICE";
10 = "10 LOGIN_WITH_PRIMARY_ACCOUNT_TO_COMPLETE_PREORDER";
11 = "11 CONSUMER_ESU_FEATURE_DISABLED";
12 = "12 KEY_BASED_ESU";
13 = "13 EEA_REGION_POLICY_ENABLED";
14 = "14 WARN_INACTIVE_MSA";
15 = "15 REENROLL_REQ_INACTIVE_MSA";
100 = "UNKNOWN_ERROR";
101 = "CONSUMER_ESU_PROGRAM_ACTIVE_CHECK_FAILED";
102 = "LICENSE_CHECK_FAILED";
103 = "CONSUMER_DEVICE_CHECK_FAILED";
104 = "COMMERCIAL_DEVICE_CHECK_FAILED";
105 = "ADMIN_CHECK_FAILED";
106 = "CHILD_ACCOUNT_CHECK_FAILED";
107 = "ENTITLEMENT_CHECK_FAILED";
108 = "ELIGIBILITY_EVALUATION_FAILED";
109 = "AZURE_DEVICE_CHECK_FAILED";
110 = "COMMERCIAL_MIGRATED_DEVICE_CHECK_FAILED";
111 = "EMBARGOED_REGION_CHECK_FAILED";
112 = "KEY_BASED_ESU_CHECK_FAILED";
113 = "FREE_MSA_ELIGIBILITY_CHECK_FAILED";
}
# Priority numbers whose Overrides\<n>\<name> subkeys ClearConfig deletes.
# 0, 9, 10 and 15 are not in the list.
$fps = @(1,2,3,4,5,6,7,8,11,12,13,14)
# Registry locations written by SetConfig: the per-priority override tree, its
# priority-8 branch, and the policy branch used together with priority 10.
$fKeyFM = 'HKLM:\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\'
$fKey08 = $fKeyFM + '8'
$fKey10 = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
# Scheduled task (name and folder) that RunTask enables, starts and waits for.
$TN = "ReconcileFeatures"; $TP = "\Microsoft\Windows\Flighting\FeatureConfig\"
# Service handled by RunService and RevertService. $enablesvc becomes $true only when
# the service is found with start type value 4 (Disabled), which is the case in which
# the script switches it to Automatic for the run and back to Disabled afterwards.
$svc = 'DiagTrack'
$enablesvc = $false
# Best effort: a missing service leaves $enablesvc at $false.
try {$obj = Get-Service $svc -EA 1; $enablesvc = ($obj.StartType.value__ -eq 4)} catch {}
# Placeholders; both are assigned again after the functions have been defined.
$featureESU = 0
$BSD = $false
# Region information of the current user and the machine-wide device region key.
$gKey = "HKCU:\Control Panel\International\Geo"
$rKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\DeviceRegion"
$GeoId = (Get-ItemProperty $gKey "Nation" -EA 0).Nation
$GeoCN = (Get-ItemProperty $gKey "Name" -EA 0).Name
# Fallback when the Name value is absent: ask the WinRT globalization API.
if ($null -eq $GeoCN) {try {$GeoCN = [Windows.System.UserProfile.GlobalizationPreferences,Windows,ContentType=WindowsRuntime]::HomeGeographicRegion} catch {}}
# $DMA_SSO is $true when the user's region appears in the region.disabled list of the
# policy with the GUID below inside the system's region policy file. It gates all the
# EEA-specific handling in DoInquire and Instate.
$jPath = "$SysPath\IntegratedServicesRegionPolicySet.json"
$DMA_SSO = $false
if (Test-Path $jPath) {
$jData = Get-Content $jPath | ConvertFrom-Json
$jList = ($jData.policies | where {$_.guid.Contains("1d290cdb-499c-4d42-938a-9b8dceffe998")}).conditions.region.disabled
$DMA_SSO = $jList -contains $GeoCN
}
# Build, at run time, a type whose static methods are P/Invoke bindings into ntdll.dll
# and store it in $Win32.
# The script calls this function dot-sourced (". NativeMethods") so that $Win32 is
# created in the calling scope, where the other functions read it.
# The bare numbers stand for .NET enum values. By the framework definitions
# 22 = MethodAttributes Public|Static, the following 1 = CallingConventions Standard,
# the trailing "1, 3" = CallingConvention Winapi and CharSet Unicode, and
# 128 = MethodImplAttributes PreserveSig -- re-check these if the calls are edited.
# NOTE(review): as far as this reviewer knows these Rtl* exports are not part of the
# documented Win32 API, so the parameter lists below are the author's declarations and
# could stop matching after a system update; every caller should treat failure as possible.
function NativeMethods
{
# Random values are used as the assembly, module and type names.
$t = [AppDomain]::CurrentDomain.DefineDynamicAssembly((Get-Random), 1).DefineDynamicModule((Get-Random), $False).DefineType((Get-Random))
# Read the configuration of one feature.
$t.DefinePInvokeMethod('RtlQueryFeatureConfiguration', 'ntdll.dll', 22, 1, [Int32], @([UInt32], [UInt32], [UInt64].MakeByRefType(), [UInt32[]]), 1, 3).SetImplementationFlags(128)
# Read the change stamp that is passed to the set call.
$t.DefinePInvokeMethod('RtlQueryFeatureConfigurationChangeStamp', 'ntdll.dll', 22, 1, [UInt64], @(), 1, 3).SetImplementationFlags(128)
# Write one or more feature configuration updates.
$t.DefinePInvokeMethod('RtlSetFeatureConfigurations', 'ntdll.dll', 22, 1, [Int32], @([UInt64].MakeByRefType(), [UInt32], [Byte[]], [Int32]), 1, 3).SetImplementationFlags(128)
# Boot status data access, used only by RtlBSD.
$t.DefinePInvokeMethod('RtlSetSystemBootStatus', 'ntdll.dll', 22, 1, [Int32], @([Int32], [Int32].MakeByRefType(), [Int32], [IntPtr]), 1, 3).SetImplementationFlags(128)
$t.DefinePInvokeMethod('RtlGetSystemBootStatus', 'ntdll.dll', 22, 1, [Int32], @([Int32], [Int32].MakeByRefType(), [Int32], [IntPtr]), 1, 3).SetImplementationFlags(128)
$t.DefinePInvokeMethod('RtlCreateBootStatusDataFile', 'ntdll.dll', 22, 1, [Int32], @([String]), 1, 3).SetImplementationFlags(128)
$Win32 = $t.CreateType()
}
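# Write the geographic region id back to the user's Geo key and, when the machine-wide
# DeviceRegion key exists, to its DeviceRegion value as well.
#   $gID - region id to store (the caller passes the id read from the Geo key).
# The machine-wide value is written by a copy of reg.exe named reg1.exe, as in the
# original; the reason for running a renamed copy is not stated in this file.
# Security fix: the original copied into the current directory, ignored a failed copy
# and then ran ".\reg1.exe" regardless, so a file of that name already present in the
# start directory would have been executed elevated. The copy now goes into a freshly
# created, randomly named directory, must succeed, and must hash-match its source
# before it is run. All steps stay best effort: any failure skips the machine-wide write.
function ReRegion($gID)
{
    $null = New-ItemProperty $gKey "Nation" -Value $gID -Type String -Force -EA 0
    if ($null -eq (Get-ItemProperty $rKey -EA 0)) {return}

    $workDir = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
    $regCopy = Join-Path $workDir 'reg1.exe'
    try {
        $regSource = (Get-Command reg.exe -EA 1).Source
        # No -Force: creation fails, and the step is skipped, if the directory already exists.
        $null = New-Item $workDir -ItemType Directory -EA 1
        Copy-Item $regSource $regCopy -EA 1
        $sameFile = (Get-FileHash $regCopy -EA 1).Hash -eq (Get-FileHash $regSource -EA 1).Hash
        if ($sameFile) {
            & $regCopy add "$($rKey.Replace(':',''))" /v DeviceRegion /t REG_DWORD /d $gID /f > $null 2>&1
        }
    } catch {
        # Best effort, matching the original's silent error handling.
    } finally {
        Remove-Item $workDir -Recurse -Force -EA 0
    }
}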
#endregion
#region FCon
# Probe the boot status data through ntdll and return a boolean that the script stores
# in $BSD. When $BSD is $true, RunService and RevertService return without touching
# the service.
# Note for reviewers: despite being used as a probe, two of the paths below write
# (creating the boot status data file, or setting element 0).
# Any exception, including $Win32 being unavailable, yields $false.
function RtlBSD
{
$state = 0
# Read element 17 (4 bytes) into $state.
try {$nRet = $Win32::RtlGetSystemBootStatus(17, [ref]$state, 4, 0)} catch {return $FALSE}
if ($nRet -eq 0 -Or $state -gt 0) {return $TRUE}
# 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND: try to create the data file.
# 0xC0000035 is STATUS_OBJECT_NAME_COLLISION and is accepted as well.
if ($nRet -eq 0xC0000034) {
try {$nRet = $Win32::RtlCreateBootStatusDataFile([NullString]::Value)} catch {return $FALSE}
if ($nRet -eq 0 -Or $nRet -eq 0xC0000035) {return $TRUE}
}
# 0xC0000059 is STATUS_REVISION_MISMATCH. $nRet may come from either call above.
# The value 0xb0 written to element 0 is not explained in this file -- TODO confirm.
if ($nRet -eq 0xC0000059) {
$state = 0xb0
try {$nRet = $Win32::RtlSetSystemBootStatus(0, [ref]$state, 4, 0)} catch {return $FALSE}
if ($nRet -eq 0) {return $TRUE}
}
return $FALSE
}
# Undo what RunService changed: put the service back to Disabled and stop it.
# Nothing happens when $BSD is set, or when the service was not found Disabled at
# start-up ($enablesvc is $false). In that second case a service that RunService
# merely started is left running.
function RevertService
{
    if ($BSD -or -not $enablesvc) { return }

    # Both steps are best effort; failures are ignored on purpose.
    try { Set-Service $svc -StartupType Disabled -EA 1 } catch {}
    try { Stop-Service $svc -Force -Confirm:$false -EA 1 } catch {}
}
# Make sure the service named in $svc is running for the duration of the change.
# If it was found Disabled at start-up ($enablesvc), its start type is switched to
# Automatic first; RevertService restores Disabled afterwards. If the script is
# interrupted in between, the service stays on Automatic.
# Nothing happens when $BSD is set.
function RunService
{
    if ($BSD) { return }

    if ($enablesvc) {
        try { Set-Service $svc -StartupType Automatic -EA 1 } catch {}
    }
    # Started in either case; a failure is ignored on purpose.
    try { Start-Service $svc -EA 1 } catch {}
}
# Enable and start the scheduled task identified by $TN and $TP, then block until it
# is no longer in state 4 (Running). Returns silently when the task does not exist.
# Note: the wait has no upper bound, so a task that never finishes keeps the script here.
function RunTask
{
    try {
        $null = Get-ScheduledTask -TaskName $TN -TaskPath $TP -ErrorAction Stop
    } catch {
        return
    }

    $null = Enable-ScheduledTask -TaskName $TN -TaskPath $TP
    Start-ScheduledTask -TaskName $TN -TaskPath $TP
    while ((Get-ScheduledTask -TaskName $TN -TaskPath $TP).State.value__ -eq 4) {
        Start-Sleep -Seconds 1
    }
}
# Apply a state override to one feature, in the registry and in the running system.
#   $fID    - numeric feature id.
#   $fState - state to set; the callers in this file pass 1 or 2
#             (labelled Disabled and Enabled in $fcState).
#   $fReg   - registry name used for this feature (value name under the policy key,
#             subkey name under the priority-8 key).
# State 2 is written with priority 10 into the policy key; any other state is written
# with priority 8 into Overrides\8\<fReg>, and a policy value of the same name is removed.
# Registry writes are best effort (-EA 0): a failed write is not reported.
# Returns nothing; a negative status from the native call is printed as hex.
function SetConfig($fID, $fState, $fReg)
{
if ($fState -eq 2) {
$fPriority = 10
if ($null -eq (Get-ItemProperty $fKey10 -EA 0)) {$null = New-Item $fKey10 -Force -EA 0}
$null = New-ItemProperty $fKey10 $fReg -Value $fState -Type DWord -Force -EA 0
} else {
$fPriority = 8
if ($null -eq (Get-ItemProperty $fKey08 -EA 0)) {$null = New-Item $fKey08 -Force -EA 0}
$fKeySub = $fKey08 + '\' + $fReg
$null = New-Item $fKeySub -Force -EA 0
$null = New-ItemProperty $fKeySub 'EnabledState' -Value $fState -Type DWord -Force -EA 0
$null = New-ItemProperty $fKeySub 'EnabledStateOptions' -Value 0 -Type DWord -Force -EA 0
if ($null -ne (Get-ItemProperty $fKey10 $fReg -EA 0)) {$null = Remove-ItemProperty $fKey10 $fReg -Force -EA 0}
}
# Update record for the native call: eight 4-byte fields, namely feature id, priority,
# state, four zero fields and a final 1. The final field is presumably the operation
# selector (1 here, 4 in the reset functions) -- confirm against the structure definition.
# The packing relies on $fState arriving as a 32-bit integer, as the callers pass it.
[byte[]]$fcon = [BitConverter]::GetBytes([UInt32]$fID) + [BitConverter]::GetBytes($fPriority) + [BitConverter]::GetBytes($fState) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(1)
# The current change stamp is passed by reference; 0 is used when it cannot be read.
try {[UInt64]$fccs = $Win32::RtlQueryFeatureConfigurationChangeStamp()} catch {[UInt64]$fccs = 0}
try {
# Arguments: change stamp, 1 (presumably the configuration type -- confirm), the record, record count 1.
$nRet = $Win32::RtlSetFeatureConfigurations([ref]$fccs, 1, $fcon, 1)
if ($nRet -lt 0) {
# Adding 2^32 turns the negative 32-bit status into its unsigned hex form.
CONOUT ("Operation Failed: 0x" + ($nRet + 0x100000000L).ToString("X"))
return
}
} catch {
$host.UI.WriteLine('Red', 'Black', $_.Exception.Message + $_.ErrorDetails.Message)
return
}
return
}
# Reset a feature's override, but only when its current priority is 8 or 10
# (labelled User and UserPolicy in $fcPriority), which are the priorities SetConfig
# writes. This is the "Reset User overrides" action.
#   $fID  - numeric feature id.
#   $fReg - registry name used for this feature.
# Returns nothing. Does nothing when the feature cannot be queried or has another priority.
function DefConfig($fID, $fReg)
{
try {
$fInfo = [UInt32[]]::new(3)
$nRet = $Win32::RtlQueryFeatureConfiguration([UInt32]$fID, 1, [ref]$null, $fInfo)
if ($nRet -eq 0) {
# The low 4 bits of the second element hold the priority.
$fPriority = ($fInfo[1] -band 0xF)
} else {
return
}
} catch {
return
}
if ($fPriority -ne 10 -And $fPriority -ne 8) {
return
}
# Same 32-byte record as in SetConfig, with state 0 and a final field of 4
# (presumably the reset operation -- confirm).
[byte[]]$fcon = [BitConverter]::GetBytes([UInt32]$fID) + [BitConverter]::GetBytes($fPriority) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(4)
try {[UInt64]$fccs = $Win32::RtlQueryFeatureConfigurationChangeStamp()} catch {[UInt64]$fccs = 0}
# The status of the native reset is not checked; the registry clean-up runs regardless.
try {
$nRet = $Win32::RtlSetFeatureConfigurations([ref]$fccs, 1, $fcon, 1)
} catch {
}
# Remove the policy value and the priority-8 subkey written by SetConfig.
if ($null -ne (Get-ItemProperty $fKey10 $fReg -EA 0)) {$null = Remove-ItemProperty $fKey10 $fReg -Force -EA 0}
$fKeySub = $fKey08 + '\' + $fReg
if ($null -ne (Get-Item $fKeySub -EA 0)) {$null = Remove-Item $fKeySub -Force -EA 0}
return
}
# Reset a feature's override at whatever priority it currently has, except 0, 9 and 15
# (labelled ImageDefault, Security and ImageOverride in $fcPriority), and delete its
# registry entries under every priority listed in $fps plus the policy value.
# This is the "Reset All overrides" action, so it can also remove overrides that this
# script did not create.
#   $fID  - numeric feature id.
#   $fReg - registry name used for this feature.
# Returns nothing. Does nothing when the feature cannot be queried.
function ClearConfig($fID, $fReg)
{
try {
$fInfo = [UInt32[]]::new(3)
$nRet = $Win32::RtlQueryFeatureConfiguration([UInt32]$fID, 1, [ref]$null, $fInfo)
if ($nRet -eq 0) {
# The low 4 bits of the second element hold the priority.
$fPriority = ($fInfo[1] -band 0xF)
} else {
return
}
} catch {
return
}
if ($fPriority -eq 0 -Or $fPriority -eq 9 -Or $fPriority -eq 15) {
return
}
# Same 32-byte record as in SetConfig, with state 0 and a final field of 4
# (presumably the reset operation -- confirm).
[byte[]]$fcon = [BitConverter]::GetBytes([UInt32]$fID) + [BitConverter]::GetBytes($fPriority) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(0) + [BitConverter]::GetBytes(4)
try {[UInt64]$fccs = $Win32::RtlQueryFeatureConfigurationChangeStamp()} catch {[UInt64]$fccs = 0}
# The status of the native reset is not checked; the registry clean-up runs regardless.
try {
$nRet = $Win32::RtlSetFeatureConfigurations([ref]$fccs, 1, $fcon, 1)
} catch {
}
# Best effort: missing keys and values are ignored.
$fps | foreach {Remove-Item ($fKeyFM + $_ + '\' + $fReg) -Force -EA 0}
$null = Remove-ItemProperty $fKey10 $fReg -Force -EA 0
return
}
# Return the current state of a feature as an integer (bits 4-5 of the second
# element filled in by the native query; 0, 1 or 2 map to the labels in $fcState).
#   $fID - numeric feature id.
# Returns 0 when the query reports a non-zero status or throws, so "not configured"
# and "query failed" cannot be told apart by the caller.
function QueryConfig
{
    param($fID)

    try {
        $packed = [UInt32[]]::new(3)
        $status = $Win32::RtlQueryFeatureConfiguration([UInt32]$fID, 1, [ref]$null, $packed)
        if ($status -ne 0) {
            return 0
        }
        return [int](($packed[1] -band 0x30) -shr 4)
    } catch {
        return 0
    }
}
# Print the state and priority of one feature under a heading.
#   $fID   - numeric feature id.
#   $fName - heading text shown for the feature.
# Prints "Not configured" when the native query reports a non-zero status.
# Unlike QueryConfig, the native call is not wrapped in try/catch here.
function QueryInfo
{
    param($fID, $fName)

    CONOUT ("`n==== {0}" -f $fName)
    $packed = [UInt32[]]::new(3)
    $status = $Win32::RtlQueryFeatureConfiguration([UInt32]$fID, 1, [ref]$null, $packed)
    if ($status -eq 0) {
        # Second element: low 4 bits are the priority, bits 4-5 the state.
        [int]$prioIndex = ($packed[1] -band 0xF)
        [int]$stateIndex = ($packed[1] -band 0x30) -shr 4
        CONOUT ("State : {0}" -f $fcState[$stateIndex])
        CONOUT ("Priority: {0}" -f $fcPriority[$prioIndex])
        return
    }
    CONOUT "Not configured"
}
#endregion
#region EsuMgr
# Print the eligibility status and result as labelled text.
#   $esuStatus - numeric status, looked up in $eeStatus ("Unknown" when not listed).
#   $esuResult - numeric result, looked up in $eeResult ("UNKNOWN_RESULT" when not listed).
function PrintEligibility
{
    param($esuStatus, $esuResult)

    if ($null -ne $eeStatus[$esuStatus]) {
        $statusText = $eeStatus[$esuStatus]
    } else {
        $statusText = "Unknown"
    }
    CONOUT ("Eligibility Status: {0}" -f $statusText)

    if ($null -ne $eeResult[$esuResult]) {
        $resultText = $eeResult[$esuResult]
    } else {
        $resultText = "UNKNOWN_RESULT"
    }
    CONOUT ("Eligibility Result: {0}" -f $resultText)
}
# Run the system's eligibility evaluation and print what it recorded.
# The tool is started by full path from $SysPath; its outcome is then read from the
# current user's ConsumerESU registry key. The tool's exit code is not inspected, so
# values left by an earlier run would be printed if the tool failed without updating
# them -- presumably acceptable for a status display; confirm if the output is relied on.
function CheckEligibility
{
    CONOUT "`nEvaluate ESU Eligibility state ..."
    & $SysPath\cmd.exe '/c' $SysPath\ClipESUConsumer.exe -evaluateEligibility

    $esuKey = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\ConsumerESU"
    $status = (Get-ItemProperty $esuKey "ESUEligibility" -ErrorAction SilentlyContinue).ESUEligibility
    $result = (Get-ItemProperty $esuKey "ESUEligibilityResult" -ErrorAction SilentlyContinue).ESUEligibilityResult

    if (($null -ne $status) -and ($null -ne $result)) {
        PrintEligibility $status $result
        return
    }
    CONOUT "Operation Failed."
}
#endregion
# Dot-sourced so that the $Win32 type built by NativeMethods lands in this scope.
. NativeMethods
# Result of the boot status probe; RunService and RevertService do nothing when it is $true.
$BSD = RtlBSD
# State of the ConsumerESU feature at start-up; Instate compares it with 2 (Enabled).
$featureESU = QueryConfig 57517687
# Print the state of the ConsumerESU feature and, when the user's region is flagged
# by $DMA_SSO, of the three EEA region features as well.
function DoInquire
{
    CONOUT "`nQuery features state ..."
    QueryInfo 57517687 "ConsumerESU"
    if (-not $DMA_SSO) { return }

    QueryInfo 59064570 "ConsumerESU_EEARegion_Available"
    QueryInfo 58992578 "ConsumerESU_EEARegion_ComingSoon"
    QueryInfo 58755790 "ConsumerESU_EEARegion_Blocked"
}
# Menu action "Query": show the feature states and end the session with code 0.
# Read-only: nothing is changed on the system.
function Inquire
{
    DoInquire
    ExitScript -ExitCode 0
}
# Menu action "Reset All overrides": clear the overrides of the four ESU features at
# any resettable priority, run the reconcile task, restore the service state, then
# print the resulting feature and eligibility state and end the session with code 0.
function Clean
{
    CONOUT "`nRemove All overrides for features ..."
    RunService

    # Feature id and registry name of each feature, in the order they are processed.
    $features = @(
        @{ Id = 57517687; Reg = "4011992206" },
        @{ Id = 58992578; Reg = "2216818319" },
        @{ Id = 58755790; Reg = "2642149007" },
        @{ Id = 59064570; Reg = "4109366415" }
    )
    foreach ($feature in $features) {
        ClearConfig $feature.Id $feature.Reg
    }

    RunTask
    RevertService
    DoInquire
    CheckEligibility
    ExitScript 0
}
# Menu action "Reset User overrides": reset the overrides of the four ESU features
# only where they sit at priority 8 or 10, run the reconcile task, restore the service
# state, then print the resulting feature and eligibility state and end the session
# with code 0.
function Desert
{
    CONOUT "`nRemove User overrides for features ..."
    RunService

    # Feature id and registry name of each feature, in the order they are processed.
    $features = @(
        @{ Id = 57517687; Reg = "4011992206" },
        @{ Id = 58992578; Reg = "2216818319" },
        @{ Id = 58755790; Reg = "2642149007" },
        @{ Id = 59064570; Reg = "4109366415" }
    )
    foreach ($feature in $features) {
        DefConfig $feature.Id $feature.Reg
    }

    RunTask
    RevertService
    DoInquire
    CheckEligibility
    ExitScript 0
}
# Configure the three EEA region features.
# Must be called dot-sourced (". HandleEEA"): it reports work done by assigning
# $changed, which only reaches the caller when both share one scope. The other
# variables assigned here become visible in that scope too.
# Without EEA support in the installed tool ($SupEEA is $false) the Blocked feature is
# disabled and ComingSoon is enabled. With support, the region is re-applied and the
# features are brought to Blocked = 1, ComingSoon = 1, Available = 2, touching only
# those that differ.
function HandleEEA
{
    if (-not $SupEEA) {
        CONOUT "`nConsumer ESU for EEA Region require update 2025-09 KB5066198 (19045.6396) or later."
        SetConfig 58755790 1 "2642149007"
        SetConfig 58992578 2 "2216818319"
        $changed = $true
        return
    }

    ReRegion $GeoId

    $stateAvailable = QueryConfig 59064570
    $stateSoon = QueryConfig 58992578
    $stateBlocked = QueryConfig 58755790

    $needsChange = ($stateBlocked -ne 1) -or ($stateSoon -ne 1) -or ($stateAvailable -ne 2)
    if ($needsChange) {
        CONOUT "`nEnable Consumer ESU EEA Region feature ..."
        $changed = $true
    }

    if ($stateBlocked -ne 1) { SetConfig 58755790 1 "2642149007" }
    if ($stateSoon -ne 1) { SetConfig 58992578 1 "2216818319" }
    if ($stateAvailable -ne 2) { SetConfig 59064570 2 "4109366415" }
}
# Menu action "Enable": enable the ConsumerESU feature if it is not already in state 2,
# handle the EEA region features when $DMA_SSO is set, run the reconcile task only if
# something was changed, restore the service state, then print the resulting feature
# and eligibility state and end the session with code 0.
function Instate
{
    RunService

    $changed = $false
    if ($featureESU -ne 2) {
        CONOUT "`nEnable Consumer ESU feature ..."
        SetConfig 57517687 2 "4011992206"
        $changed = $true
    }

    # Dot-sourced on purpose: HandleEEA sets $changed in this function's scope.
    if ($DMA_SSO) {
        . HandleEEA
    }

    if ($changed) {
        RunTask
    }
    RevertService
    if (-not $changed) {
        CONOUT "`nConsumer ESU features are already configured."
    }

    DoInquire
    CheckEligibility
    ExitScript 0
}
:embdbin: