KB5065429: Windows 10 ESU Enrollment & End-of-Support 2025

Microsoft pushed Windows 10 cumulative update KB5065429 to 22H2 machines this week, a mandatory security rollup that arrives as the platform approaches its October 14, 2025 end‑of‑support deadline — and it’s tightly linked to Microsoft’s consumer Extended Security Updates (ESU) enrollment path that can grant eligible PCs one additional year of security patches through October 13, 2026.

Background / Overview​

Microsoft set a firm end‑of‑support date for Windows 10: October 14, 2025. After that date, routine free security updates and mainstream support for Windows 10 consumer SKUs stop. To give consumers a narrow safety window, Microsoft published a consumer ESU program that delivers security‑only updates for one additional year, through October 13, 2026. The company published the consumer ESU rules and the enrollment workflow on its support pages; the program requires a Microsoft account and offers three enrollment routes: enable Windows settings backup (free), redeem 1,000 Microsoft Rewards points, or pay a one‑time $30 (USD equivalent) fee. (support.microsoft.com)
Those public rules are the canonical reference for the consumer ESU program, and they explain both the limited scope of coverage (Critical and Important security fixes only) and the eligibility gating (Windows 10 version 22H2 consumer SKUs, not domain‑joined or enterprise‑managed devices). Multiple independent outlets and community reporting echo Microsoft’s guidance and note the same three enrollment paths and one‑year duration. (windowslatest.com, theverge.com)

---

What KB5065429 is — and why it matters now​

KB5065429 is the September 2025 cumulative security update for Windows 10 servicing branches that remain active. It is a mandatory cumulative rollup distributed via Windows Update and published as standalone .msu packages on the Microsoft Update Catalog for offline installs.

• The update advances Windows 10 22H2 installations to OS Build 19045.6332 (and equivalent 21H2 builds where applicable), reflecting cumulative security content and servicing stack improvements. This build number and the release mapping for KB5065429 are publicly visible in update catalogs and build lists. (en.wikipedia.org)
• For most consumer PCs the package arrives automatically through Windows Update; administrators and power users can download the full offline installer (.msu) from the Microsoft Update Catalog and apply it manually. Running the .msu requires elevated rights and can take longer than an incremental Windows Update delta because the Update Catalog package is the combined SSU+LCU bundle. Practical deployment notes and checksum verification guidance are standard best practice: verify downloaded files with SHA‑256, keep multiple backup copies, and stage any large catalog packages for offline distribution. (asec.ahnlab.com)

Why this specific cumulative matters beyond its security fixes is that Microsoft used the August and September cumulative rollups to restore and expose the in‑product “Enroll now” ESU enrollment wizard for consumer devices. Earlier August fixes repaired a crash that prevented the wizard from loading for some users; the September package continued the work of exposing the UI more broadly. Those servicing updates are the technical precondition for the enrollment path to appear inside Settings → Update & Security → Windows Update. (windowslatest.com)

---

What’s included (user‑visible and technical fixes)​

KB5065429 is primarily a security rollup, not a feature release, but the release notes and field testing call out a few user‑facing and under‑the‑hood items worth highlighting:

• Security fixes: standard monthly mitigations for vulnerabilities across the Windows kernel, graphics stack, networking components and system services. The update is cumulative and includes the usual set of Critical and Important patches. (As with any cumulative rollup, the package contains multiple CVE fixes consolidated into the LCU.) (asec.ahnlab.com)
• ESU enrollment readiness: the update ensures the Settings‑hosted enrollment wizard behaves reliably and is visible on more systems, fixing earlier crashes and registration problems that blocked consumer signups. This is the operational change that lets many users complete the ESU enrollment flow inside Windows Update after the package is applied. (windowslatest.com, hothardware.com)
• Stability and feature repairs called out by community testing: among the bug fixes noted in coverage and hands‑on tests were improvements to streaming/NDI behavior between devices (addressing reports of audio delays and stuttering after a prior update) and refinements to SMB handling for administrators managing shares and group policies. These are the type of targeted quality fixes that follow a monthly security rollup rather than broad new capabilities. Field reporting identified specific NDI‑related regressions and SMB hardening tweaks, which the cumulative aims to address. Readers should treat these as practical fixes rather than new features. (windowslatest.com, hothardware.com)

Important operational detail: the KB does not add new consumer features beyond the ESU enrollment plumbing; it is a servicing rollup with patch and reliability content. The key value for many users is that installing KB5065429 (or the August servicing that preceded it) unlocks the in‑product ESU enrollment experience, when other prerequisites are met.

---

How to get the update (automatic vs manual .msu)​

Windows Update will push KB5065429 automatically to eligible Windows 10 22H2 PCs. If automatic delivery fails, or if you prefer offline installation, download the full .msu package from the Microsoft Update Catalog and install it manually:

• Visit the Microsoft Update Catalog and search KB5065429 to find the correct .msu for your architecture (x86/x64/ARM64).
• Download the .msu to a local folder. Confirm the file hash (SHA‑256) either using the value Microsoft publishes or by comparing repeated downloads to ensure integrity: PowerShell Get‑FileHash -Algorithm SHA256 <filename> is sufficient.
• Run the .msu as administrator and follow on‑screen prompts. Expect manual installs to take longer than Windows Update deltas because you’re applying the combined package. Reboot if required. (asec.ahnlab.com)

Practical tips:

• In business environments use WSUS/SCCM/Intune to manage rollouts; the catalog package sizes are larger and may cause bandwidth spikes if pushed to many devices at once. Test on pilot hardware before broad distribution.
• If you rely on offline images, consider slipstreaming the KB into installation media or creating a patched recovery ISO using DISM or third‑party offline servicing tools.

---

ESU enrollment: the three consumer paths (exact mechanics)​

The consumer ESU program intentionally offers three ways to enroll a device and obtain one year of security updates. These are the official options documented by Microsoft:

• Free path by enabling Windows Backup / settings sync to OneDrive: sign in with a Microsoft account and enable Settings/Windows Backup sync; Microsoft uses this as the no‑charge route to grant ESU entitlements.
• Redeem 1,000 Microsoft Rewards points: use accumulated Rewards points to purchase an ESU license token.
• Pay a one‑time $30 USD (or local currency equivalent plus tax): a paid ESU license tied to your Microsoft Account that can be applied to up to 10 eligible devices associated with that account.

All three options produce the same result — ESU coverage through October 13, 2026 — and all require a Microsoft account to finalize enrollment. Microsoft’s consumer ESU page is explicit about the account requirement and the licensing tie to a single MSA for up to 10 devices. (support.microsoft.com, techcommunity.microsoft.com)
Enrollment flow (typical on an eligible consumer PC):

• Ensure the device is running Windows 10 version 22H2 and is fully patched (install KBs such as the August and September cumulative updates).
• Go to Settings → Update & Security → Windows Update.
• If prerequisites are met, you’ll see an Enroll now link or banner under the Windows Update pane.
• Click Enroll now and follow the wizard; sign in with a Microsoft Account if you’re using a local account. Choose backup‑sync, Rewards redemption, or one‑time purchase and complete the flow. (windowslatest.com, hothardware.com)

---

Hands‑on reports, rollout quirks and what users saw​

Independent testers and outlets that exercised the enrollment flow reported a mixed but improving experience:

• In some hands‑on cases the ESU enrollment toggle only appeared after installing the latest cumulative update that raised the machine to Build 19045.6332 (the September cumulative). In those tests, enabling OneDrive/Windows Backup or choosing a Rewards/purchase path completed enrollment and the device became eligible for ESU updates. That anecdotal path — install KB, reboot, see Enroll now, enroll — was reported by community testing and by Windows‑focused outlets. (windowslatest.com)
• Microsoft has cautioned that the “Enroll now” control is being phased in; not all eligible devices will see it at the same time. If your device meets the prerequisites and you still don’t see the option immediately, Microsoft’s guidance is to install the latest servicing updates and wait for the staged rollout to reach your device. The company’s public support documentation and community Q&A reiterate that this staged approach is intentional. (support.microsoft.com, learn.microsoft.com)
• Some early reports surfaced about registration or wizard crashes prior to the August servicing updates; Microsoft fixed the crash and improved the wizard behavior in the August and September rollups. If you still see wizard crashes after updating, troubleshooting steps include verifying servicing stack installation, repairing Store app registration, and confirming your account/registration state. (hothardware.com)

Important caveat: the experience is device‑ and environment‑dependent. Domain‑joined devices, enterprise MDM managed machines, kiosk devices, and child accounts are excluded. Home users, especially those already signed into Microsoft Accounts and using OneDrive backups, will see the simplest path. For privacy‑conscious users who run local accounts by deliberate choice, the account requirement is a meaningful change. (techcommunity.microsoft.com)

---

Security and privacy analysis — tradeoffs and risks​

Microsoft’s consumer ESU program solves a practical problem — it gives a one‑year safety net to many devices that cannot upgrade to Windows 11 because of hardware limits — but the implementation introduces a few material tradeoffs consumers must weigh.
Strengths and benefits

• Immediate security coverage: ESU ensures monthly Critical and Important patches continue for one year beyond EOL, reducing immediate exploitation risk for internet‑exposed or sensitive devices.
• Flexible enrollment: Microsoft offers three paths (sync, Rewards, purchase), lowering the financial friction for households with multiple machines.
• Household efficiency: a single paid license covers up to 10 eligible devices tied to one Microsoft account, which can be economical for multi‑PC households. (support.microsoft.com)

Potential downsides and risks

• Microsoft account requirement: enrollment — even paid enrollment — requires a Microsoft Account. This shifts sign‑in and entitlement management into Microsoft’s account system and can be a non‑starter for users who intentionally rely on local accounts for privacy or policy reasons. Expect some users to object to this condition on principle. (tomshardware.com)
• One‑year limit and migration pressure: ESU is a one‑year bridge, not a long‑term support path. Organizations and individuals should use the ESU period to plan and execute migrations to supported platforms (Windows 11 or replacement hardware) or to isolate legacy workloads in VMs or segmented networks. Treat ESU as emergency breathing space, not a permanent strategy.
• OneDrive storage implications for free route: the no‑charge path uses Windows Backup/settings sync to OneDrive. Free OneDrive includes 5 GB; larger backups may require paid OneDrive storage, which adds ongoing cost and complexity if users rely on that path. That nuance is easy to miss when people hear “free enrollment.” (theverge.com)
• Operational complexity for managed environments: enterprise and compliance‑sensitive systems often cannot or should not rely on the consumer ESU path; enterprise ESU remains the formal route for domain‑joined fleets and multi‑year commitments. Consumer ESU is unsuitable for many regulated environments.

---

Practical checklist — what to do next (step‑by‑step)​

• Verify your device: Settings → System → About — confirm you’re on Windows 10, version 22H2 and that activation is valid.
• Patch now: Run Windows Update and install all pending cumulative updates. If auto‑update fails, download KB5065429’s .msu from the Update Catalog and install manually. Verify file integrity (SHA‑256). (asec.ahnlab.com)
• Prepare your account: decide which Microsoft account you will use for ESU coverage (one account can cover up to 10 devices). Convert or add an MSA as an administrator on the PC if you currently use a local account.
• Back up: create a full image backup and verify restore media. Don’t rely solely on OneDrive for disaster recovery.
• Enroll: Once updated, go to Settings → Update & Security → Windows Update and click Enroll now if the option appears. Follow the wizard and choose your enrollment path (sync / Rewards / purchase). If you don’t see the option, wait — the enrollment UI is rolling out in stages. (windowslatest.com, support.microsoft.com)
• Use the year: treat the ESU period as time to migrate. Inventory applications and drivers, test Windows 11 eligibility, and budget for replacement hardware if needed.

---

Final assessment — who should use ESU and who shouldn’t​

ESU is a pragmatic, narrowly scoped program that addresses a real need for people who cannot move to Windows 11 for hardware or cost reasons. For many households the free sync path or the 1,000 Rewards route will be an inexpensive way to maintain security while they plan migrations.
That said, ESU is not for everyone:

• Privacy‑first users who will not or cannot bind devices to Microsoft Accounts must evaluate whether the convenience of one more year of patches justifies the account requirement.
• Organizations subject to compliance rules should not treat consumer ESU as a long‑term solution; enterprise ESU or migration strategies are more appropriate.
• Anyone who depends on long‑term patching beyond October 13, 2026 should plan for migration now; ESU is a bridge year, not a replacement for supported platforms.

Use ESU deliberately: patch, enroll if needed, and use the extra year to migrate safely rather than to delay indefinitely. Microsoft’s public documentation and the hands‑on community reporting make the conditions and tradeoffs clear; read the official ESU guidance and verify your device meets the prerequisites before relying on it as your long‑term plan. (support.microsoft.com)

---

Quick reference: where the key claims stand (verification summary)​

• End‑of‑support and consumer ESU coverage period: EOL Oct 14, 2025; consumer ESU through Oct 13, 2026 — confirmed by Microsoft’s ESU support page. (support.microsoft.com)
• Enrollment options: backup sync (free), redeem 1,000 Rewards, or pay $30 — documented by Microsoft and corroborated by community Q&A and independent outlets. (support.microsoft.com, techcommunity.microsoft.com)
• KB5065429 availability and build mapping: KB5065429 is the September cumulative that advances Windows 10 22H2 to Build 19045.6332 — catalog and build lists reflect that mapping. (en.wikipedia.org)
• Enroll now visibility: experience is staged; some users only saw the ESU toggle after installing the cumulative that produced build 19045.6332 — reported in hands‑on coverage and community testing; Microsoft confirms staged rollout. That behavior is anecdotal for some test machines and is not a universal guarantee. (windowslatest.com)

When specific rollout timing or wizard behavior matters (for example in managed environments), rely on Microsoft’s official update documentation and the device’s Update history as the ground truth. If enrollment is critical, apply the latest cumulative and servicing stack updates, sign in with a Microsoft account, and check for the Enroll now path in Settings. (support.microsoft.com, hothardware.com)

---

Microsoft’s move — a one‑year consumer ESU bridged to an in‑product enrollment experience — is a pragmatic compromise for a huge installed base that cannot all move to Windows 11 overnight. KB5065429’s release is less about flashy features and more about making the transition mechanics reliable and discoverable in the final months before Windows 10’s mainstream retirement. For users who must stay on Windows 10, the responsible path is clear: patch now, enroll if you need the extra year, and use that breathing space to complete a planned migration to a supported platform.

---

Source: windowslatest.com Windows 10 KB5065429 released ahead of EOL, direct download links (.msu)