Windows 10 End of Support: Practical Steps to Stay Safe with ESU and Defender

Windows 10 has reached its official end of support, but millions of machines still run it — and that reality means users must take immediate, practical steps to lower their risk of being hacked. Microsoft ended mainstream security updates for Windows 10 on October 14, 2025, and while a short-term safety net exists (consumer Extended Security Updates and continued Defender intelligence updates), those measures are time-limited and incomplete. This article explains exactly what changed, what protections remain, and a prioritized, actionable plan to keep a Windows 10 PC safer for as long as you need it — plus the strategic trade-offs if you decide to stay put rather than upgrade.

[Image: desk setup showing "EOS" on screen with a Windows 10 logo and security shield, signaling end of support.]

Background / Overview​

Windows 10’s lifecycle officially closed on October 14, 2025; Microsoft will not issue routine security or feature updates for the OS after that date. Consumers do, however, have the option to enroll eligible devices in Microsoft’s Extended Security Updates (ESU) program for a limited period, and Microsoft has committed to continuing Microsoft Defender Antivirus security intelligence updates for Windows 10 through at least October 2028. These policies buy time, not permanence. The details matter: eligibility rules, account requirements, and the scope of ESU are narrow, and Defender’s updates do not replace missing OS patches.
StatCounter and other telemetry trackers showed Windows 11 overtaking Windows 10 in overall pageview-weighted share in mid‑2025, but a significant portion of the installed base remained on Windows 10 at the time support ended — especially older or incompatible devices. That means many real-world PCs will need to be hardened rather than upgraded immediately. Use migration when feasible, but secure older machines if you can’t move them.

What “End of Support” Actually Means​

  • No more cumulative OS security updates. Microsoft will not ship the monthly cumulative patches that address newly discovered Windows kernel, driver, or system-component vulnerabilities. That leaves system-level attack surfaces exposed unless you enroll in ESU.
  • No technical support. If you call Microsoft about a Windows 10 problem, you’ll be told the product is no longer supported. That includes troubleshooting and remediation guidance for new Windows 10–specific bugs.
  • Software compatibility will degrade over time. New apps and drivers will increasingly target Windows 11, meaning future hardware and high-end tools may not work on Windows 10. Expect friction with new peripherals and professional software.
  • Limited compensations remain. Microsoft’s consumer ESU program allows enrolled Windows 10 devices to receive critical and important security updates for one year past EOS (through October 13, 2026) if prerequisites are met; enterprises may extend longer at higher costs. Separately, Microsoft stated it will deliver Defender security intelligence updates through at least October 2028 — but those are antivirus intelligence updates, not OS patches.
This combination means you’re not instantly defenseless, but your margin for error is shrinking with every unpatched OS vulnerability discovered.

The ESU Program: How It Works, Costs, and Limits​

What ESU gives you​

  • Access to security updates classified as Critical and Important by Microsoft’s Security Response Center (MSRC) for enrolled Windows 10, version 22H2 devices.
  • Delivery via Windows Update to enrolled PCs. ESU does not include new features, non-security fixes, or technical support.

Eligibility and enrollment​

  • Devices must be running Windows 10, version 22H2 and be fully updated.
  • For consumers, enrollment is done from Settings > Update & Security > Windows Update once the enrollment wizard appears; consumer rules differ from enterprise licensing. Every consumer path requires signing in with a Microsoft account: enrollment is free if you turn on Windows Backup settings sync, or you can redeem 1,000 Microsoft Rewards points, or make a one-time purchase (about $30 USD in many markets) for the single-year consumer ESU. Organizations face a different, tiered pricing model.
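Before opening Settings it is worth confirming the prerequisites from the command line. The script below is an added PowerShell example (not from PCMag or Microsoft); it reads the standard registry keys Windows uses to record its version, lists the most recent installed update, and checks for a pending reboot, which can keep a just-installed update from counting as applied.

```powershell
# Added example: check the Windows 10 consumer ESU prerequisites on the local PC.
# No elevation needed. ESU requires Windows 10, version 22H2 (build 19045), fully patched.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build          = [int]$cv.CurrentBuildNumber
$ubr            = [int]$cv.UBR            # Update Build Revision; increments with each cumulative update
$displayVersion = $cv.DisplayVersion      # e.g. "22H2"; very old builds only expose ReleaseId

$is22H2 = ($displayVersion -eq '22H2') -and ($build -eq 19045)

# Most recent installed update. If it predates the last Patch Tuesday, run Windows Update first.
$lastUpdate = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

# Windows Update leaves this key behind until the machine restarts.
$rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

[pscustomobject]@{
    ProductName    = $cv.ProductName
    DisplayVersion = $displayVersion
    Build          = "$build.$ubr"
    Is22H2         = $is22H2
    LastUpdateKB   = $lastUpdate.HotFixID
    LastUpdateDate = $lastUpdate.InstalledOn
    RebootPending  = $rebootPending
} | Format-List

if (-not $is22H2) {
    Write-Warning 'Not on Windows 10 22H2: move to 22H2 and patch fully before attempting ESU enrollment.'
}
if ($rebootPending) {
    Write-Warning 'A restart is pending: reboot, then re-check before enrolling.'
}
```

If `Is22H2` is `False` or `RebootPending` is `True`, fix that first; the ESU enrollment link in Windows Update only appears on an eligible, fully updated 22H2 device.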

Important limitations​

  • Time-limited: Consumer ESU extends Windows 10 security updates only through October 13, 2026; enterprise ESU may go further but at increasing cost per year. ESU purposely does not restore general support or regular feature updates.
  • Account requirements: all consumer enrollment paths require a Microsoft account, including the paid one; the free path additionally requires turning on Windows Backup settings sync. If you run a local account day to day you must still sign in with a Microsoft account to enroll, and the consumer ESU covers only a single extra year. Tom’s Hardware and other outlets reported on the friction this caused for local-account users.
Bottom line: ESU is a useful stopgap if you need time to migrate, but it’s neither cheap nor open-ended for consumers.

Microsoft Defender and What It Does — And Doesn’t — Protect​

Microsoft has committed to keeping Microsoft Defender Antivirus receiving security intelligence updates for Windows 10 through at least October 2028. That means signature and cloud-driven threat intelligence used to detect malware will continue to be refreshed even after Windows 10 EOS. However, Defender’s updates are not a replacement for OS-level security patches. Defender can detect, quarantine, and sometimes prevent malware execution, but it can’t fundamentally fix an exploitable kernel or driver bug. Use Defender as a critical layer in a broader defense-in-depth strategy — not as your sole line of defense.
Why that matters: many modern attacks chain multiple small issues (phishing -> credential theft -> privilege escalation via unpatched OS bug). If the OS bug cannot be patched, a successful first-stage compromise can become far more damaging. Defender helps with detection and response, but the most resilient approach is to combine Defender with other mitigations described below.

Practical Steps to Lower Your Risk — Immediate Actions​

If you plan to keep using Windows 10 for a while, treat the next 6–12 months as a risk‑management sprint. The list below is prioritized from highest to lower immediate impact.

1. Enroll in ESU if you qualify and need time​

  • Check Settings > Update & Security > Windows Update — look for an ESU enrollment link if you meet prerequisites.
  • If you want to stay on a local account, be prepared to pay the one-time consumer fee or purchase ESU via other channels; otherwise, switching to a Microsoft account can enable different enrollment paths. ESU buys you time, not permanence.

2. Harden account security — passwords, MFA, and Windows Hello​

  • Turn on Multi‑Factor Authentication (MFA) for your Microsoft account and other critical services (email, financial, cloud storage).
  • Deploy a password manager and replace reused or weak passwords with long, unique credentials.
  • Use Windows Hello (PIN or biometrics) for sign-in where available; the PIN or biometric is bound to the device, so it cannot be replayed from a phished or leaked password. Keep the account password strong regardless, because it still exists behind Windows Hello.
  • Audit local admin accounts; operate day-to-day as a non-admin account. This reduces the ability of malware to install system-wide components.
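The account audit above, as an added PowerShell example (not from the original article). It assumes a stand-alone PC rather than a domain-joined one, and `DailyUser` is a placeholder name for the standard account; run it once from an elevated prompt.

```powershell
# Added example: audit Administrators membership and set up a standard (non-admin) daily account.
# Run from an elevated PowerShell on a stand-alone Windows 10 PC.

# 1. Who is an administrator on this PC right now?
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize

# 2. Is the account you are logged in as a member of Administrators? Compare SIDs, which works
#    for local and Microsoft-account users alike. For day-to-day use this should be False.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$adminSids = (Get-LocalGroupMember -Group 'Administrators').SID.Value
$iAmAdmin = $adminSids -contains $me.User.Value
"Logged in as $($me.Name); member of Administrators: $iAmAdmin"

# 3. The built-in Administrator (RID 500) is disabled by default; make sure it stays that way.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin.Enabled) {
    Disable-LocalUser -Name $builtin.Name
    "Disabled built-in account $($builtin.Name)"
}

# 4. Create the standard daily account if it does not exist. 'DailyUser' is a placeholder.
$daily = 'DailyUser'
if (-not (Get-LocalUser -Name $daily -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $daily"
    New-LocalUser -Name $daily -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $daily
    "Created standard user $daily"
}

# 5. Make sure the daily account is NOT in Administrators (no-op if it never was).
if (Get-LocalGroupMember -Group 'Administrators' -Member $daily -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $daily
    "Removed $daily from Administrators"
}
```

After this, sign in as the standard account for everyday work; UAC will prompt for an administrator's credentials only when an install or maintenance task actually needs them.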

3. Lock down remote access and network exposure​

  • Disable or tightly restrict remote administration protocols (RDP, SMB) unless absolutely needed. If RDP must remain open, use a VPN and multi-factor authentication. Blocking RDP on the firewall and router is a fast improvement.
  • Harden router admin credentials, keep router firmware updated, and use WPA3 (or WPA2 at a minimum) on Wi‑Fi.
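The remote-access lockdown in item 3, as an added PowerShell example (not from the original article). It assumes a stand-alone home or small-office PC, not a domain-joined machine whose policies would override these settings, and it must run from an elevated prompt.

```powershell
# Added example: close the host-side remote-access paths (RDP, SMB) and verify what is still listening.
# Run from an elevated PowerShell on a stand-alone Windows 10 PC.

# 1. Disable Remote Desktop at the host and turn off its inbound firewall rules.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                 -Name 'fDenyTSConnections' -Value 1
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 2. Remove SMBv1 entirely (no modern client needs it) and, unless this PC deliberately shares
#    files with others, close the File and Printer Sharing inbound rules too.
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule

# 3. Classify every current network as Public so discovery/sharing rules stay closed on it.
#    (Fails on a domain network; that is expected on a domain-joined PC.)
Get-NetConnectionProfile |
    Where-Object NetworkCategory -ne 'Public' |
    Set-NetConnectionProfile -NetworkCategory Public

# 4. Firewall on for all profiles, inbound blocked by default.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 5. Verify: anything still listening on a non-loopback address is a door you chose to leave open.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    Select-Object LocalAddress, LocalPort,
                  @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Sort-Object LocalPort -Unique |
    Format-Table -AutoSize
```

Port 3389 should no longer appear in the final table. If you genuinely need RDP, leave these rules disabled and reach the PC only over a VPN that itself requires MFA, as the bullet above says.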

4. Use a strong, modern security stack​

  • Keep Microsoft Defender enabled and verify it receives updates. Defender remains effective but do not rely on it alone.
  • Consider a reputable third-party security suite (EDR-capable if you need enterprise-style protections) that adds anti-exploit and behavior-based detection on top of Defender.
  • Use browser hardening: enable SmartScreen and reputation checks, block potentially unwanted apps, and keep extensions to a vetted minimum.

5. Turn on Windows’ built-in exploit mitigations and defenses​

  • Enable Exploit Protection and Core Isolation (Memory Integrity) where your hardware and drivers support them.
  • Turn on reputation-based protection in App & browser control (SmartScreen for apps and files, Potentially unwanted app blocking). Smart App Control is a Windows 11-only feature and is not available on Windows 10.
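Items 4 and 5 together, as an added PowerShell example (not from the original article). It uses the Defender and ProcessMitigations cmdlets that ship with Windows 10 and must run from an elevated prompt; the system-wide mitigations it enables are Microsoft's defaults, so enforcing them is low risk, but test any line-of-business software afterwards.

```powershell
# Added example: verify Defender is healthy and cloud-connected, then enable the built-in
# exploit mitigations. Run from an elevated PowerShell on Windows 10.

# 1. Defender health: real-time on, tamper protection on, signatures fresh
#    (security intelligence updates continue through at least October 2028).
$status     = Get-MpComputerStatus
$sigAgeDays = (New-TimeSpan -Start $status.AntivirusSignatureLastUpdated -End (Get-Date)).Days
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtection   = $status.IsTamperProtected
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureAgeDays   = $sigAgeDays
} | Format-List
if ($sigAgeDays -gt 2) { Update-MpSignature }

# 2. Cloud-delivered protection, sample submission, PUA blocking and the two Defender features
#    that matter most once OS patches stop: Controlled Folder Access (ransomware) and
#    Network Protection (known-bad domains). If Tamper Protection rejects a change, make the
#    same change in the Windows Security app instead.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples -PUAProtection Enabled
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -EnableControlledFolderAccess Enabled
Set-MpPreference -EnableNetworkProtection Enabled

# 3. Exploit Protection, system-wide. These are the Windows defaults; enforcing them guarantees
#    a per-app or policy override has not silently turned one off.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy, CFG
Get-ProcessMitigation -System | Select-Object -ExpandProperty DEP

# 4. Core Isolation / Memory Integrity (HVCI) state. In SecurityServicesRunning, 2 = HVCI.
#    If it is configured but not running, an incompatible driver is usually the reason.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VBSStatus      = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled but not running, 2 running
    HVCIConfigured = $dg.SecurityServicesConfigured -contains 2
    HVCIRunning    = $dg.SecurityServicesRunning    -contains 2
} | Format-List
```

Memory Integrity itself is switched on in Windows Security > Device security > Core isolation; the script only tells you whether it took effect, which is the check older drivers most often fail.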

6. Isolate high-risk activities​

  • Use a different machine or a virtualized environment for high-risk tasks (torrenting, unknown downloads).
  • Consider running a separate hardened browser profile (or different browser) for banking and sensitive services.

7. Backups that resist ransomware​

  • Maintain at least three copies of important data: local, external offline (disconnected after backup), and cloud with versioning.
  • Periodically test restore procedures. A backup you can’t restore is worthless.
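The "test your restore" step, as an added PowerShell example (not from the original article). It copies a folder to an external drive with the built-in `robocopy`, records a SHA-256 manifest of the source, then restores the copy to a scratch folder and compares every hash, so a backup is only reported good once it has actually been read back intact. Paths are placeholders; `E:` is assumed to be the offline external disk you disconnect afterwards.

```powershell
# Added example: dated backup of a folder to an external drive, with a hash-verified restore test.
# Paths are placeholders. Run as the user who owns the data (no elevation required).
$source = "$env:USERPROFILE\Documents"
$dest   = 'E:\Backups\Documents-' + (Get-Date -Format 'yyyyMMdd-HHmm')   # one dated set per run = versions

# 1. Copy. /MIR mirrors the tree, /COPY:DAT keeps data/attributes/timestamps,
#    /R:1 /W:1 stops robocopy hanging on locked files, /LOG keeps a record.
New-Item -ItemType Directory -Path $dest -Force | Out-Null
robocopy $source $dest /MIR /COPY:DAT /R:1 /W:1 /NP "/LOG:$dest.log" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE); see $dest.log" }

# 2. Manifest: relative path + SHA-256 of every source file, stored beside the backup set.
function Get-Manifest([string]$root) {
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}
$manifest = Get-Manifest $source
$manifest | Export-Csv -Path "$dest.manifest.csv" -NoTypeInformation

# 3. Restore test: read the backup back into a scratch folder and compare hashes with the manifest.
#    A file edited between copy and hashing will show here too, which is the point of the check.
$scratch = Join-Path $env:TEMP ('restore-test-' + (Get-Date -Format 'HHmmss'))
robocopy $dest $scratch /E /NP | Out-Null
$restored = Get-Manifest $scratch
$diff = Compare-Object -ReferenceObject $manifest -DifferenceObject $restored -Property RelativePath, Sha256
if ($diff) {
    Write-Warning "Restore test FAILED: $($diff.Count) mismatched or missing entries"
    $diff | Format-Table -AutoSize
} else {
    "Restore test passed: $($manifest.Count) files verified against the manifest"
}
Remove-Item -Path $scratch -Recurse -Force
```

Run it on a schedule, then physically disconnect the external drive; the dated folders give you the versioning that lets you reach back past a ransomware encryption event, and the manifest beside each set tells you which copy is trustworthy.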

8. Reduce attack surface: uninstall unused apps and drivers​

  • Remove legacy software and drivers you no longer use. Legacy code contains many historical vulnerabilities.
  • Keep third-party apps (Java, Adobe Reader, browsers, Office) updated independently of the OS.

9. Network-level protections: DNS filtering and VPN​

  • Configure a filtering DNS resolver such as Quad9 (9.9.9.9) or Cloudflare’s malware-blocking 1.1.1.2 to block known malicious domains; Cloudflare’s default 1.1.1.1 does not filter.
  • Use a reputable VPN when on untrusted networks, but don’t rely on VPN for local OS protection.
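Setting and verifying a filtering resolver, as an added PowerShell example (not from the original article). It uses Quad9's published IPv4 and IPv6 addresses, applies them to every active physical adapter, and then checks that the system resolver and a direct query to Quad9 agree; run it from an elevated prompt.

```powershell
# Added example: point the PC at a malware-filtering resolver (Quad9) and confirm it is in use.
# Quad9 filters known-malicious domains on 9.9.9.9 / 149.112.112.112 (IPv6 2620:fe::fe / 2620:fe::9).
# Cloudflare filters only on 1.1.1.2 / 1.0.0.2, not on the default 1.1.1.1.
# Run from an elevated PowerShell.
$servers = '9.9.9.9', '149.112.112.112', '2620:fe::fe', '2620:fe::9'   # IPv6 too, or v6 queries bypass the filter

# 1. Apply to every connected physical adapter (Wi-Fi, Ethernet).
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
foreach ($a in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $servers
}
Clear-DnsClientCache

# 2. Show what the stack is now configured to use.
Get-DnsClientServerAddress |
    Where-Object { $_.InterfaceIndex -in $adapters.ifIndex -and $_.ServerAddresses } |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses |
    Format-Table -AutoSize

# 3. Functional check: the system resolver and a query sent straight to Quad9 should agree.
$viaSystem = (Resolve-DnsName -Name example.com -Type A).IPAddress
$viaQuad9  = (Resolve-DnsName -Name example.com -Type A -Server 9.9.9.9).IPAddress
"System resolver -> $viaSystem"
"9.9.9.9 direct  -> $viaQuad9"
```

Two caveats a practitioner should know: a browser with its own DNS-over-HTTPS provider configured ignores these system servers, so set the same filtering provider there (or let the system setting govern); and a router that hands out its own DNS over DHCP will re-apply the moment you connect to a new network unless the adapter setting is static, as it is here.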

10. Monitor and respond​

  • Enable logging and alerts where feasible. Use built-in Windows Event logs and set a simple schedule to review unusual authentications or service crashes.
  • If compromised, disconnect the device from the network and use a known-clean system to change passwords and investigate.
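A concrete version of "review unusual authentications or service crashes", as an added PowerShell example (not from the original article). It walks the built-in Security, System and Defender logs for the handful of event IDs that matter most on a PC you can no longer patch: failed and remote logons, new services, audit-log clearing, and Defender detections or real-time protection being switched off. Reading the Security log requires an elevated prompt.

```powershell
# Added example: weekly triage of the built-in event logs. Run from an elevated PowerShell.
$since = (Get-Date).AddDays(-7)

# Helper: pull named EventData fields out of an event's XML payload into a hashtable.
function Get-EventFields($event, [string[]]$names) {
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name -in $names) { $data[$d.Name] = $d.'#text' }
    }
    $data
}

# 1. Failed logons (Security 4625): which accounts, from which source IPs.
#    Many failures from one IP against several names = password spraying.
"--- Failed logons, top sources ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject](Get-EventFields $_ 'TargetUserName', 'IpAddress', 'LogonType') } |
    Group-Object IpAddress, TargetUserName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# 2. Successful RDP logons (Security 4624 with LogonType 10). On a PC where RDP is supposed to
#    be off, any row here is a finding.
"--- Successful remote-interactive (RDP) logons ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject](Get-EventFields $_ 'TargetUserName', 'IpAddress', 'LogonType') } |
    Where-Object LogonType -eq '10' |
    Format-Table -AutoSize

# 3. New services (System 7045) and audit log cleared (Security 1102): persistence and anti-forensics.
"--- New services installed ---"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_ 'ServiceName', 'ImagePath'
        [pscustomobject]@{ Time = $_.TimeCreated; Service = $f['ServiceName']; Image = $f['ImagePath'] }
    } | Format-Table -AutoSize
"--- Security log cleared ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 4. Defender: detections (1116) and real-time protection disabled (5001).
"--- Defender detections / real-time protection off ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 5001; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Empty tables are the healthy outcome. If a section is not empty, that is the moment to follow the bullet above: pull the network cable and change passwords from a known-clean device before investigating further.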
Many of these practical mitigations are drawn from standard hardening guidance and the Windows security feature set; they echo the summary advice many community threads and explainers recommended while Windows 10 was still supported.

A Tactical Two‑Month Checklist (Copy / Paste)​

  • Check Windows Update and your Windows 10 version (must be 22H2 for ESU).
  • Decide: enroll in ESU (if eligible) or plan migration. If enrolling, perform it now.
  • Turn on Defender, run full scans, confirm cloud-delivered protection is enabled.
  • Enable MFA on email, Microsoft account, and other critical services.
  • Configure automatic backups (local + cloud with versioning) and test a restore.
  • Disable unnecessary inbound services (RDP, SMB) at the firewall.
  • Patch all third-party apps and drivers.
  • Install a modern security suite if you handle sensitive data or use the PC for work.
  • Audit admin accounts; keep the built-in Administrator account disabled (it is disabled by default and cannot be removed) and use a standard account for daily use.
  • Document your recovery plan and keep a hardcopy of your essential account recovery data.

Risks, Strengths, and Pragmatic Trade-offs​

Strengths of staying on Windows 10 (short-term)​

  • Familiar environment; no hardware purchases required.
  • If you enroll in ESU and keep Defender + a layered security stack, you can reduce immediate risk and extend safe use while you plan migration.

Real risks and long-term downsides​

  • Unpatched OS vulnerabilities can be discovered after EOS and weaponized; without cumulative updates, these can lead to privilege escalation and persistence that antivirus alone may not stop.
  • Compatibility erosion: new peripherals, drivers, and apps will gradually drop Windows 10 support; this can hinder productivity or push you to upgrade under pressure.
  • Rising operational cost: ESU is a stopgap and can be more expensive for organizations (and inconvenient for consumers relying on account linkage vs. paying a fee). Enterprise costs escalate for longer-term ESU.

Unverifiable or variable claims to watch for​

  • Headlines that claim specific global user counts or precise timelines without vendor telemetry often compress nuance. Always check vendor docs (Microsoft) and independent market trackers (StatCounter) for the specific metric you need. Some numbers in media pieces can be estimates or sample-based. Treat sensational headlines cautiously.

When to Stop Trying to Harden and Start Upgrading​

  • If your PC is used for work involving sensitive corporate data, healthcare information, or financial operations, treat EOS as an immediate migration requirement — hardening is not equivalent to support.
  • If your device cannot run Windows 11 (hardware incompatibilities like unsupported CPU or missing TPM 2.0) and you rely on modern apps that declare Windows 11 only compatibility, plan a hardware refresh on your schedule.
  • If you repeatedly rely on mission-critical software vendors who drop Windows 10 support — migrate sooner rather than later.
Upgrading to Windows 11 or purchasing a new, supported PC is the only long-term fix for platform-level risk; ESU and Defender updates are bridges, not endpoints.

Final Recommendations — A Clear, Actionable Plan​

  • Immediate (today–week): Verify your Windows 10 build (22H2 is required for ESU), enable Defender, enable MFA, and take a complete backup. If you’re eligible and want time, enroll in ESU now.
  • Near term (30–90 days): Harden the device using the checklist above (disable RDP, remove unnecessary services, apply third-party updates, enable exploit mitigations). Start mapping software/hardware that may require Windows 11.
  • Medium term (3–12 months): Plan migration. If hardware supports Windows 11, test and perform the upgrade during a maintenance window. If not, budget for a new device and schedule migration to avoid last-minute compromises.
  • Ongoing: Maintain layered security: Defender + firewall + backups + MFA. Monitor vendor advisories and the threat landscape.
If you want one immediate, high‑value action: enable strong backups and verify restores. That protects against a large proportion of ransomware and disaster scenarios while you pursue the other steps.

Windows 10’s end of support changes the calculus from passive to active security: the OS will keep running, but you must assume responsibility for your device’s resilience. Use ESU only as a bridge, rely on Defender and a hardened security posture in the short term, and prioritize migration where risk and compatibility demands make it necessary. The result: you can meaningfully lower the chance of being hacked even on Windows 10 — but it requires layered controls, disciplined account hygiene, and a plan to move to a supported platform before the temporary protections run out.

Source: PCMag Using Windows 10? Do This Now to Lower Your Risk of Being Hacked
 

Windows 10 didn’t “die” overnight, but the safety net did — and if you plan to keep using it, you need a plan today to reduce your risk of being hacked. The advice in PCMag’s recent primer is right: Windows 10 users can buy time, but they must harden their systems and either enroll in Microsoft’s consumer Extended Security Updates (ESU) program or migrate to a supported platform.
Microsoft formally ended mainstream support for Windows 10 on October 14, 2025. After that date, standard monthly cumulative updates, feature updates, and vendor technical support for consumer Windows 10 editions stopped unless a device is enrolled in an approved Extended Security Updates (ESU) program. Microsoft’s lifecycle pages and support documentation make this explicit: Windows 10 Home/Pro/Enterprise/Education and related SKUs reached end of support on October 14, 2025.
That statement needs unpacking: an unsupported Windows 10 PC continues to run, but it no longer receives OS-level security fixes. This is the critical change. Without cumulative updates, newly discovered kernel, driver, and privilege‑escalation vulnerabilities remain unpatched and can be weaponized by attackers. In short, the platform becomes increasingly fragile over time unless you take compensating action.
Microsoft did, however, provide a set of narrowly scoped continuations:
  • A consumer ESU program that provides security-only updates for eligible Windows 10 devices through October 13, 2026.
  • Continued security intelligence (definition) updates for Microsoft Defender Antivirus on Windows 10 through at least October 2028, and security updates for Microsoft 365 apps through a similar window. Microsoft reiterated these protections in its Windows Experience Blog and support channels.
Those continuations are valuable but limited: ESU is a one‑year bridge for consumers, Defender’s ongoing intelligence updates do not fix unpatched OS flaws, and Microsoft’s messaging explicitly frames ESU as a time‑buying measure — not a long‑term substitute for a supported OS.

[Image: Windows 10 end of support; ESU shields the upgrade to Windows 11.]

Why this matters: the real security picture​

The difference between malware definitions and OS patches​

Microsoft Defender Antivirus will continue to receive security intelligence updates (signatures, cloud-delivered telemetry, behavioral updates) through at least October 2028, which helps detect and block known malware families and many new samples. That’s important — but it’s not the same as OS security patches. Defender can detect and quarantine malicious code, but it cannot remove an exploitable kernel or driver bug that attackers can chain into privilege escalation or persistence. Relying only on Defender creates a fragile posture: detection helps, patching prevents the underlying vectors.

The network and compatibility vectors​

Unsupported OSes also suffer growing compatibility decay. New applications, drivers for recent peripherals, and high‑end developer tools increasingly declare Windows 11 as the minimum supported platform. Over time you’ll face either degraded functionality (older software) or lack of driver support (new printers, hobbyist devices, GPUs). That operational friction often forces upgrades on shorter timelines — and that’s an additional real cost beyond security.

Popularity and context​

Market‑share data for Windows versions moves month to month. By mid‑2025 the two camps were very close; some trackers and outlets reported Windows 11 taking the lead in certain months, while others showed Windows 10 still widely used. Treat any single percentage as a snapshot — useful for context, not a guarantee of behavior on your specific machine or network. In practice, tens of millions of systems remained on Windows 10 at end of support, so risk exposure is nontrivial. (See the industry coverage and StatCounter‑driven reporting for June–July 2025 for examples of differing figures.)

Extended Security Updates (ESU): what it is and how it works​

What ESU gives you (consumer)​

  • Security‑only updates: Microsoft will deliver Critical and Important security fixes for eligible Windows 10 version 22H2 devices enrolled in consumer ESU through October 13, 2026. ESU does not include non‑security bug fixes, feature updates, or technical support.
  • Multiple enrollment paths: Consumers can enroll at no additional cost if they enable Windows Backup (syncing PC settings), redeem 1,000 Microsoft Rewards points, or pay a one‑time fee (roughly $30 USD or local equivalent) for ESU enrollment. Every path requires signing in with a Microsoft account (MSA) that is an administrator on the device, and a fully patched Windows 10, version 22H2 install.
  • Device coverage: Once enrolled, an ESU license can cover multiple devices (Microsoft’s documentation notes you can use a single consumer ESU license on up to 10 devices tied to the same MSA). Commercial ESU pricing and duration differ and are costlier for organizations.

Key caveats and eligibility​

  • ESU is a short bridge: for consumers it’s one year, not a multi‑year program. Businesses have a multi‑year option, but at an escalating per‑device cost.
  • Enrollment mechanics require an MSA and some account/backup choices — local accounts alone are not sufficient for the free Windows Backup enrollment path in many cases. If you prefer a local account, you may need to pay or redeem Rewards. Independent outlets and forums highlighted this friction during rollout; verify the enrollment path on your device before assuming free enrollment will work for your configuration.
  • ESU is security-only and does not restore vendor technical support; Microsoft will not troubleshoot non‑security behavior on an ESU‑enrolled Windows 10 device.

A prioritized security plan: how to protect a Windows 10 PC now​

If you decide to keep using Windows 10 for now, treat the next 6–12 months as a hard security sprint. The following checklist is arranged by priority and lists actionable steps you can implement immediately.

Immediate (do these right away)​

  • Verify your build: confirm you’re on Windows 10 version 22H2 and have installed all pending updates and cumulative patches. ESU requires a fully patched 22H2 system to enroll.
  • Back up and verify restores: make a local image or file backup, an independent offline copy (external drive disconnected after the backup), plus a cloud copy if you use cloud backups. Test restoring a small file to verify backups work. Backups are your single most effective mitigation against ransomware.
  • Enroll in ESU if you need time: go to Settings → Update & Security → Windows Update and look for the ESU enrollment link. Choose the eligibility path that fits (Windows Backup, Microsoft Rewards, or the $30 one‑time purchase). If you’re unsure, sign in with a Microsoft account before you attempt enrollment.

High‑impact hardening (next few days)​

  • Keep Microsoft Defender Antivirus enabled and confirm it receives updates (it will receive security intelligence updates through 2028). Use it as your baseline, but do not rely on it as your only defense.
  • Consider a reputable third‑party security suite (modern suites offer exploit blocking, behavior‑based detection, and anti‑exploit protections that are specifically useful once OS patches stop). Choose vendors with a good track record for exploit mitigation and low false positives.
  • Turn on Multi‑Factor Authentication (MFA) for your Microsoft account, email, banking, and cloud services. MFA blocks the most common credential‑based takeover paths.
  • Operate daily from a non‑admin account: create a standard local user or a linked MSA non‑admin account, and use administrative credentials only for installs and maintenance. This limits the blast radius of a successful exploit.

Network and remote access controls​

  • Disable or restrict remote services: block RDP on the router and host firewall unless you absolutely need it; if RDP is necessary, tunnel it through a VPN with MFA. Attackers frequently probe exposed RDP endpoints to gain initial footholds.
  • Harden your router: change the default admin credentials, update firmware, use WPA3 or WPA2 (AES), and disable WPS. Segment IoT devices on a separate VLAN if possible.
  • Use a trustworthy VPN for untrusted networks: a VPN reduces exposure to malicious‑website redirection and local network attacks when you’re on public Wi‑Fi.

System‑level mitigations​

  • Enable Windows Exploit Protection and Core Isolation where supported by your hardware (these raise the bar for exploitation of memory‑safety vulnerabilities). Turn on Memory Integrity (part of Core Isolation) if your CPU and drivers support it; check driver compatibility first, because older drivers can block it.
  • Enable reputation‑based protection in App & browser control (SmartScreen for apps, files and Edge, plus potentially unwanted app blocking); these help block untrusted code and potentially unwanted apps from executing. Smart App Control itself is a Windows 11 feature and is not available on Windows 10.
  • Keep browsers and browser extensions up to date, and consider hardened browsers or containers (a separate browser profile for banking). Modern exploit chains frequently begin in the browser.

Hygiene (ongoing)​

  • Patch third‑party apps promptly (Adobe, Java, Zoom, Office updates) — threat actors exploit unpatched third‑party software as often as OS bugs. Use vendor auto‑update or a reliable patch manager.
  • Run periodic full‑system scans with your AV and occasional offline scans using bootable rescue media. Verify the AV is performing scheduled scans and signature updates.
  • Use a password manager and unique passwords; enable passkeys or Windows Hello where possible to reduce phishing impact.
  • Minimize installed software: uninstall unneeded applications and remove unnecessary Windows features (especially legacy components you don’t use). Fewer installed components means fewer potential vulnerabilities.

A 14‑point immediate checklist you can copy/paste​

  • Confirm Windows 10 version is 22H2 and fully patched.
  • Enroll in ESU if you require a predictable migration window.
  • Enable and verify Microsoft Defender updates (security intelligence).
  • Add a third‑party security suite with behavior‑based detection if you want defense‑in‑depth.
  • Create and use a non‑admin daily account.
  • Turn on MFA for Microsoft and other critical accounts.
  • Back up (local image + offline external + cloud) and verify restores.
  • Disable RDP and unnecessary remote ports; if remote access is needed, use a VPN + MFA.
  • Enable Windows Exploit Protection, Core Isolation, Memory Integrity where supported.
  • Harden browser: block plugins, enable reputation checks, and isolate banking tasks.
  • Keep third‑party apps (Office, Acrobat, Java) updated via vendor tools.
  • Audit local services and remove unnecessary ones (disable SMBv1, unused shares).
  • Harden router: firmware, WPA3/WPA2, change admin password, segment IoT.
  • Prepare a migration plan: test Windows 11 compatibility or budget for replacement hardware within 3–12 months.

How long can you safely run Windows 10?​

There is no single answer — risk is contextual. For a lightly used home PC that rarely stores or transmits sensitive information, sitting behind a modern router, running Defender + a layered security stack, and following the checklist above can keep you safe for a time. For any device that touches work data, healthcare information, or financial systems, treat end of support as an urgent migration trigger: hardening reduces risk but is not equivalent to vendor support. ESU is a bridge, not a permanent fix.
Microsoft’s own messaging summarizes the practical approach: enroll in ESU if you need time, keep Defender and third‑party protections enabled, and plan migration to Windows 11 or another supported platform. If your organization has compliance requirements, you should consider migration immediately rather than depending on consumer ESU.

What to watch for — risks and pitfalls​

  • Don’t treat Defender updates as a panacea. Security intelligence is critical, but a patched kernel or driver is the only true fix for some classes of exploits. Relying on AV alone is risky.
  • Enrollment mechanics and details changed during rollout. If an article quotes a specific percentage of users or a single enrollment trick, verify the mechanics on your device at the time you act — Microsoft’s documentation is the definitive source. Public coverage sometimes condensed or misstated the nuances of the consumer ESU enrollment routes.
  • Compatibility erosion is real. New peripherals, GPU drivers, developer tools, and business software will progressively favor Windows 11. If you depend on recent hardware or software, the migration decision may be forced sooner than you expect.

Concrete migration options (if you decide to leave Windows 10)​

  • Upgrade in place: run the PC Health Check app and Windows Update → if your system meets Windows 11 hardware requirements, upgrade after testing backups and application compatibility. This keeps data and settings (mostly) intact.
  • Buy a new Windows 11 PC: a clean solution if your hardware is unsupported or unreliable — but weigh budget and supply considerations.
  • Move to an alternative OS: if your workflow allows it, consider a Linux distro or ChromeOS Flex for older laptops — great for web work, less so for Windows‑only software. Test compatibility for mission‑critical apps first.

Final analysis and recommendation​

The PCMag piece that prompted this deep dive correctly framed the problem: Microsoft’s withdrawal of full Windows 10 support removes the OS safety net, but defenders exist. If you can’t or won’t upgrade right now, take the situation seriously and act: back up, enroll in ESU if you need the time, run Defender plus a strong third‑party security stack, reduce network exposure, and operate from a non‑admin account with MFA everywhere. ESU is a pragmatic, low‑cost bridge — use it to buy time, not to procrastinate indefinitely.
Long‑term, the only resilient answer is a supported platform. Windows 11’s security model and hardware‑backed protections are Microsoft’s recommended path; for risk‑averse users and organizations, migration to a supported OS should be the principal objective. Meanwhile, the checklist above gives you an immediate, evidence‑based roadmap to lower your attack surface and buy the planning time you need.
If you follow nothing else, do these three things: back up and test your restore today; enable MFA on all accounts; and enroll in ESU if your device qualifies and you need time to migrate. That combination will sharply reduce your odds of being hacked while you move toward a permanent, supported solution.

Source: PCMag Australia Using Windows 10? Do This Now to Lower Your Risk of Being Hacked
 
