Windows 10 ESU End of Support Banner Bug: Updates Continue Despite Entitlements

Microsoft has confirmed that a display bug introduced after October’s cumulative updates is incorrectly telling some paid Extended Security Updates (ESU) customers that their Windows 10 installations have “reached the end of support,” even though those devices remain entitled to and continue receiving security patches.

[Image: Windows Update screen shows end-of-support warning with update options and cloud/gear icons.]

Background

Microsoft formally ended mainstream support for Windows 10 on October 14, 2025, and released the final broad monthly cumulative update for the consumer servicing branch on that date. That October update, commonly cited as KB5066791, moved 22H2 installs to builds in the 19045.x family. Because millions of machines still run Windows 10, Microsoft offered an Extended Security Updates (ESU) pathway: one additional year of security-only updates through October 13, 2026 for consumers, or multi-year options for enterprise customers. Consumer enrollment is available via three methods: enable Windows Backup (settings sync) for a free path, redeem 1,000 Microsoft Rewards points, or make a one-time purchase (about $30 USD) for the year’s coverage.

What happened: the bug summarized

After installing updates released on or after October 14, 2025 (the October cumulative tracked as KB5066791), some Windows 10 devices started showing an alarming banner in Settings → Windows Update reading: “Your version of Windows has reached the end of support. Your device is no longer receiving security updates.” This banner appeared not only on unenrolled machines but also on devices that are properly enrolled in ESU, and on LTSC/IoT Enterprise SKUs that remain within their published servicing timelines. Microsoft characterizes the issue as a display/diagnostic error (a UI/flagging regression) rather than a revocation of update service or a failure in the update pipeline. In other words, devices that have a valid, activated ESU entitlement, or are LTSC/IoT Enterprise builds covered under longer lifecycles, should continue to receive security updates despite the warning.

Which systems are affected

The incorrect “end of support” banner has been reported on these primary SKUs:
  • Windows 10, version 22H2 — Pro, Education, and Enterprise editions that are correctly enrolled in the ESU program and configured with an ESU product key.
  • Windows 10 Enterprise LTSC 2021 and Windows 10 IoT Enterprise LTSC 2021, both of which have their own servicing windows that extend beyond October 2025.
Administrators have also reported the banner on cloud-hosted workloads and Azure VMs that, per Microsoft policy, are automatically entitled to ESU updates when configured to receive updates. That has prompted extra concern because Azure-hosted workloads are typically expected to be automatically covered.

Why this matters — practical and operational risks

The problem is more than cosmetic for many organizations. The Settings page banner feeds into dashboards, compliance scans, monitoring rules, and security operations workflows.
  • False positive compliance alerts: Automated tools that read device lifecycle state can misclassify machines as unsupported and trigger unnecessary escalations.
  • Operational confusion: In some configurations the Windows Update page also temporarily disables or hides the “Check for updates” button, increasing uncertainty even when updates continue flowing.
  • Helpdesk and ticket churn: Support teams face extra calls and tickets from users who believe their systems have been unceremoniously abandoned. News of “end of support” banners quickly generates anxiety.
That said, the technical takeaway from Microsoft’s guidance is clear: the message is an incorrect display and does not, by itself, revoke ESU entitlements nor block the underlying delivery of security updates where entitlements are valid.

Microsoft’s response and remediation steps

Microsoft has acknowledged the problem publicly on the Windows 10 “known issues and notifications” pages and described two remediation approaches:
  • A cloud configuration update (server-side fix) was rolled out to correct the diagnostic flag for connected devices. Devices must be able to receive dynamic updates from Microsoft to benefit from this fix — that typically requires internet connectivity and permission for OneSettings/dynamic updates. Microsoft notes the update might not reach devices that are offline, that block OneSettings downloads via Group Policy, or that use restrictive firewalls.
  • For enterprise-managed or air-gapped environments where the cloud fix cannot reach devices, Microsoft published a Known Issue Rollback (KIR) mechanism that administrators can deploy via Group Policy or management tooling to forcibly remove the incorrect banner. The KIR approach is the standard enterprise path for undoing a Windows behavior regression without waiting for a full cumulative patch.
Microsoft’s documentation and messages emphasize that the issue is mitigated by these actions and that entitlement and update delivery remain intact for properly licensed systems.

How to check whether your PC is affected

  • Open Settings → Update & Security → Windows Update.
  • Look for the red banner that reads: “Your version of Windows has reached the end of support. Your device is no longer receiving security updates.”
If that banner appears, confirm entitlement by checking the side message in Windows Update that says: “Your PC is enrolled to get extended security updates.” If that enrollment message is visible and your device is configured with a valid ESU license, the banner is a display bug and not a definitive sign that updates have stopped. If the “Enroll now” or ESU messaging does not appear and you’re unsure of your status, also check:
  • For enterprise environments: your inventory/MDM/endpoint management console for ESU product key status and activation flags.
  • For Azure VMs: confirm that the VM is configured to receive updates via Azure Update Manager or Windows Update settings; eligible Azure VMs should be automatically entitled to ESU at no additional cost in many Azure services.

Workarounds and recommended actions

  • For most home and small-business users: simply ensure your device is connected to the internet, allow dynamic/OneSettings updates, and restart. The cloud configuration update should clear the banner within hours of receiving it.
  • For enterprises and air-gapped systems: deploy the Known Issue Rollback (KIR) or the Group Policy configuration Microsoft documented to suppress the incorrect banner. Use your change-control process to apply KIR and verify the change in a pilot group first.
  • Validate update delivery: don’t rely on the banner alone. Confirm actual patch delivery in one of these ways:
      • Check Windows Update history (Settings → Update & Security → Windows Update → View update history) to ensure monthly cumulative updates are listed.
      • Cross-check endpoint management consoles (Intune, WSUS, SCCM, third-party EDR/patching dashboards) for the last applied KB numbers.
      • For Azure-hosted workloads, validate the VM’s update compliance in the Azure Update Manager.
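The checks in “How to check whether your PC is affected” and “Validate update delivery” can be gathered from the endpoint itself. The following PowerShell script is an added example, not code from the article, ZDNET or Microsoft: it reports the OS build, the ESU add-on licensing state, and the successful update installs recorded since October 14, 2025, so the banner is cross-checked rather than trusted. It assumes an elevated session on the device and that the ESU add-on license carries “ESU” in its product name.

```powershell
# Added example (not from the article, ZDNET or Microsoft): gather three pieces of
# evidence from the endpoint itself so the Settings banner is never the only signal.
# Assumes an elevated PowerShell session on the Windows 10 device being checked.

# 1. OS build. Windows 10 22H2 updated in/after October 2025 is in the 19045.x family.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"Build: $($ver.CurrentBuild).$($ver.UBR) ($($ver.DisplayVersion), $($ver.ProductName))"

# 2. ESU entitlement. The ESU add-on shows up as a SoftwareLicensingProduct instance;
#    filtering on 'ESU' in the product name is an assumption about Microsoft's naming.
#    LicenseStatus 1 means Licensed.
$esu = Get-CimInstance -ClassName SoftwareLicensingProduct |
    Where-Object { $_.Name -like '*ESU*' -and $_.LicenseStatus -eq 1 }
if ($esu) {
    'ESU entitlement: licensed ESU add-on present'
    $esu | Select-Object Name, PartialProductKey | Format-Table -AutoSize
} else {
    'ESU entitlement: no licensed ESU add-on found; confirm in your management console'
}

# 3. Update delivery. Read Windows Update history through the Windows Update Agent COM
#    API and keep successful installs (ResultCode 2 = Succeeded) dated on or after the
#    October 14, 2025 end-of-support date.
$cutoff   = Get-Date '2025-10-14'
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$recent   = @()
if ($count -gt 0) {
    $recent = $searcher.QueryHistory(0, $count) |
        Where-Object { $_.ResultCode -eq 2 -and $_.Date -ge $cutoff } |
        Sort-Object Date -Descending |
        Select-Object Date,
            @{ Name = 'KB'; Expression = { if ($_.Title -match 'KB\d+') { $Matches[0] } } },
            Title
}
if ($recent) {
    "Successful installs since $($cutoff.ToString('yyyy-MM-dd')):"
    $recent | Format-Table -AutoSize -Wrap
} else {
    "No successful installs recorded since $($cutoff.ToString('yyyy-MM-dd')); investigate"
}

# 4. Verdict: ESU add-on licensed AND post-cutoff cumulative updates recorded means the
#    'end of support' banner is the display bug described above, not lost coverage.
```

The history query only sees installs performed through the Windows Update Agent (Windows Update, WSUS, ConfigMgr), so compare its output against the management console records the article recommends rather than treating either alone as authoritative.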

Why this bug slipped through and what it teaches IT teams

This issue is a textbook example of a small diagnostic regression causing outsized operational pain.
  • The Windows Update UX is an integration point for lifecycle metadata that feeds security posture tooling. When the UX misreports state, automation and human teams respond the way they’re designed to: with alerts and escalations.
  • The bug likely stems from lifecycle metadata or a flag interpretation change that accompanied the October servicing wave (KB5066791). Because October’s release was a major milestone marking the platform’s formal end of mainstream support, any lifecycle-related changes had a high potential to cascade into misreporting.
  • The incident underscores the value of defense-in-depth for monitoring and reporting: rely on update delivery evidence (patch history, management console reports, signature-based endpoint checks) rather than a single UI banner to declare device compliance.

Cost, enrollment and the broader ESU picture

For readers considering ESU as a deliberate strategy rather than an emergency stopgap, here’s the concrete consumer-side picture:
  • Enrollment options: free if you enable Windows Backup and sync settings to your Microsoft account, redeem 1,000 Microsoft Rewards points, or make a one-time purchase (roughly $30 USD) that covers up to 10 devices tied to the same Microsoft account.
  • Scope: the consumer ESU program delivers security-only updates for eligible Windows 10 22H2 devices through October 13, 2026. It does not include feature updates, broad quality fixes, or standard technical support. Enterprises can purchase multi-year ESU through volume licensing at higher per-device rates.
  • Azure and cloud semantics: many Azure-hosted VMs and Windows 365/AVD workloads have ESU entitlements included by configuration; these should not require individual purchases but must be configured to receive updates. This is why seeing the “end of support” banner on Azure VMs created particular concern.

Practical checks for administrators (quick checklist)

  • Confirm whether affected devices show the end-of-support banner in Settings → Update & Security → Windows Update.
  • Verify actual update receipt by viewing Update history and management console records.
  • Ensure devices are connected to the internet and that OneSettings/dynamic updates aren’t blocked so the cloud configuration update can be delivered.
  • For disconnected or locked-down fleets, plan a staged KIR deployment and document the change for auditors.
  • Communicate clearly to end users and security teams that the banner is currently considered a diagnostic error and to rely on patch history for compliance reporting.

Risk analysis — short and medium term

Short term (days to weeks): most organizations that allow dynamic updates and have internet connectivity will see the banner clear as the cloud configuration update is applied. The main risk is operational noise — unnecessary tickets, rushed remediation work, and wasted hours chasing a false alarm.

Medium term (weeks to months): if tooling and compliance systems were implicitly configured to treat the Windows Update banner as authoritative, organizations may need to revisit those automation rules. Relying on a single client-side UX for compliance is brittle; teams should adopt cross-checks (update history, server-side telemetry, EDR indicators, inventory records) to avoid future false positives.

Unverifiable or emerging claims: precise counts or percentages of affected devices have not been publicly published by Microsoft; vendor and media reports are anecdotal and regionally varied. Treat any widely circulated “how many PCs are affected” numbers as estimates until Microsoft publishes telemetry-based figures. This lack of a hard telemetry figure is a gap in the public data.

Longer-term implications for Windows lifecycle messaging

Windows 10’s official end-of-support moment was a major lifecycle inflection: Microsoft moved many devices into ESU, consumer or enterprise, and adjusted lifecycle metadata accordingly. That lifecycle data powers UI banners, compliance APIs, and Graph/management hooks.
This incident shows how a single presentation-layer regression can cascade through operational tooling. Expect the following downstream outcomes:
  • Administrators will add redundancy to lifecycle reporting and will treat client UI banners as support signals, not compliance proof.
  • Microsoft will likely tighten validation around message triggers and test lifecycle metadata flows more explicitly in servicing waves that coincide with lifecycle transitions. The swift cloud config update and KIR guidance signal Microsoft’s awareness of that testing need.

Final recommendations

  • If you see the banner and your device shows “Your PC is enrolled to get extended security updates”, do nothing rash: updates should continue. Verify patch history to be safe.
  • Ensure devices are connected to the internet and allowed to receive dynamic updates so the cloud configuration fix arrives automatically.
  • For organizations, deploy the Known Issue Rollback (KIR) if you manage offline or tightly controlled fleets and need an immediate, auditable remediation patch.
  • Revisit compliance automation that consumes client UI state; add cross-checks against update history, management-console records, and telemetry to avoid false positives in the future.

Conclusion

The alarmingly worded “end of support” banner that popped up after the October 14, 2025 cumulative update was a high-profile example of how lifecycle messaging and UI diagnostics can inadvertently trigger operational panic. Microsoft’s assessment — that this is a display/diagnostic error rather than a revocation of ESU coverage — is reassuring, and the company has already pushed a cloud configuration update along with Known Issue Rollback guidance for enterprises. Still, the incident should be a reminder: lifecycle transitions are delicate. IT teams should validate entitlement with hard telemetry and update history, not a single banner in the Settings app, and prepare operational playbooks for answering the questions that will come the next time a lifecycle message changes for a widely deployed platform.

Source: ZDNET, “Microsoft confirms a bug is hitting paid Windows 10 ESU users - here's what's happening”