Microsoft’s last-minute change gives many Windows 10 users breathing room: Extended Security Updates (ESU) that were due to be behind a paywall or conditional on cloud backup will now be available at no extra charge for consumers across the European Economic Area, and U.S. users have a newly clarified set of free and low-cost enrollment paths — but the relief comes with strings, regional differences, and fresh questions about privacy, planned obsolescence, and practical security for millions of devices.
Background and overview
Support for Windows 10 officially ends on October 14, 2025. After that date Microsoft will stop delivering regular feature updates, technical support, and the monthly critical and important security patches users have relied on for nearly a decade. In recognition that a large share of the installed base cannot or will not move immediately to Windows 11, Microsoft created a short-term Extended Security Updates (ESU) program to bridge the transition.
The ESU program was always designed as a temporary stopgap — critical security patches only, no new features or regular non-security fixes — but the consumer-facing terms sparked a public backlash after Microsoft initially tied the cheapest free enrollment route to using cloud backup or offered paid and rewards-based alternatives. Under pressure from consumer groups and regulators, Microsoft revised its approach for European Economic Area (EEA) consumers and clarified the U.S. options, producing the policy shuffle that dominated headlines in the final weeks before the October cutoff.
This article explains what Microsoft announced, how the new enrollment options work in practice, why consumer groups pushed for changes, and what the move means for the security, privacy, and economics of staying on Windows 10. It also lays out step-by-step guidance for users and assesses longer-term implications for device lifecycle, e-waste, and platform fragmentation.
What Microsoft is offering — the details
The big picture
- End of mainstream Windows 10 support: October 14, 2025.
- Consumer ESU coverage window: ESU coverage for personal devices runs from October 15, 2025 through October 13, 2026.
- Enrollment options for consumers (summary):
  - Free enrollment via a Microsoft account + certain verification/enrollment steps (conditions differ by region).
  - Redeem 1,000 Microsoft Rewards points (no cash outlay).
  - Pay a one-time fee of $30 USD (local pricing and taxes may vary).
- Commercial pricing: Organizations can buy ESU per-device licenses, starting at $61 USD per device for year one, with prices doubling in each subsequent year for up to three years.
Regional differences that matter
- European Economic Area (EEA) consumers: Microsoft agreed to provide a no-cost ESU option for consumer devices in the EEA without the previously criticized requirement to enable the Windows Backup feature or to upload device settings to OneDrive. EEA users must still sign in with a Microsoft account on the device, and Microsoft has clarified operational requirements such as periodic sign-in checks.
- United States and other regions: The enrollment paths remain a combination of:
  - Use Windows Backup to sync settings and enroll (previously emphasized by Microsoft, and still part of the enrollment flow outside EEA).
  - Redeem 1,000 Microsoft Rewards points.
  - Or pay $30 for a one-year consumer ESU.
Enrollment mechanics and practical caveats
- Enrollment is intended to be simple: the on-device wizard walks users through the options and automatically enrolls a device once a choice is made.
- In the EEA the “backup to OneDrive” requirement was removed as a mandatory condition for free access; globally, Microsoft still uses the Microsoft account (MSA) as the primary identity and verification mechanism.
- Microsoft has indicated EEA-enrolled devices must re-authenticate with the same Microsoft account periodically (for example, within a rolling 60-day window) or risk losing ESU access until re-enrollment.
- Commercial ESU is sold through Volume Licensing and Cloud Service Providers, with a higher cost profile and multi-year options.
Why Microsoft changed course — regulator and consumer pressure
The reversal on mandatory backup and the EEA concession did not happen in a vacuum. Multiple consumer organizations campaigned publicly against what they characterized as an unfair nudge toward paid OneDrive storage or an implicit “tax” for keeping older but functional hardware secure.
- Consumer groups argued the original approach unduly pressured users into enabling cloud backup (and potentially buying more OneDrive storage) just to receive security updates.
- European advocacy groups pointed to regional consumer protection laws and the Digital Markets Act as leverage, arguing Microsoft’s enrollment conditions created an unfair lock-in.
- French groups including HOP (Halte à l’Obsolescence Programmée) and broader coalitions launched petitions demanding longer, free support windows — one notable petition explicitly requested free updates through 2030 — and raised environmental and social concerns about forcing hardware replacement.
What ESU actually gives you — and what it doesn’t
Understanding the limits of ESU is crucial for users weighing options.
- ESU covers monthly critical and important security updates only. It does not include:
  - New features or functional improvements.
  - Regular non-security patches or ongoing product support for feature requests.
  - Technical assistance beyond the scope of security-patching.
- Microsoft has clarified that some services tied to Windows 10, such as Microsoft 365 Apps, will continue to receive security updates on Windows 10 for a limited period beyond the OS end-of-support date, but those continuations are separate from OS ESU.
- Windows Defender/Microsoft Defender threat intelligence updates may continue beyond the OS lifecycle, but relying on antivirus-only protection is not an adequate substitute for OS-level security patches.
Security and privacy implications
Security benefits — immediate and real
The single biggest advantage of ESU is practical: receiving security patches for known vulnerabilities reduces the attack surface and lowers the immediate risk of remote exploitation, ransomware incidents, and drive-by compromises that target unpatched systems.
For users with legacy hardware, ESU buys time to plan a safer migration without being exposed to easily avoidable security risks. For enterprises with complex application stacks, ESU can be a pragmatic part of migration budgeting and scheduling.
Privacy and consent concerns — the trade-offs
The original enrollment design raised clear privacy concerns:
- Requiring the enablement of Windows Backup to OneDrive as a precondition for the cheapest enrollment path effectively pushed users into cloud storage and generated legitimate questions about data collection, telemetry, and long-term retention.
- Removing the backup requirement for EEA customers addressed the most overt criticism, but the Microsoft account requirement (MSA) is still central. Some users are uncomfortable linking local machines to cloud identities or prefer local-only accounts for privacy reasons.
Fragmentation and attacker incentives
The staggered and region-specific policies create fragmentation that can be exploited:
- Attackers often focus on the largest and most vulnerable pools of unpatched systems. Where ESU uptake is incomplete, or if enrollment mechanics are confusing and unevenly adopted, attackers may target those segments.
- A patchwork in which some machines receive security updates and others don’t complicates threat modeling for organizations and ISPs.
Economics: who pays and how much
- Consumer tier: $30 for one year per device (or an MSA-backed free or rewards-backed enrollment path where available).
- Rewards redemption: 1,000 Microsoft Rewards points can be redeemed in lieu of cash for a consumer ESU enrollment.
- Commercial tier: $61 per device for Year One, with the price doubling each subsequent year (Year Two $122, Year Three $244), capping cumulative costs if an organization purchased the full three-year set.
The different pricing for consumers and organizations also signals Microsoft’s strategy: nudge personal users toward an easy path (free or cheap short-term options) while keeping the enterprise monetization channel open for legacy systems that companies are slower to refresh.
Practical guidance — what users should do now
The choice a user makes depends on device age, role, and appetite for risk. Here’s a practical checklist and a step-by-step enrollment guide.
Immediate checklist (high-level)
- Verify the end-of-support date: October 14, 2025.
- Check Windows 11 compatibility if you want to upgrade in-place:
  - Open Start > Settings > Windows Update.
  - Run the PC Health Check app or use Settings > Update & Security > Windows Update.
- Decide whether to migrate to Windows 11, buy a new device, or enroll in ESU for one year.
- If you keep the device, back up your data now using your preferred tool — local backup, external drive, or cloud — regardless of ESU enrollment choices.
How to enroll in ESU for consumers (generalized steps)
- When the enrollment wizard appears (via Windows notifications or Settings), open it and follow the prompts.
- Choose an enrollment path:
  - Sign in with your Microsoft account and enroll through the free pathway if available in your region.
  - Or redeem 1,000 Microsoft Rewards points if you have them.
  - Or purchase the $30 one-year ESU option.
- Confirm that your device is enrolled and note any re-authentication windows (e.g., the 60-day sign-in rule for some regions).
- Verify Windows Update is enabled and that ESU-specific patches are being delivered monthly.
- Maintain a backup of critical files independent of the ESU enrollment process.
Options for machines that can’t upgrade
- Cloud PC / Windows 365: moving workloads to cloud-hosted Windows instances can give ESU entitlement and isolate legacy endpoints.
- Virtualization: run legacy apps inside a VM on a newer host OS that is still supported.
- Linux or alternative OS: for devices that no longer need Windows-specific applications, consider migrating to a supported Linux distribution as a long-term option.
- Offline usage: reduce exposure by restricting internet access and using the machine only for isolated, offline tasks — not a sustainable security strategy but a risk reduction approach for specific scenarios.
Consumer advocacy, environmental impact, and the “upgrade tax”
The controversy around Microsoft’s original terms tapped into broader societal issues:
- Planned obsolescence and e-waste: Advocacy groups argued that forcing consumers to buy new machines or pay for updates accelerates electronic waste, with environmental and social costs.
- Affordability and equity: Many consumers cannot afford immediate device replacement; the ESU fee was framed as a reasonable short-term measure, but some groups called for longer free support to prevent a de facto “upgrade tax” on lower-income users.
- Petitions and political pressure: Groups like HOP and national consumer associations launched petitions and public campaigns asking Microsoft to extend free updates beyond the one-year ESU window — some demanded free updates through 2030 — and pressed regulators to scrutinize the company’s approach.
Critical analysis — strengths, risks, and what to watch next
Notable strengths of Microsoft’s approach
- Practical safety net: ESU provides a real reduction in immediate risk for many users who cannot upgrade hardware quickly.
- Flexible consumer options: Offering multiple enrollment paths (MSA, rewards points, paid option) recognizes different user preferences and economic realities.
- Regulatory sensitivity: The EEA-specific concession shows responsiveness to regional consumer protections and a willingness to change tactics under scrutiny.
Key risks and weaknesses
- Regional inconsistency: Differing rules by geography create complexity, user confusion, and potential enforcement headaches.
- Privacy trade-offs: Even without mandatory backup, the reliance on Microsoft accounts means many users must tie local devices to cloud identities that collect metadata and sync settings.
- Short-termism: A one-year ESU window may be insufficient for users and organizations that need multi-year migration plans, especially for devices bought within the last five years.
- Fragmented attack surface: Mixed adoption levels and inconsistent patching across the user base can create hotspots for attackers to exploit.
- Possible future friction: If Microsoft reintroduces tighter enrollment conditions or monetizes adjacent services (cloud storage, rewards programs), public pushback could resume.
What to monitor
- How many consumers in each region enroll in ESU and which enrollment path they choose.
- Whether regulators pursue additional enforcement or policy guidance about OS end-of-life and consumer protections.
- If consumer pressure results in any further extensions of free ESU beyond the one-year window in the EEA.
- Whether third-party software and peripheral vendors continue to support Windows 10 applications and drivers after the OS lifecycle ends.
Conclusion — practical takeaway
Microsoft’s last-minute adjustments to Extended Security Updates reduce immediate harm for many Windows 10 users, particularly in Europe, where the company backed away from requiring cloud backup as a precondition for free updates. The company has balanced competing pressures — customer goodwill, regulatory scrutiny, and its product roadmap centered on Windows 11 — but the resolution is imperfect: it delivers short-term security without addressing the deeper, long-term issues of affordability, device longevity, and platform fragmentation.
For users: prioritize checking device eligibility for Windows 11, back up your data now, and enroll in ESU only if it buys you the planning time you need. For organizations: treat ESU as a contingency, not a strategy; price and timetable migrations accordingly. For policymakers and advocates: the episode underscores the value of consumer oversight in shaping how major platform providers manage end-of-life transitions.
The bottom line is simple: ESU is a bridge, not a destination. Use it to move decisively — whether that means upgrading hardware, moving workloads to the cloud, or redesigning software stacks — because the security landscape after an OS reaches end-of-life is unforgiving, and short-term patches can’t substitute for long-term platform health.
Source: IOL Microsoft offers no-cost Windows 10 lifeline