Windows 10 ESU Guide: Security Updates After End of Support

Millions of people who stayed on Windows 10 after Microsoft’s official cut‑off can still get security patches — and in many cases those patches are free — but the rules, trade‑offs, and costs are more complex than headlines suggest.

Background / Overview​

Microsoft ended mainstream support for Windows 10 on October 14, 2025, meaning routine feature updates, cumulative quality updates, and standard technical support stopped on that date. The company created a narrowly scoped consumer safety valve — the Windows 10 Consumer Extended Security Updates (ESU) programme — to deliver security‑only fixes for eligible devices for one additional year, through October 13, 2026. This ESU window is deliberately time‑boxed: it is a migration runway, not permanent support.
Why this matters right now: web‑connected Windows 10 systems without OS patches become progressively more attractive targets for attackers as new vulnerabilities are discovered and weaponized. Microsoft’s consumer ESU reduces that immediate risk for enrolled devices, but it does not restore feature updates, broad technical support, or driver/firmware fixes — so it is important to understand exactly what you’re getting and what you’re trading away.

---

What the ESU actually is — concise primer​

• Scope: ESU provides only security updates rated Critical or Important by Microsoft’s security team. No new features, no broad non‑security quality fixes.
• Duration (consumer): Enrollment allows security updates through October 13, 2026.
• Eligible systems: Consumer ESU is available only for devices running Windows 10, version 22H2 (with the required servicing stack and cumulative updates installed).
• Enrollment surface: The ESU enrollment wizard appears in Settings → Update & Security → Windows Update when your device meets prerequisites.

These are the core technical facts every remaining Windows 10 user must verify on their machine before planning next steps.

---

How ESU is being offered to consumers (three routes)​

Microsoft published three consumer enrollment paths that deliver the same ESU entitlement for eligible devices:

• Free if you sign into your PC with a Microsoft account and enable Windows Backup / settings sync (the “cloud‑backed” free route).
• Redeem 1,000 Microsoft Rewards points to enroll if you prefer not to enable cloud backup.
• One‑time paid purchase (widely reported at USD $30 or local currency equivalent; in the UK that works out roughly to the ~£22 figure you may have seen) if you want to avoid the cloud sync route or have no Rewards balance.

All three choices result in the same security patches being delivered to the enrolled device through the ESU window. The mechanics — and the privacy and convenience trade‑offs — differ substantially between options, so choose deliberately.

---

Verify before you act: the checklist​

• Confirm your PC is running Windows 10, version 22H2 (run winver or check Settings → System → About).
• Install all pending cumulative updates and the latest servicing stack update; Microsoft requires your device to be fully patched before enrollment appears.
• Decide which enrollment path suits you: Microsoft account + backup, Rewards, or paid purchase.
• Back up your files separately (local image or third‑party cloud) before making account or system changes. OneDrive’s free tier is only 5 GB, so large backups will require pruning or a paid plan.

---

Step‑by‑step: how to enroll in ESU (consumer flow)​

• Open Settings → Update & Security → Windows Update. If prerequisites are met you’ll see an Enroll now link. Click it.
• The wizard validates eligibility and then presents the three options (sync/backup, Rewards, purchase). Follow the prompts for your chosen route.
• If you choose the free backup route, sign into the device with the Microsoft Account you want to use, enable Windows Backup / sync to OneDrive, and complete the enrollment steps.
• If redeeming 1,000 Microsoft Rewards points, sign into Rewards from the wizard and apply the redemption; if buying, the one‑time purchase will be charged to the Microsoft account payment method.

Note: If you are signed into Windows with a local account you will be prompted to sign into a Microsoft account to finish enrollment — Microsoft ties the consumer ESU entitlement to an MSA. Expect that prompt.

---

What it costs — consumer vs business​

• Consumer: the consumer routes let many users get ESU at no additional cash cost (sync or Rewards). The paid route is broadly reported at US $30 / region equivalent for a one‑year entitlement that can cover multiple devices tied to the same Microsoft account (commonly up to 10 devices, per Microsoft’s documentation).
• Commercial / enterprise: businesses must use the commercial ESU channels (volume licensing, Intune, or cloud options). Commercial pricing is materially higher and structured to encourage migration: about $61 per device in Year 1, $122 in Year 2, and $244 in Year 3 (the price doubles each year and the enterprise route can run for up to three years). That makes ESU a short‑term, expensive bridge for organizations.

If you manage corporate assets, calculate the total three‑year cost and weigh it against hardware refresh and migration expenses — ESU is often the most expensive long‑term option.

---

How many users are affected (scale & context)​

Public telemetry and pageview‑weighted trackers showed Windows 10 still accounted for roughly mid‑40s percent of Windows version share in the months leading up to and around the end‑of‑support transition — figures that translate to hundreds of millions of devices worldwide. That large installed base explains the urgency and the varied responses (free options, paid ESU, and regional adjustments).
Be cautious with big round numbers in headlines: they provide context but don’t change the practical steps any individual must take. The important point is this — there remain large numbers of active Windows 10 machines that need a plan.

---

Privacy, product design, and regional exceptions — the trade‑offs​

The free ESU route that relies on account sync raises two debates:

• Privacy and account linkage: To get free updates you must sign into a Microsoft account and enable cloud backup/sync — that ties the device’s safety token to an MSA. Privacy‑conscious users who prefer local accounts must either pay the one‑time fee or accept account linkage. Microsoft’s consumer documentation explains the requirement, and some outlets reported friction and user confusion in early rollouts.
• European rule change: Regulators and consumer groups pushed back in the European Economic Area (EEA). Microsoft subsequently adjusted enrollment rules in the EEA to make free ESU truly free without the same backup preconditions for consumers there, and added periodic sign‑in checks to validate continued eligibility — a regionally specific accommodation. That regional variation is important: the free‑by‑default path differs between the EEA and other markets.

Verdict: the free route is practical for many users, but it does change how you manage accounts and cloud storage; weigh the security benefits against your privacy posture and OneDrive storage limits.

---

Potential pitfalls and troubleshooting​

• Enrollment wizard absent: ensure you’re on 22H2 and fully patched; Microsoft phased the rollout, so some devices saw the wizard earlier than others.
• Problems redeeming Rewards: users reported intermittent failures redeeming the 1,000‑point option in some locales; Microsoft’s community Q&A shows reports and commonly successful retries after installing missing updates or trying again. If a Rewards redemption fails, use the paid route or the backup route as fallback.
• OneDrive storage: the free OneDrive allowance is 5 GB; if your Windows Backup exceeds that you’ll either need to prune what you sync, buy more OneDrive storage, or use the paid ESU route. Microsoft documents the 5 GB free quota explicitly.

If the wizard reports an enrollment error, check that your Microsoft account is not a child/managed account (those have limitations), confirm admin rights, and confirm there are no pending updates. If problems persist, capture the error text before contacting vendor support — MS support for ESU is limited, but the error detail helps community support and IT pros diagnose activation issues.

---

Alternatives and the migration plan — what to do during your ESU year​

ESU is a short runway; use the extended protected year to execute one of the following, in this order of preference for most users:

• Upgrade eligible devices to Windows 11 (free upgrade path remains for qualifying Windows 10 machines). Confirm eligibility with the PC Health Check app, enable TPM and Secure Boot where possible, and verify drivers. Windows 11 restores full vendor servicing and modern security features.
• If a device cannot meet Windows 11 requirements, retire or repurpose it: install a modern Linux distribution (Ubuntu, Linux Mint, Fedora) or ChromeOS Flex for web‑centric tasks. These options keep the machine receiving security updates for the long term.
• For Windows‑only business workflows, consider cloud desktops (Windows 365 / Azure Virtual Desktop / other hosted options) so endpoints remain lightweight while patching responsibility shifts to the cloud provider. This is particularly useful where app compatibility is mandatory.

Treat ESU as breathing room to complete migration testing, procure replacements, transfer licenses, and update backup/restore plans. Do not use ESU as an excuse to indefinitely delay migration — vulnerabilities accumulate and third‑party software vendors will eventually stop supporting legacy platforms.

---

Specific recommendations for different users​

• Home users with sensitive data (banking, tax records, photos): enroll in ESU by the free backup route or redeem Rewards if you can, then use the year to upgrade or replace hardware. Keep local backups of irreplaceable files.
• Home users with privacy concerns about cloud sync: consider the paid one‑time route or migrate to Linux/ChromeOS Flex; understand that the paid route still requires an MSA during purchase, per Microsoft’s flow.
• Small businesses and SOHO: evaluate commercial ESU pricing vs bulk migration; if many devices are incompatible with Windows 11, ESU is a stopgap but budget the doubling commercial costs if you plan to extend beyond Year 1.
• IT managers in regulated sectors: don’t rely on consumer ESU; use volume licensing ESU or accelerate hardware refresh to remain compliant with audits and cyber‑insurance requirements.

---

Critical analysis — strengths and risks of Microsoft’s approach​

Strengths:

• Microsoft’s consumer ESU provides an actionable safety net for many households and small users who cannot upgrade immediately, and the free enrollment via account sync or Rewards lowers economic friction for lower‑income users. The one‑year window is a pragmatic compromise given Windows 11’s hardware gate.
• For enterprises, the tiered commercial ESU channels give IT organizations time to plan migrations while keeping critical endpoints patched (albeit at a significant cost).

Risks and concerns:

• Account & cloud trade‑offs: requiring a Microsoft account and cloud backup for the free route forces a privacy/operational decision on users who previously ran local accounts. That trade‑off is contested and was moderated in the EEA after regulatory pressure. The net effect is a fragmentation of options across regions.
• Short‑termism: ESU is explicitly temporary. Relying on it delays inevitable migration and can create future technical debt and compatibility headaches. For organizations, ESU costs can quickly exceed replacement or migration budgets if used for multiple years.
• Operational friction: Rewards redemptions and account prompts showed glitches in early rollouts; some users reported failed redemptions or enrollment hiccups that required updates or reattempts. That increases support overhead for non‑technical households.

In short: ESU is a practical short bridge, but not a policy solution. It reduces immediate exposure but also nudges consumers into vendor account ecosystems or paid choices, raising fair‑use and equity questions that regulators and consumer groups continue to debate.

---

Quick checklist to act today​

• Run winver and confirm you’re on Windows 10, version 22H2.
• Install all Windows updates and the latest servicing stack.
• Open Settings → Update & Security → Windows Update and look for Enroll now. If present, choose your preferred ESU route.
• Back up crucial files to an external drive or cloud storage (remember OneDrive free is 5 GB).
• Use the ESU year to test and migrate to Windows 11, Linux, or a cloud desktop solution.

---

Microsoft’s ESU programme is real, narrowly scoped, and available — and the free options make it accessible to many users who aren’t ready to upgrade hardware. But the clock is finite and the trade‑offs are concrete: account linkage, OneDrive limits, and regional differences mean you should verify your device’s eligibility, secure backups, and pick a migration path this year. The ESU year is a runway — use it to land on a supported OS, not as a permanent parking spot.

---

Source: GB News Still relying on Windows 10? How YOU can secure free PC updates from Microsoft to stay safe this year