Navigation section

Windows 10 ESU: One-Year Security Patches Through Oct 2026

  • Thread Author
Microsoft has closed the chapter on Windows 10’s decade-long run — but Microsoft’s one-year Extended Security Updates (ESU) lifeline means many home PCs can still receive security-only patches through October 13, 2026, and for most consumers there is a legitimate no‑cash route to claim that year by enrolling inside Settings.

A computer monitor on a wooden desk displays 'Enroll now' with a 2026 calendar icon, flanked by cloud decorations.Background / Overview​

Windows 10’s official end-of-support date is October 14, 2025. After that date Microsoft stopped providing routine feature and quality updates, plus standard technical support, for consumer editions — meaning machines left unprotected will grow steadily more vulnerable to new threats unless they are enrolled in an extension path.
To reduce the immediate security cliff for millions of households, Microsoft introduced a consumer ESU program: a time-limited, security‑only update stream that runs for one additional year for enrolled devices — coverage ends October 13, 2026. The ESU program is deliberately narrow: it supplies only the security patches Microsoft classifies as Critical or Important, not feature updates, performance fixes, or full product support.
Why the lifeline matters: many older but otherwise functional PCs cannot meet Windows 11’s minimum hardware requirements (TPM 2.0, secure boot, certain CPU families). ESU buys time to patch known vulnerabilities while users plan upgrades, replacements, or migrations to alternative platforms. Treat ESU as a planning window — not a long‑term strategy.

What Microsoft actually published (the essentials)​

  • Official Windows 10 end-of-support date: October 14, 2025.
  • Consumer ESU coverage window for enrolled devices: through October 13, 2026.
  • Eligible consumer editions: Windows 10, version 22H2 (Home, Pro, Pro Education, Pro for Workstations). Devices must be fully patched with the latest cumulative and servicing stack updates to be eligible.
  • Enrollment surface: an in‑Windows “Enroll now” wizard appears under Settings → Update & Security → Windows Update on eligible devices; the rollout was staged through Insider channels before broader deployment.
  • Three consumer enrollment paths (all provide the same ESU entitlement):
  • Free cloud‑backed route: sign into Windows with a Microsoft account and enable Windows Backup / Sync your settings (OneDrive backup). This is the common no‑cash option.
  • Microsoft Rewards: redeem 1,000 Microsoft Rewards points and apply them to enroll the Microsoft account.
  • One‑time paid purchase: a consumer ESU license (around $30 USD or local equivalent) can be bought and assigned to your Microsoft account; this option lets you remain on a local account if you prefer not to sign into Windows with an MSA.
These are the load‑bearing facts that matter for home users deciding whether to enroll or migrate. Multiple independent outlets reported the details and the practical enrollment flow shortly after Microsoft’s announcement.

Eligibility and immediate checks — what to confirm now​

Before you try to enroll, verify these four basic things on the PC you plan to keep on Windows 10:
  • Confirm your Windows build: open Settings → System → About and check you’re on Windows 10, version 22H2. If you’re on an older 10 feature update branch, upgrade to 22H2 first.
  • Install all pending updates: run Settings → Update & Security → Windows Update and complete Check for updates until no further cumulative or servicing updates remain outstanding. The ESU wizard may not appear unless specific preparatory updates are present.
  • Use an administrator account: the user enrolling must be an administrator on the PC. If you share a machine, sign in with the original admin or an account that has Admin privileges.
  • Decide whether you will sign into Windows with a Microsoft Account (MSA): the free cloud-backed route requires an MSA. If you insist on a local offline account, the paid path (or Rewards redemption) is the alternative.
If the “Enroll now” link does not appear immediately, it may reflect Microsoft’s staged rollout; ensure prerequisites, reboot, and check again. Some users reported waiting until their device received a specific preparatory cumulative update before the wizard showed up.

Step-by-step: how many people can get the free year (practical walkthrough)​

The in‑Windows flow is intentionally simple for eligible machines. The high-level steps are:
  • Back up your important files locally (external drive) before making any account or setting changes. Do a full copy of Documents, Pictures, and any application data you cannot re-create. Never rely on a single backup.
  • Confirm Windows 10 version and that Windows Update is fully current.
  • Sign into Windows with your Microsoft Account (if you plan to take the free cloud route). If you used a local account, you’ll be prompted to add or switch to an MSA during enrollment.
  • Go to Settings → Update & Security → Windows Update and look for the “Enroll now” or Extended Security Updates banner. Click it and follow the wizard. You’ll be shown the enrollment options (Windows Backup sync, Rewards, or paid). Choose the free backup option if you want the no‑cash path.
  • If you pick Windows Backup, enable the Windows Backup settings that sync to OneDrive. The wizard will associate the ESU entitlement with your Microsoft account and the device. When you see the confirmation — “Add this device to receive Extended Security Updates” or similar — the device is enrolled.
The entire flow can take just a few minutes once your device meets the prerequisites, which explains why many outlets used the phrase “instant” extension — but that shorthand omits the prerequisite checks and staged rollout caveats.

Regional nuance and privacy trade-offs​

Microsoft’s consumer ESU program includes regional exceptions and privacy trade‑offs that matter depending on where you live.
  • European Economic Area (EEA): following pressure from consumer groups and regulators, Microsoft relaxed some of the cloud‑tie requirements inside the EEA so free ESU access is available without the OneDrive backup obligation imposed elsewhere. The difference reflects regional consumer protection rules and was widely reported by consumer groups. If you live in the EEA you may see a different enrollment experience and fewer mandatory cloud conditions.
  • Outside the EEA (including the United States): the primary free route ties the ESU entitlement to a Microsoft Account plus Windows Backup/OneDrive sync. That means:
  • You’ll be signing in with or adding an MSA to your device, which links your PC to Microsoft’s cloud services (CoPilot, OneDrive, Microsoft 365, Rewards, etc.) if you weren’t already using them. Many users already have an MSA, but a local‑account holdout must weigh the privacy and telemetry implications.
  • The OneDrive free tier is 5 GB — if your Windows Backup exceeds that you’ll either need to selectively disable large categories (Documents, Pictures, Videos) or pay for more OneDrive storage. The backup toggle options allow you to limit what syncs so many households can remain under the 5 GB cap.
Be explicit about these trade‑offs: the free entry path is not literally “free” in the sense of no concessions — it exchanges cash for cloud linkage and potential data that Microsoft may use to provide connected services. Evaluate whether that trade is acceptable for a one‑year extension.

What ESU does — and crucially, what it does not do​

Understand the program’s strict limits before relying on ESU as a risk management strategy:
  • What ESU provides:
  • Security-only patches that Microsoft classifies as Critical or Important, delivered via Windows Update for enrolled devices through October 13, 2026.
  • What ESU does not provide:
  • No feature updates, performance improvements, or ecosystem enhancements.
  • No full technical support or troubleshooting comparable to mainstream support.
  • No driver or firmware fixes beyond the security updates Microsoft issues.
  • Not a multi-year support plan (the consumer ESU is a single-year bridge; enterprise ESU for businesses follows a different paid multi‑year model).
Treat ESU as a last-resort buffer while you patch, migrate software, or replace hardware. If you use Windows 10 for sensitive work (small business, payroll, health records, financial operations), move off unsupported software as soon as practical — ESU reduces risk but does not eliminate it.

Risks, downsides and unverifiable claims to watch for​

  • Short window: ESU is only a one‑year option for consumers; plan migrations during that time. Do not assume ESU will be extended.
  • Privacy trade-off: the free route typically requires a Microsoft Account and Windows Backup; if you previously used a local account by design, the cloud bind may be unacceptable. The EEA exception eases this for European users, but elsewhere the condition stands.
  • Storage costs: the OneDrive free tier is 5 GB; if your backup exceeds that, you may face a recurring cost for storage. You can selectively disable categories to keep under the free limit.
  • Verification gaps and enrollment timing: some early posts referenced a particular preparatory cumulative update (reported in community threads) that fixed enrollment glitches. That specific KB number appears in some community summaries but is not necessary for every device; if you don’t see the wizard, confirm Windows Update is fully current and check Microsoft’s ESU support page for updates. Treat specific community-circulated KB numbers as potentially helpful but not authoritative unless confirmed on Microsoft’s support pages.
  • Not a cure for legacy hardware or driver compatibility: older devices may still face driver problems or app incompatibilities even with ESU patches. If a device has aging firmware or drivers that vendors no longer update, ESU will not magically restore compatibility.
If you encounter unclear messages or your device won’t enroll, take screenshots, confirm your version and update status, and consult Microsoft’s official ESU support page for the most recent guidance.

Alternatives to ESU — practical options ranked​

  • Upgrade to Windows 11 (free if your device meets the Windows 11 system requirements and is running Windows 10, version 22H2). This is the recommended long‑term outcome for consumers who want full ongoing support.
  • Buy a new or refurbished Windows 11 PC (often easier for older hardware that lacks TPM/UEFI requirements). Consider trade‑in and recycling programs to reduce e‑waste and cost.
  • Migrate to an alternative OS (mainstream Linux distributions like Ubuntu, Fedora; Chrome OS Flex for compatible devices). These are valid long‑term options for many users — but confirm app compatibility and peripheral driver support first.
  • Enroll in consumer ESU for one year if you need time to plan a migration; use the year to patch, migrate, and prepare replacement hardware.

A practical checklist — what to do this week​

  • 1) Verify your Windows 10 version (22H2) and install all pending updates.
  • 2) Back up everything to an external drive and verify restore capability. Do not rely on a single backup location.
  • 3) Decide whether you’ll accept the Microsoft Account / OneDrive trade‑off for free ESU; if not, factor the paid $30 option or Microsoft Rewards redemption into your plan.
  • 4) Check Settings → Update & Security → Windows Update for the “Enroll now” flow; follow the wizard if present.
  • 5) If you plan a migration to Windows 11, run the PC Health Check and plan driver/firmware updates; if you plan a different OS, test hardware compatibility on a non-critical machine first.

Critical analysis — strengths and strategic risks of Microsoft’s approach​

Strengths:
  • The consumer ESU program is a pragmatic safety valve that acknowledges real-world device fragmentation. It reduces the immediate risk of a security cliff and gives households breathing room to plan upgrades without being forced into rushed hardware purchases. The staged, in‑Windows enrollment lowers friction and makes the program accessible.
Risks and open questions:
  • The free route’s requirement to link an MSA and OneDrive backup outside the EEA raises privacy and consumer-choice concerns. Tying essential security updates to adoption of cloud services invites regulatory scrutiny and contributed to Microsoft’s concessions in the EEA. For many users who deliberately chose local accounts, the choice now becomes cloud‑bind or pay.
  • The one‑year duration is helpful but short. That brevity risks shifting the cost and environmental burden onto consumers who must replace otherwise functional devices to stay supported long‑term — a policy angle that has already attracted criticism from consumer groups and sustainability advocates.
  • The program relies on accurate rollout and clear messaging; early reports of enrollment bugs and missing wizards highlight the need for solid user‑facing troubleshooting steps and Microsoft transparency. Community posts and news coverage flagged specific update sequences that affected enrollment timing; verify guidance against Microsoft’s official pages when in doubt.
In short: the ESU is a useful tactical tool, but it does not absolve Microsoft or consumers of the larger migration, privacy, and e‑waste questions that accompany platform lifecycle management.

Recommended posture for households and small offices​

  • Use ESU as a defined buffer: enroll if you need one year to migrate safely, but set an explicit migration target date inside that window. Do not treat ESU as indefinite support.
  • Harden your environment while on ESU: use reputable antivirus/endpoint tools, keep browsers and apps updated, switch off remote access you don’t need, and consider network segmentation for sensitive tasks. ESU protects the OS patch surface but cannot fix poor configuration or third‑party vulnerabilities.
  • If privacy matters to you, weigh the trade of switching to an MSA vs paying for ESU; consider redeeming Microsoft Rewards if you already have points. If you live in the EEA, confirm your local experience with Microsoft’s EEA adjustments.
  • Document your enrollment: take a screenshot of the final ESU confirmation screen and record which Microsoft account you used; these details matter if you need to troubleshoot an update lapse later.

Conclusion​

Microsoft’s consumer ESU program provides a narrow but real one‑year lifeline for many Windows 10 users who need time to migrate; when the in‑Windows enrollment wizard appears and you meet the prerequisites, the extension can be claimed quickly and often without cash — at the cost of signing into a Microsoft Account and enabling cloud backup in many regions. That trade is pragmatic for households that prefer to defer hardware purchases, but it also raises clear privacy, environmental, and policy questions that consumers should weigh before deciding. Use the ESU year intentionally: back up, enroll if needed, and migrate on a firm schedule before October 13, 2026.
(If you don’t see the enrollment wizard yet: confirm you’re on Windows 10 version 22H2, fully updated, and signed in to an administrator Microsoft Account; then check Settings → Update & Security → Windows Update. If the wizard still doesn’t appear, consult Microsoft’s ESU support pages or wait for the staged rollout to reach your device.)
Source: Engadget Microsoft has ended Windows 10 support, but here's how to get an extra year for free
 

Click to expand...
Problems with Windows Extended Security Updates

Hi Everyone I am JR this is my 1st time on here since the days of go old XP :)

Last week when I was enabling Windows Extended Security Updates My Laptop shut down during the procese. When I rebooted, I when to Windows Updates it said that I had Extended Security Updates. Today when I were in to Windows Update it not working. I checked my other Laptop and it is work ok with todays updates.

What can I do I have tried reset Extended Security Updates nothing is happening.
Any suggestion Please :)
 

Hi JR — welcome back and thanks for the clear description. Sorry that happened while enrolling. That interruption can leave Windows Update/ESU in a partly‑completed state, but we can fix it. First a couple quick questions, then a safe step‑by‑step you can try.
Quick questions
  1. Which Windows 10 build are you on? (Open Start → type winver → Enter and tell me the build line, e.g. 19045.xxxx.)
  2. Were you signed into that laptop with a Microsoft Account (MSA) when you started enrollment?
  3. Does Settings → Update & Security → Windows Update still show any message about being “enrolled” or any error code? If yes, what exactly does it say?
Why these matter
  • Consumer ESU enrollment requires Windows 10 version 22H2 and certain recent cumulative/SSU updates (many enrollment problems were fixed by the August 2025 cumulative). If those prerequisites aren’t present the enrollment wizard and update flow can fail.
  • If the enrollment UI was interrupted it’s safe to force Windows to re‑evaluate ESU eligibility and re‑show the wizard by enabling the telemetry service + applying a documented feature override and running the built‑in ESU evaluator tool. Community and Microsoft guidance uses this exact sequence.
If you’re comfortable trying commands, follow these steps (read all steps first). I’ll mark where to stop and report back if you prefer.
A. Check basics (do these first)
  1. Open Start → type winver → press Enter. Tell me the full version/build (example: Windows 10 Version 22H2 (OS Build 19045.6216)).
  2. Open Settings → Update & Security → Windows Update → View update history. Look for any line that references “Extended Security Updates” or any recent failed updates and note any error codes.
  3. Confirm you are signed in with an Admin Microsoft account: Settings → Accounts → Your info (should show Microsoft account and “Administrator”).
B. Re-evaluate ESU eligibility (safe, reversible)
(Perform from an Administrator Command Prompt. To open: Start → type cmd → right‑click → Run as administrator.)
  1. Enable & start telemetry (Connected User Experiences) — only needed temporarily for the eligibility check:
    • sc.exe config DiagTrack start=auto
    • sc.exe start DiagTrack
  2. Add the FeatureManagement override that forces the ESU UI to evaluate:
    • reg.exe add "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v 4011992206 /t REG_DWORD /d 2 /f
  3. Reboot the PC.
  4. After reboot, open Admin Command Prompt again and run the consumer ESU evaluator:
    • cmd /c ClipESUConsumer.exe -evaluateEligibility
  5. Reboot again, then open Settings → Update & Security → Windows Update and check for the Enroll/ESU message or try to enroll again.
Why this helps: the sequence (enable DiagTrack, add override, run ClipESUConsumer) is the documented community workaround to force a fresh eligibility check and re‑show the enrollment UI after interrupted enrollments. If the device meets prerequisites the wizard should appear.
C. If Windows Update itself is not working (general repair)
If the Update page shows “not working” or updates fail to download/install, try these Windows Update repair steps (Admin Command Prompt):
  1. Run SFC and DISM (checks and repairs system files):
    • DISM /Online /Cleanup-Image /RestoreHealth
    • sfc /scannow
  2. Reset Windows Update components:
    • net stop wuauserv
    • net stop bits
    • net stop cryptsvc
    • rename %systemroot%\SoftwareDistribution SoftwareDistribution.old
    • rename %systemroot%\system32\catroot2 catroot2.old
    • net start wuauserv
    • net start bits
    • net start cryptsvc
  3. Reboot and try Settings → Update & Security → Check for updates.
D. Windows Update Troubleshooter and logs
  • Try Settings → Troubleshoot → Additional troubleshooters → Windows Update → Run the troubleshooter.
  • If updates still fail, open Event Viewer → Windows Logs → System and look for recent entries from “WindowsUpdateClient” or service errors; copy any error code numbers here.
E. If the Enrollment shows “enrolled” but updates aren’t installing
  • Verify ESU evaluation result (run in Admin cmd):
    • reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ConsumerESU"
    • If you see ESUEligibilityResult = 1 it means the local check succeeded; if not, paste the output here and I’ll interpret it. (This is a community‑documented verification step after running the ClipESUConsumer tool.)
Safety notes and rollback
  • Back up important files before making changes. The registry override and enabling DiagTrack are reversible: to remove the override use reg delete on the same key (I can give the exact command when needed); DiagTrack can be disabled again with sc.exe config DiagTrack start=disabled.
  • Don’t paste commands you don’t understand — ask and I’ll explain each one.
If the above doesn’t fix it
  • Tell me the outputs of:
    1. winver text,
    2. the reg query result for the ConsumerESU key,
    3. results of DISM/SFC (if run), and
    4. any Windows Update error codes you saw in Update history or Event Viewer.
If you’d rather I give a shorter set of steps you can try first (e.g., run troubleshooter → run the ClipESUConsumer evaluate → reboot), tell me which laptop (make/model) and I’ll tailor the commands.
References: the steps above (KB prerequisites and the DiagTrack + registry + ClipESUConsumer sequence to force eligibility/re-enroll) come from the community and Microsoft guidance used to recover interrupted ESU enrollments.
If you want, start with A (winver and whether the Update page still shows “enrolled”), paste those results here, and I’ll walk you through the exact commands step‑by‑step.
 

Hi here are the answers
1, 19045.6456
2, Yes
3, It say "Your PC is enroll to get Extended Security Updates" on the right hand bar.
No error codes.

Thanks
 

Thanks — good info, JR. Seeing “Your PC is enrolled to get Extended Security Updates” is a positive sign. That means the enrollment UI finished, but the updates themselves may not be arriving because the local eligibility state, update components, or a staged rollout/prerequisite patch is interfering. A few targeted checks will pin this down.
Quick summary of next steps (pick one path below and paste the outputs here if you want me to read them):
1) Verify the local ESU eligibility state (easy, one command)
  • Open Command Prompt as Administrator and run:
    reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ConsumerESU"
  • Expected helpful output: an ESUEligibilityResult value (1 = eligible). If you see ESUEligibilityResult = 1, the local check succeeded; if not, paste the full output. This is a known verification step after running the ESU evaluator.
2) Force a fresh ESU eligibility evaluation (safe)
If the registry doesn’t show eligibility or you want to force Windows to re‑check:
  • Open Admin Command Prompt and run these (one at a time):
    sc.exe config DiagTrack start=auto
    sc.exe start DiagTrack
    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v 4011992206 /t REG_DWORD /d 2 /f
    (Reboot)
    cmd /c ClipESUConsumer.exe -evaluateEligibility
    (Reboot and check Settings → Update & Security → Windows Update again)
    This sequence (enable Connected User Experiences, add the FeatureManagement override, then run ClipESUConsumer) is the documented community/Microsoft recovery path to force the ESU enrollment/eligibility UI and checks to re-run after interruptions. fileciteturn0file6turn0file11
3) If Windows Update is “not working” (repair Windows Update components)
Run these in an Admin Command Prompt (they’re the standard repair steps):
  • DISM /Online /Cleanup-Image /RestoreHealth
  • sfc /scannow
    If updates still fail, reset Update components:
  • net stop wuauserv
  • net stop bits
  • net stop cryptsvc
  • rename %systemroot%\SoftwareDistribution SoftwareDistribution.old
  • rename %systemroot%\system32\catroot2 catroot2.old
  • net start wuauserv
  • net start bits
  • net start cryptsvc
    Reboot and Check for updates. Community guidance recommends ensuring you also have the August 2025 cumulative/SSU (KB5063709 or later) installed because that patch fixed known enrollment wizard issues; if you don’t have it, download it from Microsoft Update Catalog and install. fileciteturn0file1turn0file15
4) Quick non-command checks (do these first if you prefer)
  • Settings → Update & Security → Windows Update → View update history: any ESU‑labeled updates listed? Any recent failures?
  • Settings → Network & Internet: confirm connection is not metered (metered can block some updates).
  • Settings → Accounts: confirm the same Microsoft Account you used for enrollment is still signed in.
  • Settings → Troubleshoot → Additional troubleshooters → Windows Update → Run the troubleshooter.
5) If updates still don’t appear after the re-evaluation
  • Run gpresult /r (Admin Command Prompt) and paste the output — it will show any group policy or MDM policies that might block consumer ESU or Windows Update. Consumer ESU is blocked on domain‑joined or MDM‑managed devices.
  • Generate readable Windows Update logs (Admin PowerShell): Get-WindowsUpdateLog and paste the last 50–100 lines that show WindowsUpdateClient or errors — that helps identify download/install failures.
What to paste here so I can help next
  • Output of reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ConsumerESU" (from step 1).
  • If you ran ClipESUConsumer, tell me whether Settings now shows any change and paste any messages.
  • Output of DISM /RestoreHealth and sfc /scannow if you run them (they’ll say repaired / no issues / or show errors).
  • Anything shown under Update History (names and dates of recent successful or failed updates).
If you prefer I give just the shortest set to try now:
1) Run the reg query for ConsumerESU and paste output.
2) If ESUEligibilityResult is not 1, run the DiagTrack + override + ClipESUConsumer sequence from step 2 and then check Windows Update.
I’ll walk you through any command and explain how to undo changes (the override and DiagTrack can be removed). Good job so far — the enrollment message shows you’re close. Paste the reg output and any update-history lines and I’ll take the next step. fileciteturn0file11turn0file6
 

Started off well but hit a few problems here some of them, hope it helps.

C:\WINDOWS\system32>reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ConsumerESU"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ConsumerESU
ESUEligibility REG_DWORD 0x3
ESUEligibilityResult REG_DWORD 0x1


C:\WINDOWS\system32>


2) Force a fresh ESU eligibility evaluation (safe)
didn't work.

This was the anwser to the 3rd part after running the folling commend.

C:\WINDOWS\system32>net stop cryptsvc
The following services are dependent on the Cryptographic Services service.
Stopping the Cryptographic Services service will also stop these services.

Avast Tools
Avast Antivirus

Do you want to continue this operation? (Y/N) [N]: Y
The requested pause, continue, or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.


C:\WINDOWS\system32>

C:\WINDOWS\system32>stop cryptsvc
'stop' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>

C:\WINDOWS\system32>rename %systemroot%\SoftwareDistribution SoftwareDistribution.old
A duplicate file name exists, or the file
cannot be found.

C:\WINDOWS\system32>rename %systemroot%\system32\catroot2 catroot2.old
Access is denied.

C:\WINDOWS\system32>net start wuauserv
The Windows Update service is starting.
The Windows Update service was started successfully.


C:\WINDOWS\system32>net start bits
The Background Intelligent Transfer Service service is starting.
The Background Intelligent Transfer Service service was started successfully.


C:\WINDOWS\system32>net start cryptsvc
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.


C:\WINDOWS\system32>


I have August updates August 2025 cumulative/SSU (KB5063709 + KB5063842 + KB5064794 + KB5065429 + KB5068164 + KB5066791) Last update received

Still checking the Reg. very slow unless I've did it wrong
 

Thanks — that’s very helpful info, JR. Good news first: the registry output shows ESUEligibilityResult = 1, which means the local ESU eligibility check succeeded — your PC really is enrolled.
The remaining problem looks to be Windows Update itself (downloads/install), and your Avast AV is blocking a clean stop of Cryptographic Services which is needed for a full Windows Update component reset. Below I’ll give a safe, ordered set of options you can follow depending on how comfortable you are stopping/uninstalling Avast. I’ll also give short commands to list things so you don’t have to guess service names.
Before we start — quick safety reminders
  • Back up any important files before making big changes.
  • You can do these steps one at a time and report results; I’ll guide you through each command.
  • Everything I suggest is reversible; I’ll include undo steps where appropriate.
Summary of plan
  1. Confirm ESU eligibility (already done — ESUEligibilityResult=1).
  2. Repair / reset Windows Update components properly (stop dependent services first).
  3. Rename SoftwareDistribution and catroot2 (these force Windows Update to re-create clean state).
  4. Force a re-check for updates and examine logs if updates still fail.
    If stopping cryptsvc continues to fail because Avast depends on it, temporarily disable Avast shields or stop/uninstall Avast, then continue. Community guidance recommends confirming you have the mid‑2025 cumulative/SSU installed (you said you do) and then resetting the update components if Update is broken. fileciteturn0file15turn0file1
Step A — quick checks to paste back (small / safe)
  1. Open an elevated Command Prompt (Start → type cmd → right‑click → Run as administrator) and paste the output of:
    reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ConsumerESU"
    (You already did that — shows result = 1, OK.)
  2. Check Update History: Settings → Update & Security → Windows Update → View update history — do you see any ESU‑labeled updates or recent failures? If yes, tell me the names/dates.
Step B — list Avast services so we can stop them cleanly
Run PowerShell (Admin) or an elevated cmd and paste the output of this (PowerShell recommended):
  • PowerShell (Admin): Get-Service avast | Format-Table -AutoSize
This will list the Avast service names (they’re often display names, the real service names may differ). Paste the output and I’ll tell you the exact service names to stop.
If you prefer to stop Avast from its UI:
  • Open the Avast UI and temporarily disable shields (shield icon → pause protection) for 10 minutes. Or open Settings → Apps and uninstall Avast temporarily (you can reinstall later). Either action will allow Cryptographic Services to stop.
Step C — (after Avast is paused/stopped) Reset Windows Update components — exact sequence
Run each command in an Administrator Command Prompt, in order. If a command errors, paste the exact error.
1) Stop services
  • net stop wuauserv
  • net stop bits
  • net stop cryptsvc
(If cryptsvc still refuses to stop, ensure Avast services are stopped/uninstalled first — see Step B.)
2) Rename problem folders (forces clean re-creation)
  • rename %systemroot%\SoftwareDistribution SoftwareDistribution.old
  • rename %systemroot%\system32\catroot2 catroot2.old
(If "Access is denied" occurs on catroot2, we can take ownership first — I give commands below.)
3) Start services again
  • net start cryptsvc
  • net start bits
  • net start wuauserv
4) Force a scan
  • UsoClient.exe StartScan
    (or if not present: wuauclt /detectnow — newer Windows uses UsoClient)
5) Reboot and check Settings → Update & Security → Check for updates.
If you get errors renaming catroot2 ("Access is denied"), run these (Admin cmd) before renaming:
  • takeown /f %systemroot%\system32\catroot2 /r /d y
  • icacls %systemroot%\system32\catroot2 /grant Administrators:F /t
    Then retry the rename command.
Step D — If you don’t want to uninstall Avast: stop Avast services by name
After you run Get-Service avast and paste the output, I’ll give the sc stop exact name(s), for example:
  • sc stop "Avast Antivirus"
  • sc stop "Avast Tools"
Then retry net stop cryptsvc and continue Step C.
Step E — Run SFC and DISM (repairs system files)
From Admin cmd:
  • DISM /Online /Cleanup-Image /RestoreHealth
  • sfc /scannow
    Paste results if they find/repair anything. These are standard repair steps when Update is misbehaving. fileciteturn0file11turn0file15
Step F — If updates still don’t install, capture update logs
  1. Run Windows Update troubleshooter: Settings → Troubleshoot → Additional troubleshooters → Windows Update → Run the troubleshooter. Tell me what it reports.
  2. Generate a readable WindowsUpdate log (Admin PowerShell):
    • Get-WindowsUpdateLog
      This produces WindowsUpdate.log on your desktop — open and paste the last ~50 lines (or any lines with error codes). That helps diagnose failed downloads/installs.
What to paste here so I can take the next step
  • Output of Get-Service avast (PowerShell Admin).
  • If you tried the stop/rename sequence, paste any error text exactly (you already pasted some — good).
  • Output of DISM /RestoreHealth and sfc /scannow if you run them.
  • Last ~20–50 lines of WindowsUpdate.log if the Reset/Restart didn’t fix it.
One more note about the registry values you saw
  • ESUEligibilityResult = 1 means local eligibility check succeeded. ESUEligibility = 3 is an internal value; the key point is Result = 1. That tells us the enrollment side is OK and the issue is Windows Update failing to download/apply updates.
If you want the shortest path now
  • Open Avast UI and temporarily disable shields (10 minutes).
  • Then open Admin cmd and run the Reset Windows Update components sequence under Step C (stop services → rename folders → restart services → UsoClient scan).
  • Reboot and check for updates.
If you prefer, paste the Get-Service avast output and I’ll give the exact sc stop commands (or the takeown/icacls commands) to use. I’ll stay with you through each step.
 

Step A.2 : Nothing after last update before enlisting ESU.
Step B
PS C:\WINDOWS\system32> Get-Service avast
Get-Service : Cannot find any service with service name 'avast'.
At line:1 char:1
+ Get-Service avast
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (avast:String) [Get-Service], ServiceCommandException
+ FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

After turning Avast off in the UI something must still be running I can't get Powershell to run those commands

Thing I found it put Avast back on then I ran Powershell ISE and tried again
PS C:\WINDOWS\system32> Get-Service avast*

Status Name DisplayName
------ ---- -----------
Running avast! Antivirus Avast Antivirus
Running avast! Tools Avast Tools
Running AvastWscReporter AvastWscReporter ??? not sure how to disable this one



PS C:\WINDOWS\system32>


C:\WINDOWS\system32>net stop wuauserv
The Windows Update service is stopping...
The Windows Update service was stopped successfully.


C:\WINDOWS\system32>net stop bits
The Background Intelligent Transfer Service service is not started.

More help is available by typing NET HELPMSG 3521.


C:\WINDOWS\system32>net stop wuauserv
The Windows Update service is stopping.
The Windows Update service was stopped successfully.


C:\WINDOWS\system32>net stop bits
The Background Intelligent Transfer Service service is not started.

More help is available by typing NET HELPMSG 3521.


C:\WINDOWS\system32>net stop cryptsvc
The following services are dependent on the Cryptographic Services service.
Stopping the Cryptographic Services service will also stop these services.

Avast Tools
Avast Antivirus

Do you want to continue this operation? (Y/N) [N]: y
The requested pause, continue, or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.


C:\WINDOWS\system32>

Not getting any ware fast :(
 

Nice work, JR — that reg output confirms ESU eligibility (ESUEligibilityResult = 1) so enrollment succeeded. The remaining problem is that Windows Update isn’t actually delivering updates because the Update client/cache or services are stuck — and Avast is still protecting services so the usual cache reset commands can’t complete. Below are two safe ways to finish the repair (pick the one you prefer). I’ll give exact commands and explain how to undo anything.
Why this will work
  • When third‑party AV (Avast) blocks stopping Cryptographic Services, WindowsUpdate can’t clear catroot2/SoftwareDistribution; resetting those folders and restarting the update services forces Windows to re-fetch updates and usually fixes cases like yours. The sequence of stopping services → renaming the folders → restarting services is the standard repair approach.
  • You already have the mid‑2025 cumulative/SSUs installed (good). If the cache reset succeeds, ESU updates should begin arriving.
Option A — Preferred: disable Avast self‑defense & stop Avast services, then reset Update cache
(Do everything from an Administrator Command Prompt or Elev. PowerShell. I’ll list commands; run them one by one and paste any error text if it appears.)
1) Temporarily disable Avast self‑defense + shields
  • Open Avast UI → Menu (top right) → Settings → Troubleshooting → uncheck “Enable Avast self‑defense” (and confirm).
  • In Avast main UI, turn off shields (Avast Shields Control → Disable for 10 minutes).
    If you can’t find those options tell me your Avast version and I’ll give exact menu steps.
2) Stop Avast services (Admin PowerShell)
  • Open PowerShell as Administrator and run:
    Get-Service avast | Format-Table Name,DisplayName,Status -AutoSize
    Get-Service avast     | Stop-Service -Force -ErrorAction SilentlyContinue
    Get-Service avast* | Format-Table Name,DisplayName,Status -AutoSize
    This will stop any running Avast services (you already saw their names). If a service refuses to stop, paste the output here.
3) Stop Windows Update & crypto services (Admin CMD or PowerShell)
net stop wuauserv
net stop bits
net stop cryptsvc
(If any say “not started” that’s fine. If cryptsvc still won’t stop because Avast still has handles, go back to step 2 and ensure Avast services are stopped.)
4) Remove/rename old cache folders (Admin CMD)
If a previous .old exists, remove it first so rename succeeds:
if exist C:\Windows\SoftwareDistribution.old rmdir /s /q C:\Windows\SoftwareDistribution.old
rename C:\Windows\SoftwareDistribution SoftwareDistribution.old
if exist C:\Windows\System32\catroot2.old rmdir /s /q C:\Windows\System32\catroot2.old
rename C:\Windows\System32\catroot2 catroot2.old
If you get “Access is denied” for catroot2, try taking ownership and granting permissions first:
takeown /f C:\Windows\System32\catroot2 /r /d Y
icacls C:\Windows\System32\catroot2 /grant Administrators:F /t
Then retry the rename.
5) Restart services
net start cryptsvc
net start bits
net start wuauserv
6) Run a forced scan / install
UsoClient.exe StartScan
UsoClient.exe StartDownload
UsoClient.exe StartInstall
wuauclt /detectnow
Then open Settings → Update & Security → Check for updates.
7) Re‑enable Avast
  • In Avast UI re‑enable self‑defense and shields (undo step 1).
  • Confirm Avast services are running again (Get-Service avast*).
If everything works you should see ESU‑labeled security updates begin to download/install.
Option B — If Avast won’t stop or you prefer not to touch AV: use Safe Mode to rename the folders
(If Avast self‑defense blocks stopping CryptSvc or you can’t stop Avast services, this is simpler.)
1) Boot into Safe Mode:
  • Start → Power → Hold Shift and click Restart → Troubleshoot → Advanced options → Startup Settings → Restart → press 4 (Enable Safe Mode).
2) In Safe Mode, open an elevated Command Prompt and run the rename commands:
rename C:\Windows\SoftwareDistribution SoftwareDistribution.old
rename C:\Windows\System32\catroot2 catroot2.old
3) Reboot normally and then run:
net start cryptsvc
net start bits
net start wuauserv
UsoClient.exe StartScan
wuauclt /detectnow
Open Settings → Update & Security → Check for updates.
If those renames succeed in Safe Mode you won’t need to stop Avast manually.
If any command fails
  • Copy and paste the exact error text you get and I’ll tell you the next fix. If renaming fails because a .old already exists, remove the .old first (I included rmdir commands above). If a service refuses to stop due to “requested pause/continue/stop is not valid” that means a dependency is still active (usually Avast); the Stop-Service -Force in PowerShell normally works after self‑defense is disabled.
Extra troubleshooting to run if Option A/B don’t restore updates
  • Run DISM and SFC:
    DISM /Online /Cleanup-Image /RestoreHealth
    sfc /scannow
  • Collect the Windows Update log for me:
    In Admin PowerShell: Get-WindowsUpdateLog -LogPath $env:USERPROFILE\Desktop\WindowsUpdate.log
    Open the file on your Desktop and paste the last ~100 lines (search for WindowsUpdateClient entries).
What I recommend you do next
  1. Try Option A and follow steps 1→7. If any step errors, paste the command and exact error.
  2. If Option A is blocked, use Option B (Safe Mode rename).
  3. After you get updates working I’ll show how to remove the temporary registry override / telemetry change if you want (they’re harmless but reversible). The DiagTrack/override steps we used earlier can be removed later.
You’re nearly there — ESU is recorded as applied (good!). Once we get the Update service cache reset and services restarted, the ESU patches should start arriving. If you want, run the PowerShell stop commands for Avast now and paste the output (or tell me if you prefer Safe Mode) and I’ll walk you through the next single command to rename the folders. fileciteturn0file11turn0file15
 

PS C:\WINDOWS\system32> Get-Service avast* | Format-Table Name,DisplayName,Status -AutoSize

Name DisplayName Status
---- ----------- ------
avast! Antivirus Avast Antivirus Running
avast! Tools Avast Tools Running
AvastWscReporter AvastWscReporter Running
 

Nice work — that output shows the Avast services are definitely still running. We need those Avast services stopped so Cryptographic Services (cryptsvc) can stop and we can rename the update cache folders. Below are two safe, tested options (preferred = stop Avast temporarily; alternate = Safe Mode rename). Run whichever you’re comfortable with and paste back any exact error text if anything fails.
Why: third‑party AV can keep cryptsvc from stopping, which prevents the standard Windows Update cache reset. Clearing SoftwareDistribution and catroot2 and restarting the update services is the normal repair path. fileciteturn0file11turn0file15
Option A — Preferred: disable Avast self‑defense & stop Avast services, then reset update cache
1) Disable Avast self‑defense and shields (in the Avast UI)
  • Open Avast → Menu (top right) → Settings → Troubleshooting → uncheck “Enable Avast self‑defense” → confirm.
  • In Avast main UI temporarily disable shields (Avast Shields Control → Disable for 10 minutes).
2) Stop Avast services (run as Administrator in PowerShell)
  • Open PowerShell as Administrator and run:
    Get-Service avast | Format-Table Name,DisplayName,Status -AutoSize
    Get-Service avast     | Stop-Service -Force -ErrorAction SilentlyContinue
    Get-Service avast* | Format-Table Name,DisplayName,Status -AutoSize
If Stop-Service returns errors, paste them here. (If it succeeds you should see the Status change to Stopped.)
3) Stop Windows update services (Admin Command Prompt)
net stop wuauserv
net stop bits
net stop cryptsvc
4) Remove/rename old cache folders (Admin Command Prompt)
  • Remove any previous .old first:
    if exist C:\Windows\SoftwareDistribution.old rmdir /s /q C:\Windows\SoftwareDistribution.old
    if exist C:\Windows\System32\catroot2.old rmdir /s /q C:\Windows\System32\catroot2.old
  • Rename the current folders:
    rename C:\Windows\SoftwareDistribution SoftwareDistribution.old
    rename C:\Windows\System32\catroot2 catroot2.old
If you get “Access is denied” for catroot2, run these to take ownership and retry:
takeown /f C:\Windows\System32\catroot2 /r /d Y
icacls C:\Windows\System32\catroot2 /grant Administrators:F /t
rename C:\Windows\System32\catroot2 catroot2.old
5) Restart services and force a scan
net start cryptsvc
net start bits
net start wuauserv
UsoClient.exe StartScan
UsoClient.exe StartDownload
UsoClient.exe StartInstall
wuauclt /detectnow
Open Settings → Update & Security → Check for updates.
6) Re‑enable Avast
  • Re‑enable self‑defense and shields in Avast UI, or run:
    Get-Service avast* | Start-Service
    Confirm Avast services are back to Running.
Option B — If Avast won’t stop: rename cache in Safe Mode (no need to stop Avast)
1) Boot to Safe Mode:
  • Start → Power → hold Shift and click Restart → Troubleshoot → Advanced options → Startup Settings → Restart → press 4 (Safe Mode).
2) In Safe Mode open an elevated Command Prompt and run:
rename C:\Windows\SoftwareDistribution SoftwareDistribution.old
rename C:\Windows\System32\catroot2 catroot2.old
3) Reboot normally and then run:
net start cryptsvc
net start bits
net start wuauserv
UsoClient.exe StartScan
wuauclt /detectnow
Check for updates.
If any command fails, copy/paste the exact command you ran and the exact error message here. If you want me to provide the exact sc.exe stop commands instead of PowerShell Stop-Service, say so and I’ll list them.
If those succeed but updates still don’t download, run DISM /Online /Cleanup-Image /RestoreHealth then sfc /scannow and paste any reported errors. If everything above fails we can collect the WindowsUpdate.log for the last errors or use an in‑place repair (setup.exe from a Windows 10 22H2 ISO — keeps apps/files).
Next step for you now
  • Try Option A: in Admin PowerShell run:
    Get-Service avast* | Stop-Service -Force -ErrorAction SilentlyContinue
    and paste the output (or any error). I’ll respond with the exact next commands to run.
 

Avast is still running.

PS C:\WINDOWS\system32> Get-Service avast* | Format-Table Name,DisplayName,Status -AutoSize

Name DisplayName Status
---- ----------- ------
avast! Antivirus Avast Antivirus Running
avast! Tools Avast Tools Running
AvastWscReporter AvastWscReporter Running



PS C:\WINDOWS\system32> Get-Service avast* | Stop-Service -Force -ErrorAction SilentlyContinue

PS C:\WINDOWS\system32> Get-Service avast* | Format-Table Name,DisplayName,Status -AutoSize

Name DisplayName Status
---- ----------- ------
avast! Antivirus Avast Antivirus Running
avast! Tools Avast Tools Running
AvastWscReporter AvastWscReporter Running
 

Thanks — that output confirms Avast services are staying running and preventing cryptsvc from stopping, so the quickest reliable path now is to rename the Update caches from Safe Mode (Safe Mode does not run Avast services). Safe Mode is the least risky way to clear the locked files and will let Windows re-create clean update caches so ESU updates can download. Do this next — I’ll give exact commands and what to check after.
Summary (why): you already have ESU eligibility recorded (ESUEligibilityResult = 1). The remaining problem is a stuck Update client / cache because Avast holds Cryptographic Services open. Clearing SoftwareDistribution and catroot2 from Safe Mode forces Windows Update to rebuild and usually fixes this. fileciteturn0file11turn0file15
Steps — Safe Mode rename (follow exactly)
1) Prepare
  • Save any work.
  • Note: you will be in Safe Mode temporarily and Avast protection won’t be active while in normal mode until reboot — you don’t need to disable Avast first if you use Safe Mode.
2) Boot to Safe Mode
  • Start → Power → hold Shift and click Restart.
  • Troubleshoot → Advanced options → Startup Settings → Restart.
  • When you see the list, press 4 (Enable Safe Mode). Wait for Windows to boot.
3) Open an elevated Command Prompt inside Safe Mode
  • Press Start, type cmd, right‑click Command Prompt → Run as administrator.
4) Rename the Update cache folders
Run each line one at a time. If a command returns an error, paste the exact error here.
  • Remove any previously-created .old first (safe cleanup):
    if exist C:\Windows\SoftwareDistribution.old rmdir /s /q C:\Windows\SoftwareDistribution.old
  • Rename SoftwareDistribution:
    rename C:\Windows\SoftwareDistribution SoftwareDistribution.old
  • Take ownership and grant full access to catroot2, then rename it:
    takeown /f C:\Windows\System32\catroot2 /r /d Y
    icacls C:\Windows\System32\catroot2 /grant Administrators:F /t
    if exist C:\Windows\System32\catroot2.old rmdir /s /q C:\Windows\System32\catroot2.old
    rename C:\Windows\System32\catroot2 catroot2.old
(If you see “The system cannot find the file specified” for SoftwareDistribution, that means it doesn’t exist — that’s OK. If takeown/icacls fail, paste errors.)
5) Reboot normally
  • Restart the PC normally (not Safe Mode).
6) Start Update services and force a scan (Admin Command Prompt)
Run these lines:
net start cryptsvc
net start bits
net start wuauserv
UsoClient.exe StartScan
wuauclt /detectnow
Then open Settings → Update & Security → Check for updates and watch for ESU‑labeled security updates to appear and start downloading.
7) If updates still don’t download
Run the repair checks (Admin Command Prompt):
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow
Reboot, then Check for updates again.
If you prefer to keep trying with Avast running, we can also continue trying to stop Avast services temporarily (disabling Avast self‑defense in Avast settings then Stop-Service or sc stop), but Safe Mode avoids that friction and is usually faster.
What I need from you if this doesn’t fix it
  • Paste any exact error messages you get from the rename commands or from the net start/stop commands.
  • If updates still won’t download, run in Admin PowerShell:
    Get-WindowsUpdateLog -LogPath $env:USERPROFILE\Desktop\WindowsUpdate.log
    and paste the last ~80 lines of that generated log (search for WindowsUpdateClient entries). That log will let me see the actual failure reason.
Notes / reassurance
  • Your ESU eligibility is OK (already enrolled). This is just a client/service/cache problem we can repair. fileciteturn0file11turn0file15
  • If you’d like, I can walk you through the Safe Mode steps live (tell me when you’re at the Safe Mode command prompt and paste any errors).
Which do you want to try — Safe Mode rename now, or try to force‑stop Avast services (I can give the exact Stop-Service/sc.exe commands and the Avast self‑defense menu steps)?
 

You must log in or register to reply here.

Similar threads

ChatGPT
  • Featured
  • Article Article
Windows 10 ESU: One-year security updates you can enroll in (2025–2026)
Replies
5
Views
512
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 10 ESU: Get a Free Extra Year of Security Updates to Oct 2026
Replies
3
Views
52
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 10 End of Support 2025: How to Enroll in ESU Through Oct 2026
Replies
2
Views
50
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Microsoft Extends Free Windows 10 ESU in the EEA Through Oct 2026
Replies
0
Views
29
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 10 ESU: One-Year Patch Lifeline Amid Push to Windows 11
Replies
0
Views
31
ChatGPT
ChatGPT
Back
Top