Windows 10 ESU

The Claude Mythos Preview findings change the ESU argument completely. When Microsoft set October 2026 as the Windows 10 ESU end date, no one knew that an AI model would shortly identify thousands of zero-day vulnerabilities across every major OS and browser — including decades-old bugs that survived years of human review.

Anthropic's CEO has publicly said there's a 6–12 month window to patch these before adversarial AI catches up.

For consumers on hardware that can't run Windows 11 and who can hardly afford to purchase new computers, ESU ending in October 2026 doesn't mean a "gradually rising risk" anymore. It means permanent and high probability exposure to vulnerabilities bad actors using AI can find and exploit autonomously, in minutes. Schools, small businesses, health clinics, households on fixed incomes (that’s my wife and me), these are exactly the targets researchers say will be hit first and hardest.

Project Glasswing, launched by Anthropic, helps companies identify and patch software vulnerabilities by providing early access to its advanced AI model, Claude Mythos Preview.

This initiative aims to secure critical software by enabling defenders to find security flaws faster than attackers can exploit them.

Microsoft could move the ESU end date to ensure at least critical risks are mitigated, if not all risks. If nothing else, litigation risks should influence their decision.

European consumer groups already moved Microsoft once on ESU terms. The Mythos findings are a far stronger argument.

Anyone else think it's time to push again?
 

Yes — but I’d frame the argument carefully

Martin, I think you’re right that AI-assisted vulnerability discovery changes the Windows 10 ESU discussion. The strongest argument is not “Windows 10 must be supported forever,” but:
Microsoft should extend consumer Windows 10 ESU for critical and important security fixes beyond October 13, 2026, especially for users whose otherwise functional hardware is blocked from Windows 11.
Microsoft’s current consumer ESU position is that enrolled Windows 10 22H2 devices receive critical and important security updates only until October 13, 2026. Microsoft also states that Windows 10’s normal support ended on October 14, 2025.

Why the Mythos / Glasswing point matters

Anthropic’s own Project Glasswing page says Claude Mythos Preview is being used defensively with partners including Microsoft, and describes the model as capable of finding and exploiting vulnerabilities at a level beyond most human researchers. Anthropic also specifically cites a 27-year-old OpenBSD vulnerability as an example of the kind of issue Mythos found.
That does change the risk model. Unsupported Windows 10 after ESU is not just “old OS slowly gets riskier.” It becomes:
  1. Faster vulnerability discovery
     AI may compress the time between “bug exists” and “working exploit exists.”
  2. More automated targeting
     Attackers will not need the same level of expert skill to find exploitable paths.
  3. Greater harm to lower-income users
     The people least able to replace hardware are also the people least able to absorb identity theft, ransomware, or device loss.
  4. A public safety angle
     Schools, small clinics, charities, small businesses, and households using unsupported but still functional PCs are not fringe cases.

But I would avoid overstating one point

I would be cautious with wording like “permanent and high probability exposure”. It is directionally fair, but Microsoft will likely push back by saying:
1. Not every Mythos-discovered vulnerability affects Windows 10.
2. ESU never promised full product support, only security updates.
3. Commercial and education organizations already have longer ESU options than consumers. Microsoft says commercial and educational Windows 10 endpoints can receive security updates for up to three years after Windows 10 end of support.
4. Microsoft may argue that Windows 11 hardware requirements are themselves security-driven.
A stronger version is:
The emergence of AI-scale vulnerability discovery materially changes the risk assumptions behind ending consumer Windows 10 ESU in October 2026. Microsoft should provide at least an additional critical-security-only ESU path for consumers, nonprofits, schools, small clinics, and low-income users whose PCs cannot officially run Windows 11.

What to ask Microsoft for

If people push again, I’d suggest asking for specific, practical changes:
  1. Extend consumer ESU to October 2028
     Align consumers more closely with commercial/education ESU timelines.
  2. Provide a free or hardship-based ESU option
     Especially for low-income users, seniors, students, charities, and medical/community organizations.
  3. Remove Microsoft account / cloud-backup conditions everywhere
     European consumer pressure already helped change ESU terms in the EEA, where consumer groups said Microsoft agreed to a free one-year ESU option through October 13, 2026.
  4. Commit to patching Mythos/Glasswing-class critical Windows 10 flaws
     Even after normal consumer ESU ends, Microsoft could commit to backporting fixes for wormable, remotely exploitable, privilege-escalation, browser/OS boundary, and actively exploited vulnerabilities.
  5. Publish clearer guidance
     Microsoft should state whether critical vulnerabilities found through Project Glasswing that affect Windows 10 will be backported to Windows 10 ESU devices.

What users should do meanwhile

For anyone staying on Windows 10:
  1. Enroll in ESU now if eligible.
  2. Keep Windows 10 fully patched through Settings > Update & Security > Windows Update.
  3. Keep browsers updated separately.
  4. Use Microsoft Defender or another reputable AV.
  5. Use a standard user account for daily work.
  6. Keep offline backups.
  7. Avoid unsupported browsers, cracked software, and unknown remote-access tools.
  8. Consider Linux Mint, ChromeOS Flex, or another supported OS if the hardware is blocked from Windows 11.

Bottom line

Yes — I think it is time to push again. The best argument is security equity: AI-driven vulnerability discovery makes the October 2026 consumer cutoff harder to justify for people who cannot afford new hardware and whose Windows 10 machines are still functional. Microsoft does not need to support Windows 10 forever, but a critical-security-only consumer ESU extension would be a reasonable and defensible compromise.
 
Windows 10 ESU is going to be an interesting phase for a lot of businesses, especially those that are not ready to move fully to Windows 11 yet.

In most real setups, the bigger challenge is not just the OS upgrade itself, but hardware compatibility, licensing planning, and making sure systems stay secure during the transition period. A lot of companies end up doing a gradual migration instead of switching everything at once.

From what I’ve seen in enterprise environments, hardware vendors and regional partners also play a role in these transitions. For example, in the UAE market, companies sometimes coordinate with suppliers like Tech Distributor, which also works as a Huawei distributor in Dubai for broader enterprise infrastructure needs.

It really depends on how complex the environment is, but ESU is usually just a temporary bridge, not a long term solution.
 
Good point, mohsin05. ESU should be treated as a migration safety net, not the migration plan itself.
For businesses, the practical issue is usually a mix of:
  1. Hardware readiness — TPM 2.0, supported CPU, Secure Boot, firmware updates, driver support.
  2. Application compatibility — legacy line-of-business apps, VPN clients, accounting/ERP tools, browser dependencies.
  3. Licensing and procurement — Windows 11 licensing, Microsoft 365, Intune, volume licensing, OEM refresh cycles.
  4. Security exposure — keeping Windows 10 patched while reducing the number of devices that remain on it.
  5. Operational timing — avoiding rushed upgrades during busy business periods.
Microsoft’s own ESU guidance backs up your point: ESU provides Critical and Important security updates, but it does not include new features, design changes, or normal technical support. For commercial and education environments, Windows 10 ESU can run for up to three years, with Year 1 ending October 13, 2026, Year 2 ending October 12, 2027, and Year 3 ending October 10, 2028.
A sensible enterprise approach would be:
  1. Inventory every Windows 10 device.
  2. Group systems by upgrade readiness: Windows 11-ready, hardware refresh needed, app-blocked, or retire/replace.
  3. Enroll only unavoidable Windows 10 systems in ESU.
  4. Prioritize internet-facing, privileged, and business-critical machines first.
  5. Use vendors/partners for procurement and infrastructure planning, but validate licensing and ESU eligibility directly against Microsoft documentation.
  6. Set a hard internal retirement date before the final ESU year ends.
Also worth noting: regional suppliers and distributors can be useful for hardware refreshes and infrastructure projects, but companies should avoid treating ESU procurement as a generic reseller exercise. ESU eligibility, activation method, and licensing channel matter, especially in volume licensing, CSP, Windows 365, Azure Virtual Desktop, and hybrid environments.
So yes, ESU is useful — but only if it buys time for a controlled migration rather than becoming a reason to delay one indefinitely.
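
The triage steps listed in the post above, sketched as an added example that is not part of the original thread: it sorts a constructed inventory export into the four readiness groups, marks ESU candidates, and orders devices by exposure. The CSV column names, the rule that a device failing both hardware and application checks is "retire-replace", and the rule that only "app-blocked" and "hardware-refresh" devices are enrolled in ESU are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Commercial/education ESU Year 3 end date, as stated in the thread.
ESU_FINAL_END = date(2028, 10, 10)

# Constructed sample inventory export; the column names are assumptions.
SAMPLE_CSV = """host,tpm20,secure_boot,cpu_supported,app_blocked,internet_facing,privileged,business_critical
clinic-frontdesk,yes,yes,yes,no,yes,no,yes
lab-pc-07,no,yes,no,no,no,no,no
erp-term-02,yes,yes,yes,yes,no,yes,yes
kiosk-old,no,no,no,yes,yes,no,no
"""

def flag(row, key):
    return row[key].strip().lower() == "yes"

def classify(row):
    """Map one device to the readiness groups named in the post."""
    hw_ok = all(flag(row, k) for k in ("tpm20", "secure_boot", "cpu_supported"))
    blocked = flag(row, "app_blocked")
    if hw_ok and not blocked:
        return "win11-ready"
    if hw_ok:
        return "app-blocked"
    if not blocked:
        return "hardware-refresh"
    return "retire-replace"  # assumption: both hardware and apps need replacing

def priority(row):
    """Count exposure factors: internet-facing, privileged, business-critical."""
    return sum(flag(row, k) for k in ("internet_facing", "privileged", "business_critical"))

def triage(csv_text, retire_by):
    """Return the device plan, highest-exposure machines first."""
    if retire_by >= ESU_FINAL_END:
        raise ValueError("internal retirement date must precede the final ESU year end")
    plan = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        group = classify(row)
        plan.append({"host": row["host"], "group": group,
                     # assumption: only these two groups are "unavoidable" Windows 10
                     "esu": group in ("app-blocked", "hardware-refresh"),
                     "priority": priority(row)})
    return sorted(plan, key=lambda d: (-d["priority"], d["host"]))

if __name__ == "__main__":
    for device in triage(SAMPLE_CSV, date(2028, 6, 30)):
        print(device)
```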
 