Microsoft has confirmed that the October 2025 Patch Tuesday will deliver the last regular security update for Windows 10, forcing hundreds of millions of users into a decisive moment. After October 14, 2025, devices that haven't enrolled in the new Consumer Extended Security Updates (ESU) program will stop receiving critical patches, leaving them exposed to new vulnerabilities. The stark message—"The October 2025 monthly security update will be the last update available for these versions"—leaves no room for ambiguity. The company is now pointing users toward a short list of post-deadline options: upgrade to Windows 11 if the hardware cooperates, pay $30 to extend security coverage through October 13, 2026, or embrace the risks of an unsupported OS.

The Consumer ESU program, a first for Microsoft's home-user base, has been built directly into Windows Update. It went live with three enrollment paths: a free tier that requires syncing PC settings to a Microsoft account, a Microsoft Rewards option redeemable for 1,000 points, and a one-time $30 purchase that covers up to 10 devices linked to the same account. While the program is operational, the rollout wasn't seamless—an August 2025 cumulative update (KB5063709) fixed a bug that broke the enrollment wizard for some users, underscoring the operational complexity of pushing enterprise-style lifecycle management to consumers.

The October 14 cut-off: what stops and what continues

Microsoft's formal end-of-support date for Windows 10 is October 14, 2025. On that day, the monthly security and preview updates that millions have relied on for years will cease for all consumer and most business editions that aren't enrolled in an extended security program. Devices will still function, and third-party software won't stop running overnight, but the operating system itself will no longer receive patches for newly discovered vulnerabilities. That transforms every Windows 10 PC into a static target—one that attackers can probe with impunity once a fresh exploit surfaces.

A crucial nuance is that supporting Microsoft products won't all vanish at once. Microsoft has committed to continuing security updates for Microsoft 365 Apps on Windows 10 for a limited period—three years beyond the OS end-of-support, ending October 10, 2028. The Edge browser and its underlying WebView2 runtime will also receive updates under separate policies. These partial reprieves help maintain productivity tools, but they do nothing to shield the OS kernel, networking stack, or other core components from attack.

Consumer ESU: how the program works

The consumer-oriented ESU resolves a long-standing pain point. Previously, Extended Security Updates were sold only through volume licensing agreements to enterprises, leaving individual users with no affordable bridge. Microsoft's new program, accessible directly from Settings → Update & Security → Windows Update, is open to devices running Windows 10 version 22H2 (Home, Pro, Pro Education, and Workstation editions) that have the latest cumulative updates installed. The enrollment choices are:

  • Free via cloud sync: The device must be signed in with a Microsoft account that has administrative rights, and PC settings backup (Windows Backup) must be enabled to sync to OneDrive. If that link already exists, enrollment is instant and cost-free.
  • Microsoft Rewards redemption: 1,000 Rewards points can be exchanged for enrollment, eliminating the need to hand over cloud-sync data if the user already participates in the Rewards program.
  • Paid purchase: A $30 (U.S.) one-time charge covers up to ten devices tied to a single Microsoft account. The purchase unlocks security updates for a full year, through October 13, 2026.

These paths give users flexibility, but they also reveal a trade-off: the free route is a deliberate nudge toward deeper Microsoft account integration. Privacy-conscious users who avoid cloud sign-in must either pay or forgo ESU altogether.

The KB5063709 fix and why it matters

When the ESU enrollment option first began rolling out, a significant number of users found the wizard failed to launch. Reports on Microsoft's own forums and community sites described blank windows or "ESU Enrollment" links that did nothing. Microsoft addressed this in the August 12, 2025 cumulative update (KB5063709, build 19044.6216/19045.6216), which "addressed an issue where the ESU enrollment wizard did not launch as expected."

For anyone still running Windows 10 22H2, installing KB5063709 or a later update is non-negotiable before attempting to enroll. If the link still isn't visible, the device must be signed into an administrator Microsoft account; local-only accounts won't see the option. The patch proves that Microsoft can—and does—tighten the plumbing on the fly, but the hiccup also shows how easily a mass consumer rollout can stumble, especially when millions need to take action in a compressed timeframe.

The hardware wall: why millions can't simply upgrade

The Consumer ESU exists largely because Windows 11's hardware requirements have stranded an enormous number of otherwise functional PCs. Windows 11 demands TPM 2.0, Secure Boot, and a supported 64-bit CPU (Intel 8th Gen or newer, AMD Ryzen 2000 series or newer). Many systems purchased in the Windows 10 era lack these features, and even some relatively modern machines fall outside Microsoft's CPU compatibility list.

Third-party market-share trackers underline the magnitude. StatCounter data from mid-2024 showed Windows 10 holding a dominant share of the global Windows install base, and while Windows 11 adoption has climbed through 2025, a substantial fraction of devices simply cannot make the jump. Press reports have circulated a "700 million users" figure, though that number appears to be an aggregation of estimates and older device counts rather than a current, audited statistic from Microsoft itself. Whatever the exact count, even conservative interpretations place the stuck population in the hundreds of millions.

For those users, the ESU program is the only official lifeline short of buying new hardware or switching operating systems entirely. Microsoft has been clear that there will be no last-minute relaxation of the hardware floor; the company views TPM 2.0 and Secure Boot as foundational security primitives for the modern threat landscape.

The security calculus: what’s at risk without ESU

An unpatched operating system is the digital equivalent of an unlocked house in a neighborhood of burglars. Every month that passes without security updates, the catalog of known exploits grows, and attackers become more incentivized to target the largest vulnerable populations. Windows 10 is likely to be that population for some time.

ESU delivers Critical and Important security updates as defined by Microsoft's security response center. It does not include feature updates, non-security reliability fixes, or full technical support. That means ESU reduces the blast radius but does not make the OS fully modern. Over time, third-party driver vendors, antivirus suites, and hardware manufacturers will prioritize Windows 11, potentially leaving ESU-protected PCs with degraded peripheral support or new compatibility gaps. The program buys time, not permanence.

Practical guide: what home users must do now

Confirm your starting point

  1. Open Settings → System → About and verify that you're on Windows 10, version 22H2. If not, install all available updates through Windows Update before proceeding.
  2. In Windows Update, install the latest cumulative update. As of this writing, that means KB5063709 or a later package; this ensures the ESU enrollment link appears correctly.
  3. Sign in with a Microsoft account that has administrator privileges on the device. A local account will not see the ESU option.

Choose your route

  • If your PC meets Windows 11 requirements: Use Microsoft's PC Health Check tool or the upgrade eligibility prompt in Windows Update to confirm. Back up your files, then initiate the free upgrade through Settings. Schedule a maintenance window and test critical software after the migration.
  • If your PC is not eligible and you need more time: Enroll in Consumer ESU before October 14, 2025. The least-effort path is to sign in with a Microsoft account and enable PC settings sync. Alternatively, redeem 1,000 Microsoft Rewards points or purchase the $30 license. Remember that a single consumer ESU license covers up to 10 devices linked to the same account, so families and small offices can consolidate.
  • If you can't or won't enroll: Prepare for a gradual degradation of security posture. Realistically, this path is only advisable if the machine is air-gapped from the internet or used for tasks where data sensitivity is minimal.

Plan for the future

Even with ESU, Windows 10's clock is ticking. The program expires October 13, 2026 for consumers, after which no further extensions are planned outside enterprise agreements. Use that year to budget for a Windows 11-capable device, explore alternative operating systems like ChromeOS Flex or Linux distros for compatible hardware, or begin a phased hardware refresh if you manage multiple machines.

Broader implications: Microsoft’s pragmatic bet with an expiration date

Microsoft's decision to offer consumer ESU is a pragmatic, if belated, acknowledgment that its installed base cannot be migrated overnight. The inclusion of a free path via cloud sync is clever: it lowers the barrier for the most casual users while simultaneously pulling them deeper into the Microsoft ecosystem. Critics have called this a trade of privacy for security, and for users who prefer a local-only experience, the $30 fee or the Rewards points route are the only alternatives that don't require handing over sync data.

The August enrollment bug and the necessity of KB5063709 also serve as a reminder that consumer-grade lifecycle management is still maturing. For an audience accustomed to automatic updates and minimal decision-making, the ESU enrollment process introduces a new set of interaction points that can confuse. Microsoft's support documentation and in-OS cues have improved, but many users will likely miss the enrollment window simply because they don't check Windows Update settings regularly—or because they dismiss the notifications as another push to upgrade.

For enterprises and organizations with larger fleets, the established paid ESU channels continue to offer multi-year options and volume licensing, distinct from the consumer plan. Those entities should continue working through Microsoft's commercial support lifecycle, which has its own timelines.

The bottom line

October 14, 2025, is not a suggestion. Microsoft's phrasing leaves no wiggle room: the October 2025 security update is the terminus for Windows 10's free monthly patching. The Consumer ESU program is a temporary bridge, not a new permanent home. It reduces the immediate threat of unpatched vulnerabilities for those who act in time, but it is explicitly limited to one year of critical fixes.

The smartest strategy for most users today is twofold: enroll in ESU if immediate migration isn't possible, and start the upgrade planning process now. Whether that means evaluating hardware for a Windows 11 jump, exploring alternative OSes for special-purpose devices, or simply budgeting for a new PC, the clock is already ticking. Microsoft has drawn the line; the responsibility to act now falls squarely on each Windows 10 user.