Microsoft will stop shipping free security patches for Windows 10 on October 14, 2025, leaving an estimated hundreds of millions of PCs exposed unless owners take action. For the first time, the company is throwing a lifeline to consumers that does not require a credit card: two no-cost paths into its Extended Security Updates (ESU) program—syncing settings to OneDrive or cashing in 1,000 Microsoft Rewards points. A third, $30 option covers up to 10 devices under one Microsoft account, giving households a one-year bridge to Windows 11 or a replacement machine.

Behind the headline, the program is narrower than many realize. ESU for consumers delivers only patches labeled Critical or Important—no feature updates, no general quality fixes, no technical support. It ends on October 13, 2026, and every enrollment route demands a Microsoft account, a striking shift for users who stick with local logins. The enrollment wizard itself is rolling out in phases and has tripped up early adopters with missing toggles and rewards-redemption failures.

The ESU Essentials: Dates, Editions, and Enrollment Paths

The end-of-support clock stops on October 14, 2025. After that, Windows 10 version 22H2—the final feature release—no longer receives monthly security updates, unless a device is enrolled in ESU. The consumer ESU window spans October 15, 2025, through October 13, 2026. Enterprise customers have separate, pricier multi-year options, but home users and unmanaged small-business PCs get this one-year track.

Eligibility is straightforward but non-negotiable: the device must be running Windows 10 22H2 Home, Pro, Pro Education, or Pro for Workstations, with all prerequisite cumulative updates installed. Domain-joined machines, those enrolled in mobile device management, and kiosk endpoints do not qualify. For those, Microsoft steers admins toward volume-licensing ESU.

Microsoft offers three consumer enrollment routes:
- Free via OneDrive Backup: Turn on Windows Backup, which syncs settings, apps credentials, and files to OneDrive, and sign in with a Microsoft account. The “free” label assumes your backup fits within the 5 GB of included OneDrive storage. Anything beyond that requires a paid storage plan, effectively turning the free path into a paid one for heavy users.
- Free via Microsoft Rewards: Redeem 1,000 Rewards points accumulated through Bing searches, Microsoft Store purchases, or Xbox activity. The points system has a known hiccup: some users report redemptions failing on first attempt, then clearing after retries or support intervention. Points are non-refundable once redeemed.
- Paid license: A one-time purchase of roughly $30 USD (regional pricing varies) that can be applied to up to 10 devices tied to the same Microsoft account. Compared with past enterprise ESU pricing, this is an unusually generous consumer offer—but it still requires a Microsoft account.

Step-by-Step: How to Enroll Before the Deadline

Community forums and Microsoft’s own documentation urge users not to wait until October. The enrollment wizard appears inside Settings > Update & Security > Windows Update, but only after a phased rollout and the installation of specific cumulative updates. Many early enrollees saw no “Enroll now” link until they had installed all available updates and rebooted.

Microsoft has documented that an August cumulative update fixed an enrollment crash. One cited KB is KB5063709, but verification on official release-health pages should confirm whether your device needs it. The pragmatic checklist:

  1. Confirm your build. Go to Settings > System > About. If you are not on version 22H2, upgrade now.
  2. Install every pending update. Check Windows Update repeatedly until no updates remain. Reboot and check again.
  3. Create a full local disk image. Don’t lean on OneDrive alone; a separate rescue disk is insurance against botched ESU enrollment.
  4. Sign into Windows with a Microsoft account. Local-account users will be prompted to switch. The account must have administrator rights on the device.
  5. Look for the Enroll now prompt in Windows Update and follow the wizard. Choose Windows Backup, Rewards, or the paid path. After enrolling, verify that future updates appear with “ESU” labels in your update history.

If the toggle is missing despite meeting prerequisites, the most common remedy is installing cumulative updates and waiting for the phased rollout to hit your region or ring. Microsoft has acknowledged that not all eligible devices will see the prompt immediately.

The Hidden Trade-Offs of “Free”

The no-cash paths are not simply a gift; they embed a Microsoft-account requirement and, in the case of OneDrive, a cloud-storage dependency. Privacy-conscious users who have deliberately avoided cloud sync must choose between breaking that stance and paying $30—or risking exposure after October 14. The Rewards route avoids cloud storage but still demands a Microsoft account and enough loyalty points. Rewards redemption errors documented on Microsoft Q&A threads add a layer of unpredictability: someone who relies on points might find themselves locked out on enrollment day if the system glitches.

For users with larger backups, the OneDrive path can quickly become a recurring cost. A Microsoft 365 subscription with extra storage starts at $1.99 per month; that annual cost sometimes eclipses the $30 flat fee. Households with multiple devices may find the paid ESU license a better deal if they can keep all ten devices under one Microsoft account, but mixing accounts or separating devices for privacy reasons erodes that advantage.

What ESU Does Not Include

Microsoft is explicit that ESU for consumers is a security-only bandage. After October 14, 2025:
- No feature updates or non-security fixes will be delivered, even as Windows 11 gains new capabilities.
- No general technical support; Microsoft’s assisted support channels will not troubleshoot Windows 10 issues.
- Drivers that break due to missing platform updates remain unfixed, potentially destabilizing older hardware.
- Enterprise management features are absent; the consumer ESU path cannot be used for domain-joined machines.

The narrow scope means organizations in regulated industries—healthcare, finance, critical infrastructure—should not rely on consumer ESU to satisfy compliance auditors. Enterprise ESU with documented support contracts is the compliant path.

Real-World Scenarios: When ESU Is Right—and When It’s Not

ESU makes sense for:
- A home user running legacy tax or accounting software that won’t be rewritten for Windows 11, who needs a year to find alternatives.
- A household with several older PCs that can’t be replaced simultaneously; the $30 license covers up to ten devices, buying time for a staggered hardware refresh.
- A small office with a handful of stand-alone Windows 10 Pro machines and no immediate budget for new computers.

ESU is a false comfort for:
- Anyone handling sensitive personal or business data who believes ESU provides the same safety as a fully supported OS. The lack of non-security patches can leave unaddressed reliability holes.
- Users whose hardware is already failing. ESU can’t fix dying drives, unsupported graphics drivers, or firmware bugs.
- Privacy absolutists who refuse to create a Microsoft account. Even the paid purchase demands one.

Enterprise vs. Consumer ESU: A Quick Comparison

Aspect Consumer ESU Commercial/Enterprise ESU
Duration 1 year (Oct 15, 2025 – Oct 13, 2026) Up to 3 years (annual renewals)
Updates Security-only (Critical/Important) Security updates, optionally broader
Enrollment On-device wizard via Windows Update Volume Licensing, CSP, or EA channels
Cost Free (Backup/Rewards) or ~$30 up to 10 devices Per-device, increasing yearly (e.g., $61 first year for Windows 7 ESU)
Eligibility Windows 10 22H2 Home/Pro; unmanaged devices Any covered Windows 10 version; managed fleets
Microsoft Account Required for all paths Not required; tied to organization’s agreement

Corporate IT teams should ignore consumer ESU mechanics. Their playbook involves volume-licensing ESU, hardware audits, and migration pilots. Mixing consumer enrollments into a business environment creates licensing and support gaps.

Security Implications: One Year of Breathing Room Isn’t a Cure

After October 14, 2025, every new zero-day vulnerability targeting Windows 10 will remain unpatched on non-ESU machines. Attackers often hoard exploits for the day support ends, knowing a large attack surface will appear overnight. ESU devices, by contrast, will receive Critical and Important patches, reducing immediate risk. But because feature updates stop, underlying architectural weaknesses—outdated kernel protections, deprecated TLS versions—persist.

ESU also cannot compensate for the loss of non-security quality updates. A driver that works in August 2025 might break after a peripheral firmware update in November 2025, and no fix will be offered. For older printers, scanners, and specialized hardware, even a patched OS can become a reliability headache. Security teams should segment ESU devices onto isolated networks, apply additional endpoint detection and response, and set firm decommissioning dates.

Wider Impact: Hardware Hurdles and E-Waste Concerns

Windows 11’s hardware requirements—TPM 2.0, Secure Boot, a compatible 64-bit CPU—exclude many perfectly functional PCs from a supported upgrade path. That has made ESU more of a necessity than a luxury. Critics, including public-interest groups and some lawmakers, argue Microsoft’s stance fuels electronic waste by pushing consumers toward new hardware before older devices have reached the end of their useful life. Recycling and trade-in programs exist, but they don’t eliminate the environmental cost of manufacturing replacements.

Third-party patch providers like 0patch offer an alternative for users who refuse both the upgrade and the Microsoft account requirement. These services deliver micro-patches for critical vulnerabilities, often for a flat annual fee, and can cover Windows 10 beyond 2026. However, they don’t provide official Microsoft patches, and their scope is limited to what independent researchers can reverse-engineer and patch. For regulatory compliance, they are generally not an acceptable substitute.

Common Enrollment Problems and How to Solve Them

Community threads and Microsoft Q&A archives reveal a handful of recurring trouble spots:

  • Missing “Enroll now” link: Verify you’re on 22H2 and that all updates are installed. Check for the specific cumulative update that gates the wizard. If still absent, wait 24-48 hours and recheck; the rollout is tenant-specific.
  • Rewards redemption failure: Redeem points at account.microsoft.com/rewards, not through the ESU wizard directly, to ensure the balance is accurate. If the ESU redemption fails, wait and retry—many users report success after a second or third attempt. Points are deducted only on a successful redemption.
  • OneDrive storage confusion: Before enabling Windows Backup, review your OneDrive storage usage at onedrive.live.com. If you’re over the free 5 GB limit, either free up space or budget for extra storage.
  • Local-account users: The wizard will prompt a switch to a Microsoft account. Do this before the enrollment step to avoid a mid-process interruption.

A One-Year Migration Playbook

Treat the ESU window as a countdown, not a renewable subscription. Use the time to:

  1. Inventory your devices and apps. Document which machines can run Windows 11, which need replacement, and which legacy apps require testing or alternatives.
  2. Pilot Windows 11 upgrades on a spare device. Validate drivers, line-of-business software, and peripheral compatibility.
  3. Evaluate cloud-hosted Windows 11 (Windows 365) as a stopgap for machines that can’t upgrade natively. Some cloud subscriptions include ESU at no extra cost for the underlying Windows 10 VM.
  4. Budget for hardware. Combine trade-in programs with recycling to offset costs and reduce e-waste.
  5. Harden remaining ESU devices. Isolate them from the main network, deploy application allow-listing, and set monitoring alerts. Document a hard cut-off date for decommissioning.

Critical Analysis: Strengths, Weaknesses, and Risks

Strengths

  • Accessibility: The free paths lower the barrier for casual users who might otherwise remain exposed. The $30-for-10-devices pricing is remarkably generous compared with historical enterprise ESU costs.
  • Predictable deadline: A hard one-year extension forces planning, eliminating the ambiguity that plagued Windows 7’s drawn-out retirement.

Weaknesses

  • Microsoft Account mandate: Tying security patches to account creation alienates a segment of users and reopens debates about forced cloud integration.
  • Phased rollout fragility: The staggered availability creates a last-minute scramble risk for procrastinators who may not see the enrollment option until days before the deadline.

Risks

  • E-waste acceleration: If millions of users interpret ESU as too temporary and rush to buy new Windows 11 PCs, the environmental toll will be measurable.
  • Complacency: The “one more year” reprieve can lull users into inaction, leaving them with the same unsupported OS problem in October 2026—only with fewer migration months available.

What to Watch Next

Monitor the official Windows release-health dashboard and the Windows Experience Blog for any changes to prerequisite updates or enrollment timing. If relying on Rewards, check the Microsoft Rewards community page for redemption status alerts. Enterprise IT buyers should track volume-licensing announcements for 2026 renewal pricing and multi-year options.

For technical verification, cross-reference the KB numbers in community reports with Microsoft’s update catalog and release-health pages. Independent coverage from BleepingComputer, Tom’s Hardware, and Windows Central provides additional visibility into rollout quirks and workarounds.

The Bottom Line

Windows 10’s end of support is a hard reality on October 14, 2025. Microsoft’s consumer ESU program is an uncharacteristically flexible buffer—free for those willing to sync to OneDrive or redeem Rewards points, and cheap for those who pay. But it is a buffer, not a solution. Use the 12 months of security patches to execute a concrete migration plan. Procrastinate, and you’ll face the same threat in 2026 with fewer options.

Enroll early, test upgrades, and don’t mistake a stopgap for a strategy.