Microsoft’s Secure Boot certificates for Windows will expire in June 2026, the company warned this week, adding a new layer of urgency for the millions of PCs still running Windows 10 after its October 14, 2025 end-of-support deadline. The warning underscores that staying on Windows 10 without enrolling in the Extended Security Updates (ESU) program could leave devices not only without security patches but also vulnerable to firmware-level trust failures.

As of the end of 2025, nearly 1 billion computers were still on Windows 10, many ineligible for Windows 11 due to hardware requirements. Microsoft’s free security updates for the OS ceased on October 14, 2025. The ESU program—a one-year stopgap—is the only official way to receive Critical and Important security patches through October 13, 2026. With the Secure Boot certificate expiration looming, that stopgap is now even more critical.

What the ESU Program Actually Delivers

Enrollment in the consumer ESU program provides monthly security-only updates for Windows 10 version 22H2 Home, Pro, Pro Education, and Workstation editions. It does not include new features, non-security fixes, or general technical support. The updates are classified as Critical or Important by Microsoft’s Security Response Center.

The coverage runs from October 15, 2025 to October 13, 2026. A consumer ESU license is tied to a Microsoft account and can be applied to up to 10 eligible devices. Importantly, domain-joined, MDM-enrolled, or kiosk-mode devices cannot use the consumer ESU program—those are covered by separate enterprise plans.

Enrollment can cost you nothing, $30, or 1,000 Microsoft Rewards points. Europeans, however, can enroll for free without strings attached, according to Microsoft’s policy for the region. For everyone else, the free paths require either enabling Windows Backup to sync settings to OneDrive or redeeming 1,000 Rewards points. A one-time $30 purchase (plus tax) is also available if you prefer not to link a Microsoft account to OneDrive or lack Rewards points.

Why the Secure Boot Certificate Expiration Raises the Stakes

Secure Boot ensures that a PC boots only with software trusted by the PC manufacturer and Microsoft. The certificates that underpin this security have a finite lifespan, and Microsoft’s original Windows certificates will expire in June 2026. Without fresh certificates, a PC may fail to boot or be unable to verify the integrity of firmware and bootloaders. While Microsoft has not detailed the exact consequences, the risk of boot failures and weakened security on unpatched Windows 10 machines is real.

This development effectively shortens the runway for Windows 10 users who planned to hold out past the ESU window. Even with ESU enrollment, post-June 2026, the platform will become increasingly fragile without a supported OS. Microsoft’s warning is clear: the Secure Boot certificate expiration is a hard deadline that no ESU program can circumvent.

How to Enroll in ESU—Step by Step

Before you can enroll, confirm your device runs Windows 10 version 22H2 and has all latest updates installed. Check via Settings > System > About and then Settings > Update & Security > Check for updates. You need administrative privileges and a Microsoft account for most paths (local accounts will be prompted to sign in during enrollment).

Then, navigate to Settings > Update & Security > Windows Update. Eligible devices should display an “Enroll now” link or banner. Click it to launch the enrollment wizard. You’ll see three options:

  • Free with Windows Backup: Sync your PC settings to OneDrive using your Microsoft account. This option is straightforward but ties your ESU license to cloud sync. Free OneDrive accounts include only 5 GB of storage—if you’re near the limit, you may need to free space or upgrade your storage plan.
  • Redeem 1,000 Microsoft Rewards Points: Select this if you have accumulated points. Several users have reported intermittent redemption failures; if you encounter an error, retry later or fall back to another method.
  • Pay $30 (plus tax): This one-time purchase grants ESU for up to 10 devices linked to your Microsoft account. It avoids any OneDrive sync requirement and is the most privacy-friendly option if you want to keep your account activity minimal.

Europeans may see additional free options; Microsoft has extended free ESU in the region without requiring OneDrive or Rewards.

After completing the wizard, verify enrollment by checking Windows Update history for ESU-labeled updates. You should receive security patches as they are released.

What If the Enrollment Wizard Isn’t Showing?

The ESU enrollment feature is rolling out in phases. Many users, including CNET’s test lab, did not see the “Enroll now” link even after installing the required August 2025 cumulative update KB5063709. Microsoft acknowledged the delay: “We’re working to restore the availability of the Windows 10 Extended Security Updates program in a subset of markets,” a spokesperson said.

If the link is absent, install all pending updates, reboot, and check again. Keep Windows Update refreshed periodically. If the wizard still doesn’t appear, monitor Microsoft’s release health dashboard and tech news outlets—the company has deployed out-of-band fixes for previous enrollment bugs and should have the feature broadly available before October 14.

Common Enrollment Hiccups and Workarounds

  • Rewards point failures: Redemption glitches are common. If your points aren’t accepted, try again later or switch to the backup/paid route.
  • OneDrive storage limits: Syncing settings may fail if your free 5 GB is full. Clear some OneDrive space, purchase extra storage, or use the paid ESU path.
  • Update-related regressions: The same KB5063709 that enabled ESU features also introduced issues with system recovery and reset functions. Microsoft has released subsequent patches to address these. When troubleshooting, consider pausing optional updates if you rely heavily on these tools.

The Real Costs of Skipping ESU

Without ESU, Windows 10 PCs become increasingly exposed to actively exploited vulnerabilities. Threat actors often target unpatched systems, and a widely deployed OS like Windows 10 will remain an attractive target long after support ends. Beyond direct security risks, application and driver compatibility can degrade as vendors shift focus to Windows 11. Microsoft 365 Apps may offer only reduced support on unsupported Windows 10 versions. For small businesses or regulated users, running an unsupported OS can violate compliance mandates like PCI DSS or HIPAA.

The ESU program is a temporary bridge, not a substitute for a long-term migration plan. Microsoft explicitly states it is “not intended as a long-term solution” and recommends using the year to upgrade or replace hardware.

Privacy and Data Implications of the Free Paths

Choosing the free OneDrive sync path means your PC settings and some profile data are stored in Microsoft’s cloud. While it doesn’t automatically back up all user folders, it does create a stronger link between your device and your Microsoft account—potentially increasing telemetry. For privacy-conscious users, the $30 payment or credit card/Redemption option avoids that. Regardless of path, maintain an independent offline backup of critical data, not just a cloud sync.

Long-Term Alternatives: Upgrade or Replace

While ESU buys time, migration to Windows 11 remains the safest long-term choice. Use the PC Health Check app to determine hardware eligibility. Many older PCs lack TPM 2.0 or a supported CPU, making an in-place upgrade impossible without unsupported workarounds. Installing Windows 11 on unsupported hardware—via registry hacks or modified ISOs—may block future updates and create instability. If you go that route, treat it as a temporary experiment with no safety net.

Purchasing a new Windows 11 PC is often more straightforward, especially for machines over five years old. New hardware also brings modern security features like Secure Boot, TPM, and virtualization-based security. For users who cannot stomach hardware replacement, Linux distributions or ChromeOS Flex can extend aging hardware for basic tasks, though they won’t run legacy Windows software without virtualized solutions.

Immediate Action Checklist

  1. Verify your OS version: Ensure you are on Windows 10 22H2 and install all pending updates.
  2. Create a full backup: Copy important files to an external drive or a non-Microsoft cloud service.
  3. Prepare a Microsoft account: You’ll need one for most ESU paths. Keep it under your control.
  4. Check for the enrollment wizard: Open Windows Update and look for the “Enroll now” link. If it’s missing, keep checking back.
  5. Pick your enrollment method: Choose based on your privacy preference, storage availability, and willingness to spend $30.
  6. Verify ESU updates: After enrollment, confirm that ESU patches appear in your update history.
  7. Plan your migration: Use the ESU year to test Windows 11 on your hardware (or a spare machine), budget for a new PC, or explore alternative OS options.

The Clock Is Ticking

The double deadline of October 14, 2025 (end of free support) and June 2026 (Secure Boot certificate expiration) means Windows 10 users must act decisively. Enrolling in ESU secures the immediate security gap but does not solve the longer-term platform viability. The program is deliberately narrow and temporary—use it deliberately to orchestrate a clean exit to Windows 11 or a new device. Waiting until the last minute risks hitting a brick wall without a safety net.