October 14, 2025, was the day Microsoft pulled the plug on mainstream Windows 10 support. For the millions of PCs still running the operating system, that meant no more free security updates, bug fixes, or technical assistance—unless you paid up. But in an unprecedented move, Microsoft’s consumer Extended Security Updates (ESU) program now offers a lifeline: security patches until October 12, 2027. This gives Windows 10 loyalists up to three additional years, but at a cost and with caveats that every user must understand.
When Microsoft first announced the end-of-support deadline, many assumed Windows 10 would become a security minefield overnight. Yet the consumer ESU, a program previously reserved only for businesses, changes the calculus. For a fee, you can keep receiving critical and important security updates that address newly discovered vulnerabilities. But this isn’t a long-term solution; it’s a bridge to either a new PC or a delayed upgrade to Windows 11. And with hardware requirements blocking many older systems from Microsoft’s latest OS, that bridge suddenly looks essential for a vast number of users.
The State of Windows 10 Support: What Ended and What Continues
As of October 14, 2025, Windows 10 version 22H2 entered its end-of-life phase. Microsoft no longer provides the following for free:
- Monthly security updates (the typical “Patch Tuesday” releases)
- Non-security bug fixes and stability improvements
- Technical support from Microsoft
- Feature updates or any new functionality
However, third-party software vendors may continue supporting Windows 10 for some time. Antivirus programs, browsers, and applications won’t stop working immediately. Google Chrome, for instance, has a pattern of supporting older Windows versions for a while after Microsoft drops them. But the core operating system itself will remain stagnant, a frozen target for attackers.
That’s where Extended Security Updates come in. For the first time, Microsoft is offering a consumer ESU plan that lets individuals purchase security patches year-by-year. Historically, ESU was an enterprise-only program, most notably used with Windows 7. This consumer offering signals just how large the Windows 10 installed base remains—and how many PCs can’t or won’t move to Windows 11.
What the Extended Security Updates Program Covers
Consumer ESU is not a free pass. It is a paid subscription that delivers only the security updates Microsoft rates “critical” or “important.” Here’s exactly what you get and what you don’t:
Included:
- Monthly security updates that address known vulnerabilities
- Patches for flaws that could allow remote code execution, elevation of privilege, or information disclosure
- Any out-of-band emergency fixes Microsoft deems necessary
Not included:
- Non-security bug fixes, even if they affect usability
- New features or design changes
- Technical support from Microsoft (you can still rely on community forums)
- Updates for Windows 10 editions that are not eligible (more on that below)
The program covers Windows 10 Pro, Home, and Pro for Workstations. Enterprise and Education editions have their own ESU paths, often at different price points and with volume-licensing options. Importantly, the consumer ESU is tied to a specific device; you cannot transfer a subscription to a new PC.
How to Get ESU on Your Windows 10 PC
Microsoft plans to sell the ESU subscription through its online store. The exact enrollment process is still being finalized, but early documentation indicates the following steps:
- Ensure your Windows 10 device is running version 22H2 (the final feature update). Older versions won’t qualify.
- Visit the Microsoft Store app on your PC or a dedicated web portal.
- Purchase the one-year ESU plan for a price that Microsoft has hinted will be around $30 per device per year, though final pricing may vary.
- After purchase, the license activates automatically, and your PC will continue receiving security updates through Windows Update until the subscription expires.
Subscriptions can be renewed annually until October 2027. You must buy at least one year at a time; there’s no monthly option. If you let the subscription lapse, your PC immediately stops receiving patches, and you cannot purchase retroactive coverage for missed months.
One crucial detail: the initial purchase window opened shortly before October 14, 2025, but Microsoft kept sales available after the deadline to accommodate late adopters. So even if you missed the end-of-support date, you can still buy in now—your PC may simply have missed a few weeks of patches.
The Real Cost of Staying on Windows 10
On the surface, $30 per year sounds reasonable. For three years, you’d pay $90 to keep a single PC protected. Compare that to the cost of a new Windows 11-capable machine, which starts at around $400 for a budget laptop and soars upward from there. For a home user with a perfectly functional device, ESU seems like a bargain.
But hidden costs lurk. Third-party software support will gradually fade. Driver updates for aging hardware will cease. If a new peripheral requires a Windows 11-specific driver, you’re out of luck. And some modern security features—like virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI)—remain exclusive to Windows 11, leaving your ESU-patched Windows 10 less resistant to certain attack vectors.
Moreover, ESU does nothing to improve performance or compatibility. Windows 10’s underlying codebase is frozen in time. As web standards evolve and applications demand newer APIs, you may encounter slowdowns or incompatibilities that no security patch can fix. The ESU program buys time, not progress.
Security Without Updates: The Risk Landscape
Why is it so dangerous to run an unpatched OS? After October 2025, every Microsoft security update released for newer versions of Windows will effectively become a public blueprint for attacking Windows 10. Researchers and attackers can reverse-engineer patches to find the underlying vulnerabilities, then target the millions of unpatched Windows 10 machines. This “diffing” technique has been used successfully against Windows 7 and XP after their support ended.
Common attack vectors include:
- Remote code execution through network services like the Print Spooler or Remote Desktop
- Browser-based exploits that escape sandboxes and attack the kernel
- Phishing campaigns that deliver malware exploiting unpatched Office components
- Drive-by downloads from compromised websites
Without ESU, each month that passes increases the number of known, unpatched vulnerabilities on your PC. Even with robust third-party antivirus, the OS itself becomes the weakest link. And while defense-in-depth measures like firewalls and user education help, they aren’t foolproof.
Secure Boot and BitLocker: Your Last Line of Defense?
Hardware-based security features can partially mitigate the risk of running an outdated OS. Secure Boot, which verifies the integrity of the boot process, prevents many rootkits from embedding themselves. BitLocker full-drive encryption protects data at rest, so that a lost or stolen laptop doesn’t expose unencrypted files. These technologies are built into most modern Windows 10 PCs and remain functional even after support ends.
However, they are not panaceas. BitLocker recovery keys become critical if the TPM (Trusted Platform Module) fails or if a firmware update resets the keys. Users who stay on Windows 10 long-term must safeguard those recovery keys—often stored in a Microsoft account or printed out—because losing access could mean permanent data loss. Secure Boot, meanwhile, can be undermined if an attacker gains physical access and disables it in the firmware, though that requires a high level of sophistication.
Moreover, several classes of vulnerabilities can bypass these protections. For example, a kernel-mode exploit can read data from memory even if the disk is BitLocker-encrypted, because the decryption key resides in RAM while the system is running. And Secure Boot won’t stop malware that loads after the boot process completes. So while these features add friction for attackers, they are not substitutes for regular security patches.
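The checks described in this section can be run on the PC itself. The PowerShell below is an added example, not from the original article or from Microsoft: it reports Secure Boot and TPM state and confirms that the OS volume has a recovery-password protector, printing only the protector ID so it can be matched against the key you backed up. The function name is hypothetical, and the script assumes an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: audits Secure Boot, TPM and BitLocker on the local PC.
function Get-BootAndDiskProtection {
    $r = [ordered]@{}

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # on legacy BIOS systems, where Secure Boot is not available at all.
    try {
        $r.SecureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $r.SecureBoot = 'Not supported by this firmware'
    }

    # The TPM normally seals the BitLocker key; if it is missing or not ready,
    # the recovery password is the only way back into the volume.
    $tpm = Get-Tpm
    $r.TpmPresent = $tpm.TpmPresent
    $r.TpmReady   = $tpm.TpmReady

    # Inspect the OS volume. The cmdlet may be missing on some editions.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    } catch {
        $r.BitLocker = 'Get-BitLockerVolume unavailable or failed'
        return [pscustomobject]$r
    }
    $r.ProtectionStatus = $vol.ProtectionStatus   # On / Off
    $r.VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted
    $r.KeyProtectors    = $vol.KeyProtector.KeyProtectorType -join ', '

    # Report only the ID of the recovery protector, never the password itself.
    $rec = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $r.HasRecoveryPassword  = [bool]$rec
    $r.RecoveryProtectorIds = $rec.KeyProtectorId -join ', '

    [pscustomobject]$r
}

Get-BootAndDiskProtection | Format-List
```

If `HasRecoveryPassword` is false on an encrypted volume, or the listed ID does not match the key you have stored, fix that before any firmware update.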
Windows 11: The Upgrade Path and Its Challenges
Microsoft’s preferred solution to the Windows 10 end-of-life is simple: upgrade to Windows 11. The newer OS offers a modern interface, improved security defaults, and support for the latest hardware. It also receives all the security patches that Windows 10 ESU users will be paying for.
The sticking point is hardware compatibility. Windows 11 enforces strict requirements: a compatible 64-bit processor, TPM 2.0, Secure Boot-capable firmware, and at least 4 GB of RAM and 64 GB of storage. Millions of otherwise capable PCs from the early Windows 10 era lack TPM 2.0, or they run on Intel 7th-gen or AMD first-gen Ryzen processors that Microsoft deems unsupported.
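To see which path a given PC is on, the requirements listed above and the ESU prerequisites from the enrollment steps (version 22H2, a Home, Pro or Pro for Workstations edition) can be checked together. This PowerShell is an added example, not Microsoft's compatibility tooling; the function name is hypothetical, it tests only the criteria this article names, and it does not evaluate the supported-CPU model list.

```powershell
#Requires -RunAsAdministrator
# Added example: checks only the criteria listed in this article.
function Test-Windows10ExitPath {
    $cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cpu    = Get-CimInstance Win32_Processor | Select-Object -First 1
    $ram    = (Get-CimInstance Win32_PhysicalMemory |
                  Measure-Object Capacity -Sum).Sum
    $letter = $env:SystemDrive.TrimEnd(':')
    $disk   = Get-Partition -DriveLetter $letter | Get-Disk

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # "Capable" is not "enabled": the cmdlet returns $false when Secure Boot is
    # only switched off, and throws when the firmware cannot do it at all.
    try { $null = Confirm-SecureBootUEFI; $sbCapable = $true }
    catch { $sbCapable = $false }

    $win11 = [ordered]@{
        Cpu64Bit          = $cpu.DataWidth -eq 64
        Tpm20             = $tpmSpec -eq '2.0'
        SecureBootCapable = $sbCapable
        Ram4GB            = $ram -ge 4GB
        Storage64GB       = $disk.Size -ge 64e9   # decimal GB (assumption)
    }

    # EditionID: Core = Home. N and Single Language variants use other IDs
    # and are not matched here.
    $esuEditions = 'Core', 'Professional', 'ProfessionalWorkstation'
    $esu = [ordered]@{
        Is22H2          = $cv.DisplayVersion -eq '22H2'
        ConsumerEdition = $cv.EditionID -in $esuEditions
    }

    [pscustomobject]@{
        Windows11Checks = [pscustomobject]$win11
        MeetsWin11List  = -not ($win11.Values -contains $false)
        EsuChecks       = [pscustomobject]$esu
        MeetsEsuList    = -not ($esu.Values -contains $false)
        CpuModel        = $cpu.Name   # compare by hand with the supported-CPU list
    }
}

Test-Windows10ExitPath | Format-List
```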
Workarounds exist: you can install Windows 11 on unsupported hardware by bypassing the TPM and CPU checks through registry edits or modified installation media. But Microsoft warns that such systems may not receive updates and could experience driver issues. For many, the risk isn’t worth it, especially in a business setting.
If your PC qualifies, the upgrade from Windows 10 to 11 is free. You can kick off the process through Windows Update or the Installation Assistant. But before you leap, ensure your critical applications are compatible. Some legacy software, particularly custom business tools, may break on the new OS. And the user interface changes—the centered Start menu, redesigned taskbar, and new settings layout—can frustrate longtime users.
Future-Proofing: Planning for 2027 and Beyond
October 12, 2027, is the hard deadline. After that date, no amount of money will buy security updates for Windows 10. At that point, every Windows 10 machine—ESU or not—becomes a sitting duck. So what should you do with the extra time?
If your PC meets Windows 11 requirements:
- Use the ESU period to thoroughly test Windows 11 on a spare machine or in a dual-boot setup.
- Migrate your applications and data carefully. Plan the transition for a time when you can afford downtime.
- By 2027, Windows 12 (or whatever comes next) may already be on the horizon, but Windows 11 will be supported until at least 2031 based on Microsoft’s 10-year lifecycle. So moving to 11 is a safe long-term bet.
If your PC does NOT meet Windows 11 requirements:
- Start budgeting for a new device. The three-year ESU window gives you time to save up.
- Consider switching to an alternative OS like Linux if your workflow allows. Many distributions are user-friendly and can breathe new life into aging hardware, though this comes with its own learning curve and application compatibility challenges.
- Explore the refurbished market: a Windows 11-capable business laptop from 2020 or later can be found for under $300.
Businesses using Windows 10:
- Enterprise and education customers have separate ESU programs with volume licensing. Leverage those to maintain compliance while you plan a fleet-wide upgrade.
- Use the time to audit hardware, train employees on Windows 11, and deal with application compatibility issues.
The Bigger Picture: Why Microsoft Did This
Microsoft’s consumer ESU isn’t an act of charity. Windows 11 adoption has been sluggish compared to previous OS transitions. As of mid-2025, Windows 10 still commanded over 60% of the Windows market share. Cutting off security updates for that many users would create a global security crisis, exposing millions of individuals and businesses to ransomware and data theft. That kind of PR disaster would harm Microsoft’s reputation and potentially draw regulatory scrutiny.
Offering a paid ESU program both generates revenue and nudges users toward eventual migration. Each year, as the subscription price stacks up and as Windows 11’s advantages become clearer, the calculus shifts. It’s a smart, and lucrative, stopgap.
For consumers, the message is clear: the clock is ticking, but it hasn’t struck midnight just yet. Windows 10 remains viable through 2027, but only if you keep paying and stay vigilant. The ESU program is not a permanent home—it’s a well-lit waiting room. Use the time wisely to plan your next move, whether that’s upgrading hardware, migrating to Windows 11, or exploring new platforms entirely. When the updates stop for good, the ones left behind won’t just be unsupported—they’ll be undefended.