Windows 10 users can keep their Edge browsers and web‑based applications secure for three more years than expected. Microsoft has confirmed that both Microsoft Edge and the WebView2 Runtime will continue receiving updates on Windows 10 version 22H2 through at least October 2028—well past the operating system’s own end‑of‑support date on October 14, 2025. The commitment, detailed in Microsoft’s Edge support lifecycle documentation, also clarifies that enrollment in the Windows 10 Extended Security Updates (ESU) program is not required to receive these browser and runtime patches.
This announcement creates a clear separation between operating system support and browser/runtime support, a distinction that will shape enterprise migration strategies and consumer decisions in the coming months. While Windows 10 itself will stop receiving routine security updates next October, the web rendering engine that powers countless applications will remain patched for an additional three years.
The Decoupled Lifecycle: OS vs. Browser Support
Windows 10’s mainstream support is ending on October 14, 2025. After that date, Microsoft will no longer provide general technical assistance, feature updates, or routine security fixes for the operating system itself. Consumers and businesses are encouraged to upgrade to Windows 11 or enroll in the Extended Security Updates (ESU) program, which for consumers runs through October 12, 2027. Businesses have their own ESU options extending to 2028.
However, Microsoft Edge and WebView2 march to a different rhythm. The official lifecycle page for Edge states: “Microsoft Edge and the Microsoft WebView2 Runtime will continue to receive updates on Windows 10 22H2 until at least October 2028, coinciding with the end of the Extended Security Updates (ESU) program.” This means that even after Windows 10 stops receiving platform‑level patches, the Chromium‑based browser and the embedded web runtime will get security and quality updates for three additional years.
The same page explicitly notes that devices do not need to be enrolled in any ESU program to keep receiving Edge or WebView2 updates. That decoupling is significant: it reduces friction for consumers and small businesses that might otherwise assume paid ESU access is necessary to keep Edge secure.
What’s Covered: Edge, WebView2, and PWAs
The scope of this commitment is broad. Microsoft Edge—the default browser on Windows 10—will stay up to date with the same Chromium security patches delivered to Edge on Windows 11. Behind the scenes, the WebView2 runtime will also be serviced. WebView2 is an embedded control that allows native Windows applications to display web content, and it has become a critical dependency for many modern apps.
Progressive Web Apps (PWAs) installed from the Microsoft Store or via Edge rely on the same rendering engine. If the runtime is patched, those PWAs inherit the protections. Likewise, any line‑of‑business application that uses WebView2 to host web‑based user interfaces will continue to receive upstream security fixes for its embedded browser component.
Microsoft’s own Copilot experience uses WebView2 for certain fallback scenarios when the native Windows 11 integration isn’t available. On Windows 10, Copilot often falls back to a Page/Canvas rendering that relies on WebView2. Keeping that runtime updated ensures these Copilot experiences remain functional and secure throughout the extended window.
No ESU Required: The Surprise Detail
One of the most important clarifications in Microsoft’s documentation is that ESU enrollment is not a prerequisite for Edge or WebView2 updates. When the company first announced paid Extended Security Updates for consumers, many assumed that access to any Microsoft‑maintained component would require that enrollment. The Edge lifecycle page directly refutes that notion: devices will receive Edge and WebView2 updates regardless of ESU status.
This decision makes the extended browser support far more accessible. For organizations that were planning to pay only for their most critical systems, the browser runtime remains protected without additional cost. For home users, it removes a layer of anxiety: even if they choose not to pay for ESU, their web browsing and embedded web apps won’t be left exposed.
Why It Matters: Security and Application Compatibility
Browsers and embedded runtimes are among the most attacked pieces of software on any endpoint. A fully patched browser engine closes off a constant stream of zero‑day and known vulnerabilities. The Chromium project typically fixes over a thousand security issues each year, and Microsoft’s own Edge‑specific mitigations add another layer of defense.
By extending Edge and WebView2 support through 2028, Microsoft is effectively shielding a large portion of the Windows 10 installed base from the most common internet‑facing threats for an additional three years. This is not a theoretical benefit: many organizations depend on PWAs or WebView2‑based line‑of‑business apps that would become dangerous to use if the underlying engine stopped receiving patches.
Consider a hospital running a clinical application that embeds WebView2 to render lab results. If that runtime went unpatched after October 2025, a vulnerability in the rendering engine could allow an attacker to compromise the entire application—and potentially the device—simply by tricking a user into viewing a malicious web page. With the extended support, that scenario remains protected until at least 2028.
For ISVs and enterprise developers, the commitment provides a stable target. They can certify their applications against WebView2 on Windows 10 22H2 and know that the runtime will receive security updates for years to come. This reduces the pressure to immediately rewrite applications or force hardware upgrades just to keep web components safe.
The Limits: OS‑Level Risks Remain
Crucially, Microsoft’s pledge does not cover the entire attack surface. Windows 10 itself will stop receiving platform‑level security patches after October 14, 2025. Kernel bugs, driver exploits, firmware vulnerabilities, and unsupported system services will no longer be fixed. A patched browser is important, but it cannot protect against a privilege‑escalation attack that uses a local vulnerability to gain system access before even touching the browser.
Organizations that continue running Windows 10 after end of support must still address these risks through other means: network segmentation, zero‑trust access controls, advanced endpoint detection and response (EDR), and, where possible, hardware or software isolation. Edge and WebView2 updates should be seen as one layer of defence, not a replacement for full OS support.
Third‑party browsers are another variable. Google Chrome, Mozilla Firefox, and other vendors set their own support timelines. While it is plausible that Chrome will extend Windows 10 support for a similar period, no formal commitment has been published. Enterprises relying on Chrome or Firefox on Windows 10 should not assume parity with Microsoft’s lifecycle statement.
IT Planning: A Three‑Year Window for Migration
For IT leaders, the extended Edge/WebView2 support buys meaningful time—but it should be used deliberately. Microsoft is essentially giving organizations a grace period to plan and execute their Windows 11 migrations without the immediate pressure of an unpatched browser.
A phased approach makes sense:
- Short‑term (0–12 months): Inventory all applications that depend on WebView2 or Edge PWAs. Map these to critical endpoints. Ensure Edge and WebView2 updates are deployed rapidly through enterprise update channels like Intune, WSUS, or SCCM.
- Medium‑term (12–36 months): Migrate eligible devices to Windows 11 to reduce the overall attack surface. For machines that cannot be upgraded, implement network segmentation, strict identity controls, and robust EDR monitoring.
- Long‑term (beyond 2026–2028): Replace hardware that is incompatible with Windows 11. Align capital expenditure cycles to have all critical endpoints off Windows 10 before October 2028.
This timeline also aligns with Microsoft 365 support. Microsoft has stated that Microsoft 365 Apps will receive security updates on Windows 10 through October 10, 2028, though feature updates for those apps will end earlier, staggered by channel. The extended Edge/WebView2 commitment matches that 2028 horizon, creating a cohesive support envelope for web‑centric productivity.
Beyond Microsoft: Third‑Party Browsers and Copilot
While Edge is the default browser on Windows 10, many organizations standardize on Chrome or Firefox. These vendors have not yet published formal announcements regarding Windows 10 support post‑2025. Google has historically followed a pattern of supporting Chrome on Windows for as long as the OS receives Microsoft’s own security updates, but the decoupling of Edge from OS support could influence that calculus.
For Copilot users, the picture is mixed. Microsoft has indicated that Copilot will continue to function on Windows 10 where it relies on WebView2 fallbacks, but not all Copilot features will be available. Full Copilot integration—such as the native taskbar experience—is tightly bound to Windows 11 APIs and will not be backported. Organizations that heavily depend on Copilot for productivity should consider that feature parity will drift over time.
The Bottom Line
Microsoft’s commitment to update Edge and WebView2 on Windows 10 through October 2028 is a measured, pragmatic move. It protects hundreds of millions of devices from the most immediate web‑borne threats and gives organizations breathing room to execute orderly migrations. But it is not a license to ignore the underlying OS. Windows 10 will still reach end of support next year, and the security posture of any device running an unsupported operating system degrades over time.
The real value lies in the decoupling itself: Microsoft is acknowledging that the browser and embedded runtimes have become separate, critical products that cannot simply be left to expire with the OS. That clarity lets IT teams plan with confidence, knowing exactly which components will remain patched through 2028 and which will not. Use the time wisely, and start the migration clock today.