The clock is ticking louder for Windows 10 users. Microsoft has set a hard deadline of October 14, 2025, for ordinary security patches, but it’s offering a narrowly scoped escape hatch: the consumer Extended Security Updates (ESU) program. For the first time, home users can purchase—or even get for free—an additional year of “critical and important” security fixes, stretching Windows 10’s safe life to October 13, 2026. This is not a feature upgrade or a reprieve from migration; it’s a time-bound safety net for the nearly 1 billion PCs still running the decade-old OS. With Secure Boot certificates set to expire in June 2026 and enrollment hurdles already frustrating early adopters, we break down exactly who qualifies, how to sign up, the hidden privacy tradeoffs, and the concrete steps you must take this week.
Why Windows 10’s End of Life Demands Immediate Action
Running an unpatched operating system after October 14, 2025, isn’t just a bad idea—it’s a material security risk. Attackers weaponize disclosures rapidly, and businesses with compliance obligations could face legal or financial consequences for keeping vulnerable machines in production. ESU is security-only: no new features, no non-security bug fixes, and no broad technical support. Yet it dramatically reduces immediate exposure for those who simply need more time to migrate.
Compounding the urgency, Microsoft confirmed that the original Secure Boot certificates—which guarantee that Windows only runs trusted software—will expire in June 2026. Without updating the certificate store (delivered via ESU or a Windows 11 upgrade), machines could become unbootable or vulnerable to sophisticated attacks. That makes enrollment not just about patching CVEs but about maintaining fundamental platform integrity.
Community reports and independent testing have already surfaced rollout friction: some users in Europe and elsewhere still don’t see the enrollment wizard, even after installing the prerequisite August 2025 cumulative update KB5063709. Microsoft told CNET it is “restoring the availability” in certain markets, but the staged rollout means procrastination could leave you unprotected on day one. The message is clear: update now, verify your build, and enroll as soon as the option appears.
What the Consumer ESU Covers—and What It Doesn’t
The program is laser-focused on safety. For one year, enrolled devices receive only those security patches Microsoft classifies as “critical” or “important.” You won’t get driver improvements, interface tweaks, or support for new hardware standards. Technical assistance is limited to ESU activation and update installation issues—everything else is out of scope. Think of it as a bridge, not a destination.
Crucially, consumer ESU is distinct from the commercial offering. Home, Pro, Pro Education, and Workstation editions running version 22H2 are the only eligible SKUs. Domain-joined machines, those managed by enterprise MDM, or anything in kiosk mode must use the separate (and far pricier) commercial channel. That channel, available through Volume Licensing or cloud providers, starts at $61 per device for Year 1, doubling annually, and can stretch to three years for organizations with deep migration cycles.
Eligibility: Five Non-Negotiable Requirements
Don’t assume your PC qualifies. Microsoft has explicitly scoped eligibility, and missing any one item will block enrollment:
- Windows 10, version 22H2 (Home, Pro, Pro Education, Workstation). Earlier builds or other editions aren’t supported.
- All pending updates installed, specifically the August 2025 cumulative update KB5063709. This patch fixes an early enrollment wizard crash and adds the “Enroll now” flow to Settings → Windows Update.
- A Microsoft account (MSA) with administrator privileges on the device. Local-only accounts won’t work; the ESU license is bound to the MSA used during enrollment.
- The device must not be domain-joined (Active Directory), Entra-joined in enterprise modes, in kiosk mode, or managed by enterprise mobility tools.
- Timing: Enrollment must happen during the support window—ideally before October 14, 2025, to avoid any gap.
One crucial nuance: the ESU license is account-based, not machine-based. That means a single $30 purchase (or a free/rewards enrollment) can cover up to 10 devices signed into the same Microsoft account. For families or small non-domain environments, this is a surprisingly consumer-friendly hook.
Three Paths to Enroll: Free, Rewards, or $30
The enrollment wizard presents three choices:
- Free via OneDrive backup: Sync your PC settings (passwords, language preferences, etc.) to your Microsoft account’s OneDrive. This effectively ties ESU coverage to using Windows Backup. It’s a one-click deal, but privacy-conscious users should note that setting sync touches more data than a simple sign-in.
- Free via 1,000 Microsoft Rewards points: If you’ve accumulated points through Bing searches or the Microsoft Store, you can redeem them. Availability may vary by region.
- Paid: $30 one-time purchase: A flat fee that licenses ESU for up to 10 devices on the same MSA. In some regions, the free path isn’t offered, but the paid option remains universal.
The OneDrive route deserves scrutiny. Microsoft provides only 5 GB of free storage; a hefty settings backup might push you over, forcing a paid OneDrive subscription—potentially making the “free” path more expensive than the $30 alternative. And because the backup ties your ESU license to that MSA, divorcing the two later might be messy. If privacy is paramount, weigh the $30 option; you still sign in with an MSA during enrollment, but you’re not compelled to sync everything.
Step-by-Step: How to Enroll Before the Deadline
Follow these steps in order to lock in continuous protection:
- Verify your Windows 10 version. Go to Settings → System → About. It must say “Windows 10, version 22H2.” If not, run Windows Update to get it.
- Install every pending update. Head to Settings → Update & Security → Windows Update and click “Check for updates.” Confirm that KB5063709 (or a later rollup) is listed in your update history. Reboot when prompted.
- Create a verified backup. This isn’t optional. Make a full disk image and copy critical files to at least one independent destination (external drive or a second cloud). Test restoring a few files. Enrolling in ESU isn’t risky, but the period around major transitions is when data loss accidents spike.
- Sign in with a Microsoft account that has admin rights on the PC. If you’re on a local account, the wizard will prompt for sign-in.
- Open Settings → Update & Security → Windows Update. Look for a banner reading “Windows 10 support ends in October 2025” and a link saying “Enroll in Extended Security Updates.” Click it to launch the wizard.
- Choose your enrollment method: Windows Backup sync (free), Redeem Rewards (free), or Purchase for $30. Follow the prompts. Once complete, you’ll see confirmation that your device is covered until October 13, 2026.
If you don’t see the enrollment link despite meeting prerequisites, the rollout is still underway. Microsoft started with Windows Insiders and is expanding gradually. Check your build number against the expected value for August’s patched 22H2 (e.g., Build 19045.xxxx), install any newer updates, and try again after a few days.
The Hidden Gotchas: Secure Boot, Firmware, and Rollout Reliability
KB5063709 doesn’t just enable ESU; it also includes a release-health note about Secure Boot certificate lifecycles. Many older PCs rely on firmware-level certificates that will expire in mid-2026. Once expired, those machines could fail security checks, leaving them either unbootable or unable to verify driver authenticity. Microsoft urges users to inventory and apply OEM firmware updates now—particularly for devices that will remain on Windows 10 into 2026. If your manufacturer no longer ships firmware updates, the only long-term fix may be a hardware replacement or OS migration.
Early ESU testers encountered a crashing enrollment wizard, which KB5063709 fixed. But the staggered rollout means that even patched machines might not show the link immediately. This friction underscores the danger of last-minute enrollment: if the UI isn’t ready on October 13, you’ll be exposed. Enroll as soon as you see the option.
Additionally, third-party software vendors often align their support with Microsoft’s lifecycle. Over time, you may find drivers, antivirus suites, or line-of-business applications no longer tested on Windows 10. ESU won’t prevent that fragmentation. Treat this year as a countdown to a supported platform.
Enterprise Customers Play by Different Rules
Businesses and organizations cannot piggyback on the consumer ESU. Commercial ESU is purchased through Volume Licensing, CSPs, or as part of Windows 365 and Azure Virtual Desktop subscriptions. Year 1 pricing starts at $61 per device, with Year 2 doubling to $122 and Year 3 to $244—a deliberate escalation to accelerate migration. Cloud-based activation may offer discounts or inclusion for eligible tenants. If you manage a fleet, contact your licensing partner immediately; procurement and deployment cycles are measured in months, not weeks.
Alternatives: Upgrade, Replace, or Migrate
ESU is not your only path. Evaluate three other options:
- Upgrade to Windows 11: Run the PC Health Check tool to see if your hardware qualifies (TPM 2.0, UEFI Secure Boot, supported CPU, 4 GB RAM, 64 GB storage). An in-place upgrade preserves apps and files, but test critical software first. Microsoft’s phased rollout of Windows 11 itself means even eligible devices may not see the upgrade offer immediately, so plan ahead.
- Replace the hardware: For aging machines with spinning disks or unsupported processors, a modern Windows 11 PC (with SSDs, NPUs, and the latest security hardware) is the most future-proof choice. Trade-in programs can lower net cost, and refurbished options abound.
- Switch to a non-Windows OS: Linux distributions or ChromeOS Flex can breathe life into older hardware for users whose workflows are entirely browser-based. This eliminates the licensing and account entanglement questions entirely, but may require lifestyle adjustments.
A hybrid approach: use ESU to buy one year, then migrate to Windows 11 or a new device during that window. The key is to have a plan, not to drift.
Practical Checklist for the Next Seven Days
- [ ] Confirm Windows 10 22H2 is installed (Settings → About).
- [ ] Install all pending updates, especially KB5063709, and reboot.
- [ ] Create a verified backup (disk image plus critical files to an independent medium).
- [ ] Decide on a migration path: upgrade to Windows 11, buy new hardware, switch OS, or enroll in ESU.
- [ ] Sign into the PC with a Microsoft account (if not already).
- [ ] Open Settings → Windows Update and look for the ESU enrollment banner.
- [ ] Enroll as soon as possible—don’t wait for October.
- [ ] Document which machines are enrolled, upgraded, or retired.
The Bottom Line
Microsoft’s consumer ESU program is a pragmatic, short-term safety valve. It substantially lowers the systemic risk of a billion unpatched Windows 10 PCs, and the enrollment options—free via backup or Rewards, or a modest $30—are surprisingly accessible. But it binds you to a Microsoft account, offers only security fixes, and expires in one year. The real play is to use this borrowed time to move to a supported platform. Update, back up, enroll early, and start planning your next machine. The bridge is solid, but it isn’t a destination.