Windows 10’s consumer Extended Security Updates (ESU) program is finally here, but the road to enrollment is proving bumpier than Microsoft’s July announcement suggested. The one-year security patch lifeline—designed for the hundreds of millions of PCs that can’t or won’t move to Windows 11 by October 14, 2025—started rolling out through Windows Update in August. Yet many eligible devices still don’t show the “Enroll now” button, and an early bug in the enrollment wizard forced Microsoft to issue an emergency fix via a cumulative update. If your Settings app still looks the same as it did last month, you aren’t alone: Microsoft confirms the new UI is arriving in waves, and patience—plus a specific patch—is the price of admission.

The fix, which arrived on August 12 in the form of KB5063709, raises Windows 10 22H2 to OS Build 19045.6216 (and 19044.6216 for Enterprise/Education SKUs). According to the official support document, KB5063709 includes “servicing stack updates that improve the reliability of Windows Update,” and crucially, it “addresses an issue that causes the Extended Security Updates enrollment window to close unexpectedly or not open at all.” In plain English, Microsoft shipped a crash fix. For the subset of users who managed to see the ESU banner but then watched it vanish when they clicked, this update should resolve the problem outright. But the patched wizard is only half the story; the rollout of the banner itself remains gated behind a phased deployment that Microsoft has not publicly scheduled.

The staged nature of the rollout was acknowledged by the company to multiple tech outlets in late August. A spokesperson told Windows Latest that the “Enroll now” link “will be visible for all eligible Windows 10 devices before the end of support date,” but declined to specify incremental release dates. This pattern mirrors typical Windows feature rollouts: Insiders get first access, then a gradual expansion through production rings. Community reports suggest that machines enrolled in the Release Preview Insider ring tend to see the option sooner, while devices on standard monthly updates may not spot the link for weeks. “I finally got the ESU banner last night after checking for updates,” one user wrote on a forum. “I’d already installed KB5063709 two days earlier. Coincidence? Maybe.”

For those still waiting, the practical checklist is short: install every available patch, reboot, sign in with a Microsoft account that has administrator rights, and check Windows Update again. If the banner doesn’t appear, the single most likely explanation is that your Region or device ring hasn’t been lifted yet. Microsoft has not provided a self-service diagnostic to confirm staging status, leaving users to guess. “Why can’t they just tell us when our turn is?” another frustrated user posted. “I’ve done all the steps, and it’s still missing. It feels like they’re pressuring us to just buy a new PC.”

What the program actually delivers
Let’s be clear about what ESU is and isn’t. For a consumer, ESU means security-only updates—patches rated Critical or Important by the Microsoft Security Response Center—delivered through the standard Windows Update channel. There are no feature updates, no driver enhancements, no quality-of-life fixes, and no technical support beyond the security bulletins themselves. The one-year clock starts ticking on October 14, 2025, and ends October 13, 2026. Devices must be running Windows 10, version 22H2 (Home, Pro, Pro Education, or Pro for Workstations) and be properly activated. Domain-joined PCs, kiosks, and machines already covered by volume-licensing ESU programs are excluded from the consumer flow.

Microsoft offers three payment methods: free enrollment by enabling “Windows Backup” settings sync (which shunts your settings, passwords, and credentials to OneDrive); redemption of 1,000 Microsoft Rewards points; or a one-time purchase priced at roughly $30 USD. That $30 license is surprisingly generous: it covers up to 10 devices tied to the same Microsoft account. In multi-PC households, a single payment could theoretically protect every aging laptop and desktop. Microsoft confirmed that the license is per-account, not per-machine, and the enrollment UI will prompt you to select which of your linked devices should receive updates.

Privacy tradeoffs and the real cost of “free”
The no-charge route is seductive, but it comes with a data-cost that many users are only now noticing. To enroll for free, you must turn on Windows Backup, which syncs your sign-in credentials, browser data, app settings, and more to your Microsoft account in OneDrive. For users who have spent years avoiding cloud integration on principle, this is a bitter pill. “I don’t want Microsoft hoovering up my settings just to get security patches I should arguably receive for free anyway,” a commenter wrote on gHacks. The $30 payment avoids forced sync, but still requires a Microsoft account sign-in for license validation. There is no path for purely local accounts. That design choice simplifies Microsoft’s licensing enforcement—ESU entitlement is stored in the Microsoft account backend, not on the device itself—but it cements the account tether that the company has been pushing since Windows 8.

Privacy advocates have pointed out that the free path essentially converts a security program into a cloud-adoption incentive. You exchange behavioral data (by virtue of syncing settings that reveal device usage patterns) for patches that prevent ransomware. Microsoft’s messaging frames this as a convenience play—“turn on backup and never worry about losing your settings again”—but the subtext is unmistakable: the company wants more OneDrive accounts. Whether that’s a fair trade is a judgment call each household must make.

Who should (and shouldn’t) enroll
ESU is a bridge, not a destination. It is meant for two groups: people whose hardware genuinely cannot run Windows 11 (lacking TPM 2.0, Secure Boot, or a compatible CPU) and small offices that need an extra 12 months to budget for replacement hardware or application migration. If your PC can upgrade to Windows 11, even with modest performance, experts recommend biting the bullet now rather than stretching Windows 10 another year. The security architecture of Windows 11—hardware-enforced stack protection, virtualization-based security, and more frequent Defender updates—offers a fundamentally different threat model that will only matter more as attackers focus on an end-of-life OS.

That said, upgrading isn’t always a clean path. Microsoft’s hardware requirements have been controversial since launch, and millions of perfectly capable PCs—some as young as three or four years old—are blocked by the TPM or CPU floor. This has spawned a thriving ecosystem of third-party tools that bypass those checks. Two in particular have gained fresh prominence during the ESU rollout discussion.

Beyond ESU: FlyBy11 and Rufus open the upgrade door for “incompatible” PCs
For the stubborn segment of Windows 10 diehards who would rather upgrade to 11 than pay for patches but can’t get past Microsoft’s compatibility gate, tools like FlyBy11 and Rufus have evolved into mature, user-friendly solutions. FlyBy11, covered extensively on gHacks, automates the in-place upgrade from Windows 10 to 11 by applying a series of compatibility workarounds and offering to download the latest ISO directly. It checks prerequisites, handles driver compatibility warnings, and preserves installed applications and files. The latest version added better handling for unsupported CPUs and a more granular control panel for choosing which bypasses to apply.

Rufus, the venerable USB bootable drive creator, has taken a different approach. Its recent builds can download a Windows 11 ISO and create an installation media that automatically disables TPM, Secure Boot, and memory checks during setup. This allows both clean installations and in-place upgrades on hardware that Microsoft deems ineligible. The Rufus method carries more risk—once you’re on an unsupported configuration, future feature updates may fail or require you to repeat the bypass process manually—but it remains the go-to for tech-savvy users willing to accept that tradeoff.

Both tools are unsupported by Microsoft. Using them means you’re on your own for feature updates, and while security patches will likely continue to install, there’s no guarantee. “I used Rufus to put 11 on my old ThinkPad T470,” a Reddit user recounted. “It runs perfectly, but I have a full backup on an external SSD just in case the next major update bricks it.” That paranoia is well-founded: Microsoft has, in the past, actively blocked some hardware from receiving insider builds, and the line between “unsupported but functional” and “blocked entirely” can shift without warning.

Risks of running Windows 10 without ESU after October 2025
For those who plan to do nothing—no ESU, no upgrade, no new PC—the risk profile is grim. Unsupported operating systems become prime targets for zero-day exploitation because there is no patch pipeline. After support ends, every newly discovered vulnerability remains open. For an OS as widely deployed as Windows 10, the attacker incentive is enormous. Browsers, email clients, and any application that processes untrusted network data could become entry points. Even devices used solely for light browsing may be compromised via drive-by downloads or malvertising. “If you handle financial transactions or have sensitive personal files on a Windows 10 machine after October, you are gambling,” security researcher Kevin Beaumont noted in a Mastodon thread. “ESU at least gives you a year of breathing room. Without it, you’re a sitting duck.”

Businesses face additional compliance headaches. Many regulatory frameworks require that systems run supported software. Failure to apply security patches can trigger audit findings, insurance complications, or worse. The consumer ESU path is explicitly not for domain-joined devices, so small offices with unmanaged workgroups can use it, but any machine touching Active Directory needs the enterprise ESU program instead.

What Microsoft got right—and where it stumbled
Microsoft deserves credit for the rapid KB5063709 fix. The engineering team moved from bug report to shipping a corrective patch in less than a month, which is a solid response time. The multi-route payment model is also more accommodating than the old Windows 7 ESU (which was enterprise-only and astronomically priced per-device). A $30 household license covering ten machines is, by any historical measure, a steal.

But the communication strategy around the rollout has been poor. Announcing a critical post-support option and then delivering it piecemeal without a transparency dashboard breeds confusion and conspiracy theories. Users who relied on early blog posts to understand timelines assumed the button would appear immediately after installing the August Patch Tuesday updates. When it didn’t, many concluded the feature was broken or that their device was somehow ineligible. A simple banner in Windows Update that says “ESU enrollment is coming; you’re in group B and should see it by September 12” would have dispelled much of the noise.

The privacy tradeoff was also poorly messaged. Microsoft could have offered a one-time enrollment code system that verified account ownership without ongoing sync, preserving the licensing model while respecting user choice. Instead, they tied free enrollment to OneDrive adoption, which feels less like a security program and more like a product upsell. For a company that has spent years trying to rebuild trust post-Windows 10 telemetry controversies, this was a missed opportunity to demonstrate user-centric design.

What to do now: a decision tree

  • If you see the “Enroll now” link: Check which route makes sense. If you’re already syncing with OneDrive, the free path is frictionless. If you value privacy, spend the $30. Either way, enroll before October 14 to maintain patch continuity.
  • If you don’t see the link but have installed all updates including KB5063709: Wait. Staging could take weeks. Check once a week after Patch Tuesday.
  • If your PC supports Windows 11: Upgrade now. Use the official Installation Assistant or Media Creation Tool for the smoothest experience. Back up first.
  • If your PC fails Windows 11 compatibility checks but you want to upgrade anyway: Evaluate FlyBy11 or Rufus after creating a complete disk image. Accept the risk of unsupported future updates.
  • If none of the above applies: Start budgeting for new hardware. The Windows 11 hardware ecosystem is mature, and even entry-level laptops now ship with TPM 2.0 and Secure Boot enabled by default.

Final analysis
Windows 10’s consumer ESU is a functional, if imperfect, safety net. The KB5063709 fix proves Microsoft can react quickly when enrollment breaks. The staged rollout, while aggravating, is standard operating procedure for Windows feature releases. The real friction lies in the program’s design tension between security pragmatism and ecosystem lock-in. By forcing Microsoft account sign-in, soft-mandating OneDrive sync for free enrollment, and leaving upgrade-hesitant users to navigate unsupported third-party tools, Microsoft has made a security extension feel like a concession, not a commitment to its installed base. As the October deadline approaches, millions of users will weigh flawed options: pay $30, sync to the cloud, or forge ahead with bypassed Windows 11 installs. The safest path is to act deliberately and soon, because in cybersecurity, indecision is a vulnerability all its own.