Microsoft has formally drawn a line under Windows 10: the October 14, 2025 security update will be the last monthly patch for all mainstream consumer and business editions outside of paid or promotional extensions. The announcement, buried in a support document for the August 2025 cumulative update KB5063709, confirms that users who don't enroll in the freshly minted consumer Extended Security Updates (ESU) program will be left without critical vulnerability fixes from that date onward. For the hundreds of millions of devices still running Microsoft's older OS, the clock is now ticking loudly.

A Hard Deadline and a Broad Audience

The cutoff applies to Windows 10 version 22H2 across Home, Pro, Enterprise, Education, and IoT Enterprise editions, as well as earlier LTSB/IoT Enterprise releases where applicable. After October 14, 2025, none of these will receive the monthly security rollups that have been the backbone of Windows 10's defense against rapidly exploited flaws. While exact device counts are elusive—figures like “700 million” or “750 million” are estimates based on market-share data and older Microsoft statements—the practical truth is urgent: tens, if not hundreds, of millions of consumer and small-business PCs remain in daily use and will become high-value targets unless owners take action.

Microsoft's documentation for KB5063709 (OS Builds 19044.6216 and 19045.6216) includes a reminder that devices must be up to date to see the new ESU enrollment wizard. The same cumulative update also carries a note about Secure Boot certificate expiration starting in June 2026—a parallel security milestone that will require updated certificates delivered via Windows Update. So while the October deadline gets the headlines, it's part of a broader effort to steer users toward more modern, maintained software.

Extended Security Updates for Consumers – Three Paths to One More Year

Historically, Extended Security Updates were a commercial product reserved for enterprise volume-licensing contracts. This time, Microsoft is offering consumers a trio of enrollment options, all managed through a new wizard inside Settings > Windows Update after KB5063709 is installed:

  • Free with OneDrive sync: Turn on Windows Backup to sync your PC settings to the cloud using a Microsoft account and OneDrive. This ties your ESU license to that Microsoft Account at no extra cost.
  • Redeem 1,000 Microsoft Rewards points: If you've accumulated points, you can cash them in for one year of ESU without spending money.
  • A one-time $30 purchase: A single license covers up to 10 devices registered to the same Microsoft account. Local pricing may vary, but $30 is the official US price.

All paths require signing into the Windows device with a Microsoft account that has administrator privileges—local accounts are not eligible for enrollment. The wizard itself was rolled out via cumulative updates, and KB5063709 specifically addresses a bug that prevented some users from seeing the option. If you don't spot the ESU enrollment yet, updating to the latest build is the first step.

What you get: critical and important security updates as defined by Microsoft's Security Response Center (MSRC), delivered monthly through October 13, 2026. What you don't get: new features, quality-of-life improvements, or Microsoft's standard technical support. It's a pure security-patch bridge, nothing more.

Why ESU Matters in an Escalating Threat Landscape

The August 2025 Patch Tuesday, which delivered KB5063709 alongside other fixes, served as a stark reminder of the stakes. Independent trackers counted 107 to 111 common vulnerabilities and exposures (CVEs) patched that month, including a publicly disclosed Kerberos privilege-elevation flaw and at least one zero-day. Unpatched systems—particularly those connected to the internet—sit squarely in attackers' crosshairs. ESU preserves the monthly security update cadence for enrolled devices, but only for a single year and only if you act before the October cutoff.

For IT professionals, this means scoping the number of Windows 10 endpoints that will still be active after the deadline and factoring ESU into the migration budget. For home users, it's a relatively cheap insurance policy, but it's not carte blanche to defer a Windows 11 upgrade indefinitely.

Windows 11 Upgrade: The AI Privacy Elephant in the Room

A non-trivial reason some users are clinging to Windows 10 isn't hardware incompatibility but discomfort with Windows 11's deepening AI integration. The Recall feature—a “photographic memory” that snapshots and indexes everything on screen—has drawn sustained fire since its preview. Microsoft says Recall processes data locally, encrypts snapshots, and requires Windows Hello to view them, but independent testers found gaps: sensitive information like credit card numbers and passwords appeared in plaintext snapshots, and proof-of-concept tools demonstrated extraction risks. Even with subsequent patches and filtering improvements, many users view Windows 11 as a surveillance-adjacent platform and prefer Windows 10's less AI-intrusive environment.

The ESU enrollment itself forces a Microsoft account onto the device, further eroding the local-account experience that privacy-focused users value. This account binding is mandatory—you cannot receive ESU without linking the OS to a Microsoft online identity. For some, this trade-off is worth the extra year of security; for others, it may push them toward alternative operating systems or an earlier hardware refresh.

The Microsoft Store Update Change: Less Control, More Patching

In parallel with OS lifecycle changes, Microsoft quietly removed the ability to turn off automatic app updates permanently in the Microsoft Store. Now, users can only pause updates for up to five weeks, after which they resume automatically. The security rationale is clear: outdated apps with known vulnerabilities are a common attack vector. But by removing the indefinite “off” switch, Microsoft takes away a level of user autonomy that some home users and IT admins relied on for compatibility testing or metered connections.

This change is policy-driven and not directly tied to Windows 10's support clock, but it underscores Microsoft's broader push toward automatic, security-first update behaviors—a pattern that will only accelerate once Windows 10 enters its ESU twilight.

Practical Guidance: What to Do Now

  1. Update immediately. Open Settings > Windows Update and install all pending updates, including KB5063709. This brings your build to 19044.6216 or 19045.6216 and surfaces the ESU enrollment wizard.
  2. Choose your ESU path. If you can't or won't move to Windows 11 right away, enable the free option by turning on Windows Backup to OneDrive, redeem Rewards points, or purchase the $30 license. Remember: one license covers up to 10 devices, making it economical for a household.
  3. If you rely on a local account, plan ahead. Add a Microsoft account with administrator privileges to the device—the wizard won't work otherwise. Consider whether the privacy trade-off is acceptable for that extra year.
  4. Upgrade to Windows 11 if your hardware is compatible. This remains Microsoft's recommended long-term path and avoids the 2026 deadline altogether. Use the PC Health Check app to verify compatibility.
  5. Harden your environment. Even with ESU, keep third-party software up to date, run a reputable antivirus, use a firewall, and practice safe browsing. Layered defense is essential when the OS itself enters extended support.
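
Steps 1 and 3 can be checked from a PowerShell prompt before opening the wizard. The script below is an added example, not Microsoft's tooling or part of the original article; it compares the running build with the 19044.6216 / 19045.6216 level cited above and reports whether the signed-in user looks like a Microsoft account in the local Administrators group. Treating `PrincipalSource` from `Get-LocalUser` as the Microsoft-account signal is an assumption of this example.

```powershell
# Added example (not Microsoft's tooling): local pre-check for the ESU
# prerequisites named in this article. Run in Windows PowerShell 5.1.
$MinUbr     = 6216               # revision delivered by KB5063709 (from the article)
$KbBuilds   = 19044, 19045       # builds the article lists for KB5063709
$LastPatch  = [datetime]'2025-10-14'
$AdminGroup = 'S-1-5-32-544'     # well-known SID of BUILTIN\Administrators

function Test-Kb5063709Level {
    param([int]$Build, [int]$Ubr)
    # True when the build is one KB5063709 targets and its revision is at
    # or past 6216, the level at which the article says the wizard appears.
    return ($KbBuilds -contains $Build) -and ($Ubr -ge $MinUbr)
}

# CurrentBuild and UBR together form the "19045.6216" style build string.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild
$ubr   = [int]$cv.UBR

# Assumption: PrincipalSource reported by Get-LocalUser is used as the
# signal for a Microsoft account; domain accounts return no local user.
$me    = [Security.Principal.WindowsIdentity]::GetCurrent()
$local = Get-LocalUser -SID $me.User -ErrorAction SilentlyContinue
$isMsa = [bool]($local -and $local.PrincipalSource -eq 'MicrosoftAccount')

# Group membership is checked rather than elevation, so the result is the
# same from an unelevated prompt.
$members = Get-LocalGroupMember -SID $AdminGroup -ErrorAction SilentlyContinue
$isAdmin = [bool]($members | Where-Object { $_.SID.Value -eq $me.User.Value })

[pscustomobject]@{
    Build              = "$build.$ubr"
    Kb5063709OrLater   = Test-Kb5063709Level -Build $build -Ubr $ubr
    MicrosoftAccount   = $isMsa
    LocalAdministrator = $isAdmin
    DaysToLastPatch    = [math]::Max(0, ($LastPatch - (Get-Date).Date).Days)
}
```

A `False` in `Kb5063709OrLater` points back to step 1; a `False` in `MicrosoftAccount` or `LocalAdministrator` points to step 3.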

Strengths and Weaknesses of Microsoft's Strategy

Microsoft's decision to offer a consumer ESU program at all is a pragmatic concession to the massive Windows 10 installed base. The free OneDrive-sync option and Rewards redemption are unusually consumer-friendly, lowering the barrier far below the enterprise ESU's per-device costs. And by tying enrollment to a Microsoft account, the company lays the foundation for tighter ecosystem integration down the road.

But the plan is not without friction. The Microsoft account requirement alienates privacy-conscious users and those in environments where cloud syncing is prohibited. The one-year window is short; manufacturers and independent software vendors will likely drop Windows 10 driver and app support rapidly after October 2025, regardless of ESU. And the Recall and AI concerns that keep users on Windows 10 won't vanish in 2026—they'll simply be deferred until the final cutoff forces a decision.

Critically, the headline user numbers circulating online (“700 million,” “750 million”) are not backed by a single, contemporary Microsoft census. They are market-share extrapolations that convey scale but lack auditability. The real risk isn't the exact figure; it's the sheer number of unpatched devices that will remain after support ends, many owned by users who are unaware of the deadline.

Conclusion: A Clear Deadline, a Short Bridge

October 14, 2025 is not a soft sunset; it's a hard stop for free Windows 10 security updates. The consumer ESU program offers a one-year safety net, but enrollment is not automatic and comes with identity and privacy strings attached. For anyone still running Windows 10 today, the choice is binary and time-sensitive: enroll in ESU after installing the August cumulative updates, or plan to move off the OS entirely. The cost of inaction is being locked out of critical monthly patches—and attackers are already cataloging the CVEs that will remain open on holdouts. Install KB5063709, pick your enrollment path, and use the coming months to chart a more permanent migration strategy. The bridge is narrow, and it won't last forever.