Microsoft’s August 2025 Patch Tuesday delivered KB5063709, a cumulative security update that finally repairs the crashing Extended Security Updates enrollment wizard—a bug that had locked users out of the paid or free extended support path just weeks before Windows 10’s October 14 end-of-support deadline. The update pushes Windows 10 22H2 to build 19045.6216 and 21H2 to 19041.6216, but its headline act is a working ‘Enroll now’ button that opens the door to an extra two years of critical patches.
For the millions still running Windows 10, this fix couldn’t come at a more critical moment. Without the wizard fix, affected devices couldn’t sign up for the consumer ESU program—leaving them stranded after October 14, 2025. Now, with KB5063709 installed, the enrollment flow loads correctly, presenting the three options Microsoft has outlined: free enrollment via settings sync, a 1,000-Microsoft Rewards redemption, or a one-time $30 payment.
The update itself is a mandatory security rollup with no consumer-facing features beyond the fix and a handful of input-related repairs. Yet it bundles a servicing stack update, Secure Boot anti-rollback protections, and a crucial advisory on upcoming firmware certificate expirations. Together, these changes extend well beyond a simple patch—they shape the experience for anyone still on Windows 10 as the platform enters its final supported phase.
ESU Enrollment Revived: The Wizard Works Again
KB5063709 directly addresses a regression where the ‘Enroll now’ wizard in Settings > Update & Security > Windows Update would flash open and immediately close, making enrollment impossible. Microsoft’s release notes confirm the fix, and community reports—including from AskWoody and Pureinfotech—validate that the August update restores a working ESU enrollment experience.
The timing is tight. Windows 10’s mainstream security updates stop on October 14, 2025. The consumer ESU program, which Microsoft now says runs until October 12, 2027 (an extension from earlier expectations of a one-year window), gives users a transitional lifeline. However, devices must enroll to receive any security patches after the cut-off. A non-functional wizard meant a dead end—so this fix removes a critical roadblock.
Once enrolled, users get access to all critical and important security updates defined by the Microsoft Security Response Center, delivered via Windows Update. No new features, no design changes—just security. And crucially, enrollment doesn’t block a later upgrade to Windows 11 if the hardware qualifies.
What Else KB5063709 Changes
Beyond the ESU headline, the update includes several quality-of-life fixes and platform protections.
- Input and emoji fixes: The patch resolves issues with Changjie input method selection in certain regions and restores emoji panel search behavior that broke after a prior July update. These may seem minor, but for users in affected locales or those who rely on the emoji panel, the fixes eliminate daily friction.
- Servicing stack update (SSU): The package ships with an updated servicing stack to improve update reliability. Because the SSU and LCU are combined, standard
wusa /uninstallwon’t work; administrators must use DISM-based removal for the LCU portion if rollback becomes necessary. - SKUSiPolicy anti-rollback: The update includes Secure Boot policy hooks that prevent downgrading protected system components—a proactive defense against malware that tries to revert secure files.
- Secure Boot certificate advisory: The KB notes warn that Secure Boot certificates begin expiring mid-2026. Organizations should coordinate firmware updates with hardware vendors to avoid boot failures, especially on older devices that may never receive updated firmware.
Field reports note that Windows Update delivers a relatively small differential download for already-patched systems, while the standalone .msu package on the Microsoft Update Catalog can be significantly larger—often in the high hundreds of megabytes. This is typical behavior for cumulative updates with a combined SSU.
The Microsoft Account Mandate: ESU’s Privacy Flashpoint
KB5063709 doesn’t change policy, but it surfaces the most contentious aspect of Microsoft’s consumer ESU offering: a Microsoft account is now required to enroll—even if you pay the $30 fee. This requirement, confirmed in Microsoft’s own ESU program documentation and highlighted by Windows Central, marks a shift for users who have long operated with local accounts.
Microsoft frames the account linkage as necessary for license management. A single $30 purchase covers up to 10 devices under one account, and the account serves as the entitlement anchor. For the free enrollment path, users must also enable settings sync via OneDrive, which effectively links the device to a Microsoft account anyway.
For privacy-conscious users, the imposition is not trivial. Local-only accounts have been a hallmark of Windows for decades, and while the account requirement is operationally understandable, it forces a choice: create a Microsoft account, switch to Windows 11 on compatible hardware, or remain unpatched after October 14. That narrative is already fueling a broader debate about platform stewardship, with a lawsuit alleging Microsoft is ending Windows 10 support to push AI-capable PCs.
From a practical standpoint, the enrollment process works as follows:
1. Install KB5063709 and ensure you’re on build 19045.6216.
2. Go to Settings > Update & Security > Windows Update; the ‘Enroll now’ link appears if the device is eligible.
3. The wizard prompts for a Microsoft account sign-in if you’re on a local account. After signing in, you choose from the three enrollment options.
4. If purchasing, the Microsoft Store checkout flow completes the transaction and binds the license to your account.
Deployment Considerations and Pitfalls
For most home users, KB5063709 arrives automatically via Windows Update. Power users and IT administrators, however, should weigh the following when rolling out the update:
- Combined SSU+LCU package: This makes rollback more complex. Test the update in a pilot ring, and ensure you have system images or restore points before deploying broadly.
- File size variability: The Microsoft Update Catalog .msu may be several hundred megabytes, while Windows Update might pull a smaller delta. Plan bandwidth and storage accordingly for offline deployments.
- Offline imaging: If slipstreaming the update into a Windows image, follow Microsoft’s guidance to integrate the SSU first, then the LCU.
- Secure Boot readiness: Inventory devices with Secure Boot enabled and check for firmware updates from OEMs to handle the 2026 certificate expirations noted in the advisory.
Analysis: Strengths, Limits, and What Comes Next
KB5063709 succeeds in its immediate mission: it unblocks ESU enrollment with a targeted fix. The input and emoji repairs address real usability regressions, and the servicing stack improvements strengthen the foundation for subsequent monthly updates. The Secure Boot anti-rollback and certificate advisory are prudent, forward-looking protections.
Yet the update also underscores the ticking clock for Windows 10 users. The consumer ESU program is explicitly temporary—Microsoft’s FAQ encourages users to “explore Windows 11 and Copilot+ PCs.” While two extra years of security updates is generous compared to many past ESU programs, it’s not a permanent solution. Devices that don’t meet Windows 11 hardware requirements will be left insecure once the program ends in 2027.
The Microsoft account requirement, while manageable for most, injects a policy friction point that could slow adoption among reluctant users. For enterprises that fall outside the consumer ESU scope (domain-joined or MDM-managed devices), separate commercial ESU licensing must be pursued.
Looking ahead, the Secure Boot certificate lifecycle adds an operational layer that all Windows 10 owners must track. The advisory in KB5063709 is an early warning; ignoring it could lead to boot failures in 2026 for machines whose firmware isn’t updated.
What You Should Do Now
- If you plan to stay on Windows 10: Install KB5063709 immediately. Then open Settings and enroll in ESU before October 14, 2025. Decide which enrollment method suits you—settings sync, Rewards, or the $30 purchase. Even if you pay, you’ll need a Microsoft account.
- If you’re on a local account: Weigh the trade-offs. The $30 fee is modest, but account linkage is mandatory. If privacy is a hard line, investigate Windows 11 eligibility on your current hardware or consider alternative operating systems.
- For IT pros: Push KB5063709 through your pilot rings. Validate critical workloads, especially custom drivers and virtualization setups. Test Secure Boot scenarios and plan firmware updates. Document rollback procedures using DISM or system images.
- Troubleshoot enrollment failures: If the wizard still crashes after installing KB5063709, run
wsresetto repair Windows Store components, check CBS logs for servicing stack errors, and ensure no prior SSU is missing. The $30 license covers up to 10 devices; make sure you use the same Microsoft account on each additional PC.
KB5063709 doesn’t bring new features, but it removes a critical barrier to extended security coverage. For Windows 10 users staring down the October 14 end-of-support date, that fix is everything. Install it, choose your ESU path, and keep a close eye on that firmware update list—2026 will be here sooner than you think.