Consumer Reports has formally asked Microsoft to provide free security updates for Windows 10 beyond its October 14, 2025 end-of-support date, warning that the company’s current plans will leave hundreds of millions of PCs vulnerable and unfairly burden low-income households. The nonprofit consumer watchdog sent a letter to CEO Satya Nadella this week, calling on Microsoft to extend security patches at no cost for users who cannot upgrade their hardware, while also removing what it sees as coercive enrollment mechanics tied to Microsoft accounts and Rewards points. With Windows 10 still running on roughly 46% of the world's Windows PCs just weeks before the cutoff, the stakes are enormous.

What Consumer Reports Is Demanding

In its letter to Nadella, Consumer Reports urged three concrete actions:

  • Free security updates for all Windows 10 users who cannot upgrade. The organization argues that a paywall around essential security patches is unfair, especially when an estimated 200 to 400 million PCs worldwide are ineligible for Windows 11 due to strict hardware requirements like TPM 2.0 and supported CPU lists.
  • Privacy-respecting activation pathways. Currently, the only free route to obtain Extended Security Updates (ESU) for consumers requires either backing up settings to a Microsoft account via Windows Backup, or redeeming Microsoft Rewards points earned through Bing searches or Xbox gaming. Consumer Reports contends that tying critical security to unrelated Microsoft services is an unnecessary hoop that compromises privacy and user choice.
  • Clearer, more equitable support for schools and low-income households. The group emphasizes that many public institutions lack budget for sudden hardware refreshes, and that forcing functional PCs into premature retirement creates an environmental crisis.

The letter also criticized Microsoft and its hardware partners for selling Windows 10 PCs well into 2023 that were never eligible for the Windows 11 upgrade, a point that adds accountability to the vendor’s push for newer hardware.

The Hard Numbers: Why This Matters Now

Data from web-analytics services shows Windows 10 still commands a 46.2% share of desktop Windows installs as of August 2025, translating to roughly 646.8 million users based on Microsoft’s own estimate of 1.4 billion total Windows devices. After October 14, those machines will stop receiving routine security patches, feature updates, and technical assistance—unless owners enroll in an ESU program or switch operating systems.

Microsoft has offered a consumer ESU option for a single year beyond the deadline, costing a reported $30 for the full 12 months. Users can also get it “free” by syncing settings to a Microsoft account (which ties the entitlement to that account) or by spending 1,000 Microsoft Rewards points. The free pathway has drawn sharp criticism for encouraging data collection and nudging users into the Microsoft ecosystem for a security necessity. Moreover, the consumer ESU is capped at 10 devices per Microsoft account and delivers only critical and important security fixes—no feature drops or general support.

For organizations, Microsoft offers up to three years of ESU coverage, a disparity that leaves home users and small schools on a much shorter leash.

Your Options Before the October Deadline

If you’re one of the hundreds of millions still on Windows 10, time is running out. Your core choices:

  • Upgrade to Windows 11 if your PC meets the requirements. Run Microsoft’s PC Health Check tool to verify TPM 2.0, Secure Boot, and a compatible CPU. This is the most future-proof path and keeps you in the mainstream support stream.
  • Enroll in the Windows 10 Consumer ESU. For many older machines, this is the only official way to keep getting security updates after October 14. Weigh the trade-offs: about $30 out of pocket, or free with account linkage and backups to OneDrive. Activation must happen before or shortly after the end-of-support date.
  • Replace the device with a Windows 11 PC, a Chromebook, or a Mac. Consider trade-in and recycling programs—Microsoft and many OEMs offer them, though values vary. Schools and nonprofits may qualify for discounted or donated hardware.
  • Switch to an alternative OS. Tech-savvy users can install a Linux distribution like Ubuntu or Linux Mint, or Google’s ChromeOS Flex, which can breathe new life into older hardware without security dead ends.
  • Isolate critical machines. If none of the above are feasible immediately, move sensitive workloads to cloud services or restrict the PC to offline use behind a robust firewall until a permanent solution is in place.

The Bigger Picture: Fairness, Privacy, and E-Waste

Consumer Reports’ appeal isn’t just about a few extra patches. It frames the end-of-support cliff as a public-safety and consumer-protection issue. Unpatched Windows 10 boxes are prime targets for botnets, ransomware, and credential theft, turning them into attack launchpads that hurt everyone online. The organization’s public-health analogy is persuasive: the collective risk grows with every unprotected node.

Privacy advocates point out that conditioning free security on Microsoft account sign-in and data syncing is a troubling pattern. The Windows Backup route silently funnels settings and files into OneDrive, while Rewards redemptions require active use of Bing or Xbox services. Critics say no one should have to hand over identifiable telemetry or adopt unrelated products just to stay safe.

Environmental groups have also sounded alarms. “Forcing millions of functional PCs into landfills because they lack a TPM chip is a staggering waste,” one report noted. The 200–400 million ineligible PCs represent not just a financial hit but a massive e-waste surge if replacement is the only option. Organizations like PIRG have petitioned Microsoft for better trade-in incentives and extended support to mitigate that damage.

On the other side, Microsoft has engineering realities to manage. Backporting security fixes to a decade-old OS across an immense mix of hardware is expensive and error-prone. The company has long argued that a modern security baseline—TPM 2.0, Secure Boot, virtualization-based integrity—is essential to thwart sophisticated firmware attacks. Its consumer ESU is meant as a temporary, paid bridge to nudge the ecosystem forward without abandoning users completely on day one.

How to Secure Your Windows 10 PC Right Now

Whatever long-term path you choose, immediate steps can reduce risk:

  1. Inventory your devices. List every Windows 10 machine you own or manage, and flag those used for banking, work, or other sensitive tasks.
  2. Check Windows 11 eligibility. Download the PC Health Check app from Microsoft’s website. If your PC fails due to TPM or CPU, check if a firmware update or a TPM header on your motherboard (for custom builds) can remedy it.
  3. Decide on ESU enrollment. If your machine won't upgrade, enroll in the consumer ESU before the deadline. Test the activation method now—whether that means linking a Microsoft account, earning Rewards points, or purchasing the license. Note: the ESU license is per device, not per person, and covers only the 12 months ending October 2026.
  4. Explore trade-in programs. If you’re leaning toward replacement, check current promotions on Microsoft Store, Amazon, or Best Buy. Some vendors offer recycling vouchers or discounts for trading in old laptops.
  5. Consider open-source alternatives. For secondary or non-critical machines, try a Linux live USB to test compatibility. ChromeOS Flex is another free, auto-updating option for older Intel-based PCs.
  6. Implement network isolation. On devices you cannot patch or replace, use a dedicated guest network, disable Wi-Fi if possible, and avoid using them for sensitive logins. A good endpoint antivirus can add a layer of defense, but don’t rely on it alone.

What to Watch Next

All eyes are on Microsoft’s response to Consumer Reports. The company has historically adjusted lifecycle policies under pressure—for instance, extending Windows XP support years ago amid enterprise entreaties. A limited free extension for demonstrably ineligible devices, coupled with privacy-friendly activation, would defuse much of the criticism without undoing Microsoft’s security-first architecture push. Look for announcements during upcoming Microsoft events or via its support lifecycle pages. In the meantime, the October countdown ticks on, and the decisions users make in the coming weeks will determine whether the post-support landscape is a managed transition or a security disaster.