Microsoft has quietly extended its consumer Extended Security Updates (ESU) program for Windows 10, giving millions of users two more years of critical security patches instead of the single year originally promised. The new end date is October 12, 2027, up from October 13, 2026. For anyone still clinging to the aging OS—whether by choice or because their hardware can’t run Windows 11—the extension turns a short-term emergency plan into a genuine migration runway. But don’t mistake it for a permanent stay. ESU remains a security-only safety net, and it comes with precise technical gates, privacy trade-offs, and a hard expiration that demands deliberate planning.

Microsoft ended official support for Windows 10 on October 14, 2025. That cutoff halted feature updates, quality fixes, and the regular stream of security patches for consumer editions (Home, Pro, Pro Education, Workstation). The ESU program was designed as a bridge—enterprise-style paid updates ported to consumers—to keep devices protected while households and small businesses slowly transition to modern hardware and software. In a surprise move, the company has now lengthened that bridge by more than a year, a tacit acknowledgment that the Windows 11 hardware bar remains too high for a large chunk of the installed base.

The New ESU Timeline: Two Years of Security, Zero Features

When the consumer ESU program first surfaced, Microsoft committed to covering Windows 10 version 22H2 from October 15, 2025, through October 13, 2026. The revised schedule pushes the hard stop to October 12, 2027. During those 24 months, enrolled devices receive only security patches designated Critical or Important. No new features, no design updates, no general bug fixes, and no technical support beyond the patches themselves. It is a strictly defensive measure, intended to thwart exploits while users figure out their next move.

Also playing into the urgency: Microsoft’s Secure Boot certificates are expiring imminently. The PCMag report highlights that outdated certificates could leave unprotected Windows 10 machines more vulnerable to low-level boot attacks. Enrolling in ESU delivers the updated certificates alongside regular security fixes, effectively restoring boot-layer protections that would otherwise degrade. This one-two punch—patch continuity plus certificate renewal—makes ESU enrollment far more critical than a simple patch extension.

Who Is Eligible (and Who Isn’t)

Eligibility is narrow by design. The program covers only Windows 10, version 22H2, on Home, Pro, Pro Education, and Workstation editions. Devices must have all cumulative updates installed, including a specific August 2025 rollup that fixes enrollment wizard visibility issues. If you’re not already on 22H2, applying that feature update is non-negotiable.

Ineligible devices include:
- Domain-joined enterprise machines (these rely on volume-licensing ESU programs managed by IT departments)
- Most MDM-managed or Azure AD-joined devices with enterprise configurations
- Kiosk-mode or other locked-down configurations

Crucially, the consumer ESU enrollment wizard requires a Microsoft Account (MSA). Local-account-only users must link a Microsoft Account or create one. That’s a non-starter for privacy-conscious households that have deliberately avoided Microsoft’s centralized login. For them, the security benefit comes bundled with a privacy trade-off.

How to Enroll: Three Paths, One Destination

Microsoft offers three enrollment routes, all accessible through Settings → Update & Security → Windows Update once the staged “Enroll now” wizard appears. Each delivers the same ESU coverage tied to your Microsoft Account, and a single license can cover up to 10 devices signed into that account. The routes differ in cost and mechanics.

1. OneDrive Backup (Free, with Storage Caveats)

  • How it works: You enable Windows Backup and sync your settings and files to OneDrive. The act of storing a backup on OneDrive qualifies you for ESU coverage.
  • Pros: No direct cash outlay for the ESU itself. Integrates with Microsoft’s cloud backup features and works across multiple devices with the same MSA.
  • Cons: The free OneDrive tier offers only 5 GB of storage. A full system image or large user profile will almost certainly require a paid OneDrive plan. You also hand your data and settings to Microsoft’s cloud, which may not sit well with privacy-sensitive users.

2. Microsoft Rewards Redemption (1,000 Points)

  • How it works: Redeem 1,000 Microsoft Rewards points to unlock ESU. Points are earned through activities like Bing searches, Edge browsing, Xbox tasks, or promotional installs.
  • Pros: Zero dollars if you already have the points. Rewards regulars may find this the easiest path.
  • Cons: Accumulating 1,000 points from scratch can take weeks of active use. Point-earning mechanics change frequently; a promotional example (e.g., 500 points for installing a mobile app) is not a guarantee. Treat this route as a convenience only if you’re already deep in the Microsoft ecosystem.

3. One-Time Purchase ($30)

  • How it works: Pay a flat $30 fee (tax may vary by region) for a one-year ESU license. The license is tied to your Microsoft Account and covers up to 10 devices.
  • Pros: Simple, immediate, no setup changes. No need to alter backup settings or engage with Rewards.
  • Cons: It’s a paid stopgap—$30 for one year, and you’ll need to re-evaluate when the new 2027 deadline approaches. For multi-device households, the per-device cost is negligible.

All three routes require the same prerequisites: Windows 10 22H2, latest cumulative updates, and a Microsoft Account. Once enrolled, security patches flow through Windows Update as they normally would for a supported OS, but only Critical and Important classifications.

What ESU Does—And Doesn’t—Do

Microsoft is explicit about the boundaries of ESU:
- It provides security-only updates. These address vulnerabilities that could allow remote code execution, elevation of privilege, or information disclosure.
- It does not include feature updates, quality-of-life improvements, or non-security bug fixes. Over time, third-party software and drivers may stop supporting Windows 10, even with ESU, because vendors follow the OS lifecycle.
- It updates Secure Boot certificates to maintain boot-time integrity.
- Office apps (Microsoft 365) will continue to receive security updates on Windows 10 through October 2028, but feature updates will taper off earlier depending on your update channel. Verify your specific licensing for exact dates.

ESU is a security life-support machine, not a fountain of youth. The OS will feel increasingly frozen in time.

Planning Your Migration: A Two-Year Roadmap

The newly extended timeline is a gift of breathing room, not an excuse to procrastinate. Use the next 24 months intentionally:

Now – Early 2026: Confirm your edition is 22H2 and install all pending updates. If you haven’t already, create a full disk image backup and an offsite copy of critical files. Decide which enrollment route fits your budget and privacy comfort. Enroll early to avoid last-minute rollout hiccups.

2026: Test your must-have applications on Windows 11 in a lab or spare machine. Identify hardware gaps—many older PCs lack TPM 2.0, Secure Boot, or supported CPUs. Budget for a new device or a motherboard/CPU refresh if feasible. If your hardware is truly incompatible, research supported alternatives like lightweight Linux distributions or ChromeOS Flex for non-gaming roles.

Early 2027: By this point, your migration should be in motion. ESU patches will still arrive, but the clock is ticking. If you’ve been on the fence about Windows 11, late 2026 should see a stable, mature OS (likely the 24H2 or 25H2 release) with most early-adopter kinks worked out. Start replacing or upgrading production machines first, leaving low-risk devices for last.

October 2027: The final patch arrives. After this date, no more security updates, no more Secure Boot certificate renewals. Your Windows 10 machine will become an unsupported target. If you haven’t moved by then, you’re gambling.

Decision Framework: Keep Windows 10 or Move On?

Use ESU if:
- Your PC cannot meet Windows 11’s hardware requirements (TPM 2.0, Secure Boot, supported CPU), and replacing it now is financially impractical.
- You need additional time to validate line-of-business applications or complex workflows that break on Windows 11.
- You want the simplest, cheapest way to buy 24 months of security while planning a hardware refresh.

Do not rely on ESU if:
- You expect new features, driver updates, or game compatibility improvements. ESU won’t deliver them.
- You refuse to use a Microsoft Account. The enrollment wizard requires an MSA; there is no workaround.
- You operate in a regulated industry that mandates a fully supported, modern OS for compliance. ESU’s limited scope and finite window won’t satisfy auditors.
- You believe the 2027 deadline will be extended again. There is zero public commitment beyond October 2027. Plan for the worst.

Privacy and Practical Pitfalls

The Microsoft Account requirement is a sore point. By enrolling, you link your OS license and security posture to a cloud identity. That linkage enables cross-device ESU licensing (up to 10 devices) but also funnels device activity through Microsoft’s ecosystem. If privacy is paramount, you’ll need to weigh the risk of running an unpatched machine against the data exposure. The OneDrive route amplifies this: turning on Windows Backup syncs browser data, passwords, and system settings to the cloud, often in a way that’s hard to fully reverse.

The “free” OneDrive path may also carry hidden costs. Windows Backup can quickly balloon beyond the 5 GB free tier, prompting upgrade prompts. A one-time $2 monthly OneDrive plan (100 GB) might suffice, but that turns a free ESU enrollment into a recurring expense over two years. The Rewards route avoids cash outlay but demands ongoing engagement with Microsoft services—again, a privacy consideration.

For households with multiple Windows 10 PCs, the $30 paid route is often the most pragmatic: it’s a fixed cost, covers all eligible devices under one account, and doesn’t require altering backup habits. But even that route forces you to manage a Microsoft Account if you don’t already have one.

The Unsupported Alternative: Windows 11 on Ineligible Hardware

Some users will be tempted to force-install Windows 11 on unsupported hardware using registry bypasses or third-party tools. Microsoft actively discourages this and has warned that those systems may not receive future updates, including security patches. The company could block these installs at any time via servicing stack updates. While the current state of unsupported installs is functional for many, it’s a fragile foundation. ESU is the safer, officially sanctioned bridge.

Frequently Asked Questions

Will Microsoft extend ESU again after 2027?
No public plans exist. Treat the 2027 endpoint as final.

Can I enroll after October 14, 2025?
Yes, enrollment remains open throughout the ESU window, but enrolling after the support end date leaves your device unprotected until the enrollment is processed. The wizard is rolled out in phases; early enrollment is more reliable.

Does ESU cover Windows 10 IoT or LTSC editions?
No. Those editions have separate lifecycle policies. Consumer ESU is strictly for version 22H2 Home/Pro/Pro Education/Workstation.

What about Secure Boot certificates?
ESU updates include new certificates that prevent boot-time attacks. Without them, unpatched machines may eventually fail to verify bootloaders, potentially causing boot failures or security holes. Enrolling in ESU is the only official way to get those renewed certificates on Windows 10.

Can I keep using Microsoft 365?
Yes, with caveats. Security updates for Office apps on Windows 10 continue through October 2028, but feature updates will diminish. Check your channel (Current Channel, Monthly Enterprise, etc.) for exact dates. After 2028, even security patches stop.

Bottom Line: Act Now, Plan Ahead

Microsoft’s extended ESU window is a pragmatic, if limited, response to a reality where millions of serviceable PCs can’t jump to Windows 11. The three-path enrollment—OneDrive backup, Rewards points, or $30 payment—accommodates different user profiles, though each demands a Microsoft Account. The addition of Secure Boot certificate renewal makes enrollment nearly essential for anyone staying on Windows 10.

What hasn’t changed is the clock. Two years might feel like forever in tech, but it passes quickly when you’re budgeting for new hardware or retesting your entire software stack. Start now: upgrade to 22H2, install the latest cumulative update, create a full backup, and decide how you’ll enroll. Use the renewed breathing room not to stall, but to plan a deliberate, unhurried exit from Windows 10 before the lights go out for good in October 2027.