Windows 10’s official end-of-support date lands on October 14, 2025. After that Tuesday patch run, Microsoft will stop shipping free security patches, bug fixes, and technical support for the operating system that still powers more than 60 percent of the world’s Windows PCs. For millions of machines that cannot or will not move to Windows 11, the alternative is a paid lifeline called Extended Security Updates (ESU).

First introduced for Windows 7 in 2020, the ESU program grants post-retirement access to critical and important-rated security patches. For the first time, Microsoft is opening ESU to everyday consumers, not just volume-licensing businesses. The offer spans three years — October 2025 to October 2028 — but the clock ticks in a very specific way, and the “mid-2026” milestone matters more than most users realise.

What Extended Security Updates Actually Deliver

ESU is not a service pack. It is a narrowly scoped security maintenance stream. Subscribers receive monthly security-only updates, typically the same fixes delivered to Windows 11 and Windows Server where vulnerabilities overlap. There are no new features, no driver enhancements, no design refreshes, and no technical support incidents included.

Microsoft labels each update as “Security Update for Windows 10 (ESU)” and delivers it through the standard Windows Update channel once the ESU key is activated on the machine. The company reserves the right to skip low-severity bulletins, meaning a vulnerable Windows 10 system might still be exposed to moderate-rated flaws that Microsoft decides not to backport.

The crucial line to draw: ESU keeps the operating system safe from publicly exploited zero-days and known critical remote-code-execution bugs. It does not keep third-party software patched, nor does it extend support for browsers, productivity suites, or drivers. Antivirus engines will continue to receive definition updates as long as vendors support the platform, but the onus shifts to the user.

The Mid‑2026 Enrollment Reality

Microsoft’s model for consumer ESU differs from the enterprise program. Rather than requiring a key before October 14, 2025, the consumer path allows users to purchase ESU annually through the Microsoft Store. However, the catch is timing: the “mid‑2026” window is when you must have enrolled to stay securely patched. If you wait until the fall of 2025, you purchase Year 1 coverage. If you delay until 2026, you must still buy Year 1 and then Year 2 back-to-back to receive any update at all, because coverage is cumulative. Skipping a year means forfeiting that year’s patches entirely, which can leave gaps that attackers exploit.

This arrangement echoes the Windows 7 ESU program, where enrollment had to be completed within a prescribed window after end of support. Some users mistakenly assumed they could buy ESU at any time and instantly catch up on all missed updates; Microsoft’s documentation makes clear that is not the case. The company expects the first batch of consumer ESU licenses to appear in the Microsoft Store around November 2025, shortly after the final free Patch Tuesday round.

Who Is Eligible — And Who Is Not

ESU for Windows 10 covers specific editions:

  • Windows 10 Pro
  • Windows 10 Pro for Workstations
  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 10 IoT Enterprise

Windows 10 Home is conspicuously absent from the consumer ESU plan. That means the hundreds of millions of Home edition PCs will not have an official Microsoft security net unless the owner performs an edition upgrade to Pro first. The upgrade itself is a one-time purchase, but it must be completed before or shortly after the end-of-support date to benefit from ESU. Microsoft has not indicated that a special ESU SKU will ever be offered for Home users.

For businesses, the ESU program runs through the Volume Licensing Service Center or a Cloud Solution Provider. Enterprise customers can also take advantage of the Windows 10 ESU through Windows 365 or Azure Virtual Desktop, where the update is included in the subscription cost for Windows 10 virtual machines. That option effectively allows a business to keep a managed Windows 10 desktop in the cloud while transitioning local hardware to Windows 11.

Pricing: What We Know So Far

Microsoft has not published the final consumer price, but historical precedent sets expectations. For Windows 7, businesses paid roughly $25 per device for Year 1, $50 for Year 2, and $100 for Year 3, doubling each year. Consumer pricing for Windows 10 ESU is rumored to be significantly lower — perhaps around $30 per year for a single PC — but Microsoft’s official silence means any figure is speculative. What is certain is that the cost compounds if a user waits: buying Year 2 only is not possible without having bought Year 1, and Year 3 requires all three years.

Enterprise pricing follows the traditional doubling model. A Windows 10 device already enrolled in a Microsoft 365 E5 subscription may have ESU included as a benefit, though details depend on contract terms. Education customers consistently receive the steepest discount, often paying a flat $1 per device for Year 1, then $2 and $4 for subsequent years. Microsoft uses that pricing to ease sticker shock for school districts with tight budgets and large fleets of aging hardware.

Practical Steps to Lock Down a Post‑ESU Windows 10 Machine

Simply paying for ESU does not equal security. The updates address the operating system kernel, platform components, and built-in applications, but the broader attack surface demands active hardening.

1. Enable Secure Boot and TPM 2.0. Even though Windows 10 does not mandate TPM 2.0 for installation, the hardware security it provides is essential after support ends. Secure Boot ensures that only trusted code executes during startup, preventing bootkits that bypass OS-level defences. If your PC supports it, turn on Memory Integrity (also called Hypervisor-protected Code Integrity) under Windows Security > Device Security.

2. Keep browsers and extensions current. After October 2025, Google Chrome, Mozilla Firefox, and Microsoft Edge will continue releasing updates that run on Windows 10. Disable or remove unnecessary browser extensions, and enforce automatic updates. The browser remains the primary entry point for phishing and drive-by downloads, and no OS patch will save a user who clicks through a well-crafted social-engineering attack.

3. Use a minimally-privileged account. Run day-to-day tasks under a standard user account, not an administrator. The UAC prompt that appears when a process needs elevation is a last line of defence; malware that can’t escalate privileges is severely limited in the damage it can cause.

4. Apply application control or whitelisting. Windows has built-in tools like AppLocker (Windows 10 Enterprise and Education) and Windows Defender Application Control. For Pro editions, the free Microsoft tool “WDAC Wizard” can create a baseline policy that blocks untrusted executables. It is an advanced step, but one that markedly reduces the risk from unknown binaries.

5. Harden network-facing services. Remote Desktop Protocol (RDP) should never be exposed directly to the internet without a VPN or Azure Bastion. Network Level Authentication must be enforced, and if possible, restrict RDP access to specific IP ranges. The same principle applies to any internal services — file shares, printer services — that might be listening on the network.

6. Deploy a layered endpoint detection stack. Microsoft Defender will continue receiving security intelligence updates through 2028 on ESU machines, but its effectiveness against zero-day exploits diminishes as mitigations such as Control Flow Guard and Arbitrary Code Guard are no longer improved on the platform. Complementary solutions, such as a hardware firewall, DNS filtering, and application sandboxing via Windows Sandbox (if available), add depth to the defence.

7. Isolate legacy systems. If a Windows 10 machine must remain connected, place it on a separate VLAN with strict firewall rules. Limit its communication to essential internal servers and block direct internet access where possible, routing through a proxy that inspects traffic.
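
A read-only way to check steps 1, 4 and 5 on a given machine, as an added example that is not Microsoft's or this article's own code. It assumes an elevated PowerShell prompt and RDP on its default TCP port 3389; the report field names are this example's own.

```powershell
# Read-only audit of hardening steps 1, 4 and 5. Run from an elevated prompt.
# Report field names are this example's own; RDP is assumed to use TCP 3389.

function Test-Safely([scriptblock]$Check) {
    # Confirm-SecureBootUEFI and Get-Tpm throw on legacy BIOS, missing hardware
    # or a non-elevated session; report those cases as 'Unknown' instead.
    $ErrorActionPreference = 'Stop'
    try { & $Check } catch { 'Unknown' }
}

# Step 1: Secure Boot, TPM and Memory Integrity (HVCI)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
    -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$tpmSpec = Test-Safely {
    (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
}

# Step 4: state of the WDAC code integrity policy (0 = off, 1 = audit, 2 = enforced)
$wdacState = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
    2 { 'Enforced' } 1 { 'Audit' } 0 { 'Off' } default { 'Unknown' }
}

# Step 5: is RDP on, is NLA required, and which allow rules accept any source address
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled  = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
$openRdpRules = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } | Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })

[pscustomobject][ordered]@{
    SecureBootEnabled = Test-Safely { Confirm-SecureBootUEFI }
    TpmReady          = Test-Safely { (Get-Tpm).TpmReady }
    TpmSpecVersion    = $tpmSpec
    MemoryIntegrityOn = [bool]($dg -and $dg.SecurityServicesRunning -contains 2)
    WdacPolicy        = $wdacState
    RdpEnabled        = $rdpEnabled
    RdpNlaRequired    = $nlaRequired
    RdpRulesOpenToAny = $openRdpRules.DisplayName -join '; '
} | Format-List
```

The registry values read here are the local settings; where Group Policy configures Remote Desktop, the values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services take precedence and should be checked as well.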

The Clock Beyond the ESU Program

ESU ends completely in October 2028. At that point, no further security updates of any kind will be provided for Windows 10, even for paying customers. Microsoft sometimes offers a one-year last-minute extension under extraordinary circumstances — it did so for Windows 7 and for Windows Server 2008 — but organisations should plan as if 2028 is final.

For consumers, the end of ESU means a forced upgrade to Windows 11 or a migration to an alternative operating system. Used PCs that are too old to run Windows 11 officially will be left unprotected, accelerating e-waste concerns. Environmental groups have already pressured Microsoft to extend support or soften hardware requirements, but so far the company has only reiterated its commitment to the October 2025 deadline.

Windows 11 as the Obvious Successor — With Caveats

Microsoft designed Windows 11 around stricter hardware requirements: TPM 2.0, Secure Boot, and an 8th-generation Intel Core or AMD Ryzen 2000 processor at minimum. That cutoff leaves many capable quad-core i7‑7700 systems from 2017 out of the official upgrade path. Unofficial workarounds exist, but they remove the support contract and potentially expose users to compliance issues in regulated industries.

For hardware that meets the bar, Windows 11 delivers always-on security features that Windows 10 simply cannot match. These include VBS-backed credential isolation, hardware-enforced stack protection, and Pluton security processors on newer devices. The migration is the most straightforward path to long-term security, but IT teams managing thousands of endpoints face heavy logistical costs in application compatibility testing and user training.

Microsoft’s own extended lifecycle policy allows Windows 10 Enterprise LTSC 2021 editions to receive mainstream support until 2027, but those are locked to specific channels and are not available to consumers. The 2019 LTSC release reaches end of support in 2029, still leaving a gap for standard Pro and Home users.

Real‑World Decision Points

A small business running a legacy point-of-sale system on Windows 10 IoT Enterprise might find ESU a cost-effective bridge while the software vendor validates Windows 11. A school district with thousands of shared laptops may budget for Year 1 ESU and use the time to accelerate a Chromebook or thin-client rollout. A home user with a single PC that checks email and browses the web may decide that $30 a year is acceptable insurance, provided they follow the hardening steps above.

Conversely, organisations holding sensitive data — law firms, healthcare providers, financial services — will likely be pushed by their cyber-insurance carriers to move off an unsupported operating system as quickly as possible. Many cyber-insurance policies now require that all endpoints run a supported OS; ESU may satisfy that clause, but carriers write their own definitions and may still penalise the perceived risk.

The choice is no longer academic. As the October 2025 date approaches, the window for orderly migration narrows. Microsoft’s final free updates for Windows 10 will ship in September 2025, with the last rollup in October. After that Tuesday, the meter starts running.