Microsoft has officially opened the consumer Extended Security Updates (ESU) program for Windows 10, giving holdouts one more year of critical security patches for either a free OneDrive backup or a $30 fee—a lifeline that arrives with strict prerequisites, privacy trade-offs, and a non-negotiable expiration date of October 13, 2026.

Staring down the October 14, 2025 end-of-support deadline, millions of PCs still running Windows 10 can now enroll in a last-resort plan that buys time but not a permanent solution. The program, once exclusive to enterprises, now extends to individual users with a single year of security-only updates. Enrollment is phased, tied to a Microsoft Account, and requires careful attention to update prerequisites—including the critical August 12, 2025 cumulative update KB5063709.

Background: Why Microsoft Launched Consumer ESU

Windows 10 reaches its official end of support on October 14, 2025. After that date, Microsoft will stop delivering routine feature updates, quality fixes, and general technical support. For organizations, the ESU program has long offered up to three additional years of security patches at escalating per-device costs. The consumer version, however, is far more limited: one year, one purchase, and a maximum of ten devices tied to a single Microsoft Account.

The move acknowledges that a large installed base either cannot or will not upgrade to Windows 11. Hardware compatibility requirements—TPM 2.0, Secure Boot, and specific CPU generations—lock many users out of the newer OS. For those who need more time, ESU is a tightly scoped stopgap.

Strict Eligibility: What You Need Before Enrollment

Not every Windows 10 machine qualifies. Microsoft’s requirements are narrow and non-negotiable:

  • Windows 10 version 22H2 only. Home, Pro, Pro Education, and Workstation editions are eligible. Enterprise, domain-joined, MDM-managed, kiosk, and Entra-joined devices are excluded—those must use the separate enterprise ESU program.
  • All latest cumulative updates installed. The most critical is KB5063709, the August 12, 2025 cumulative update (build 19045.6216 for 22H2). It fixes early wizard crashes and adds ESU enrollment fixes. Without it, the enrollment UI may not appear or may fail.
  • Microsoft Account (MSA) with administrator rights. The enrollment is tied to the MSA, not the device. Local accounts won’t work. However, after enrollment, you can switch back to a local account and retain the ESU entitlement.

These requirements are absolute. If your PC doesn’t run 22H2 or is managed by enterprise IT, the consumer path is closed. Check Windows Update repeatedly until no pending updates remain, confirm build 19045.6216 or later, and sign in with an MSA that has admin privileges.

What ESU Delivers—and What It Doesn’t

ESU provides security-only updates rated Critical or Important by the Microsoft Security Response Center (MSRC). That means:

  • Yes: Patches for actively exploited vulnerabilities, malware defense updates, and threat response.
  • No: Feature updates, non-security reliability fixes, driver updates, firmware updates, or general product support.

Two separate continuations soften the blow but do not replace OS-level patches:

  • Microsoft 365 Apps: Security updates for Office on Windows 10 will continue through October 10, 2028.
  • Microsoft Defender: Security intelligence and definition updates will be available through at least October 2028.

These are independent of Windows Update and do not extend the OS lifecycle. They ensure that Office documents and antivirus detection remain protected, but kernel-level vulnerabilities and platform exploits will worsen without ESU.

Three Enrollment Paths: Free, Rewards, or Paid

The wizard inside Windows Update presents three options, each tied to the same Microsoft Account:

1. Free via OneDrive Backup

This route requires enabling Windows Backup (settings sync) to OneDrive. If your PC settings backup fits within the free 5 GB tier, you pay nothing. Many users will sail through, but heavy OneDrive users may hit the limit and be forced to buy more storage or switch to another method. Privacy-conscious users should note that selecting this option temporarily syncs account data and settings to Microsoft’s cloud.

2. Microsoft Rewards (1,000 points)

If you’re a Rewards member with sufficient points, you can redeem 1,000 points to activate the ESU entitlement. Early rollout saw intermittent redemption failures, but Microsoft’s August cumulative addressed many of those glitches.

3. Paid ($30 USD one-time)

The straightforward purchase covers one year of security updates and applies to up to ten eligible devices on the same MSA. Microsoft lists the value as $30, though pricing may vary by market. The payment processes through the Microsoft Store inside the wizard, and once completed, the entitlement attaches to your account.

All three methods ultimately do the same thing: mark your MSA as an ESU holder, allowing up to ten associated devices to receive ESU patches through Windows Update.

Step-by-Step Enrollment Guide

Before starting, install KB5063709 and sign in with an MSA that is an administrator on the PC.

  1. Open Settings → Update & Security → Windows Update. Click “Check for updates” and install everything pending. Reboot and repeat until no updates remain.
  2. Look for the ESU notification. Under the “Windows 10 support ending in October 2025” banner, an “Enroll now” link should appear. If it’s missing, the rollout is phased—wait or re-check after a reboot.
  3. Click “Enroll now” and follow the wizard. Choose your enrollment method: “Back up your PC settings” (free), “Redeem Microsoft Rewards points,” or “One-time purchase.”
  4. Complete the on-screen steps. For the free option, enable Windows Backup if prompted. For paid, you’ll be taken to a Store purchase flow. After success, the wizard will show a confirmation.
  5. Verify enrollment. In Windows Update settings, you should see “Your PC is enrolled to get Extended Security Updates.” Future ESU patches will carry that label in update history.

Troubleshooting Common Hiccups

  • Enrollment option not appearing: The rollout is staged, with Insiders and some channels getting it earlier. Installing KB5063709 is the single most effective step. If still missing, patience is required—but don’t wait until October 14 to try.
  • Wizard crashes or errors: KB5063709 specifically addresses enrollment wizard crashes. If you installed that update and still see issues, run the Windows Update Troubleshooter and re-check prerequisites.
  • MSA reluctance: You can sign in with an MSA solely for enrollment, activate ESU, and then revert to a local account. The entitlement stays with the MSA, and patches will continue to install. However, any settings synced during the free enrollment process will have been uploaded to OneDrive; consider manually disconnecting or clearing that data afterward if privacy is a concern.

Privacy, Storage, and Account Binding Trade-offs

The mandatory MSA requirement is a significant shift. For the first time, an otherwise local-account-driven workflow must connect to a Microsoft Account to receive security updates. Even the paid option demands an MSA. This means:

  • Your ESU entitlement is now a cloud-bound license, not a local device property.
  • If you use the free OneDrive path, your PC settings and potentially some app data are synced to Microsoft’s servers. The 5 GB free tier is usually sufficient for settings backups, but large credential stores or profile data could force a paid storage upgrade.
  • Microsoft’s ability to tie the entitlement to an account raises questions about ecosystem lock-in. However, the entitlement is portable: if you replace a device, you can sign in with the same MSA and activate ESU on the new machine (up to the 10-device limit).

For truly privacy-averse users, the only “clean” path is to pay the $30, complete enrollment, and immediately revert to a local account while ensuring OneDrive backup was never enabled. Even then, the MSA linkage for entitlement verification remains in the background.

Pricing and Alternatives to ESU

While the consumer ESU is valued at $30 for one year across ten devices, enterprise customers pay more for multi-year coverage. For organizations, the old ESU model started at about $61 per device for the first year, $122 for the second, and $244 for the third—a steep ladder designed to encourage migration.

Consumers have essentially three long-term options:

  • Upgrade to Windows 11. If your PC meets the hardware requirements (TPM 2.0, Secure Boot, compatible CPU), this is the only path that restores full OS servicing, feature updates, and free support. The upgrade is still free for existing licenses.
  • Replace the device. For hardware that can’t run Windows 11, a new PC that comes with Windows 11 preinstalled is the safest bet for continued full support.
  • Switch operating systems. Linux distributions or ChromeOS Flex can breathe new life into older hardware, but application compatibility, data migration, and learning curves demand careful planning.

ESU is explicitly not a long-term solution; Microsoft designed it as a one-year bridge for those who need more time to migrate.

Risks, Limitations, and Things to Watch

  • One-year timebox is absolute. On October 14, 2026, patches stop. There is no renewal for consumers. You must have a migration plan in place by then.
  • No feature or quality fixes. If a non-security bug breaks something, you’re on your own. Driver and firmware support will gradually degrade for older hardware.
  • Phased enrollment could catch procrastinators off guard. Rollout delays or last-minute glitches could leave a device unprotected on the EOL date. Enrolling in August or September 2025 is far safer than waiting until October 13.
  • Defender and Office extensions create a false sense of security. While Microsoft 365 Apps and Defender definitions continue through 2028, they do not address OS-level vulnerabilities. Attackers will increasingly target Windows 10 kernel or service exploits after October 2025.

Practical Checklist Before You Enroll

  1. Confirm Windows 10 version 22H2 (Settings → System → About).
  2. Run Windows Update until no pending updates remain; verify KB5063709 (build 19045.6216 or later) is installed.
  3. Sign in with a Microsoft Account that has administrator rights on the device.
  4. Back up your files independently to an external drive or alternative cloud—do not rely solely on OneDrive settings sync.
  5. Open Windows Update and click “Enroll now” when it appears. Follow the wizard.
  6. Verify enrollment in update history for ESU-labeled patches.

Critical Analysis: Strengths and Concerns

Strengths

  • Pragmatic stopgap. Recognizes the reality that millions of PCs won’t move by the deadline and gives consumers a simple, affordable way to stay secure for one more cycle.
  • Household-friendly licensing. One MSA covers up to ten devices, making it cheap for families.
  • Extended app and Defender coverage. Microsoft 365 and Defender updates out to 2028 reduce immediate exposure on the application and antivirus fronts.

Concerns

  • MSA mandate erodes local account privacy. Even with a paid plan, the account binding introduces new data collection and cloud dependence that some users resent.
  • One-year limit forces a hard deadline. Unlike the enterprise three-year option, consumers get no reprieve. This could leave slower adopters in the lurch again in 2026.
  • Rollout fragility. Early bugs and phased availability created uncertainty. Relying on a smooth enrollment in the final days is risky.
  • OS decay will accelerate. Without driver or firmware updates, hardware performance and compatibility may degrade faster than expected, especially on older machines.

Bottom Line

If you cannot upgrade to Windows 11 and need to keep your PC protected immediately after October 14, 2025, enroll in the consumer ESU program now. Install KB5063709, sign in with a Microsoft Account you control, back up your data independently, and choose the enrollment method that fits your privacy and budget needs. Then, immediately map out a migration path to a supported platform—whether that’s a Windows 11 upgrade, new hardware, or an alternative OS—because on October 14, 2026, the patch funding runs dry.