Microsoft’s Extended Security Updates (ESU) program for Windows 10 is now open to every consumer — not just Insiders — with two free enrollment paths that let you keep receiving Critical and Important security patches for one full year after the official end-of-support date on October 14, 2025. The move addresses a massive installed base of devices locked out of Windows 11 by hardware requirements, offering a short, strictly time-boxed safety net while users plan their next migration. But the enrollment window is already open, and waiting past the October cutoff will leave your PC completely unpatched until the process completes.

The consumer ESU is not a license to ignore the upgrade clock indefinitely. It delivers only monthly security fixes categorized as Critical or Important — nothing else. No feature updates, no non-security reliability improvements, no driver or firmware support, and no technical support outside of activation and update delivery. Microsoft explicitly positions it as a bridge, not a destination, and the bridge collapses on October 13, 2026.

With only months left before support evaporates, here is everything Windows 10 users must know about enrolling, the real trade-offs nobody is talking about, and the practical timeline for getting off the platform safely.

What exactly is the consumer ESU?

In April 2025, Microsoft laid out the program’s final shape for individuals, small businesses, and home users. The consumer ESU covers Windows 10 version 22H2 (Home, Pro, Pro Education, Pro for Workstations) with all current cumulative updates installed. Enrollment happens through a wizard in Settings → Update & Security → Windows Update that is rolling out in waves. After completing enrollment, Microsoft delivers monthly security-only cumulative updates carrying the same Critical and Important classifications assigned by its Security Response Center.

The scope is deliberately narrow. If you stay on an ESU-protected Windows 10 machine after October 14, 2025, you will:
- Continue receiving fixes for vulnerabilities rated Critical or Important.
- Lose all feature updates, including new capabilities, interface refinements, and under-the-hood platform improvements.
- Lose non-security bug fixes, meaning reliability quirks that don’t carry a CVE simply won’t be addressed.
- Remain dependent on OEM support windows for UEFI, firmware, and driver updates, which typically end sooner than OS support.

Three ways to enroll — two of them free

Microsoft initially planned to charge $30 for a one-year ESU license tied to a Microsoft Account (MSA). Under pressure from the sheer size of the Windows 10 holdout population, the company subsequently added two no-cost options:

  1. Enable Windows Backup and sync settings to OneDrive. This is presented as a cloud-backup first step — you turn on the backup feature in Windows and let it replicate your settings, preferences, and optionally files to OneDrive. Once the sync is active, the ESU enrollment wizard accepts it as a valid, free enrollment method.
  2. Redeem 1,000 Microsoft Rewards points. Available to users who have accumulated points through Bing searches, Xbox activities, Edge usage, or other Microsoft services. The 1,000-point threshold is relatively low; downloading the Bing app alone nets 500 points.
  3. Pay $30. The original paid path remains, and it carries one household-friendly perk: a single $30 purchase covers up to 10 eligible Windows 10 devices signed into the same Microsoft Account. For families juggling multiple aging laptops, that’s a compelling value.

All three paths tie the ESU entitlement to a Microsoft Account, not a traditional 25-character product key. The enrollment wizard walks you through whichever option you pick. Importantly, if you choose the free OneDrive route, your backup is subject to the default 5 GB of OneDrive storage — and Windows Backup plus personal files can quickly exceed that. You may need to either clean out old data or pay for additional OneDrive space, turning a “free” option into a soft upsell.

The Rewards path avoids the storage issue but assumes you already have points or are willing to earn them before the deadline. The $30 route sidesteps both constraints while still requiring an MSA, so there is no truly offline, local-account-only way to secure consumer ESU.

Step-by-step: How to enroll before the October 14 cutoff

Rolling the dice and enrolling after October 14, 2025 is possible, but it introduces a dangerous gap. Any vulnerability exploited between the end-of-support moment and your enrollment completion will remain unpatched forever. To guarantee uninterrupted protection, follow this sequence now — and do not wait.

1. Verify you are on Windows 10 22H2

Open Settings → System → About. The “Windows specifications” section must show version 22H2. If you’re on an older release (21H2 or earlier), run Windows Update and download all pending feature updates immediately. Older editions won’t surface the enrollment wizard.

2. Install every available cumulative update

Go to Settings → Update & Security → Windows Update and click “Check for updates.” Apply everything — including optional updates — until the screen says you’re current. Microsoft has shipped servicing stack patches that are prerequisites for the ESU wizard; some users saw the option only after the August 2025 cumulative update. Reboot after each batch and check again.

3. Create robust backups — plural

The ESU enrollment itself is low-risk, but the months ahead on an unsupported OS core are not. Make a full disk image with a tool like Macrium Reflect or Acronis, and separately copy your user folders (Documents, Pictures, Desktop, etc.) to an external drive or a cloud service of your choice. At minimum, test the restore by bringing back a few files. Never rely on a single backup copy — and do not confuse OneDrive sync with a proper backup. Sync propagates deletions and ransomware damage instantly; a real backup insulates you from those scenarios.

4. Sign in with a Microsoft Account with admin rights

ESU entitlements are bound to an MSA. If you currently use a local account, the wizard will prompt you to switch. That MSA must have administrator privileges on the PC — standard-user accounts won’t be able to complete enrollment.

5. Find and launch the ESU enrollment wizard

Open Settings → Update & Security → Windows Update. Look for a banner or notification about Windows 10 support ending and an “Enroll now” button, typically in the upper-right area of the page. Because the rollout is phased, you may not see it immediately even after installing all updates. If missing, check back daily, or run Windows Update again after a few days. Microsoft has acknowledged the staged nature of the rollout and advises patience.

6. Choose your free or paid option and finalize

Click “Enroll now” and select one of the three paths. If you pick OneDrive sync, the wizard will prompt you to sign into OneDrive and turn on Windows Backup. If you pick Rewards, it will verify your points balance. For the $30 option, you’ll be directed to the Microsoft Store to complete the purchase. After completion, the wizard will confirm your ESU entitlement, which you can double-check in your Microsoft Account’s device list.

Pro tip for multi-PC households

If you manage several devices — say, a family desktop, a laptop, and a media PC — the $30 license is the most economical choice because it extends to up to 10 machines on the same MSA. The free OneDrive path also ties multiple devices to the same account, though each device will independently sync its own backup set. Either way, sign all PCs into the same MSA before enrolling to avoid having to juggle multiple entitlements.

The privacy and storage calculus behind “free”

Enrolling via OneDrive sync or Rewards points isn’t truly free in a privacy-conscious sense. The OneDrive path explicitly requires cloud backups of your Windows settings, potentially including browsing data, passwords, and app configurations. While the data is encrypted in transit and at rest, it creates a persistent link between your machine and Microsoft’s cloud — exactly what some users have been avoiding by sticking with local accounts and offline workflows.

Additionally, if your backup exceeds the 5 GB free OneDrive allotment, Microsoft will prompt you to buy additional storage. This isn’t mandatory to complete ESU enrollment, but the wizard may nudge you toward a subscription. For users with large Documents or Desktop folders, $1.99/month for 100 GB quickly adds up over a year — close to the $30 paid ESU option itself, but with ongoing costs and no multi-device coverage.

The Rewards path sidesteps cloud storage but still ties your ESU to a Microsoft Account activity graph. And obviously, it only works if you already have — or are willing to quickly earn — 1,000 points. Accumulating them organically through searches can take weeks, so do not delay if this is your chosen route.

What ESU does not protect — the hidden gaps

Beyond the official limitation to security-only updates, several real-world gaps emerge once you remain on a deprecated OS:

  • Firmware and UEFI updates end on OEM schedules. Some systems flagged missing Secure Boot certificate updates in August 2025 patches. Without future UEFI patches, those vulnerabilities could persist even if Windows itself is patched. Check your motherboard or laptop vendor’s support page now for any available firmware and apply it while the machine is still actively supported.
  • Application compatibility will degrade. Software vendors — particularly those in regulated industries — will likely drop Windows 10 from their support matrices after mainstream support ends. Expect Office apps to stay patched for three more years (Microsoft 365 will receive only security updates on Windows 10 during that period), but other tools, anti-malware suites, and productivity software may quietly stop receiving updates or stop working altogether.
  • No driver updates through Windows Update. If a problematic driver causes blue screens or performance regressions in 2026, you’ll be on your own unless the OEM independently distributes a fix.
  • No bug fixes for Windows itself. Memory leaks, Explorer freezes, or odd Start menu behavior that Microsoft fixes in Windows 11 won’t trickle down to ESU-enrolled Windows 10 boxes. You get patches for CVEs and nothing else.

This last point is especially critical for power users. The longer you run Windows 10 past its end of support, the more the system diverges from the current codebase, increasing the risk of incompatibilities when you eventually do migrate.

Realistic migration timeline — ESU is your one-year runway

Microsoft’s messaging is clear: use the 12-month ESU window to get to a supported platform. Here is what that timeline should look like for a typical home or small-office user:

  • Now through September 2025: Update to 22H2, apply all patches, complete the ESU enrollment, and immediately begin testing Windows 11 compatibility on any eligible hardware. Use the PC Health Check app or Microsoft’s downloadable compatibility checker. For devices that fail, research alternative OSes (Ubuntu, Linux Mint, ChromeOS Flex) or start budgeting for new hardware.
  • Before October 14, 2025: Finish enrollment if you haven’t already. This is the hard stop for seamless protection.
  • October 15, 2025 – October 13, 2026 (ESU year): Migrate critical workloads. If you’re upgrading to Windows 11 on supported hardware, test your applications in a controlled fashion (dual-boot, virtual machine, or a separate test machine) and then deploy. For unsupported hardware, decide between a cloud-hosted Windows option (Windows 365 or Azure Virtual Desktop), a lightweight Linux distro, or purchasing a new PC. Do not leave the migration until the last month — hardware supply chains and personal schedules can slip.
  • After October 13, 2026: Windows 10 ESU coverage ends entirely. Any device still running Windows 10 at that point will stop receiving patches and will be increasingly vulnerable. Treat this date as your final migration deadline.

If you can’t upgrade — alternative long-term paths

For the millions of PCs that fail Windows 11’s TPM 2.0, CPU generation, and Secure Boot requirements, a few realistic options exist beyond simply buying new hardware:

  1. Lightweight Linux distributions: Modern distributions like Ubuntu 24.04 LTS, Linux Mint 22, or Fedora Workstation are user-friendly, receive security updates for years, and run well on older hardware. They support web browsing, office suites (LibreOffice or web-based Google/Office 365), media playback, and even some light gaming via Steam. For basic productivity and home use, this is a zero-cost, long-term path.
  2. ChromeOS Flex: Google’s official image turns aging PCs into Chromebook-like devices that auto-update and are manageable via the Google Admin console. It’s particularly suitable for education or kiosk scenarios, but it locks you into the Chrome ecosystem.
  3. Cloud desktop (Windows 365): For users who must run legacy Windows apps and have a reliable internet connection, a cloud-hosted Windows 11 instance shifts the hardware burden to Microsoft’s data centers. This is costlier ($20–$40/month for a basic SKU) but ensures your OS is always current without touching local hardware.
  4. Buy a new affordable PC: Entry-level Windows 11 laptops and mini PCs with full TPM 2.0 support now start around $300. When weighed against the $30 ESU fee plus potential OneDrive storage costs and the eventual forced upgrade anyway, a new machine often emerges as the more economical long-term choice.

Avoid unsupported Windows 11 installs achieved via registry bypasses, LabConfig tweaks, or modified ISOs. Microsoft has warned that such configurations may be blocked from receiving updates — even security ones — leaving you worse off than staying on an ESU-protected Windows 10. Community reports already indicate sporadic update failures on bypassed machines, and the risk will only grow.

Checklist — what to do this week

  • [ ] Confirm Windows 10 is on version 22H2 via Settings → System → About.
  • [ ] Run Windows Update repeatedly until no further updates are offered; install optional updates as well.
  • [ ] Make a verified full-disk image backup plus a separate file-level copy of personal data.
  • [ ] Sign into a Microsoft Account with administrator privileges on the target PC.
  • [ ] Open Windows Update and look for the “Enroll now” ESU banner; if absent, wait and check again.
  • [ ] Decide on a free route (OneDrive sync or Rewards points) or the $30 paid plan, and complete the wizard.
  • [ ] Document your ESU enrollment confirmation and save the receipt if you paid.
  • [ ] Inventory firmware and driver versions from your OEM’s support site; apply any available UEFI/BIOS updates now.
  • [ ] Start testing Windows 11 compatibility on any eligible hardware using PC Health Check.

The bottom line

The consumer ESU program is the only sanctioned way to keep Windows 10 secure past October 14, 2025 — and it’s more accessible than ever thanks to two free enrollment methods. But the one-year countdown is ticking, and the program’s narrow focus on Critical and Important security patches means daily reliability, feature stagnation, and ecosystem drift will steadily accumulate.

For most households, the optimal strategy is to enroll now (before the October cutoff), use the twelve months of ESU to methodically test and execute a migration, and treat October 13, 2026 as an absolute deadline. Delaying enrollment only creates an avoidable security gap that exploits will not hesitate to target. Enroll today, plan the upgrade tomorrow, and make sure you are not among the users scrambling the night support ends.