ES-Who? 10 Things You Need to Know About Windows 10 ESU - TrustedTech

Windows

ES-Who? 10 Things You Need to Know About Windows 10 ESU

Written by: Thomas Rosquin

Need Help Figuring Out the Licensing You Need? Save Up to 20% by Chatting with our Experts!

Get Expert Licensing Help

The End of an Era: Microsoft officially ended support for Windows 10 on October 14, 2025, marking the end of a decade of one of the most widely used operating systems. As of late 2024, over 60% of PCs worldwide were still running Windows 10. This means millions of devices face losing security patch support overnight. To address this gap, Microsoft has introduced Extended Security Updates (ESU) – a paid “lifeline” that provides critical security patches for a limited time after the end of support.

This list of ten important things breaks down everything you need to know about Windows 10 ESU, including what it is, how it works, costs, coverage limitations, enrollment steps, and how it compares to upgrading to Windows 11. The goal is to help you make informed decisions about Windows lifecycle management and security planning as Windows 10’s end-of-life approaches.

Key Take-a-ways:

Windows 10 End-of-Support is Here 

All editions of Windows 10 stopped receiving free updates and support after Oct 14, 2025. Running Windows 10 beyond this date without ESU means no new patches and an increased vulnerability.

ESU Bridge

Extended Security Updates offer critical security fixes through 2026 (and up to 2028 for enterprises). ESU provides security patches only, with no new features or technical support, allowing organizations to buy time for their transition.

Upgrade vs. ESU – Cost & Security Trade-offs

Upgrading to Windows 11 is free for licensed Windows 10 users and delivers ongoing improvements. By contrast, sticking with Windows 10 + ESU incurs yearly fees (e.g. ~$30 per PC for consumers; $61 and rising for enterprises) and forgoes modern security features.

1. What Is Windows 10 ESU? 

Extended Security Updates (ESU) for Windows 10 is a Microsoft program that provides a limited extension of critical security updates beyond the official end-of-support date. In essence, ESU is a paid bridge that allows customers to continue receiving critical security patches for Windows 10 version 22H2 after October 14, 2025. This helps reduce the risk of malware and cyberattacks on devices that cannot be immediately upgraded to a newer OS. Importantly, ESU does not include any feature updates, performance improvements, or non-security bug fixes. It also does not provide general technical support beyond update assistance. In other words, ESU is a safety net for security only; it keeps your Windows 10 devices safe from newly discovered vulnerabilities for a while longer. Still, it won’t make them functionally “grow” in features or receive quality updates.

2. The Windows 10 End-of-Life Timeline 

Windows 10’s lifecycle is drawing to a close, and it’s essential to understand key dates and milestones. Here’s a timeline of the Windows 10 end-of-life and the ESU program:

  • July 29, 2015: Windows 10 Released - Microsoft launches Windows 10, kicking off a 10-year support lifecycle for the OS. 
  • October 5, 2021: Windows 11 Released Windows 11 debuts as the next-generation OS, giving Windows 10 users a new upgrade path ahead of Windows 10’s retirement.
  • October 14, 2025: Windows 10 End of Support (EOS) - Official end-of-life date for Windows 10. After this date, Microsoft ceases all free security updates, bug fixes, and technical support for Windows 10. PCs running Windows 10 will continue to work, but become increasingly vulnerable to new threats. 
  • October 15, 2025: ESU Program Begins -  The day after Windows 10 EOS, the Extended Security Updates program becomes active. Eligible users can enroll to receive critical security patches going forward, via either free or paid ESU options (see enrollment section below).
  •  October 13, 2026: ESU Year 1 Ends - The first year of extended security coverage ends on this date. For consumer Windows 10 devices, this is the final supported date under ESU. Devices enrolled in ESU receive security patches up to this day. After this, no further updates will be provided unless the device is covered under an enterprise ESU extension. 
  • October 13, 2027: ESU Year 2 (Enterprise) - For organizations that purchased a second year of ESU (enterprise program), critical updates continue through late 2027. Year 2 coverage is available at an increased cost (doubling from year 1). This date marks the end of the second extended year for those who renewed the ESU subscription. 
  • October 13, 2028: Final Windows 10 Security Updates - This is the last possible date on which any Windows 10 device can receive an official security update. With the third year of enterprise ESU (if purchased) concluding in October 2028, Windows 10’s extended support window closes entirely. Beyond this point, Windows 10 will no longer receive any further patches or support from Microsoft.

As shown above, October 14, 2025, is the critical cutoff date when standard support ends. After that date, only systems enrolled in the ESU program will continue to get patches, and even those are limited to security fixes. For most individual users, ESU buys one extra year (until Oct 2026). For businesses willing to pay annual, escalating fees, ESU can be extended to a total of three years post-EOS (until October 2028).

IT departments need to mark these dates on their roadmaps. Each passing year after 2025 will see more Windows 10 PCs phased out of support. The sooner you plan your transition, the better – waiting until 2026 or 2027 to migrate means working under the pressure of expiring security coverage. Microsoft’s clear intent is that ESU is a temporary bridge, not a permanent solution, to span the gap between Windows 10’s end-of-life and your organization’s transition to a supported OS.

3. Who is ESU for?

It’s intended for individuals and organizations that need more time to transition away from Windows 10. For example, businesses running legacy applications or facing hardware upgrade delays may use ESU to secure their Windows 10 systems while they prepare for Windows 11. Even home users with PCs that cannot meet Windows 11’s requirements may opt for ESU as a temporary solution. Microsoft has, for the first time, extended this program to consumers as well as enterprises (previous ESUs were primarily for business customers of Windows 7). The Windows 10 ESU program ends on October 13, 2026, for consumers, and can be extended up to October 2028 for enterprise customers with yearly renewals. After that, no further patches will be available. 

In summary, Windows 10 ESU is “the last lifeline” for those still on Windows 10 post-2025: it offers a bit more time under the shelter of security updates, but it’s a temporary measure meant to buy time for migration, not to prolong the life of Windows 10 indefinitely.

4. How Much Does ESU Cost?

One of the most pressing questions for organizations is the cost of enrolling in Extended Security Updates. Microsoft has set up different ESU pricing models for consumer vs. commercial customers:

Consumer ESU (Home/Pro editions)

Microsoft offers three ways to enroll a personal or small-business Windows 10 PC in ESU, all of which cover security updates through October 13, 2026:

  1. No-cost option: Enable Windows 10’s cloud backup of your PC settings (via the Windows Backup feature while signed into a Microsoft Account). This essentially “trades” telemetry/backup for security updates, allowing you to enroll in ESU at no additional cost.
  2. Microsoft Rewards option: Redeem 1,000 Microsoft Rewards points for an ESU enrollment. Microsoft set this option as an alternative currency; 1,000 points can typically be earned via Bing searches and other activities.
  3. One-time purchase: Pay $30 USD per device (or local currency equivalent) plus tax for one year of ESU coverage. This fee covers updates for a single device until October 13, 2026. One purchase covers one device (though up to 10 devices can share a single Microsoft account’s license, see below).

All of the above consumer options result in the same outcome: the device gets critical security patches for an additional year (through late 2026). The license is tied to your Microsoft account, and one account’s ESU license can cover up to 10 devices on Windows 10 (helpful for families or small offices) – beyond that, another account or purchase would be needed.

Enterprise/Business ESU

For organizations, Windows 10 ESU is offered as a paid subscription via volume licensing channels. The pricing is per device per year, and increases each year you extend:

  • Year 1 (Nov 2025 – Oct 2026): $61 USD per device.
  • Year 2 (Oct 2026 – Oct 2027): $122 per device (price doubles in the second year).
  • Year 3 (Oct 2027 – Oct 2028): $244 per device (doubles again in the third year).

In other words, if a business were to keep a Windows 10 machine on ESU for the maximum three years, the total cost would be $61 + $122 + $244 = $427 per device over that period. This escalating pricing is by design – it strongly incentivizes organizations to migrate off Windows 10 sooner rather than later. Microsoft essentially makes ESU more expensive each year to reflect the increasing risk (and to encourage upgrades). It’s also worth noting that if a company skips a year (e.g. decides in Year 2 that they now want ESU), they must pay for the prior years as well because ESU licenses are cumulative. For instance, enrolling only in Year 2 would typically require purchasing Year 1 retroactively.


Buy Windows 10 ESU Year 1 (2025-2026)

 

Volume license details: Enterprise ESU is purchased through Microsoft’s Volume Licensing Service Center or a Cloud Solution Provider. The minimum purchase is one license (so even small businesses can buy just one), and there is no large minimum order requirement. After purchase, organizations receive activation keys (multiple activation keys or MAK) to apply to their PCs (more on the enrollment process later).

Additionally, Microsoft has made ESU free for certain virtualized scenarios: Windows 10 VMs in Azure or Windows 365 Cloud PCs receive ESU at no additional cost for up to three years, a benefit for cloud customers. 

5. What ESU Covers

The Windows 10 ESU program is strictly limited to security updates. Specifically, it covers Critical and Important security updates, as classified by the Microsoft Security Response Center (MSRC), for Windows 10 version 22H2. In practical terms, once you’re enrolled in ESU, your Windows 10 machine will continue to receive patches via Windows Update (or your enterprise update management system) for newly discovered vulnerabilities that meet a severity threshold.

These patches will typically arrive on the cadence of Patch Tuesday or out-of-band if a particularly urgent threat emerges, just as Windows 10 updates did before EOS, but limited to security fixes only. Key points on what is included under ESU coverage:

  • Security patches for the OS: Any critical vulnerability in the Windows 10 OS (kernel, system libraries, components) disclosed after end-of-support will be patched for ESU-enrolled devices. This includes vulnerabilities such as remote code execution flaws and privilege escalation bugs, which could compromise the system's security.
  • Supported editions: ESU covers Windows 10 Home, Pro, Pro Education, Pro Workstation, and Enterprise/Education (for enterprise program) as long as they are updated to version 22H2. Essentially, the last versions of Windows 10 are supported. (Long-Term Servicing Channel editions have their own separate timeline and aren’t part of the consumer ESU program).
  • Security updates delivered normally: Once enrolled, the device gets these updates via the usual channels (Windows Update, WSUS, or Configuration Manager, depending on setup). For users or admins, patch installation works the same way as before; the difference is that, after 2025, only those in ESU will receive them.
  • Update frequency: Microsoft will likely continue the monthly “Patch Tuesday” cycle for ESU patches. You might see monthly cumulative security-only updates. There may also be occasional emergency updates (out-of-band) if a worm or active exploit emerges, just as they do for supported OS versions.

It’s essential to understand that ESU’s coverage is limited: it protects your OS from known security threats by applying fixes to Windows 10’s existing code. If you enroll in ESU, your Windows Update history will show entries for “Extended Security Updates” after October 2025, indicating the security fixes applied. 

6. What ESU Doesn’t Cover

While ESU provides an essential lifeline for security, it does not cover the vast majority of updates and support that were available before Windows 10’s end-of-life. IT professionals should be aware of these limitations:

  • No Feature Updates or Improvements: ESU includes zero new features or enhancements to Windows 10. After October 2025, Windows 10 is frozen in terms of functionality. There will be no new OS features, UI changes, performance improvements, or design tweaks delivered to Windows 10 through ESU. For example, you won’t suddenly get Windows 11 features or anything like that; Windows 10 will not gain new capabilities, even minor ones.
  • No Bug Fixes or Quality Updates: Aside from security vulnerabilities, general bug fixes (quality updates) are not provided. If there’s a non-security issue in Windows 10 (say, a minor glitch in File Explorer or a driver compatibility issue), Microsoft will not be issuing patches for those after EOS. Only security flaws that meet the MSRC criteria get patched. Windows 10 ESU machines may accumulate some quirks or unresolved non-security bugs over time.
  • No Technical Support: Enrolling in ESU does not come with Microsoft technical support for Windows. Typically, when a product is in support, enterprise customers can contact Microsoft Support or open support tickets for issues. Post-EOS, even if you paid for ESU, Microsoft’s stance is that general support is ended. The only “support” included is the delivery of the security updates themselves and ensuring they can be activated. If you need help troubleshooting an issue on Windows 10 after 2025, you will need to have a separate support agreement or pay per incident; ESU doesn’t change that. 
  • No New Device Driver Updates via Windows Update: After Windows 10 EOS, Microsoft will stop distributing driver updates through Windows Update for Windows 10. ESU does not cover driver/firmware updates. Device manufacturers will focus their driver releases on Windows 11 (or later). If you have hardware on Windows 10, you can still obtain drivers from OEM websites; however, the Windows Update catalog for Windows 10 will be largely static. (Many OEMs also will stop certifying new drivers for Windows 10 over time.) 
  • No Office/Other Microsoft Product Updates: ESU explicitly covers the Windows 10 operating system. It does not automatically extend support for other Microsoft products installed on that OS. For example, Microsoft Office has its own support lifecycle; Office 2021 will receive security updates on Windows 10, possibly until 2026, but after that, Office apps may also drop support on Windows 10. The ESU program doesn’t include Office or other software – those are separate. (Microsoft 365 Apps will continue on Windows 10 only until 2028 in a limited support mode, according to Microsoft’s documentation.)
  • No guarantee for third-party software: Obviously, ESU won’t cover third-party application updates. Over time, software vendors may also cease to support Windows 10. Web browsers are a key example: Microsoft Edge on Windows 10 is promised to receive updates through at least 2026-2028, but eventually, even browsers may drop Windows 10 support. Google Chrome and Mozilla Firefox are likely to continue supporting Windows 10 for a year or two beyond 2025, but not much longer. ESU can’t force third-party apps to keep supporting Windows 10; it only ensures the OS is patched for security. 

To put it plainly: ESU keeps your Windows 10 secure, but it doesn’t keep it evolving. Your OS will remain feature-static and potentially increasingly outdated in terms of software ecosystem. There’s also a potential compliance issue – many industry regulations (PCI-DSS, HIPAA, etc.) require systems to be on supported software. Even with ESU, some auditors might consider an OS past its official EOL as a risk. Microsoft itself notes that after 2025, it will no longer provide any quality updates or feature updates, and without ESU, a Windows 10 PC is fully exposed. With ESU, you reduce the exposure, but you’re still not getting improvements or assurances beyond security patching. 

7. Security Risks of Ignoring ESU

What happens if you do nothing after Windows 10’s end-of-life? In short, your PCs will operate, but they will rapidly become vulnerable and non-compliant. Let’s specify a few of the risks of not enrolling in ESU (and not upgrading to a newer OS): 

  • No Protection from New Threats
  • High Risk of Ransomware and Exploits
  • Compliance and Regulatory Failures
  • Loss of Software Support Sooner
  • Network Infection Risks:

In essence, ignoring ESU is equivalent to leaving the door wide open after October 2025. Your systems may function normally on a day-to-day basis, but each passing week increases the likelihood of a security incident. Microsoft itself “strongly recommends” upgrading to Windows 11 and uses ESU to cover only those who absolutely need it, precisely because of these risks.

Bottom line: If you plan to continue running Windows 10 past the EOL date without ESU, you should assume that the machine will become increasingly vulnerable to security risks. The safer approaches are either to enroll in ESU (to mitigate risk temporarily) or to migrate to a supported OS. Ignoring the issue is likely to result in a security incident sooner or later. 

8. ESU vs. Windows 11: Which Should You Choose?

With Windows 10’s end-of-support approaching, IT decision-makers face a crucial question: Do we enroll in ESU and stay on Windows 10 for a bit longer, or migrate to Windows 11 as soon as possible? The answer will depend on your environment, but generally, ESU is intended as a last resort and temporary measure. Let’s compare the two paths across several dimensions:

Feature Area Stay on Windows 10 with ESU Upgrade to Windows 11
Security Updates Critical security patches provided post-2025, but only until Oct 13, 2026 for consumers (up to 2028 for enterprises with renewals). No fixes for medium/low issues. Security coverage ends entirely after ESU period. Ongoing security and quality updates as part of the normal support lifecycle. Continuous protection against new threats without extra fees.
Feature Updates None. After 2025, no new features or improvements will be introduced, and the OS will remain frozen, missing out on new functionality and software innovations. Regular feature updates (annual/semi-annual). Access to the latest UI, productivity, and performance enhancements.
Technical Support No standard Microsoft support. ESU doesn’t include tech assistance, so troubleshooting depends on IT staff or paid support. Many vendors will drop support after EOL. Full Microsoft support per lifecycle policy. Vendors continue supporting products since it’s a current OS.
Security Features Limited to existing Windows 10 protections. Lacks newer safeguards, such as VBS or exploit mitigations. May fail compliance standards by 2026. Modern security defaults (TPM 2.0, Secure Boot, VBS, memory integrity). Built for current threats and compliance standards.
Hardware & Compatibility Runs on older hardware, eliminating the need for immediate PC replacement. However, compatibility with new apps/hardware will erode over time. Requires modern hardware (TPM 2.0, newer CPU). A hardware refresh may be necessary, but there is strong backward compatibility for the software. New devices target Win11.
Cost ESU subscriptions are costly (~$30 per device for consumers; $61→$122→$244 per device across 3 years for enterprises). Indirect costs include maintaining legacy systems and risk exposure. Upgrade is free for licensed Windows 10 users. Costs mainly result from potential hardware refreshes or migrations. Avoiding ESU fees saves money long-term.
Time Horizon Temporary: buys 1–3 years of security coverage at most. Ends completely by 2028. Essentially delays migration. Future-ready: supported well into the late 2020s or beyond (potentially up to “Windows 12”). A proactive, long-term move.

 

Which should you choose? In almost all cases, upgrading to Windows 11 (or a supported OS) is the recommended course. ESU is best viewed as a fallback for scenarios where an immediate upgrade is not feasible. Some example use-cases for ESU: an enterprise has a critical piece of software that isn’t yet compatible with Windows 11; they use ESU to secure Windows 10 for a year while the vendor updates the software. Or if a hospital has medical equipment tied to a Windows 10 machine that can’t be replaced until 2027, they’d use ESU to cover that interim. 

9. Pros and Cons of Windows 10 ESU

Consider the pros of staying on Windows 10 with ESU:

  • No disruption or retraining needed for users (they continue with the familiar Windows 10 interface and apps).
  • Can defer hardware purchases if current PCs don’t meet Win11 requirements, spreading out capital expenditure.
  • Maintains stability for legacy workflows that might be sensitive to change.

And the cons of staying on Windows 10 with ESU:

  • Direct and indirect costs (ESU fees, and potentially needing extended support agreements for other software).
  • Growing security risk after ESU ends (or if something falls outside ESU’s scope).
  • Missing out on productivity improvements and new features that competitors or peers might be leveraging on Windows 11 (for example, Windows 11 has better support for hybrid work features, integrations with cloud services, and upcoming AI-driven features like Windows Copilot).

Recommendation: Use Windows 10 ESU as a temporary mitigation, not a long-term strategy. If your organization can move to Windows 11 by or soon after October 2025, that is ideal. If not, use ESU to cover the gap while actively working on your Windows 11 migration plan. Each year of ESU should see fewer Windows 10 machines in your fleet as you upgrade in phases. By the final ESU year, you ideally should have only a handful of exceptions left, if any. Ultimately, Windows 11 provides a more secure and modern operating environment, and the upgrade is free in terms of licensing. Many IT pros view ESU as buying insurance: you pay for one more year of safety, but you don’t want to keep paying forever. The ROI of upgrading becomes very clear by Year 2 or 3 of ESU when the costs double. As noted, staying on the old OS can become more expensive (in ESU fees and potential breaches) than biting the bullet and migrating. 

10. The Future Beyond Windows 10

What lies beyond Windows 10 for organizations? In a word: modernization. Windows 10’s chapter is closing, and Microsoft’s focus has fully shifted to Windows 11 and beyond. Here are key points to consider as you plan for the post–Windows 10 era:

  • Windows 11 and “What's Next”: Windows 11 is the current flagship, and Microsoft will continue to evolve it with new features, likely some powered by cloud integration and AI (for example, Windows 11 introduces the Windows Copilot AI assistant built into the OS). By adopting Windows 11, you position your organization to take advantage of these innovations early. Looking further ahead, there are already discussions about the next Windows version (unofficially referred to as “Windows 12” by some in the tech press), which may arrive in a couple of years. Microsoft has shifted back to more frequent major releases (rumors suggest a new version every 3 years or so). The key is that all future Windows development will target the Windows 11 codebase and beyond. Windows 10 will be left behind entirely. So, moving beyond Windows 10 means not just upgrading to Windows 11, but embracing a model where you can continue to adopt new OS releases as they become available, in a controlled yet regular fashion.
  • Hardware Refresh and Modern Management: Many organizations use OS end-of-life as a trigger for hardware refresh cycles. PCs that ran Windows 7 were largely replaced around 2020; now, PCs bought in the Windows 8/10 era (2015-2017) are due for replacement by 2025-2026. Investing in new hardware brings benefits: new CPUs, longer battery life on laptops, better security chips, etc., and obviously compatibility with Windows 11 and future OSes. Also, consider deploying modern device management if you haven’t (like Microsoft Intune/autopilot) to streamline future upgrades. The future is not just a new OS, but new ways of managing endpoints (for example, cloud-based updates, Windows Update for Business, etc., which can reduce the effort of future version changes).
  • Cloud and Hybrid Options: Microsoft is increasingly offering cloud-driven alternatives. For instance, Windows 365 Cloud PC lets you stream a Windows desktop from Azure. In some scenarios, instead of upgrading old physical PCs, a company could move users to cloud PCs (particularly for remote work or specialized needs). Similarly, Azure Virtual Desktop can run a virtualized Windows 11 or even allow legacy apps to run on a server while users are on a modern client. These might not replace all desktops, but they are part of the “future beyond Windows 10” conversation, especially if you have apps that won’t run on new OS/hardware – virtualization can be a bridge.
  • Extended Security Beyond OS: Think also about supplementary security layers since OS alone isn’t everything. For instance, if you do keep some Windows 10 systems around (with ESU), ensure you have robust endpoint security (EDR/XDR solutions, such as Microsoft Defender for Endpoint or others) to detect any threats on those machines. After 2028, no updates will be available, so those systems should be decommissioned or isolated by then. The future strategy should be to have no Windows 10 devices left when ESU ends. This means planning how to handle systems that, for some reason, cannot be moved to Windows 11 (the answer might be to retire them, or if needed, move the workload to a supported server OS or containerize the legacy app, etc.). 
  • User Considerations and Training: A forward-looking plan also addresses user acceptance. Windows 11 introduced changes that, while not drastic, can affect workflows (e.g., a centered Start Menu, different right-click menu behaviors). Use the lead time to familiarize your user base with the changes. Early adopters and pilot groups can provide feedback. By the time Windows 10 ESU expires, your users should be well-acclimated to the new environment.
  • Lifecycles and Next EOLs: It might feel like we just went through this with Windows 7’s EOL in 2020, now Windows 10 in 2025 – indeed, technology lifecycles keep moving. To avoid future crunches, try to institutionalize a lifecycle management policy: keep track of when OS (and other software) goes out of support and plan your budget and time accordingly. Windows 11’s support will one day end as well (likely not until the 2030s for some editions, but still). Microsoft now has an official end date of Oct 8, 2024, for Windows 11 21H2 (since that was a specific release), but the Windows 11 OS family itself will eventually be succeeded. By embracing an evergreen IT mindset (continuous updates, regular training), the “big bang” migrations like Windows 10 to 11 can be smoother or more incremental. 

In conclusion, the future beyond Windows 10 is about being proactive rather than reactive. Windows 10 ESU offers extra time, but it’s clear that Microsoft’s development energy is invested elsewhere. New features, enhanced security, and improved user experiences will be available on Windows 11 and future Windows versions. For IT pros, aligning with Microsoft’s roadmap means less technical debt and fewer security worries down the line. 

“The Last Lifeline Before the Leap”

Windows 10 Extended Security Updates is a valuable program if you absolutely need it – it can buy you time, but not immortality. It’s the last lifeline for an aging OS. IT leaders should use this grace period wisely: shore up security for the remaining Windows 10 devices and simultaneously expedite plans to move forward (whether that’s Windows 11 or other solutions). The clock is ticking. By October 2025, the Windows 10 era will effectively come to an end, and by 2026–2028, even the post-support grace period will be discontinued. The best strategy is to enroll in ESU if needed, but plan your migration today. Don’t wait until the final deadline. By acting now, you can ensure your organization makes a smooth, secure leap into the next generation of Windows.