The clock is ticking on Windows 10. With Microsoft ending support on October 14, 2025, many users and businesses are considering the Extended Security Updates (ESU) program as a stopgap measure. But what exactly does this program offer, and is it a safe long-term solution? The reality is more complex than it appears.
The Uncertain Promise of "Security Updates"
Microsoft's ESU program is designed to deliver "critical" and "important" security updates for up to three years after the end-of-life date. On the surface, this sounds like a comprehensive safety net. You pay a fee, and you get a continuous stream of security patches. However, the program's limitations are significant and aren't always made clear.
What You're Really Paying For (and What You're Missing)
The ESU program is not equivalent to the full security updates you've been receiving up until now. It is a strictly limited service. While it addresses the most severe vulnerabilities that could be exploited to compromise your system, it completely ignores a wide range of less critical but still significant security issues.
So, what kinds of patches will you be missing out on?
- Moderate and Low-Severity Vulnerabilities: The ESU program does not patch flaws that are considered less severe. This includes bugs that require a user to be tricked into clicking a malicious link, vulnerabilities that only work if an attacker already has some level of access to your machine, and minor information disclosure issues. While these bugs might seem harmless on their own, a skilled attacker can often chain them together to bypass security measures and escalate a low-risk bug into a much more serious exploit.
- Non-Security Bug Fixes: The ESU program is exclusively for security. You will no longer receive updates that fix general software bugs, performance issues, or stability problems. These seemingly unrelated updates can sometimes indirectly improve security by making the operating system more resilient to attack.
- Defense-in-Depth Improvements: Microsoft constantly releases "defense-in-depth" updates that aren't tied to a specific vulnerability but instead are meant to strengthen the overall security posture of the OS. These proactive improvements, such as changes to exploit mitigations, will also be excluded from the ESU program.
How to Get Your First Year of ESU
Recognizing the large number of users still on Windows 10, Microsoft has introduced two free options for consumers to get their first year of ESU, in addition to the paid plan.
- Free with Windows Backup: The easiest way to get a free year of updates is by using Windows Backup to sync your PC's settings to your Microsoft account with OneDrive. This option requires you to be signed in with a Microsoft account and to enable the backup feature.
- Free with Microsoft Rewards: Alternatively, you can redeem 1,000 Microsoft Rewards points to get a year of security updates. You accumulate these points by using Microsoft services like the Bing search engine or the Edge browser.
- Paid Option: For those who don't want to use the free methods, a one-year subscription can also be purchased for a fee.
After the first year, these free options are not renewable. For the second and third years of ESU, you will be required to pay the standard subscription fee.
The Bottom Line: ESU Is Not a Long-Term Solution
Think of the ESU program as a temporary, essential bandage. It's there to protect you from the most severe, life-threatening security issues as you prepare to move to a new operating system. It is not a replacement for the comprehensive, ongoing protection that a fully supported OS like Windows 11 offers.
For anyone considering the ESU program, it's crucial to understand that it is a compromise. Your computer will be more vulnerable than a machine on a fully supported OS, and over time, the risks will continue to grow as other software and hardware manufacturers also stop providing updates for Windows 10. The ESU program provides a security lifeline, but it's not a complete suit of armor.