Full Report
With the first Patch Tuesday following Windows 10's end of support approaching next week, users who continue to run the operating system should enroll in the Extended Security Updates (ESU) program to remain protected against newly discovered security vulnerabilities. [...]
Analysis Summary
# Best Practices: Securing Legacy Windows 10 Systems via Extended Security Updates (ESU)
## Overview
These practices focus on mitigating the elevated risk associated with running Windows 10 past its official end-of-support (October 14, 2025) by enrolling affected systems in the Extended Security Updates (ESU) program to ensure continued reception of critical security patches.
## Key Recommendations
### Immediate Actions
1. **Enroll in ESU:** All users running Windows 10 (Home, Pro, Pro Education, or Workstations edition, version 22H2) must immediately enroll in the ESU program to receive security updates starting with the next Patch Tuesday following the end of support.
2. **Complete Pre-requisites Check:** Before enrolling, ensure all currently published non-ESU updates via Windows Update are fully installed to mitigate potential bugs causing incorrect end-of-support warnings.
3. **Verify Account Status (Consumers):** For consumers, ensure you are logged into Windows 10 with a Microsoft Account, as this is a prerequisite for the free ESU options or subsidized payment paths.
### Short-term Improvements (1-3 months)
1. **Consumer Enrollment Path Execution:** Complete the enrollment process, selecting the most cost-effective option:
* **Free Eligibility:** If using a Microsoft Account and Windows settings are backed up, enroll for free (or specific conditions apply, especially for EEA users).
* **Payment/Points:** If backups are not enabled, enable backups, redeem 1,000 Microsoft Rewards points, or submit the required $30 payment to secure the first year of updates.
2. **Enterprise Enrollment Initiation:** For enterprise customers, begin the process of acquiring the necessary ESU keys through Microsoft Volume Licensing Service Center (VLSC) or Solution Provider partners.
3. **Configuration Validation:** After enrollment or key activation, verify that the system is correctly registered for ESU protection through the Windows Update interface.
### Long-term Strategy (3+ months)
1. **Managed Key Activation (Enterprise):** Implement centralized management and activation of unique ESU keys across all remaining Windows 10 enterprise endpoints using tools like Configuration Manager, WSUS, or Intune.
2. **Migration Planning:** Develop and execute a strategic plan to migrate all endpoints off Windows 10 to a supported operating system (e.g., Windows 11) before the end of the ESU coverage period, as ESU is a temporary measure.
3. **Cloud PC Utilization (If applicable):** For organizations utilizing Windows 365 Enterprise or Frontline Cloud PCs, confirm that these specific instances are receiving the free ESU enrollment benefit as announced by Microsoft.
## Implementation Guidance
### For Small Organizations
* **Focus on Consumer Path (if applicable):** If using Pro or Home editions, leverage the consumer (or small business) subscription model ($30/year per device initially) or utilize the free path via Microsoft Account login and settings backup to minimize immediate expenditure.
* **Manual Verification:** Given limited management tooling, perform manual spot checks via **Settings > Update & Security > Windows Update** to confirm ESU enrollment status on critical endpoints.
### For Medium Organizations
* **Leverage Existing Management Tools:** Use existing management infrastructure (e.g., WSUS, basic Intune deployment capabilities) to facilitate key deployment and activation for volume ESU licensing arrangements.
* **Budget Allocation:** Allocate an estimated $427 per device for the full three years of enterprise ESU coverage if migration is not immediately feasible.
### For Large Enterprises
* **Centralized Deployment:** Utilize robust centralized tools such as **Microsoft Configuration Manager or Microsoft Intune** to deploy, manage, and ensure activation of the required unique ESU key for every remaining Windows 10 device.
* **Procurement Channel:** Coordinate with VLSC or Solution Provider partners to procure the necessary volume licenses required for the multi-year ESU agreement.
* **Review Documentation:** Follow official Microsoft FastTrack or support documentation specifically for enrolling Windows 10 devices into ESU within a large-scale managed environment.
## Configuration Examples
The guidance specifies the following navigation path within the operating system for manual consumer enrollment:
1. Navigate to **Settings**.
2. Select **Update & Security**.
3. Click on **Windows Update**.
4. Look for the warning message stating "Your version of Windows has reached the end of the support."
5. Under the "Enroll in Extended Security Updates to help keep your device secure" section (visible in the sidebar or by scrolling), click **"Enroll now"**.
6. Follow the wizard steps, selecting the appropriate authentication/payment method (Microsoft Account verification, Reward Points redemption, or $30 payment).
## Compliance Alignment
* **NIST CSF (Protect Function):** Enrollment in ESU directly addresses the need to maintain **PR.IP** (Information Protection Processes and Procedures) and ensure **PR.MA** (Maintenance) by applying necessary patches that address actively exploited vulnerabilities (e.g., the elevation of privilege vulnerability cited).
* **ISO 27001 (A.12.6.1):** Adhering to ESU ensures the timely implementation of correction and preventive actions by installing security updates, aligning with the requirement for effective management of technical vulnerabilities.
* **CIS Controls (Control 3: Secure Configuration of Mobile Devices and Workstations):** Continues to enforce required security updates (patching) on a legacy, unsupported platform pending migration, helping to maintain a secure baseline configuration.
## Common Pitfalls to Avoid
* **Assuming Free ESU for All:** Do not assume all entities receive free ESU. Consumers without backed-up settings or non-EEA users may face immediate costs ($30) or require the use of reward points. Enterprises must license coverage beyond the first year.
* **Ignoring Pre-ESU Patching:** Failing to install all available standard updates *before* enrolling in ESU may prevent successful enrollment or lead to immediate vulnerability exposure.
* **Reliance on ESU as a Permanent Solution:** Treating ESU as a indefinite extension. ESU is time-boxed (up to three years for enterprise) and requires a firm migration commitment to a supported OS.
* **Mismanaging Enterprise Keys:** In large environments, failing to activate each device with a *unique* ESU key or improperly managing these keys via deployment tools will result in a device not receiving critical updates.
## Resources
* **Microsoft Extended Security Updates (ESU) Program General Information:** (Refer to official Microsoft documentation for current pricing and multi-year enterprise details.)
* **Enterprise ESU Enrollment Guidance:** (Refer to specific Microsoft support articles regarding enrolling Windows 10 devices via Intune, WSUS, or Configuration Manager.)
* **Windows 10 Version Status:** (Verify that your system is running Windows 10, version 22H2, before attempting enrollment.)