As most of you are already aware, Windows 10 is nearing its end of life (EOL). Starting October 14, 2025, Microsoft will stop supporting updates for Windows 10. This means that Windows 10 users will no longer receive bug fixes, security updates, or new functionalities for this version of the OS.

Endpoint Central supports Windows 10 ESU patches. ESU patches appear as missing on all devices, regardless of license status. Patches install only if the device's ESU license is activated and validated. If not activated, deployment fails or is rolled back. ESU activation must be done manually via Microsoft (MAK or Azure Arc).

 

What can you do?

The best way to stay ahead of this change is to migrate to Windows 11 (you can use Endpoint Central and follow our detailed guide to migrate with ease). However, for those of you who either cannot migrate or are reluctant to upgrade, there are still things you can do to keep your endpoints secure from cyberattacks.

Purchase Extended Security Updates (ESUs) from Microsoft

The Windows 10 ESUs will include security updates for an additional three years after Windows 10 reaches EOL on October 14, 2025. ESUs can be purchased directly through volume licensing.

Who is eligible for these ESUs?

Users of the Windows 10 Enterprise, Education, Pro, Home, Pro Education, and Pro for Workstations editions. To be eligible to install updates from the ESU program, devices must be running Windows 10, version 22H2.

When are these update offers available?

The ESU program will begin immediately after end of support:

  • Year 1: October 15, 2025 – October 13, 2026
  • Year 2: October 14, 2026 – October 12, 2027
  • Year 3: October 13, 2027 – October 10, 2028

Windows 10 ESU licenses are available to purchase in volume licensing.

The cost of ESUs

Extended Security Updates for organizations and businesses on Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines in the following services:

  • Windows 365
  • Azure Virtual Desktop
  • Azure virtual machines
  • Azure Dedicated Host
  • Azure VMware Solution (includes Citrix and Omnissa Horizon on Azure VMware Solution)
  • Nutanix Cloud Clusters on Azure
  • Azure Local (Azure Local is the new name for Azure Stack HCI)
  • Azure Stack Hub
  • Azure Stack Edge

Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license.

For individuals or Windows 10 Home customers, Extended Security Updates for Windows 10 will be available for purchase at $30 for one year, and you can redeem 1,000 Microsoft Rewards points if you have them.

Microsoft's approach to deploying ESUs

On-premises organizations that purchase Windows 10 ESUs will receive a Multiple Activation Key (MAK) from Microsoft. The MAK can be deployed to all applicable machines in the organization, along with the prerequisite servicing stack updates. Once this is done, the ESUs can be deployed through the organization's preferred patch management solutions.

How to deploy ESUs using ManageEngine's patch management solutions

Once you have applied the ESU Multiple Activation Key (MAK) purchased from Microsoft and activated it on the target machine, you can deploy ESU patches to your Windows 10 endpoints using any of ManageEngine’s patch management solutions, such as Patch Manager Plus, Endpoint Central, or Vulnerability Manager Plus.
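A readiness check for the two conditions stated above (Windows 10 version 22H2 and an activated ESU license), to run before ESU patches are approved. This is an added example, not ManageEngine's or Microsoft's code; `Test-EsuReadiness` is a hypothetical function name, and it assumes ESU add-on licenses are listed in the `SoftwareLicensingProduct` WMI class with "ESU" in their name.

```powershell
# Added example (not vendor code): report whether this endpoint meets the
# ESU prerequisites the article lists before ESU patches are approved.
function Test-EsuReadiness {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Windows 11 can also report DisplayVersion 22H2, so check the OS caption too.
    $isWindows10 = $os.Caption -like '*Windows 10*'
    $is22H2      = $cv.DisplayVersion -eq '22H2'

    # Well-known Application ID of Windows in the Software Licensing service.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $filter = "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL"

    # Assumption: ESU add-on licenses carry "ESU" in their Name.
    $esu = @(Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter |
        Where-Object { $_.Name -like '*ESU*' })

    # LicenseStatus 1 means "Licensed" (the key is installed and activated).
    $activated = @($esu | Where-Object { $_.LicenseStatus -eq 1 })

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Caption        = $os.Caption
        DisplayVersion = $cv.DisplayVersion
        IsWindows10    = $isWindows10
        Is22H2         = $is22H2
        EsuKeysFound   = $esu.Count
        EsuActivated   = $activated.Name
        Ready          = ($isWindows10 -and $is22H2 -and ($activated.Count -gt 0))
    }
}

Test-EsuReadiness | Format-List
```

Endpoints where `Ready` is false are the ones on which an ESU patch deployment would fail or be rolled back, so they can be excluded from the deployment until activation is complete.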