Newsletter 11/11/2025

If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal



Windows 10 Extended Security Updates (ESU)
Day One, Dead on Arrival


Just when you thought it was safe to stay on Windows 10, Microsoft reminded us why it isn’t.

For anyone who follows the ups and downs of Microsoft patch problems, it should come as no surprise that the Windows 10 Extended Security Updates (ESU) program started off with a major failure.  Although the issue was widely reported on November 11, 2025 — with BleepingComputer first publishing its article, “Microsoft: Emergency Windows 10 update fixes ESU enrollment bug” — it was Microsoft itself that initially acknowledged the failure of its Not Quite Ready for Prime Time ESU rollout.  Notably, November 11, 2025, was the very first day the Extended Updates were scheduled to take effect.

So what was the problem?  Machines that were fully eligible for ESU were being blocked from enrolling.  As a result, users who had paid for or expected to receive extended security updates were left exposed — no updates, no protection, despite meeting all the requirements.

Microsoft did promptly issue a patch to fix the problem (KB5071959).  However, the fix came as an Out-of-Band (OOB) update that had to be manually installed via Windows Update.  And there’s the rub.

Many Windows users have never run — and may never wish to run — Windows Update manually.  In my experience, users unfamiliar with manual updating often lack awareness of the broader need to keep their systems secure.  When working with a new client, I’ll say, “Let’s make sure you’re up to date.”  The response is often, “Oh, it updates automatically.”  But in reality, the machine hadn’t updated in months for any number of reasons.

Most Windows 10 users who enrolled in ESU prior to November 11 did receive the November updates as scheduled.  But not all were so lucky.  The bug also affected some of the more responsible users who enrolled early.  They, too, had to run Windows Update manually — often for the first time on November 11, 2025.

Another barrier to ESU enrollment: Microsoft requires that Windows 10 version 22H2 be installed beforehand.  While Microsoft still offers 22H2 via the Update Assistant and Media Creation Tool, many users are unaware of these options or are uncomfortable navigating the updates page.  They don’t know which path to take, and they’re unlikely to try.  These unpatched systems pose a real risk — not just to themselves, but to other devices they connect with across shared networks, including the Internet.
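The conditions described above (the 22H2 prerequisite, the out-of-band KB5071959 fix, and machines that have quietly stopped updating) can be checked on a given PC from a PowerShell prompt. This is an added example, not part of the original article or any Microsoft tooling; the function name `Get-EsuReadiness`, the 60-day staleness threshold, and the assumption that the KB is visible to `Get-HotFix` are illustrative choices.

```powershell
# Added example: report the update-health signals discussed in the article.
# Assumptions (not from the article): KB5071959 is listed by Get-HotFix when
# installed, and 60 days without any installed update counts as "stale".
function Get-EsuReadiness {
    param(
        [string]$RequiredVersion = '22H2',      # ESU prerequisite named in the article
        [string]$FixKb           = 'KB5071959', # OOB enrollment fix named in the article
        [int]$StaleDays          = 60           # hypothetical threshold
    )

    # Version and build come from the registry values that winver displays.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Installed updates as reported by Win32_QuickFixEngineering.
    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue)

    # InstalledOn can be empty for some entries, so filter before sorting.
    $latest = $hotfixes |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $daysSince = if ($latest) {
        [int]((Get-Date) - $latest.InstalledOn).TotalDays
    } else {
        $null   # no dated update found at all
    }

    [pscustomobject]@{
        DisplayVersion      = $cv.DisplayVersion
        Build               = "$($cv.CurrentBuild).$($cv.UBR)"
        Is22H2              = ($cv.DisplayVersion -eq $RequiredVersion)
        FixInstalled        = [bool]($hotfixes | Where-Object HotFixID -eq $FixKb)
        LastUpdateInstalled = $latest.InstalledOn
        DaysSinceLastUpdate = $daysSince
        # Treat "no dated updates" the same as "too old": both need a manual look.
        UpdatesLookStale    = ($null -eq $daysSince -or $daysSince -gt $StaleDays)
    }
}

Get-EsuReadiness | Format-List
```

A `False` for `FixInstalled` on a machine that is otherwise current is a prompt to review the update history in Settings, since this check only looks for that one KB number.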

When Microsoft releases security patches, as it did on November 11, it also publishes detailed technical specifications about the vulnerabilities it fixed.  Security Boulevard offered a breakdown of the functions and procedures addressed in the November patches. But this information doesn’t just help defenders.  It also serves as a roadmap for vultures — those opportunistic attackers ready to pounce on any unpatched, Internet-connected PC.  And yes, that includes millions of Windows 10 machines owned by people who know little about cybersecurity and probably don’t care.  Do you?

Just when you thought Windows 10 could coast into retirement, the vultures started circling.

 

¯\_(ツ)_/¯
Gerald Reiff