Updated: November 7, 2024
Why a $30 ESU for Consumers Is Bad for Enterprises

Windows 10 leaves support on Oct. 25, 2025. That’s less than one year. After this date it will be necessary to obtain Extended Security Updates (ESUs) to continue to receive critical and important security updates. All of which sounds good until you do some analysis.
One year ahead of the end of support for Windows 10, Global Stats StatCounter estimates that Windows 10 comprises approximately 61% of all Windows client versions. Estimates are that Windows 10 and 11 are running on 1.4 billion devices. It is not clear what percentage of these devices are running in enterprises and what percentage are being used by consumers, but it appears that both categories mostly use Windows 10.
Assume that enterprises — the largest businesses — plan to get to Windows 11 before the end of support for Windows 10.
That still leaves a significant number of small and medium businesses, government entities and NGOs, and an immense number of consumers still running Windows 10. Many of them have no intention of migrating to 11 unless their existing Windows 10 PC breaks (any replacement will have Windows 11 preinstalled). But devices are more reliable than the operating systems that run on them, so Windows 10, like Windows 7 and Windows XP before it, will be around for a long time.
However, for the first time ever, Microsoft is making ESUs available to consumers. Only available for one year, this extends support out until 2026 (unless Microsoft decides it’s important to extend this offer for another year or two), but only for those people willing to give Microsoft USD $30.
Will Consumers Bite?
It appears Microsoft believes people who have resisted all the previous enticements to move to Windows 11 will decide to send Microsoft money for the additional updates. These people have already shown they are unwilling to purchase Windows 11-compatible hardware or are unhappy with the changes to Windows 11 that seem just arbitrary and capricious. There is already resistance to installing updates given the view many Windows users have that Microsoft’s updates, including security updates, often have problems that range from annoyances to blue screens of death.
All of this means that adoption of ESUs by consumers will be very low. And this means that the Windows ecosystem, as Microsoft likes to call it, will be filled with devices just waiting to be turned into bots capable of wreaking havoc on those of us who keep our devices up to date and hopefully adequately protected against vulnerabilities in the OS.
This isn’t a hypothetical scenario; there is precedent for this concern. Ars Technica recently reported that thousands of hacked TP-Link routers were used in years-long account takeover attacks. Microsoft acknowledges it has “observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks.” Small Office Home Office (SOHO) “routers manufactured by TP-Link make up most of this network”. The vast numbers of vulnerable devices mean the bad actor can continually move between compromised devices to avoid detection.
Now Microsoft is poised to add millions of unpatched Windows 10 devices to the mix — devices that will be capable of being compromised and turned against all the users of the Internet, not just the Windows ecosystem.
But What About Those Tempting ESU Revenues?
The money Microsoft will make on ESUs from consumers will likely be a rounding error on its annual report. But by not providing a compelling reason to upgrade to Windows 11 and charging for ESUs for Windows 10, it is leaving the potential for bad actors to create attacking botnets. Botnets attacking Microsoft’s enterprise customers and others.
Enterprises are another story. Microsoft could make some real money by charging businesses for Windows 10 ESUs. Microsoft is charging commercial customers USD $61 per device for Windows 10 ESUs for the first year, with the price doubling in Years 2 and 3. Microsoft is charging educational institutions USD $1 per device for Windows 10 ESUs for Year 1, with the price doubling in Years 2 and 3.
Microsoft asserts its Secure Future Initiative is about doing the right thing for security. But I fail to see how charging consumers who won’t pay additional monies to support an OS they feel they have the right to use in perpetuity helps create a secure future at all. The best thing for everyone’s security and peace of mind is to just make the updates available for free, via Windows Update.