
In a significant policy shift, Microsoft has announced it will provide free, unconditional Extended Security Updates (ESU) for Windows 10 users within the European Economic Area (EEA) for one year following the operating system’s end-of-support date [1, 2]. This decision, effective as of September 25, 2025, removes the previously mandated requirement to enable the Windows Backup feature, a condition that had drawn criticism from consumer advocacy groups [1, 7]. The change directly impacts users in the 27 EU member states, plus Iceland, Liechtenstein, and Norway, creating a distinct security update landscape compared to the rest of the world. For security professionals, this development highlights the growing influence of regional regulations like the Digital Markets Act (DMA) on software lifecycle management and the tangible outcomes of coordinated consumer advocacy on corporate policy.
The core of the policy reversal centers on the removal of a specific technical prerequisite. Initially, to qualify for the free one-year ESU program, which extends security patches until October 13, 2026, users globally were required to enable Windows Backup, a feature that saves settings and data to Microsoft’s OneDrive cloud service [1]. The updated policy for the EEA eliminates this condition, making the enrollment process for ESU genuinely free and without any service tie-ins. Microsoft confirmed the change, with a spokesperson stating the company is “making updates to the enrollment process to ensure it meets local expectations and delivers a secure, streamlined experience” [2]. This streamlined process is expected to simplify access for millions of users in the region.
Pressure from Advocacy Groups and Regulatory Context
The policy change is not an isolated corporate decision but a direct result of sustained pressure from European consumer organizations. Groups led by Euroconsumers and its Belgian member, Testaankoop, conducted a two-year campaign arguing that Microsoft’s initial terms were anti-competitive [1, 8]. Their primary contention was that tying essential security updates to the use of a specific Microsoft service, like OneDrive, violated the principles of the Digital Markets Act. The advocacy groups viewed this as an unfair practice that leveraged Microsoft’s dominant market position to drive adoption of its cloud services.
Euroconsumers acknowledged Microsoft’s reversal, stating they are “pleased to learn that Microsoft will provide a no-cost Extended Security Updates (ESU) option… We are also glad this option will not require users to back up settings, apps, or credentials, or use Microsoft Rewards” [1]. This statement underscores the specific grievances that were addressed by the policy update. The successful campaign demonstrates how consumer rights frameworks in Europe can be effectively used to challenge the terms of service for critical software security provisions.
Global Disparity in Windows 10 Security Update Access
While the update is a win for European users, it creates a clear disparity in how Windows 10 security is managed globally after the end-of-support date of October 14, 2025 [9]. For individuals and organizations outside the EEA, the original three options for obtaining the one-year ESU remain in effect. These options include enabling Windows Backup for free, paying a fee, reportedly around $30 for consumers, or redeeming Microsoft Rewards points [1, 9]. This bifurcated approach means that security postures for identical software will now be contingent on geographic location and the applicable regulatory environment.
The scale of this issue is substantial, with an estimated 650 million PCs worldwide still running Windows 10 as of August 2025 [5]. For enterprise environments, the ESU program is a paid annual subscription, with costs starting at $61 per device for the first year and doubling each subsequent year, available for up to three years [9]. This cost structure presents a significant budgetary consideration for businesses with large fleets of older PCs that cannot be upgraded to Windows 11 due to hardware incompatibilities. Microsoft’s official guidance continues to strongly advocate for upgrading to a new Windows 11 PC, framing it as the path to better security and performance [6].
Relevance and Implications for Security Professionals
This policy shift has immediate and practical implications for security operations. The primary concern remains the vast number of systems that will eventually lose support. Consumer groups have rightly characterized the one-year free ESU as an “interim solution” and not a “definitive” one [1, 8]. After October 2026, these millions of EEA-based devices will face the same security risks as systems elsewhere, potentially creating a massive pool of vulnerable endpoints that could be exploited in targeted attacks or leveraged for botnet activity.
From a strategic perspective, this event underscores the increasing impact of regional legislation on global technology governance. Security teams operating in multinational organizations must now account for differing software support lifecycles based on jurisdiction. Asset management and inventory systems may need to be adapted to track and enforce compliance based on the physical location of assets. Furthermore, the success of the consumer advocacy campaign highlights the potential for similar actions in other regions, which could lead to further fragmentation of software support policies.
For system administrators, the key takeaway is the necessity of maintaining accurate and detailed asset inventories. Knowing precisely which devices are running Windows 10, their hardware capabilities, and their physical or operational jurisdiction is critical for planning upgrade paths or ESU enrollment. Security teams should also monitor for any technical implementation details regarding the new EEA enrollment process to ensure a smooth transition for eligible systems before the October 2025 deadline.
Conclusion and Future Outlook
Microsoft’s decision to offer free, unconditional Windows 10 ESU in Europe represents a notable victory for consumer advocacy and a clear example of regulatory influence on technology policy. However, it is a temporary reprieve rather than a long-term solution. The fundamental issue of planned software obsolescence, which advocacy groups argue contradicts sustainability goals by forcing the replacement of functional hardware, remains unresolved [8].
The landscape for operating system security is becoming increasingly complex, shaped by a combination of technical constraints, commercial strategies, and regulatory interventions. Security professionals must navigate this complexity by prioritizing comprehensive asset management, advocating for sustainable security practices within their organizations, and staying informed on policy developments that may affect their security posture. The Windows 10 ESU saga in Europe is likely a precursor to more debates about the responsibility of software vendors to support products throughout a device’s functional lifespan, especially in an era focused on reducing electronic waste.
References
- “Microsoft makes Windows 10 security updates free after pressure from European groups,” The Verge, 2025.
- “Major backtrack as Microsoft makes Windows 10 Extended Security Updates free for an extra year, but only in certain markets,” Windows Central, 2025.
- “Microsoft offers Windows 10 a lifeline,” Tech Xplore, 2025.
- “Windows End of Support,” Microsoft, 2025.
- “Microsoft Makes Windows 10 Security Updates Free After Pressure From Euroconsumers Group,” Republic World, 2025.
- “One year longer: free updates for Windows 10,” Techzine, 2025.
- “Extended Security Updates,” Microsoft Learn, 2025.