Updated: September 29, 2025
You may have heard or read about it. Microsoft blinked. With only weeks before Windows 10 goes out of support, the company has amended its patching offer: the Windows 10 Extended Security Updates (ESU) program will be available free of charge to users in the European Economic Area (EEA). Sounds nice. Except it isn't.
I read about a dozen articles on this topic, and all of them call this a "no strings" option, or at the very least a good thing. Requirements? You still need a Microsoft account. Blimey. And so, I decided to write this article and tell you not to consider this ESU even if you may geopolitically qualify, unless it changes again and Microsoft drops the online account clause. The ramifications are long-reaching, and in your nerdy naivety, you may ignore them until it's too late. Commence to read.
Windows 11 is a failure
With weeks to go, Windows 10 still holds about 50% market share. That tells you everything you need to know. Part of the reason why so many people refuse to use the new and shiny Windows 11 is Microsoft's fault, beyond creating a silly release, that is. Windows 11 has "strict" hardware requirements, although they only apply to the peasant versions (Home and Pro); some enterprise editions (the IoT/LTSC flavors) actually have lower requirements, believe it or not. These requirements include a relatively "new" CPU (roughly 2018 onward), but more importantly, your motherboard needs to have a TPM 2.0 chip (more later). This is what prevents hundreds of millions of machines from being upgraded, even if their users wanted to do so (which they most likely don't, anyway).
Now, Microsoft could technically fix the problem today. They could simply remove the TPM requirement, which indeed isn't as stringent for enterprise users, hi hi. Instead, they are willing to offer ESU to Windows 10 users, seemingly a lose-lose scenario. An interesting situation, isn't it. Apparently, it makes more sense for Microsoft to support an older operating system for a while longer than to let people upgrade to the new version. You will soon understand why I think this is.
Microsoft account is your Hotel California
The insistence on having a Microsoft account in your Windows as the "only" hard requirement for continued updates tells you everything you need to know about this circus. It's very simple. Security is either all or nothing. If you stratify it by arbitrary requirements, it's a game of humiliation and conditioning. A Windows system can have a local account, an online account, or both. The security patches are identical either way. Punishing users who refuse to play the cloud game means the security problem isn't such a big deal. Indeed, it isn't, as I outlined in my Windows 10 EOL guide. Typical noise and huff.
Right now, out there, you have hundreds of millions, if not a billion, Windows 10 systems. Most users won't be aware of the possibility of utilizing the ESU, or if they are, they won't know how to set it up. In the end, there will be hundreds of millions of Windows 10 machines without patches, probably because their users cannot or refuse to set up online accounts. If Microsoft is okay with this state of affairs, you should be, too. After all, if the possibility of several hundred million machines not receiving any patches isn't a big deal, then it isn't a big deal. Indeed, when Windows 7 came out of support, it still held about 25% market share. There was no consumer ESU (only a paid one for business customers). Thus, history tells us that 25% EOL no-patching systems is fine. So you can relax. Statistics FTW.
This means that Microsoft really, really wants you to use online accounts in Windows. In my opinion, this is the driving force behind the ESU. Get people into the cloud and hook them on forever.
Think about it for a moment, will you:
- A local account lasts forever. An online account is controlled by the company that provides the infrastructure, in this case, Microsoft. For all practical purposes, Microsoft can disable or delete an online account registered in their platform. They cannot do anything with a local account.
- You can keep a Windows machine offline forever. Set it up with a local account, disable networking, and you're golden. As I wrote in my Windows 10 EOL guide, this is exactly what I'm going to do soon. I have a Windows 10 machine with Microsoft Office 2010 installed on it, specifically for writing. This system will not have Internet access. I can keep using it offline for 20 years if necessary, and there's nothing on it that requires online functionality or a periodic online check to keep working. I retain 100% control.
- With the cloud setup, with an online account, you have exactly 0% control.
Once you create an online account and use it as your primary method to log into your Windows host, you no longer have control over that system. Perhaps Microsoft will never exercise its remote rights over your (their) account, but that possibility exists, and it's now part of your setup.
Furthermore, even if EEA users don't need to "sync" their settings into the cloud once they create a Microsoft account, in reality this is what will happen:
- The account setup is mostly opt-out, not opt-in. Most crappy toggles will be set to on, as I've shown you multiple times, EVEN for local accounts. Take a look at my Windows 11 usability guide for all the things one needs to disable - not enable, disable - to have a quiet local system that does not "phone home". Practically, an online account means lots of stuff synced into the cloud automatically. You can delete stuff later, but that's after the fact. Look at the CDP article, too, if you will.
- Most people won't know or care about their defaults, so the syncing will occur.
- Once in the cloud, people will have a hard time leaving the ecosystem.
- Long term, Windows 10 goes out of support, people now sort of "have to upgrade", and Microsoft has a whole bunch of "committed" users who can't easily log off the cloud platform. Microsoft wins; the user loses control over their own hardware.
And the online account is only the beginning
I don't want to sound like some conspiracist loony. I'm merely looking at the state of affairs. Ask yourself, why is the Windows 11 TPM requirement so important? The simple answer is: security. This is what Microsoft has been saying. TPM is necessary for modern security. Supposedly. Ignore the fact that YOUR data will be leaked and hacked and stolen from a hundred different online (cloud) systems with crappy IT security. Your laptop will be secure, but your online data will be peddled to the highest bidder. Along the way, expect healthcare providers, EV charging companies, airports, or car manufacturers to end up compromised. But TPM!
But then ... even if you play along with Microsoft's logic, TPM wise, how do you reconcile the above with Windows 10 local account systems getting no ESU?
- If security is important, everything should get it, right?
- If it's not that critical, then why insist on the TPM requirement, right?
I struggle to find an explanation that can wed these two possibilities. Well, there's one, and it's pure conjecture, but it ties nicely into the TPM nonsense.
TPM stands for Trusted Platform Module. It's a dedicated chip (or a firmware equivalent) on your motherboard that holds keys and records measurements of the boot chain, from the moment you turn the power on, through firmware and bootloader, and into the operating system. On its own it doesn't block anything; it keeps a tamper-evident record and can refuse to release a key (the BitLocker disk key, for instance) if the record doesn't match what was sealed. In other words, TPM makes a system harder to subvert without notice. Useful for enterprises, meaningless and totally overblown for home users.
On its own, this isn't bad. The TPM specification itself is openly published by the Trusted Computing Group. Except ... with TPM in place, you as the end user have ZERO control over your machine. If you need convincing, think about Secure Boot (another would-be security feature).
- Secure Boot was added (on platforms with UEFI) as a, well, secure boot mechanism.
- Only "verified" bootloaders and kernels can run on systems with Secure Boot enabled. Technically, this shouldn't be a limitation, but guess who controls the signing? The keys that ship on virtually every PC are Microsoft's, and most Linux distributions boot only because their shim bootloader carries a Microsoft signature. Indeed, if you have a Linux distribution that does not support this technology, it cannot boot on a machine with active Secure Boot, unless you enroll your own keys or turn the feature off.
- Even if platform specifications are open, vendor implementations aren't. Indeed, there are laptops and such where the user cannot access the BIOS/UEFI setup or make certain modifications. The best example of locked-down systems are smartphones. Most smartphones cannot be easily modified to run non-vendor ROMs. On custom-built desktops, you can easily disable Secure Boot and run anything you like. Indeed, desktop wise, I most warmly recommend you disable Secure Boot with any and all operating systems, if possible.
- Thus, there's already a mechanism that can potentially prevent you from using your hardware any which way you want, in the name of security. It's always security, one way or another, used as the banner for taking away freedoms and privacy and such, and keeping the sheep docile. Technology hasn't really changed this simple anthropological fact. In fact, it made it that much easier.
Back to TPM ...
TPM is the other half of the same design. Secure Boot refuses to run unsigned boot code; the TPM records what did run and hands out keys (BitLocker's, for instance) only if the record matches. Windows 11 requires both turned on, and for all practical purposes they now arrive as a bundle (disk encryption is already on by default on clean installs of Windows 11 24H2, so that piece of the must-have set is here). Thus, effectively, if you're to buy a new rig today, you are getting a machine that's designed to only run "trusted" operating systems and programs. Not explicitly. Implicitly. That effectively means whatever Microsoft deigns useful. Not enforced. Yet. Again, the company may never exercise its de-facto veto rights on execution, but the technology allows that, and for all practical purposes, most implementations actively support that.
Yes, you could have your own system with a "free" TPM implementation plus "free" firmware. Yes. Now, please, show me one laptop that does that and is actually useful. For all practical purposes, you will buy a system with proprietary firmware all the way up, and if you want to run something other than a "pre-approved" operating system, it's only through whim and luck that you get to do so. To be fair, this has been the case for the past forever. Pretty much every laptop or desktop you have today is composed mostly of proprietary blobs except maybe the operating system. So far, the end user has mostly had the freedom to do whatever they like. But until now, desktop/laptop operating systems did not mandate any sort of hardware-level security.
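Since the argument above turns on which of these pieces are switched on and whether you can still get at your own data without Microsoft, here is an added example (not from the original article) of how to audit that state on a Windows 10/11 box. It is a PowerShell script, run from an elevated prompt, that reports TPM presence and spec version, Secure Boot state, BitLocker status on the system drive (including whether a recovery password protector exists at all, the "you never bothered with those recovery keys" case), and whether the enabled accounts on the machine are local or Microsoft accounts, which ties back to the local-versus-online account section earlier. The cmdlets used (Get-Tpm, Confirm-SecureBootUEFI, Get-BitLockerVolume, Get-LocalUser) ship with Windows; the report layout and the interpretation strings are my own, and the BitLocker module may be unavailable on some editions, which the script handles by saying so rather than failing.

```powershell
# Added audit script, not part of the original article. Run as Administrator.
# Collects the "trusted computing" state discussed above into one report.

$report = [ordered]@{}

# 1. TPM: present and ready? Get-Tpm needs admin rights; on a machine without
#    a TPM (or with it disabled in firmware) TpmPresent comes back $false.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $report['TPM present'] = $tpm.TpmPresent
    $report['TPM ready']   = $tpm.TpmReady
} catch {
    $report['TPM present'] = "unknown ($($_.Exception.Message))"
}

# Spec version (1.2 vs 2.0) is exposed through WMI, not through Get-Tpm.
$tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$report['TPM spec version'] = if ($tpmWmi) { $tpmWmi.SpecVersion } else { 'n/a' }

# 2. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines,
#    so a thrown error means "not a UEFI system" rather than "off".
try {
    $report['Secure Boot enabled'] = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    $report['Secure Boot enabled'] = 'not UEFI / unsupported'
}

# 3. BitLocker on the OS drive. A disk key sealed to the TPM with no recovery
#    password anywhere is the lock-out scenario the article describes: change
#    the boot chain (new firmware, another OS, a replaced board) and the TPM
#    will not release the key.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($os) {
    $report['BitLocker status']      = $os.ProtectionStatus            # On / Off
    $report['BitLocker protectors']  = ($os.KeyProtector.KeyProtectorType -join ', ')
    $report['Recovery password set'] = [bool]($os.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
} else {
    $report['BitLocker status'] = 'BitLocker module unavailable on this edition'
}

# 4. Local vs Microsoft account. PrincipalSource on Get-LocalUser output is
#    'Local' for a classic account and 'MicrosoftAccount' for a cloud-backed one.
$accounts = Get-LocalUser | Where-Object Enabled | Select-Object Name, PrincipalSource
$report['Enabled accounts'] = ($accounts |
    ForEach-Object { "$($_.Name) [$($_.PrincipalSource)]" }) -join '; '
$report['Current user'] = "$env:USERDOMAIN\$env:USERNAME"

[pscustomobject]$report | Format-List
```

If the report shows BitLocker on, a TPM protector, and no recovery password, fix that before touching firmware settings, Secure Boot, or a second operating system: print the recovery key (manage-bde -protectors -get $env:SystemDrive, or Add-BitLockerKeyProtector -RecoveryPasswordProtector to create one) and keep it somewhere that is not the Microsoft account you are trying to avoid.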
TPM wouldn't be an issue if it were possible to decouple Microsoft from the chain of authority, and make it an equal player to all others (except there aren't any other viable or important players in the desktop space). Practically, Microsoft rules this space, and is also the main if not the only decision maker. Thus, Microsoft has the luxury of playing the long game of patience. All they need to do is outlast the stubborn boomers and nerds who refuse the cloud Utopia.
I am also aware that this wasn't the "plan" from the start. If you ever attended any meeting in any sort of tech company, you know there's no plan. Only confused micro-managers running circles around buzzwords. No one is that smart or visionary, despite everyone claiming retrospective genius. So you can drop the Dr. Evil clause from your vocabulary.
But slowly, surely, step by step, Windows went from no activation (only a serial key) to "Genuine Advantage" to keys embedded in the firmware to a digital license tied to your hardware and kept on Microsoft's servers. So if you want to relocate your Windows license, there's that mandatory online ping, just to keep the boomers in check. And let's be real, who do all these checks stop or inconvenience? Only the legit users or people who need to replace a fried motherboard. Those who want to run pirated software have no trouble whatsoever. Funnily, nowadays, Microsoft doesn't seem to really care about your serial key anymore. That's no longer interesting in the larger scheme of things.
Now, there's a golden opportunity. Finally! Bundle ESU with online accounts, get a few dozen if not hundred million people into the Borg enclave. People start using their systems with little to no separation from the cloud ecosystems, they get used to it, they get dependent on it. Boom! Mission accomplished.
A few years from now, Microsoft will have the ability to force upgrades - if you don't upgrade, your cloud thingie won't work anymore on "unsupported" hardware or software - just like on smartphones or IoT turdlings. This happens all the time with all sorts of apps. Best example: crappy "smart home" speakers and bells and such, whereby the parent company decides not to bother anymore, and you lose access, functionality or both. With local, offline programs, you have full control, and you always will. With anything that relies on cloud infrastructure even in some small way, you have no control. You're at the financial mercy and benevolence of whoever controls the service.
You decide to rebel. But then ... your options are limited. Now, all systems run with TPM 2.0 or higher, Secure Boot, encryption (BitLocker no less), some future security mechanism you didn't think about, passkeys (quite possibly tied to your smartphone, so that joins the circus too), and only approved programs are allowed to run. No one says no to you. Never directly. You can do whatever you want. It's just that the cost of signing your program with all the keys needed to get into the trusted circle is so prohibitive that only the big players can do it, and thus, effectively, you only use the software the big companies want you to use.
You wanna run Linux? Oops, your distro kernel isn't signed, sorry. You wanna disable TPM and Secure Boot? Maybe the hardware platform will let you (due to anti-competitiveness laws and such, maybe), but then you cannot run Windows anymore, and you have all that data in the cloud, and you totally depend on it, because you're using an online account, and you never bothered with those recovery keys and such.
The best part, no one will ever say no, because that's naughty and regulators don't like that. It's just the rules and price of admission into the elite will be such that you won't be allowed to participate, and you will have to remain a poor, obedient peasant that you are.
You think I'm being cynical or crazy. Take your smartphone. Look at it. Now tell me how much freedom you have when it comes to what runs, when it runs and such. Can you block ads in all of the browsers on your Android? Hi hi. How easy is it to run Android without Google Play integration? How easy is it to obtain root on your phone and block whatever you like? Grab your iPhone, and tell me what you can enable or disable. Now, imagine your desktop or laptop 10-20 years from now, once all the dinosaurs from before the Internet era have died out or retired beyond caring. That's your beautiful computing future.
Don't want it? Don't use online accounts on your desktop. Duh!
Conclusion
I really think you shouldn't use the ESU unless you're already running a Microsoft account or unless Microsoft relaxes the requirements some more. Also, the ESU page still doesn't tell you what happens with Home versus Pro. Based on that text, commercial use is nyet with ESU, which means you would effectively "downgrade" your Pro license if you were to use it. Not sure, but there's no clear explanation. Thus, I would err on the side of caution rather than be in violation of license agreements and such.
But yeah, online account, nope. Not a good idea. The problem isn't today. It's 10 years from now. Once you submit yourself a little, you will submit yourself a little more, until you lose all control over your computing estate. If you don't mind that, bon voyage. If you're not keen on this idiocracy experiment, don't do it. I've been hearing about TPM since around 2004. Now, it seems to be finally happening. Small steps, so no one protests too much.
The worst thing is, there's no alternative. You can get a MacBook out of pure spite, but you won't gain any tinkering freedom. Linux remains a joke in the desktop space, through a series of self-defeating projects. So you simply need to choose what bothers you the least. I've been using Windows for 30 years or so, and I have no intention of using Windows 11. It's a peasantly cry of protest, an illusion of free will and control, but at least it's something I can do, so I'm doing it.
Actually, if you think about it, Microsoft DID blink. The Windows users did exercise their power, and it still counts for something. If 50% of users keep saying NO, then Microsoft won't really have much choice. And even if a fraction of those users leave the pasture for Mac, you will suddenly see Windows 12 with all sorts of rosy, friendly settings. Thus, I say, cling on to your local accounts, don't let go of Windows 10 for as long as possible, and maybe, just maybe, the future of computing won't be as crappy as it currently seems.
Cheers.