KB5068781: First Extended Security Update Released for Windows 10

Microsoft has officially released KB5068781, the inaugural Extended Security Update (ESU) for Windows 10, marking a significant milestone following the operating system’s end of mainstream support on October 14, 2025.

This crucial update ensures that enrolled devices continue to receive vital security patches, acting as a safety net for users and organizations who are not yet ready to migrate to Windows 11 or newer operating systems.

Understanding the Extended Security Update (ESU) Program

The Extended Security Updates (ESU) program is a paid subscription service designed to provide a bridge for users who need to continue operating Windows 10 devices beyond their official end-of-support date. It is not intended as a long-term solution but rather as a temporary measure to maintain security and mitigate risks while organizations plan their transition to a supported platform.

For individuals and organizations of all sizes, the ESU program offers a pathway to extend the use of Windows 10 devices securely. This program is particularly relevant given the large number of PCs still running Windows 10, estimated to be over 60% of all PCs worldwide as of late 2024.

The ESU program specifically provides access to “critical” and “important” security updates as defined by the Microsoft Security Response Center (MSRC). It is crucial to understand that ESU does not include new features, customer-requested non-security updates, or design change requests. General technical support for Windows versions past their end-of-support date is also not provided through the ESU program.

KB5068781: The First ESU Release

KB5068781, released on November 11, 2025, is the first cumulative security update delivered under the Windows 10 ESU program. This update is available to all devices that have been enrolled in the ESU program and are running Windows 10, version 22H2.

The update addresses 63 security vulnerabilities in total. Among these are fixes for 29 elevation of privilege vulnerabilities and 16 remote code execution vulnerabilities. Notably, KB5068781 patches a critical zero-day vulnerability, CVE-2025-62215, which could have allowed attackers unauthorized access to a system, enabling them to perform actions as an administrator.

In addition to these critical security fixes, KB5068781 also resolves a bug that erroneously displayed an “end of support” message on some ESU-eligible and LTSC devices. This display issue was a known bug that Microsoft has now corrected through this update.

Eligibility and Enrollment for ESU

To be eligible for KB5068781 and subsequent ESU updates, devices must be running Windows 10, version 22H2. For consumer ESU, devices must be running Home, Professional, Pro Education, or Pro for Workstations editions. Commercial environments have specific prerequisites: KB5066791 or a later update must be installed first, followed by the Extended Security Updates (ESU) Licensing Preparation Package for Windows 10 (KB5072653).

Enrollment for the consumer ESU program typically involves linking to a Microsoft account. There are several options for enrollment, including a no-cost option by syncing PC settings to a Microsoft account, redeeming Microsoft Rewards points, or a one-time purchase. A single ESU entitlement can cover up to 10 devices associated with the same Microsoft account.

It is important to note that devices enrolled in the consumer ESU program should not be joined to an Active Directory domain or managed by a Mobile Device Management (MDM) solution. However, Microsoft Entra registered devices are eligible.

Deployment and Installation of KB5068781

KB5068781 is designed to download and install automatically on PCs enrolled in the ESU program via Windows Update. The update size is approximately 200MB when delivered through Windows Update.

For administrators or users who prefer manual installation, the update is also available for download from the Microsoft Update Catalog. The standalone package from the Update Catalog is significantly larger, ranging from approximately 430MB to 776MB, depending on the system architecture. Installation can be performed interactively by running the downloaded .msu file as an administrator or silently using command-line tools like WUSA or DISM.

When installing the catalog package, it is essential to ensure that the device has a valid ESU entitlement or an applicable LTSC entitlement, as installation will fail otherwise. For commercial environments, administrators are advised to ensure that necessary servicing stack updates (SSUs) are installed, especially when staging packages for offline deployment.
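The manual path described above can be scripted as follows. This is an added example, not Microsoft's own tooling: it confirms the device is on Windows 10 22H2 (build 19045), verifies the package's Authenticode signature, and installs silently with WUSA. `$MsuPath` is a placeholder for the file downloaded from the Update Catalog.

```powershell
# Added example: pre-flight checks and silent install of a catalog .msu.
# Run from an elevated PowerShell session. $MsuPath is a placeholder.
param(
    [Parameter(Mandatory)][string]$MsuPath,
    [string]$KbId = 'KB5068781'
)

# 1. ESU updates apply only to Windows 10, version 22H2 (build 19045).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ([int]$cv.CurrentBuild -ne 19045) {
    throw "Build $($cv.CurrentBuild) is not Windows 10 22H2; $KbId does not apply."
}

# 2. Nothing to do if the update is already present.
if (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue) {
    Write-Output "$KbId is already installed."
    return
}

# 3. Refuse to install a package that is unsigned, tampered with,
#    or not signed by Microsoft.
$fullPath = (Resolve-Path -LiteralPath $MsuPath).Path
$sig = Get-AuthenticodeSignature -FilePath $fullPath
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Signature check failed for $fullPath (status: $($sig.Status))."
}

# 4. Silent install; the restart is left to the administrator.
$proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
    -ArgumentList "`"$fullPath`"", '/quiet', '/norestart' -Wait -PassThru

# 5. Interpret the WUSA exit code. A device without a valid ESU or
#    LTSC entitlement ends up in the default branch.
switch ($proc.ExitCode) {
    0       { Write-Output "$KbId installed." }
    3010    { Write-Output "$KbId installed; restart required." }
    2359302 { Write-Output "$KbId was already installed." }
    default {
        $hex = '0x{0:X8}' -f $proc.ExitCode
        throw "wusa.exe failed with exit code $hex; check entitlement and servicing stack."
    }
}
```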

Impact on Businesses and Organizations

The Extended Security Updates program, and specifically KB5068781, provides a critical security layer for businesses that are not yet ready to migrate from Windows 10. This is particularly relevant for organizations that rely on legacy applications or are facing delays in hardware upgrades, allowing them to maintain a secure posture while planning their transition.

For commercial customers, ESU is a paid subscription that can be purchased annually for up to three years. The pricing is structured to escalate each year, with Year 1 costing $61 USD per device, Year 2 at $122, and Year 3 at $244, totaling $427 over three years. This escalating cost is intended to strongly encourage organizations to migrate to newer operating systems.

ESU for organizations can be purchased through Microsoft’s Volume Licensing Program or via Cloud Solution Providers (CSPs). Certain virtualized scenarios, such as Windows 10 virtual machines in Azure or Windows 365 Cloud PCs, receive ESU at no additional cost for up to three years.

Limitations and Future Considerations

It is crucial to reiterate that the ESU program and KB5068781 are focused solely on security. No new features, performance improvements, or non-security bug fixes will be included in these updates. This means that Windows 10 will continue to lag behind Windows 11 in terms of capabilities and feature development.

The ESU program for Windows 10 is a temporary measure, with coverage for consumers ending on October 13, 2026, and for enterprise customers extending up to October 2028 with yearly renewals. Microsoft’s strategy with ESU is to provide a safety net while encouraging a transition to newer, more secure, and feature-rich operating systems like Windows 11.

Organizations and individuals still operating on Windows 10 should view the ESU program as a bounded window to execute a disciplined migration plan. This plan should prioritize security, compliance, and business continuity requirements to ensure a smooth and secure transition to a supported platform.
