New Update Microsoft announces new ESU programs for more versions of Windows

Parkinsond
Dec 6, 2023
Windows 10 entered the Extended Security Update (ESU) program after it reached end of support in October 2025. Under this program, users can continue to leverage the OS while receiving security updates. Now, Microsoft has announced new ESU programs for some other, older versions of Windows as well.

For those unaware, three more SKUs of Windows are reaching end of support within the next few months. But before we go into further details, keep in mind that Long-Term Servicing Branch (LTSB), referenced below, is the old name for Long-Term Servicing Channel (LTSC), and the two can be used interchangeably. Without further ado, here are the Windows SKUs reaching end of support:
  • Windows 10 Enterprise LTSB 2016: October 13, 2026
  • Windows 10 IoT Enterprise 2016 LTSB: October 13, 2026
  • Windows Server 2016: January 12, 2027
Following the aforementioned dates, these versions will no longer receive monthly quality updates, security updates, or technical support. However, organizations do have the option to purchase ESUs to continue receiving security updates.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

N/A (Administrative/Lifecycle Intelligence). Future failure to patch maps to T1190 (Exploit Public-Facing Application).

CVE Profile
N/A (General EOS Risk)
CISA KEV Status: Inactive.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

The following actions are required to mitigate the systemic risk outlined in the provided intelligence.

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate an enterprise-wide asset inventory audit to identify all instances of Windows 10 LTSB/IoT 2016 and Windows Server 2016.
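One way to run that inventory audit, as an added example that is not part of the post or the Neowin article (it assumes CIM/WinRM access to the hosts and a hosts.txt list): it classifies Win32_OperatingSystem records on build 14393, the 1607 code base shared by all three SKUs listed above, and computes the days remaining to the EOS dates named in the post.

```powershell
# Added example: flag hosts on the Windows 10 LTSB 2016 / IoT 2016 LTSB /
# Server 2016 code base (build 14393) and show time left to the EOS dates above.
function Get-LegacyWindowsStatus {
    param(
        [Parameter(ValueFromPipeline)] $Os,            # Win32_OperatingSystem-shaped object
        [datetime] $AsOf = (Get-Date)                   # evaluation date (override for planning)
    )
    process {
        if ([int]$Os.BuildNumber -ne 14393) { return }  # other builds are out of scope here
        if ([int]$Os.ProductType -ge 2) {               # 2 = domain controller, 3 = server
            $label = 'Windows Server 2016';               $eos = [datetime]'2027-01-12'
        } elseif ($Os.Caption -match 'IoT') {
            $label = 'Windows 10 IoT Enterprise 2016 LTSB'; $eos = [datetime]'2026-10-13'
        } elseif ($Os.Caption -match 'LTSB') {
            $label = 'Windows 10 Enterprise LTSB 2016';   $eos = [datetime]'2026-10-13'
        } else {
            # Plain Windows 10 1607 (non-LTSB) on the same build is already unsupported
            $label = 'Windows 10 1607 (already unsupported)'; $eos = $null
        }
        $daysLeft = if ($eos) { ($eos - $AsOf).Days } else { 0 }
        $action   = if ($daysLeft -le 180) { 'Migrate or enroll in ESU now' } else { 'Plan migration' }
        [pscustomobject]@{
            Host     = $Os.CSName
            Edition  = $label
            Build    = $Os.BuildNumber
            EosDate  = $eos
            DaysLeft = $daysLeft
            Action   = $action
        }
    }
}

# Live inventory (hosts.txt is an assumed input file; one hostname per line):
#   Get-Content .\hosts.txt |
#       ForEach-Object { Get-CimInstance Win32_OperatingSystem -ComputerName $_ } |
#       Get-LegacyWindowsStatus | Export-Csv .\eos-inventory.csv -NoTypeInformation

# Offline demo with constructed records (ProductType 1 = workstation, 3 = member server):
$sample = @(
    [pscustomobject]@{ CSName='LTSB-KIOSK01'; Caption='Microsoft Windows 10 Enterprise 2016 LTSB'; BuildNumber='14393'; ProductType=1 },
    [pscustomobject]@{ CSName='FS-2016-01';   Caption='Microsoft Windows Server 2016 Standard';   BuildNumber='14393'; ProductType=3 },
    [pscustomobject]@{ CSName='WS-22H2-07';   Caption='Microsoft Windows 10 Enterprise';          BuildNumber='19045'; ProductType=1 }
)
$sample | Get-LegacyWindowsStatus -AsOf ([datetime]'2026-04-01') | Format-Table -AutoSize
```

The third constructed host (build 19045) is dropped because it is not on the 2016 code base; swap the -AsOf date to see the action column flip as the October 2026 and January 2027 dates approach.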

Command
Secure budget allocation for either full OS migration or ESU enrollment (baseline $61/device/year, doubling annually).

DETECT (DE) – Monitoring & Analysis

Command
Configure SIEM to tag and highly monitor telemetry originating from legacy LTSC/Server 2016 endpoints as they approach the October 2026/January 2027 EOS dates.

RESPOND (RS) – Mitigation & Containment

Command
Isolate any legacy systems that cannot be upgraded or enrolled in the ESU program into strictly segmented network enclaves (VLANs) with zero internet access.

RECOVER (RC) – Restoration & Trust

Command
Execute a phased migration plan to supported operating systems (e.g., Windows 11 LTSC or Windows Server 2025) to return the environment to a secure, baseline state.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Update vulnerability management playbooks to account for the cumulative, multiplier-based cost structure of the Microsoft ESU program.

Remediation - THE HOME USER TRACK (Safety Focus)

Note
The Environmental Reality Check confirms this intelligence applies strictly to Enterprise/Server/IoT editions. Impact on standard Home users is theoretical.

Hardening & References

Baseline

CIS Benchmarks for Windows 10, Windows 11, and Windows Server.

Framework
NIST CSF 2.0 (Asset Management & Platform Security).

Source

Neowin.net

Official Microsoft FAQ