Is the Windows 10 December 2025 update mandatory for ESU users?
Microsoft has released the December 2025 Cumulative Update, labeled KB5071546, specifically for devices enrolled in the Extended Security Update (ESU) program. This update raises the operating system version to Build 19045.6691 (or 19044.6691). While this patch introduces no new visual features, it is a critical deployment for system integrity. It addresses active security threats that expose legacy Windows 10 systems to significant risk.
Security Analysis: Critical Vulnerabilities Patched
Although the official release notes are empty, analysis of the update shows that KB5071546 resolves 57 distinct security vulnerabilities. While the total count is slightly lower than the November patch, the severity is higher.
This update patches two zero-day vulnerabilities, one of which attackers are actively exploiting in the wild. For any device connected to a network, applying this update is urgent. The patch covers the following specific threat vectors:
- Remote Code Execution: 19 flaws that allow attackers to run code on your machine remotely.
- Privilege Escalation: 28 bugs that allow unauthorized users to gain administrative control.
- Spoofing: 2 vulnerabilities involving identity masking.
- Denial of Service: 3 issues capable of crashing system workflows.
Technical Change: PowerShell Security Hardening
The only functional modification users will notice involves Windows PowerShell. Microsoft identified a critical flaw where the Invoke-WebRequest cmdlet could execute malicious scripts embedded in webpages while parsing the response.
To mitigate this, the system now flags potential risks. When you run a script that parses web content, you will receive a warning advising you to use the -UseBasicParsing switch. This switch prevents the automatic execution of embedded code. This security behavior now aligns Windows 10 with the standards set in Windows 11 KB5072033.
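As an added example (not from Microsoft or the original article), the following Windows PowerShell 5.1 function statically audits script text for Invoke-WebRequest calls that omit -UseBasicParsing, so scripts that would trigger the new warning can be found and updated. The function name Find-UnsafeWebRequest and the sample script are constructed for illustration.

```powershell
# Added example: static audit for Invoke-WebRequest calls without -UseBasicParsing.
# Find-UnsafeWebRequest and the sample script are constructed for illustration.
function Find-UnsafeWebRequest {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Invoke-WebRequest plus its built-in aliases in Windows PowerShell 5.1.
    $names = 'Invoke-WebRequest', 'iwr', 'curl', 'wget'
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Visit every command invocation, including those inside nested script blocks.
    $commands = $ast.FindAll(
        { param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if (-not $name -or $names -notcontains $name) { continue }
        $basic = $false; $splat = $false
        foreach ($el in $cmd.CommandElements) {
            if ($el -is [System.Management.Automation.Language.CommandParameterAst]) {
                # Parameter names may be abbreviated; -UseB is the shortest unique prefix.
                # An explicit -UseBasicParsing:$false does not count as protection.
                $p = $el.ParameterName
                if ($p.Length -ge 4 -and
                    'UseBasicParsing'.StartsWith($p, [StringComparison]::OrdinalIgnoreCase) -and
                    -not ($el.Argument -and $el.Argument.Extent.Text -eq '$false')) {
                    $basic = $true
                }
            }
            elseif ($el -is [System.Management.Automation.Language.VariableExpressionAst] -and $el.Splatted) {
                $splat = $true   # parameters come from a hashtable; not resolvable statically
            }
        }
        if ($basic) { continue }
        [pscustomobject]@{
            Line    = $cmd.Extent.StartLineNumber
            Finding = if ($splat) { 'Review splatted parameters' } else { 'Missing -UseBasicParsing' }
            Command = $cmd.Extent.Text
        }
    }
}

# Constructed sample script used as input.
$sample = @'
$page = Invoke-WebRequest -Uri 'https://example.com/status'
$feed = iwr 'https://example.com/feed' -UseBasicParsing
$opts = @{ Uri = 'https://example.com/api' }
Invoke-WebRequest @opts
'@
Find-UnsafeWebRequest -ScriptText $sample | Format-Table -AutoSize
```

To audit files on disk, pass each file's contents with `Get-Content -Raw` as the ScriptText argument.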
Enrollment and Installation Protocols
Accessing KB5071546 requires active enrollment in the ESU program. The standard Windows Update channel will not deliver this patch to unenrolled devices.
Consumer Enrollment
Users can obtain one year of extended updates at no cost by signing in with a valid Microsoft account. The “Enroll now” wizard in the Windows Update settings handles this verification automatically.
Commercial/Local Accounts
Users preferring local accounts without Microsoft credentials must purchase the $29.99 ESU add-on.
Offline Installation
For systems with limited internet access or for bulk deployment, the offline installer (.msu) is available via the Microsoft Update Catalog. However, note that the installer verifies the machine’s ESU status before initializing. If the device lacks a valid ESU license, the offline installation will fail.