Windows 10 end of life: what your business needs to do now

On 14 October 2025, Microsoft stopped issuing security patches for Windows 10. Every vulnerability found after that date stays open on any machine still running it. Around 30% of business machines in the UK and EU have had no security updates since. This guide covers what that means and what to do about it.

Cyvra Team
IT Management
29 May 2026

Key takeaways
  • Microsoft stopped all security patches for Windows 10 on 14 October 2025; every CVE found after that date is permanently open on unpatched machines
  • Around 28% of Windows machines in the UK and 26% in the Netherlands were still on Windows 10 in early 2026
  • Windows 11 requires TPM 2.0, which is the most common blocker for machines from 2016–2018; check BIOS before assuming replacement is needed
  • Extended Security Updates (ESU) are available at cost and buy up to three years of patches, but are not a substitute for migration
  • Cyber Essentials, ISO 27001 Annex A.8.8, and NIS2 Article 21 all require supported, patched operating systems

What end of life means in practice

End of life does not mean Windows 10 stops working. It means Microsoft stops fixing it. Patch Tuesday updates ceased on 14 October 2025. Any vulnerability discovered after that date, whether a zero-day exploited by ransomware groups or a disclosed CVE published in the National Vulnerability Database, stays open on Windows 10 machines indefinitely. No patch will come.

The comparison with Windows 7 end of life in January 2020 is instructive. Within months, exploit activity targeting unpatched Windows 7 machines rose sharply. Threat actors maintain lists of end-of-life operating systems precisely because the attack surface is known, permanent, and grows with every new CVE disclosure.

Beyond security, Windows 10 progressively loses third-party support. Software vendors update their compatibility matrices when a new version ships. Applications will continue to work in the short term, but vendor-supported configurations, driver updates for new hardware, and browser security improvements will stop being available on Windows 10 over the next one to two years.

The scale of the problem

Statcounter data from early 2026 puts Windows 10's share of Windows machines at approximately 28% in the UK and 26% in the Netherlands. For a 100-machine business estate, that is 26–28 devices that have had no security patches for over six months.

The concentration is higher in businesses that bought hardware in 2017–2019, either because those machines do not meet Windows 11's hardware requirements or because no migration was planned when Windows 11 was released in 2021. Many organisations only discovered the problem when Cyber Essentials assessors or ISO 27001 auditors flagged it.

  • 28%: share of Windows machines in the UK still running Windows 10, early 2026 (Statcounter)
  • Oct 2025: date Microsoft stopped all security patches for Windows 10
  • 3 years: maximum extension available through Extended Security Updates, until October 2028

Your three options

Option 1: Upgrade in place (free)

If the machine meets Windows 11 hardware requirements, the upgrade is free through Windows Update or the Windows 11 Installation Assistant. The process takes 45–90 minutes, preserves existing applications and files, and requires no licence purchase. For machines that qualify, this is the lowest-friction path.

The common blocker is TPM 2.0. Windows 11 requires a Trusted Platform Module at version 2.0. Many machines from 2016–2018 shipped with TPM 1.2 or with TPM 2.0 present but disabled in BIOS settings. Before deciding a machine cannot be upgraded, check the BIOS firmware settings. A TPM 2.0 chip that is disabled can be enabled in minutes and makes the machine eligible for a free upgrade. Run the Microsoft PC Health Check application on each device to confirm its eligibility status before planning anything else.

Option 2: Replace hardware

Machines that fail compatibility checks after BIOS inspection are candidates for replacement. A laptop on a 4–5 year refresh cycle would normally be due for replacement around this period anyway. The Windows 10 deadline accelerates a hardware refresh that was already on the horizon.

If replacing, standardise on a hardware specification. Consistent hardware reduces support complexity and makes imaging, deployment, and troubleshooting faster. Document the minimum spec for new purchases going forward so procurement decisions do not recreate the same problem in four years.

Option 3: Extended Security Updates (ESU)

Microsoft sells extended security patches for Windows 10 at £25–45 per device in year one, rising in years two and three. ESU is available until October 2028 through volume licensing agreements or, for Microsoft 365 Business Premium subscribers, at no additional cost for the first year.

ESU keeps machines patched against disclosed vulnerabilities, but does not restore feature updates, driver support for new hardware, or compatibility with future software releases. It is a bridge while planning and executing migration, not a permanent alternative. If your plan is ESU now and migration later, set the migration deadline before the ESU period expires.

ESU does not satisfy Cyber Essentials

Cyber Essentials requires that operating systems are supported and receive security updates from the vendor. Microsoft's published guidance states that ESU provides security updates, but assessors differ on whether ESU-covered machines count as fully supported. Consult your certifying body before relying on ESU as your compliance posture for Cyber Essentials assessments.

Auditing your estate

Before planning any migration, you need an accurate inventory of every device, its OS version, and its Windows 11 compatibility status.

If your organisation uses Microsoft Intune, run a device compliance report filtered by OS version. Intune can also run PC Health Check results at scale through a compliance policy. If you use another RMM platform, generate an OS inventory report from the management console. Where you have no remote management tooling, the Microsoft PC Health Check application can be run locally on each machine.

Export results to a spreadsheet and group devices into three categories: eligible for in-place upgrade, requires hardware replacement, and covered by ESU pending replacement. Create a prioritised remediation order: admin accounts and machines accessing finance systems, privileged data, or VPN-connected resources first.
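
The grouping and ordering described above, as an added example that is not part of Cyvra's tooling. The column names and sample rows are constructed, and ranking unpatched devices ahead of ESU-covered ones within the same risk tier is an assumption of this example.

```powershell
# Added example. Column names and rows are constructed; map them to your own export.
$inventory = @'
Device,OSBuild,Win11Eligible,EsuEnrolled,AdminUser,Finance,PrivilegedData,Vpn
LT-014,19045,True,False,False,False,False,True
LT-022,19045,False,False,True,True,False,True
PC-101,19045,False,True,False,False,False,False
PC-117,19045,True,False,False,True,True,False
LT-030,22631,True,False,True,False,False,True
PC-140,19045,False,False,False,False,False,False
'@ | ConvertFrom-Csv

function Get-RemediationPlan {
    param([Parameter(Mandatory)][object[]]$Devices)
    $riskColumns = 'AdminUser', 'Finance', 'PrivilegedData', 'Vpn'
    $Devices |
        Where-Object { [int]$_.OSBuild -lt 22000 } |   # builds 22000+ are already Windows 11
        ForEach-Object {
            $d = $_
            # The three categories from the text; later assignments take precedence.
            $category = 'Hardware replacement'
            if ($d.EsuEnrolled -eq 'True')   { $category = 'ESU pending replacement' }
            if ($d.Win11Eligible -eq 'True') { $category = 'In-place upgrade' }

            # Which of the "remediate first" conditions apply to this device.
            $hits = @($riskColumns | Where-Object { $d.$_ -eq 'True' })
            [pscustomobject]@{
                Device    = $d.Device
                Category  = $category
                HighRisk  = $hits.Count -gt 0
                Reasons   = $hits -join ', '
                Unpatched = $d.EsuEnrolled -ne 'True'   # no ESU means no patches since EOL
            }
        } |
        Sort-Object @{ Expression = 'HighRisk';  Descending = $true },
                    @{ Expression = 'Unpatched'; Descending = $true }, Device
}

Get-RemediationPlan -Devices $inventory | Format-Table -AutoSize
```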

Windows 11 hardware requirements

1. Processor: 64-bit, 1GHz or faster, at least two cores. Microsoft publishes a list of compatible processors. Most processors from 2018 onwards qualify.
2. RAM: 4GB minimum. 8GB recommended for business use under current application loads.
3. Storage: 64GB minimum free space. Most business machines from the past six years have at least 128GB, so this is rarely the blocker.
4. Firmware: UEFI with Secure Boot capability. Legacy BIOS machines cannot run Windows 11. Check BIOS mode in System Information (msinfo32).
5. TPM 2.0: The most common blocker. Check whether TPM is present but disabled in BIOS before assuming the machine requires replacement. Enable it, then re-run PC Health Check.
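
For machines with no remote management tooling, the following added example (not Microsoft's PC Health Check and not Cyvra's code) gathers the facts behind the requirements above from an elevated PowerShell session. The function name and verdict strings are assumptions of this example, and it does not check the processor against Microsoft's compatibility list.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's PC Health Check. It does not consult Microsoft's
# compatible-processor list, so a "Candidate" verdict still needs confirming.
function Get-Win11Readiness {
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $tpm  = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS or firmware without Secure Boot.
    $uefi = $true; $secureBoot = $false
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $uefi = $false }

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $tpmEnabled = [bool]($tpm -and $tpm.IsEnabled_InitialValue)
    $ramGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB)

    $failed = @()
    if ($cpu.DataWidth -ne 64 -or $cpu.NumberOfCores -lt 2 -or $cpu.MaxClockSpeed -lt 1000) { $failed += 'Processor' }
    if ($ramGB -lt 4) { $failed += 'RAM' }
    if (-not $uefi)   { $failed += 'Firmware' }
    if ($tpmVersion -ne '2.0' -or -not $tpmEnabled) { $failed += 'TPM' }

    # A TPM switched off in firmware may not be visible to Windows at all, so a
    # TPM-only failure means "inspect firmware settings", not "replace".
    $verdict = 'Review: ' + ($failed -join ', ')
    if ($failed.Count -eq 1 -and $failed[0] -eq 'TPM') { $verdict = 'Check firmware: TPM absent, disabled or not 2.0' }
    if ($failed.Count -eq 0)            { $verdict = 'Candidate: confirm with PC Health Check' }
    if ([int]$os.BuildNumber -ge 22000) { $verdict = 'Already on Windows 11' }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        OS         = $os.Caption
        Build      = $os.BuildNumber
        Uefi       = $uefi
        SecureBoot = $secureBoot
        TpmVersion = $tpmVersion
        TpmEnabled = $tpmEnabled
        RamGB      = $ramGB
        DiskGB     = [math]::Round($disk.Size / 1GB)       # reported for review, not gated
        FreeGB     = [math]::Round($disk.FreeSpace / 1GB)
        Verdict    = $verdict
    }
}

Get-Win11Readiness | Format-List
```

Piping the result to Export-Csv instead of Format-List gives one row per machine for the inventory spreadsheet.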

Compliance implications

Cyber Essentials requires that all software receives security updates from its vendor and is covered by a supported version. Windows 10 after October 2025 does not receive security updates. Any Cyber Essentials assessment will flag Windows 10 machines in scope as non-compliant with the patching and software requirements.

ISO 27001:2022, Annex A.8.8 (Management of Technical Vulnerabilities) requires that organisations identify vulnerabilities in their information assets and address them within a defined timescale. An operating system that permanently accumulates unpatched CVEs is a documented technical vulnerability for which an auditor will require a written remediation plan.

NIS2 (EU, Article 21) requires essential and important entities to maintain their systems in a secure state, including applying patches and updates. Dutch entities supervised by the NCSC-NL are expected to operate on supported software stacks. Unpatched, unsupported operating systems on in-scope systems are a control failure that supervising authorities will document.

Windows 10 did not become insecure on 14 October 2025. It stopped getting fixed.

Frequently asked questions

We have machines that fail the Windows 11 check but still work fine. Do we have to replace them?

From a performance perspective, no. From a security and compliance perspective, yes. A machine running Windows 10 after October 2025 receives no security patches. Every CVE disclosed after that date stays open permanently. If the machine handles business data, connects to your network, or can access email or cloud services, it represents an unpatched attack surface. Before assuming replacement is needed, check whether TPM 2.0 is present but disabled in BIOS. Enabling it may qualify the machine for a free in-place upgrade.

Can we just buy ESU and stay on Windows 10?

ESU keeps machines patched against disclosed vulnerabilities until October 2028, but does not restore full vendor support. Third-party software vendors will drop Windows 10 compatibility during the ESU period. Browser updates and hardware drivers for newer peripherals may stop being available. ESU is a valid short-term measure while you plan migration, not a long-term alternative. Set a migration deadline before the ESU window closes in 2028.

How long does an upgrade from Windows 10 to Windows 11 take per machine?

An in-place upgrade via Windows Update takes 45 to 90 minutes per machine, including two restarts. For a managed upgrade across a fleet using Intune or a deployment tool, you can stage and schedule the process during out-of-hours windows so it does not affect the working day. Confirm with key users that the machine can be unavailable for the required window before scheduling.

Will Windows 11 affect our existing business software?

Most business software that runs on Windows 10 runs on Windows 11 without change. The main exceptions are very old applications built for 32-bit Windows or applications that call OS components Microsoft changed in Windows 11. Before a fleet-wide upgrade, test your most business-critical applications on a Windows 11 machine. Where an application fails, check the vendor's compatibility statement. In most cases, updating to the current application version resolves the issue.

Disclaimer: This article is for general informational purposes only and does not constitute legal, regulatory, or professional advice. Cyvra makes no warranty as to the accuracy or completeness of this content, which may not reflect the most current regulatory developments. Readers should seek independent legal and regulatory advice appropriate to their specific circumstances. Cyvra accepts no liability for any loss arising from reliance on this content.