Windows 10 Is Dead. Is Your Business Still Running It?
On 14 October 2025, Microsoft stopped issuing security updates for Windows 10.
That was five and a half months ago. If your business has any machines still running standard Windows 10 without paid Extended Security Updates, those machines are operating without security patches. Every vulnerability discovered in the operating system after that date stays open permanently. Microsoft is not coming to fix it.
Let’s talk about how serious that is, and what you should do about it.
The Scale of the Problem
Windows 10 was, for years, the most widely used operating system in the world. Microsoft previously reported 1.4 billion active Windows devices globally. Industry analysts at Omdia estimated that around 550 million of those were running in corporate environments, and that roughly half would not complete the migration to Windows 11 in time for the October 2025 deadline.
In the UK specifically, consumer group Which? estimated that around 21 million people still owned or used a Windows 10 computer at the time support ended. A survey conducted in September 2025 found that 26 per cent of those users planned to keep using Windows 10 after support ended, fully aware it would no longer receive security updates.
That is tens of millions of devices, many of them in small business environments, running an operating system that is no longer receiving patches.
Why This Is Not a Minor Issue
When an operating system reaches end of support, two things happen simultaneously.
First, the vendor stops issuing security patches. Any new vulnerability found in the software stays permanently unaddressed. Attackers do not respect retirement notices. If anything, the end of support date is a green light: they now know that anything they find in the OS will never be fixed.
Second, and this is the part people miss, the final months of support tend to see a burst of publicly documented vulnerabilities as researchers and vendors rush to close known issues before the deadline. That documentation is now publicly available. Attackers have a catalogue of known weaknesses in Windows 10 with no corresponding patches.
The NCSC, in its guidance on obsolete products, is explicit: “Weaknesses found in unsupported products will remain unpatched and will be exploitable by relatively low-skilled attackers.” The emphasis on “relatively low-skilled” is significant. You do not need a sophisticated threat actor to exploit a known, unpatched vulnerability in an out-of-support operating system.
Research from end-of-life software specialists HeroDev found that end-of-life or end-of-support systems are four times more likely to be targeted than current, maintained applications.
The Windows 10 to Windows 11 Hardware Problem
Windows 11 has stricter hardware requirements than Windows 10. Notably, it requires a Trusted Platform Module (TPM) version 2.0 and a compatible processor. Many machines that ran Windows 10 perfectly well cannot run Windows 11. Omdia estimated that around 20 per cent of corporate machines that would not upgrade in time simply could not, because the hardware does not meet Windows 11’s minimum requirements.
That is a real problem with a real cost. For a business with 10 or 15 machines, hardware refresh is a meaningful capital expense.
Microsoft does offer a temporary escape valve: the Windows 10 Extended Security Updates (ESU) programme. For businesses, the cost is $61 per device in the first year, doubling to $122 in the second year and $244 in the third. It is designed as a short-term bridge, not a permanent solution. The consumer ESU programme runs for one year only, until October 2026.
If you are currently on Windows 10 with no ESU enrolment and no migration plan, you are in the worst possible position: unpatched, unprotected, and with no clear exit strategy.
The Compliance Dimension
Running out-of-support software is not just a security risk. It creates specific legal and contractual exposures.
UK GDPR. Article 32 requires organisations to implement “appropriate technical and organisational measures” to protect personal data. If you handle personal data on Windows 10 machines that are no longer receiving security updates, and you suffer a breach caused by an unpatched vulnerability, “appropriate technical measures” is going to be very difficult to defend. The Information Commissioner’s Office has consistently found against organisations that failed to maintain basic security hygiene.
Cyber Essentials. The UK government-backed scheme requires that all software is kept up to date and receives security patches from the vendor. An assessor finding Windows 10 machines without valid ESU enrolment will fail the assessment. For anyone supplying to central government or local authorities, Cyber Essentials is increasingly a commercial requirement.
Cyber insurance. Many cyber insurance policies now include explicit exclusions for incidents arising from out-of-support software. If you file a claim following a breach and the insurer’s forensics establish that the entry point was an unpatched Windows 10 machine, you may face a coverage denial. Check your policy wording. Ask your broker directly.
What to Do Right Now
Option one: Migrate to Windows 11. If your hardware meets the requirements, this is the right answer. Windows 11 is a free upgrade from Windows 10 on compatible devices. Check compatibility via Settings, then Update and Security, then Windows Update.
Option two: Enrol in ESU and plan the hardware refresh. If your hardware cannot run Windows 11, enrol in the Extended Security Updates programme as a temporary bridge and set a firm hardware replacement date within the next 12 months. ESU is not a long-term answer.
Option three: Replace the hardware. A machine that cannot meet Windows 11’s requirements is likely running hardware that is five or more years old. Budget for replacement as part of a planned refresh cycle, not as an emergency response.
Option four: Isolate and reduce the attack surface. If you genuinely cannot replace a machine immediately, take it off the main network, restrict its internet access, and ensure it does not store or process personal data. Set a hard replacement date.
What is not an option is doing nothing.
The “It Still Works” Trap
Windows 10 does still work. Your files open. Your applications run. Nothing has visibly broken.
But “working” and “secure” are not the same thing. A lock that opens with a copied key is still a lock. It still works. It’s just not protecting anything.
The vulnerabilities that accumulate in an unpatched OS are invisible until they are exploited. You won’t see them on the screen. You’ll see them in the ransom note, or in the ICO notification letter, or in the phone call from your bank.
How to Turn This Into a Competitive Advantage
Smaller businesses can move faster than larger ones. A 10-person business can audit its machines, identify the risk, and begin migration in a week. A large enterprise takes months.
If you complete your Windows 11 migration and can demonstrate it to clients, you have a concrete, verifiable answer to “how do you protect our data?” Adding “all devices run supported, patched operating systems” to your data protection documentation costs nothing once the migration is done. It differentiates you from competitors still making excuses.
How to Sell This to Your Board
Quantified risk. The cost of a cyber incident for a UK small business, factoring in downtime, recovery, legal notification, and regulatory exposure, is not trivial. Running out-of-support machines on known, unpatched vulnerabilities is the definition of preventable risk.
Specific liability. UK GDPR Article 32 and the ICO’s enforcement record are concrete regulatory hooks. A breach traced to an unpatched Windows 10 machine, on a company that was aware of the end-of-support date, is an extremely difficult enforcement conversation.
Costed solution. Come to the conversation with numbers. How many machines? Can they run Windows 11? What does ESU cost per device? What does hardware replacement cost? A specific, costed proposal is far more persuasive than a general warning.
What This Means for Your Business
- Audit your machines today. Check the Windows version on every device: Settings, System, About, Windows Specifications.
- Check Windows 11 compatibility. Use the free Microsoft PC Health Check app. It tells you definitively whether a machine can upgrade.
- Enrol in ESU if you cannot migrate immediately. This is a bridge, not a solution. Set a migration date while you are doing it.
- Replace hardware that cannot run Windows 11. Plan and budget for it. Do not defer indefinitely.
- Talk to your insurer and your IT provider. Your insurer needs to know your mitigation plan. Your IT provider needs to be accountable for the migration timeline.
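The audit and compatibility checks in the list above (and in option one earlier) can be scripted rather than clicked through per machine. The following PowerShell is an added example, not part of the original post or any Microsoft tool: it reports the OS build, whether the device is still on Windows 10, and the two hardware signals Windows 11 requires that are readable from the OS (TPM 2.0 and UEFI Secure Boot). It assumes an elevated session on a Windows host; it does not check the CPU against Microsoft's supported-processor list or detect ESU enrolment, so the PC Health Check app remains the definitive answer for upgrade eligibility.

```powershell
# Added example: inventory one machine's Windows 10 status and Windows 11
# readiness signals. Assumes an elevated PowerShell session on Windows.
# Win32_Tpm and Confirm-SecureBootUEFI need administrator rights.

function Get-Win10Status {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Windows 10 client builds run 10240 (1507) to 19045 (22H2); Windows 11
    # starts at 22000. The caption check excludes Windows Server builds that
    # fall inside the same numeric range.
    $isWin10 = ($os.Caption -like '*Windows 10*') -and ($build -lt 22000)

    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.59"; the first field is
    # the TPM specification version Windows 11 requires to be 2.0.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = $false
    if ($tpm -and $tpm.SpecVersion) {
        $tpm20 = $tpm.SpecVersion.Split(',')[0].Trim() -eq '2.0'
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as
    # "not enabled", since Windows 11 requires UEFI with Secure Boot capable.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSCaption        = $os.Caption
        Build            = $build
        IsWindows10      = $isWin10
        TPM20            = $tpm20
        SecureBoot       = $secureBoot
        # Windows 10 without ESU is unpatched; ESU enrolment is not detected
        # here, so confirm it separately for any machine flagged below.
        NeedsAction      = $isWin10
        Win11HwSignalsOK = $tpm20 -and $secureBoot
    }
}

# Local run. For a fleet, fan out over a hostname list, e.g.
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Get-Win10Status} | Export-Csv win10-audit.csv
Get-Win10Status | Format-List
```

Any row with NeedsAction set and no ESU enrolment is an unpatched machine; a row with NeedsAction set and Win11HwSignalsOK false is a candidate for the hardware refresh budget rather than an in-place upgrade.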
Sources
| Source | Article |
|---|---|
| Microsoft Support | Windows 10 support has ended on October 14, 2025 |
| Microsoft Learn | Windows 10 release information |
| NCSC | Obsolete products: guidance for organisations |
| NCSC | Getting your organisation ready for Windows 11 upgrade before autumn 2025 |
| The Register | Millions of business PCs still on Windows 10 as D-Day nears |
| GCIS Information Solutions (citing Which? / StatCounter) | Support Ends But Hundreds of Millions Still on Windows 10 |
| IT Pro | Applications and the afterlife: how businesses can manage software end of life |
| ICO | A guide to data security under UK GDPR |