What "end of support" actually means
When Microsoft ends support for an operating system, it stops releasing security patches, bug fixes and feature updates for it. The software doesn't stop working on that date – your machines will boot and run as normal the next morning – but from that point forward, any vulnerability discovered in Windows 10 will remain unpatched permanently.
This is a fundamentally different situation from running an old but still-supported OS. Supported software has a known, predictable security posture: vulnerabilities get found, patches get released, you apply them. Unsupported software has an open-ended, growing attack surface. Every new vulnerability researchers or attackers discover becomes a permanent weakness, because Microsoft has no obligation to fix it.
The end-of-support date for Windows 10 was 14 October 2025. Microsoft announced this years in advance. The NCSC explicitly recommended upgrading before that date. For businesses still running it now, the deadline has already passed – the question is what to do next.
Why so many businesses haven't upgraded yet
The scale of the upgrade problem is significant. StatCounter data from early 2026 suggests Windows 10 still accounts for roughly 60% of the Windows device market globally – meaning the majority of Windows machines in use worldwide haven't yet moved to Windows 11. That figure reflects a mix of consumer and business devices, but the business share is substantial.
Several factors explain the lag. Windows 11 introduced a hardware requirement – TPM 2.0 (Trusted Platform Module 2.0) – that many older PCs don't meet. Devices manufactured before approximately 2018 are particularly likely to lack TPM 2.0 support, which means an in-place OS upgrade isn't possible. Upgrading those machines means replacing hardware, not just updating software – a much more significant project in terms of cost, planning and disruption.
Beyond hardware, there's the question of application compatibility. Some businesses run line-of-business software – bespoke applications, older ERP systems, specialist tools – that hasn't been tested on Windows 11, or where the vendor hasn't confirmed support. Upgrading the OS without first confirming that business-critical applications will function correctly is a risk most IT teams are rightly cautious about.
Neither of these is an excuse to stay on Windows 10 indefinitely. They're reasons why the upgrade requires planning – not reasons to avoid it.
The security risk of staying on Windows 10
The practical security risk is straightforward: any vulnerability discovered in Windows 10 after 14 October 2025 will never receive a patch from Microsoft. Attackers know this. Historically, the period following an OS end-of-support date sees increased targeting of that OS, and the mechanism is well understood: Windows 10 and Windows 11 share a large amount of code, so every fix Microsoft ships for Windows 11 effectively discloses a flaw that is likely to be present, and will stay present, in Windows 10. Attackers diff the Windows 11 patch, locate the fixed code, and check whether the same code exists in Windows 10. The devices still running it represent an attractive, growing pool of permanently exposed targets.
Windows XP's end of life in 2014 and Windows 7's in 2020 both resulted in sustained attack campaigns against businesses that hadn't upgraded. The pattern is consistent. Businesses that delay upgrades become the easier targets once the security community's attention moves on.
For businesses holding sensitive customer data, the risk isn't just operational – it's regulatory. Running unsupported software that suffers a breach is difficult to defend under UK GDPR, where organisations are required to implement appropriate technical measures to protect personal data. "We were still on Windows 10" isn't a defence the ICO is likely to find compelling.
Windows 10 and Cyber Essentials – the compliance problem
The Cyber Essentials scheme requires that software within scope is licensed, supported and receiving security updates. Running software that is no longer supported – and therefore no longer receiving patches – is grounds for failing certification. This isn't a grey area or an interpretation question: unsupported software fails the security update management control (the control older versions of the scheme called patch management).
If your business holds Cyber Essentials certification and is still running Windows 10 on devices within the assessment scope, your certification is at risk. When you come to renew, assessors will check that your operating systems are supported and patched. Windows 10, from October 2025 onwards, doesn't meet that test.
The upcoming Cyber Essentials v3.3 update – due in April 2026 under the codename Danzell – tightens the patching requirements further and makes unsupported software harder to exclude from scope. Businesses that wait until their renewal to address this will find themselves remediating under stricter conditions than exist today.
If Cyber Essentials certification is relevant to your business – because you supply government contracts, because clients require it or because cyber insurers ask for it – resolving the Windows 10 situation before your next renewal isn't optional.
Extended Security Updates: a sticking plaster, not a solution
Microsoft offers a paid programme called Extended Security Updates (ESU) for businesses that cannot upgrade immediately. ESU provides continued security patches beyond the end-of-support date – but it comes with significant caveats.
Year one of ESU costs approximately $61 per device per year. The cost doubles each year: year two is approximately $122 per device, year three approximately $244 per device. ESU is available for a maximum of three years, which takes Windows 10 devices to October 2028 at most. After that, there is no further support mechanism – devices must be upgraded or replaced.
ESU does not resolve the Cyber Essentials problem cleanly. Some certifying bodies may accept ESU-enrolled devices as meeting the patch management control; others may not. The scheme wasn't designed with Cyber Essentials compliance in mind, and the interpretation isn't uniform.
More fundamentally, ESU is expensive relative to the cost of hardware replacement when you factor in the three-year cumulative cost, and it doesn't address the underlying issue – which is that these devices need to be on a supported, modern operating system. Using ESU to buy time while you plan a proper migration is reasonable. Using it as a permanent strategy is not.
Hardware compatibility and the upgrade path
The first step in any Windows 11 migration is understanding which devices in your fleet can upgrade and which can't. Windows 11 requires TPM 2.0, UEFI firmware with Secure Boot capability, a 64-bit processor on Microsoft's supported CPU list (broadly Intel 8th generation and AMD Zen 2 or later), at least 4GB of RAM and 64GB of storage. In practice, TPM 2.0 and the CPU list are the most common blockers for older hardware. Note that a TPM is often present but disabled in firmware (Intel PTT or AMD fTPM), which is a settings change rather than a hardware replacement.
Microsoft provides a PC Health Check tool that assesses whether a device meets Windows 11 requirements. For a managed estate, running this assessment across all devices – and collating the results into a clear inventory – is the starting point. This gives you three distinct groups: devices that can upgrade today, devices that can't upgrade and need to be replaced, and devices where compatibility requires investigation (older hardware where TPM 2.0 might be available but needs enabling in firmware settings).
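For a managed estate, the same checks PC Health Check performs can be scripted and collated into the three-group inventory described above. The following is an added example written for this article, not Microsoft's tool or its code. It assumes an elevated PowerShell session (the TPM and Secure Boot queries need administrator rights), and it approximates the supported-CPU list with a minimum core count and clock speed because the full list is not reproduced here; the CPU model is recorded so it can be checked against Microsoft's published list.

```powershell
# Added example (not from the original article): Windows 11 readiness check that
# sorts a device into Ready / Investigate / Replace. Run elevated.
function Get-Win11Readiness {
    [CmdletBinding()]
    param()

    $blockers    = New-Object System.Collections.Generic.List[string]
    $investigate = New-Object System.Collections.Generic.List[string]

    # TPM: Win32_Tpm exposes SpecVersion such as "2.0, 0, 1.38". No instance at all
    # usually means the TPM is disabled in firmware (fTPM/PTT), not absent.
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        $investigate.Add('No TPM visible to Windows: check firmware for fTPM/PTT before writing the device off')
    } elseif (-not $tpm.SpecVersion.StartsWith('2.0')) {
        $blockers.Add("TPM spec version $($tpm.SpecVersion); 2.0 required")
    } elseif (-not $tpm.IsEnabled_InitialValue -or -not $tpm.IsActivated_InitialValue) {
        $investigate.Add('TPM 2.0 present but disabled or not activated in firmware')
    }

    # Secure Boot: the cmdlet throws on a legacy-BIOS boot. Many such machines have UEFI
    # available in firmware, and mbr2gpt.exe can convert the disk, so this is 'investigate'.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $investigate.Add('UEFI boot but Secure Boot disabled') }
    } catch {
        $investigate.Add('Booted in legacy BIOS mode: check whether firmware supports UEFI (mbr2gpt.exe can convert the disk)')
    }

    # Processor: Architecture 9 = x64, 12 = ARM64. Anything else is a hardware blocker.
    # A 32-bit OS on 64-bit hardware is not a blocker but needs a clean install.
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance Win32_OperatingSystem
    if ($cpu.Architecture -notin 9, 12) {
        $blockers.Add("Processor is not 64-bit (architecture code $($cpu.Architecture))")
    } elseif ($os.OSArchitecture -notlike '64*') {
        $investigate.Add("32-bit Windows on 64-bit hardware: no in-place upgrade path, clean install required")
    }
    if ($cpu.NumberOfCores -lt 2 -or $cpu.MaxClockSpeed -lt 1000) {
        $blockers.Add("CPU below 2 cores / 1 GHz ($($cpu.NumberOfCores) cores, $($cpu.MaxClockSpeed) MHz)")
    }

    # Memory and system disk. TotalPhysicalMemory excludes firmware-reserved memory,
    # so a 4 GB machine reports about 3.9 GB; allow for that.
    $ramGB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    if ($ramGB -lt 3.75) { $blockers.Add("$ramGB GB RAM; 4 GB required") }
    $sysDisk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $diskGB  = [math]::Round($sysDisk.Size / 1GB)
    if ($diskGB -lt 64) { $blockers.Add("$diskGB GB system disk; 64 GB required") }

    $group = if ($blockers.Count) { 'Replace' } elseif ($investigate.Count) { 'Investigate' } else { 'Ready' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Group        = $group
        CpuModel     = $cpu.Name.Trim()   # still check this against Microsoft's supported-CPU list
        TpmSpec      = if ($tpm) { $tpm.SpecVersion } else { 'none' }
        RamGB        = $ramGB
        DiskGB       = $diskGB
        Blockers     = $blockers -join '; '
        Investigate  = $investigate -join '; '
        Checked      = (Get-Date).ToString('s')
    }
}

# Usage: run locally, or fan out to a list of hostnames (devices.txt is a hypothetical
# input file) and collate the results into the migration inventory.
# Invoke-Command -ComputerName (Get-Content .\devices.txt) -ScriptBlock ${function:Get-Win11Readiness} |
#     Export-Csv .\win11-readiness.csv -NoTypeInformation
Get-Win11Readiness | Format-List
```

The Investigate group is deliberately broad: a missing or disabled TPM and a legacy-BIOS boot are the two findings most often resolved with a firmware change rather than a purchase, so they should never be counted as replacements until someone has looked at the firmware settings.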
For devices that need hardware replacement, this is an opportunity to plan refresh cycles sensibly rather than reactively. Businesses that have been running hardware past its natural refresh point often find that replacing it in an organised migration is considerably less disruptive than emergency replacement following a security incident or hardware failure.
Application compatibility testing should run in parallel with hardware assessment. Identify your business-critical applications, check vendor support statements for Windows 11, and test in a non-production environment before rolling out to users. Most modern applications work without issue; older or bespoke software needs explicit verification.
How to plan a managed upgrade
A managed Windows 11 migration for a small or medium-sized business typically runs in four stages: assess, plan, deploy and verify.
Assess. Inventory every device in scope. Identify which meet Windows 11 requirements, which need hardware replacement and which require further investigation. Document your business-critical applications and check compatibility. This stage produces a clear picture of the work involved and the costs.
Plan. Sequence the rollout. Prioritise devices that are most exposed – those used for internet-facing tasks, those holding sensitive data, those used by staff who are high-value targets for phishing or credential theft. Identify the hardware procurement and lead times for devices that need replacement. Set a realistic timeline that doesn't create excessive disruption to operations.
Deploy. For devices that can upgrade in place, deploy Windows 11 through your standard software management tooling – whether that's Microsoft Intune, Windows Server Update Services or a managed service provider's platform. For devices that need replacing, provision new hardware with Windows 11 pre-installed and migrate user data and settings. Test business-critical applications on upgraded or new devices before decommissioning old ones.
Verify. Confirm that all devices in scope are running a supported OS, that patches are being applied and that your Cyber Essentials posture is restored. Update your asset inventory to reflect the new state. If you're renewing Cyber Essentials, this verification stage feeds directly into your certification evidence.
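The verify stage can also be scripted so the evidence is repeatable. The following is an added example written for this article, not code from the original page or from the Cyber Essentials scheme. It assumes the scheme's 14-day window for applying high-risk updates as the default threshold, and it relies on Get-HotFix, which lists cumulative updates but not every component update, so a stale result is a prompt to check Windows Update on that device rather than proof that patching has failed.

```powershell
# Added example (not from the original article): post-migration check that a device
# is on Windows 11 and is still receiving updates.
function Test-SupportedAndPatched {
    [CmdletBinding()]
    param([int]$MaxPatchAgeDays = 14)   # Cyber Essentials expectation for high-risk updates

    $os    = Get-CimInstance Win32_OperatingSystem
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$os.BuildNumber

    # Windows 11 builds start at 22000; lower builds are Windows 10 or older.
    # Windows 10 LTSC editions have their own support dates and are reported, not failed.
    $isWin11 = $build -ge 22000
    $isLtsc  = $os.Caption -like '*LTSC*'

    # Most recent update with a recorded install date.
    $lastPatch = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $patchAge = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { $null }

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $isWin11 -and -not $isLtsc) {
        $findings.Add("Still on build $build ($($os.Caption)): unsupported since 14 Oct 2025 unless ESU-enrolled")
    }
    if ($null -eq $patchAge) {
        $findings.Add('No update install history found')
    } elseif ($patchAge -gt $MaxPatchAgeDays) {
        $findings.Add("Last update $($lastPatch.HotFixID) installed $patchAge days ago (limit $MaxPatchAgeDays)")
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OS            = $os.Caption
        Version       = $ver.DisplayVersion   # e.g. 24H2; each Windows 11 version has its own support end date
        Build         = "$build.$($ver.UBR)"
        LastPatch     = if ($lastPatch) { $lastPatch.HotFixID } else { 'none' }
        LastPatchDays = $patchAge
        Compliant     = ($findings.Count -eq 0)
        Findings      = $findings -join '; '
    }
}

# Usage: run locally, or fan out (devices.txt is a hypothetical hostname list) and keep
# only the exceptions for the renewal evidence pack.
# Invoke-Command -ComputerName (Get-Content .\devices.txt) -ScriptBlock ${function:Test-SupportedAndPatched} |
#     Where-Object { -not $_.Compliant } | Export-Csv .\patch-exceptions.csv -NoTypeInformation
Test-SupportedAndPatched
```

Being on Windows 11 is necessary but not sufficient: the DisplayVersion field matters because individual Windows 11 feature versions also reach end of servicing, and a device that upgraded to an early version and then stalled on updates will fail the same control a Windows 10 device does.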
The scale of this project varies considerably by organisation. A business with 20 devices and a relatively modern fleet can complete this in weeks. A business with 200 mixed-age devices, several line-of-business applications and no existing MDM tooling is looking at a more significant project. Either way, the sooner the assessment starts, the clearer the picture becomes – and the less likely you are to be scrambling when a renewal deadline or a security incident forces the issue.
Route B helps UK businesses plan and execute Windows 11 migrations – from hardware assessment to deployment.
Get in Touch