Windows 10 end of support: what actually happens on 14 October 2025

Windows 10 support ends on Tuesday, 14 October 2025. That switch does not power off devices; it changes the risk. Security updates for Windows 10 stop, which means exploits widen, and insurers, auditors, and procurement officers will ask more complex questions. Microsoft is clear about what ends, and that clarity needs a leadership response.

 

While Windows 10 will continue to operate effectively, with printers and line-of-business applications still functioning, it's important to note that Microsoft will halt security updates and feature enhancements for Windows 10 Home, Pro, Enterprise, and Education. This change affects all versions except for specific long-term servicing channels that have their own update schedules. Starting in October, users will need to be proactive about security, especially on internet-connected devices and laptops, to mitigate potential risks. Embracing newer versions or exploring alternative solutions can help ensure continued support and protection.

For UK organisations, there are two key aspects to consider regarding Microsoft's Extended Security Updates (ESU) for Windows 10. Firstly, Microsoft provides two enrollment options tailored to different needs. Consumers and very small businesses can register a device directly with Microsoft for a fee per device, while also benefiting from limited incentives that may offer no-cost options in specific situations. For larger organisations, ESU can be acquired through volume licensing, with pricing per device that increases annually over a maximum of three years. It's important to note that while ESU offers valuable transition time, it does not introduce new features. This can be a helpful strategy for maintaining security during the transition to newer systems.

Microsoft 365 Apps on Windows 10 will continue to receive security updates until Thursday, 10 October 2028. This extension addresses concerns regarding Office security during a phased migration. However, it is essential to note that the release of new features will slow down significantly before this date. Properly managing this timeline allows organisations the flexibility to plan pilots, prepare packages, and facilitate user transitions without feeling pressured to rush the process.

Recent reports indicate that millions of Windows 10 users are likely to continue using unsupported devices after the official deadline in the UK. This situation heightens national cybersecurity risks and prompts meaningful discussions among corporate boards and insurance companies. It's crucial to recognise that this is not just speculation; it highlights a critical reality that attackers will have a wide range of vulnerable targets and are expected to apply the same techniques across different sectors.

Your real options, with trade-offs and budget paths

Move to Windows 11 on supported hardware.

This is the cleanest route for security and manageability. Devices must meet Microsoft's baseline, including UEFI with Secure Boot and Trusted Platform Module 2.0. Many devices shipped in the last five years already have TPM 2.0, though it may be turned off in firmware. A focused readiness sweep quickly closes that gap.

Refresh hardware that does not meet requirements.

Where CPUs fall outside Microsoft's lists, or boards lack TPM 2.0, replacement is the right call. Treat refreshes as an opportunity to standardise models, enable Windows Autopilot, and bake in zero-trust controls at build. Finance leaders will ask about cost smoothing. Use lifecycle data to phase procurement across quarters and reclaim residual value through certified disposal. The environmental angle matters too, so ensure devices are sanitised, recycled, or donated through accredited routes.

Use Extended Security Updates as a time-box.

ESU is a legitimate control for estates that have application blockers or budget constraints. It should sit under a written risk acceptance, with precise exit dates by cohort. For organisations under volume licensing, factor in year-on-year ESU price rises against the total cost of delay, including potential insurance premiums linked to unsupported systems.

Isolate niche legacy use cases.

Some workloads will not move cleanly. Options include virtualising legacy apps, assigning virtual desktops, or ring-fencing specific Windows 10 devices behind strict network segmentation, application allow-listing, and privileged access controls. If Windows 10 must stay for a period, pair ESU with aggressive hardening, enhanced monitoring, and clear owner accountability.

Tighten the security net during transition.

Microsoft Defender Vulnerability Management gives a live asset inventory, risk-based prioritisation, and remediation guidance across devices. Decision makers get a credible view of exposure, not a spreadsheet guess. Pair this with Managed Detection and Response to watch the estate while teams migrate users in waves.

Deferrals often hide higher costs later, especially when ESU renewals, emergency replacements, and incident response are counted. The sensible path is a staged migration that aligns to cash flow, uses ESU only where needed, and locks in quick security wins first.

Your action plan

In the initial two weeks of your action plan, it's crucial to establish a comprehensive baseline for your organisation's devices and operating systems. Conducting a thorough inventory will help you identify all devices currently in use and confirm their eligibility for Windows 11. This inventory should also include mapping applications to their respective owners, allowing for clear accountability. By utilising Defender Vulnerability Management, you can prioritise addressing high-risk devices and ensure that business-critical users are adequately supported. Additionally, it's essential to determine which groups within your organisation require Extended Security Updates (ESU), which can be seamlessly upgraded in place, and which will need device refreshes.

As you move into weeks three and four, the focus should shift towards validating your upgrade path. Building a Windows 11 reference image that incorporates security defaults is essential. It's advisable to enable Secure Boot and TPM wherever possible, as these features enhance the security of the new operating system. During this phase, you should conduct application compatibility testing within a pilot group that includes representatives from finance, sales, and operations. Documenting any exceptions encountered, assigning an owner, and defining compensating controls and exit dates will ensure you have processes in place to address potential issues.

During weeks five and six, aim to lock in the necessary logistics for your device refresh strategy. Agreement on the volumes of devices to be refreshed, including suppliers and environmentally responsible disposal routes, is key to a smooth transition. Finalising the number of old devices requiring ESU will help manage expectations and timelines efficiently. A thorough review of your Microsoft licensing — covering Windows, Microsoft 365, and security add-ons — is vital to eliminate any unnecessary duplication and to identify new funding opportunities. It's equally important to confirm the coverage of Managed Detection and Response (MDR) services and ensure that alert routing is well established throughout the rollout process.

Weeks seven and eight should see the commencement of the first wave of Windows 11 deployments. Implementing Windows Autopilot will facilitate a zero-touch deployment experience, significantly minimising disruption. Consider scheduling launches by department to create a more organised transition and reduce the potential for confusion. Clearly communicate with users by providing straightforward guidance and known-issue workarounds to help them navigate any challenges. Tracking success rates and time-to-productivity will provide valuable insights, enabling you to make data-driven adjustments to your flight strategy.

Finally, in weeks nine and ten, you should focus on scaling your deployment efforts and reinforcing security measures. Start by increasing the size of deployment waves, ensuring the organisation can effectively accommodate this growth. Activate the advanced security features that Windows 11 provides by default; this will fortify your organisation's defences from the outset. As devices stabilise, take the opportunity to clean up permissions, remove outdated agents, and retire old Group Policy objects. Continuous measurement of cyber exposure and addressing exceptions will help secure your environment as you pivot to more robust operational capabilities.

Windows 10 still works after the deadline; that is true. The risk profile does not. A short, disciplined plan keeps the business productive while shrinking the attack surface. Conosco helps clients take a budget-conscious approach, with Microsoft licensing clarity, hardware lifecycle support, Defender Vulnerability Management, and 24x7 Managed Detection and Response. Book a Windows readiness call to leave guesswork behind and move on a schedule that suits cash flow and risk appetite.