October 14, 2025 came and went, and most businesses running Windows 10 noticed exactly nothing. The machines booted, the software ran, the work got done. That's precisely what makes Windows 10 end of support dangerous: nothing visibly breaks. What changed is invisible — Microsoft stopped shipping free security updates — and the gap between "still works" and "still safe" now widens with every patch Tuesday that passes those machines by. If part of your fleet is still on Windows 10, this is the decision guide: what end of support actually means, how to see what you've got, and the four honest options in front of you.

What "End of Support" Actually Means

End of support doesn't switch anything off. Windows 10 machines keep running, keep signing in, keep printing. What ends is the flow of fixes:

  • No security updates. New vulnerabilities in Windows 10 no longer get free patches. Every month, security researchers and attackers alike study the fixes Microsoft ships for Windows 11 — many of which reveal flaws that exist, unpatched, in Windows 10's shared code.
  • No technical support. Microsoft support won't troubleshoot Windows 10 issues.
  • A shrinking software umbrella. Microsoft 365 Apps, browsers, and third-party vendors are stepping down support on their own schedules. Chrome and Edge still update today; line-of-business vendors are already using "unsupported OS" to close tickets.

The risk compounds quietly. An unpatched operating system doesn't get breached on day one — it gets breached the month a wormable vulnerability lands and your machines are the ones that never got the fix. That's not hypothetical; it's exactly the WannaCry pattern, which feasted on end-of-life Windows in 2017.

The Compliance and Insurance Angle

For regulated businesses, the deadline has teeth beyond security. HIPAA's security rule, the FTC Safeguards Rule, PCI DSS, and CMMC all require — explicitly or through their risk-analysis obligations — that systems receive security patches. An unsupported OS handling regulated data is a finding waiting to be written. Cyber-insurance applications now routinely ask whether all systems are supported and patched; answering "yes" with a Windows 10 fleet on the books is the kind of misstatement that surfaces during claim review, which is the worst possible time. If an auditor, assessor, or underwriter touches your business, unsupported endpoints are no longer a technical detail — they're an exposure on paper.

First: Find Out What You Actually Have

Every good decision here starts with an inventory. You need three lists:

  • Windows 10 machines that meet Windows 11 hardware requirements (TPM 2.0, a supported CPU, Secure Boot) — these upgrade in place for free.
  • Windows 10 machines that don't qualify — typically anything shipped before ~2018. These need replacement or a paid bridge.
  • The special cases — the PC wired to the CNC machine, the workstation running the ancient dispatch software, the box the vendor says must never change. These need individual plans, not a blanket policy.

If you're running an endpoint management platform, this inventory is a report, not a project. If you can't produce it in an afternoon, that's a separate and arguably bigger finding — you can't secure a fleet you can't see. Our unified endpoint management guide covers closing that gap.

Your Four Options, Honestly

1. Upgrade in place (free, where hardware allows)

Qualifying machines take Windows 11 as a free upgrade, keeping apps and data. Plan it like any OS rollout: pilot group first, application compatibility checked, one department at a time. For most fleets bought since 2019, this covers the majority.

2. Replace the hardware

Machines that can't run Windows 11 are, almost by definition, six-plus years old — at or past sensible replacement age anyway. Fold the forced replacements into a managed refresh rather than an emergency buy: prioritize the machines handling sensitive data, stagger the spend, and consider whether a hardware-as-a-service model turns the capital spike into a predictable subscription.

3. Buy time with Extended Security Updates

Microsoft sells ESU for Windows 10 — continued critical and important security patches for up to three years, at a per-device price that increases each year by design. ESU is a legitimate bridge for machines that genuinely can't move yet (the vendor-locked workstation, the hardware controller). It is a terrible strategy for a whole fleet: you'd be paying escalating rates to stand still on a platform whose ecosystem is moving on. Buy it narrowly, with an exit date attached to each device.

4. Accept the risk — explicitly, in writing, for almost nothing

Some devices may earn a documented exception: fully isolated from the network and the internet, touching no sensitive data, doing one job. The key word is documented — a risk someone senior signed, with compensating controls (network segmentation, no browsing, no email) written down. "We never got around to it" is not this option, however much it resembles it from a distance.

Don't Waste the Forced Migration

A fleet-wide OS move is disruptive, so extract the full value: enforce disk encryption and modern authentication as machines are touched, standardize the build, enroll everything in endpoint management, and retire the local-admin sprawl. Businesses that treat this as pure cost tend to do it twice; the ones that fold it into patch and lifecycle discipline come out with a healthier fleet than they started with.

The Bottom Line

Windows 10's deadline already passed; what's left is how long your business carries the widening gap. Inventory the fleet, upgrade what qualifies, schedule replacement for what doesn't, use ESU as a narrow bridge with an end date, and write down any exception you genuinely mean to keep. If you'd like the inventory, the compatibility check, and the rollout handled as one managed project, our managed IT team does this every quarter. Get in touch and we'll get your fleet onto supported ground.