The END of Windows 10: What ProTelesis customers can do now to prepare for departure

The context: Windows 10 has officially sunset

Microsoft ended support for Windows 10 on October 14, 2025, which means no more free security fixes, feature updates, or technical assistance. Devices will continue to run, but risk rises over time as new vulnerabilities appear. Microsoft recommends moving to Windows 11 or, if you need time, enrolling in ESU.

For organizations that rely heavily on Microsoft 365, note that Microsoft 365 Apps on Windows 10 will receive security updates (not features) for three extra years—until October 10, 2028—to help you bridge the transition. Support is limited and Microsoft will still steer you to Windows 11 if issues only occur on Windows 10.

And even if you remain on Windows 10, your browser won’t be stranded: Microsoft Edge and the WebView2 Runtime will be serviced on Windows 10 until at least October 2028—independent of ESU enrollment.


What are your realistic options?

1) Upgrade eligible devices to Windows 11 (preferred)

Windows 11’s minimums include a supported 64‑bit CPU, TPM 2.0, UEFI/Secure Boot, 4GB RAM, and 64GB storage. Use PC Health Check to validate readiness and plan an in‑place upgrade via Windows Update, installation media, Intune/Configuration Manager, or task sequence methods. This preserves apps, settings, and user data while giving you a modern, more secure baseline.

Why the stricter baseline? Microsoft ties Windows 11’s requirements to platform security (TPM-backed cryptography, Secure Boot, virtualization-based protections). If your fleet lacks those controls, risk and support challenges compound.

ProTelesis tip: Identify devices that pass PC Health Check and schedule pilot upgrades by business unit. Use task sequences for predictable rollouts and post‑upgrade validation.


2) Bridge with ESU for Windows 10 (time‑boxed)

If you cannot move immediately, ESU provides security-only patches for Windows 10. For businesses, ESU is an annual paid subscription (Year 1 listed at $61 per device, doubling each year, up to three years). Consumers get one year of ESU, with enrollment options and pricing that Microsoft and industry outlets have detailed.

Important caveats: ESU doesn’t deliver features, nonsecurity fixes, or full OS support. Devices must be on Windows 10, version 22H2 to enroll. Treat ESU as a temporary risk‑reduction measure while you execute your Windows 11 migration.

3) Replace or re-platform truly incompatible endpoints

If hardware can’t meet Windows 11’s requirements (no TPM 2.0/UEFI, unsupported CPU), evaluate a refresh to secured‑core Windows 11 PCs or appropriate alternatives (VDI, Windows 365 Cloud PCs, or non‑Windows platforms where use cases allow). Several cloud scenarios include ESU coverage at no additional cost for Windows 10 VMs during the ESU window.


Why acting now matters (and how to justify budget)

From a controls perspective, running an unsupported OS violates common governance baselines. NIST SP 800‑53 SA‑22 explicitly calls for replacing unsupported components—or isolating them and contracting alternative support—because attackers target unpatched systems. Pair that with NIST CSF 2.0 guidance around Identify/Protect/Detect/Respond/Recover to frame risk in executive terms.

Pragmatically, every month on an end‑of‑life platform raises operational, compliance, and reputational exposure (PCI, HIPAA, SOC 2). Independent advisories highlight compatibility drift (drivers, apps) and widening exploit surface over time. Your board will understand a risk‑weighted ROI: ESU + browser servicing can buy time, but only a move to Windows 11 reduces systemic risk sustainably.


A ProTelesis 6‑step plan for a smooth exit

  1. Inventory & readiness scan
    Run PC Health Check and your asset management tool to segment devices by upgrade feasibility (Pass, Fixable, Replace). Map to business criticality and compliance scope using CSF “Identify” profiles.
  2. Define architecture & guardrails
    Standardize Windows 11 images with the 24H2 security baseline (SMB signing, Kerberos hash agility, Defender hardening). Bake policies into Intune/ConfigMgr before pilot.
  3. Pilot in‑place upgrades
    Use Configuration Manager task sequences or Windows Update for Business rings. Validate authentication, app compatibility, drivers, and user experience.
  4. Risk‑isolate holdouts
    For systems awaiting ESU or replacement, implement network segmentation, heightened monitoring, browser hardening (Edge Extended Stable), and strict access controls. Edge will continue to update on Windows 10 through 2028—leverage that as a control while you complete migration.
  5. Enroll ESU (only where needed)
    Put ESU behind approvals. Confirm devices are on 22H2 and track the rising cost curve (Year 1 → Year 2 → Year 3). Use this cost to motivate modernization.
  6. Communicate the business case
    Tie timelines to compliance, productivity and supportability (e.g., limited Microsoft 365 support windows on Windows 10 → feature lock at Version 2608, security updates through 2028).
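
One way to collect the facts behind steps 1 and 5 on a single endpoint, as an added example (not ProTelesis or Microsoft code). The function name Get-Win11Readiness and the rules mapping checks to Pass/Fixable/Replace are assumptions made for illustration; CPU support is not checked and still needs PC Health Check.

```powershell
#Requires -RunAsAdministrator
# Added example: per-device triage for step 1, plus the 22H2 check from step 5.
# The Pass/Fixable/Replace rules are assumptions. The supported-CPU list is not
# checked here, and borderline RAM/disk results should be confirmed with PC Health Check.
function Get-Win11Readiness {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
    $ram  = (Get-CimInstance -ClassName Win32_PhysicalMemory |
             Measure-Object -Property Capacity -Sum).Sum

    # TPM: SpecVersion reads like "2.0, 0, 1.59". No instance means the OS sees no TPM,
    # which also happens when a firmware TPM is switched off in firmware setup.
    $tpm   = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')
    $tpmOn = [bool]($tpm20 -and $tpm.IsEnabled_InitialValue)

    # Secure Boot: returns $true/$false on UEFI; throws when booted in legacy BIOS mode.
    $uefi = $true
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch [System.PlatformNotSupportedException] { $uefi = $false; $secureBoot = $false }

    $checks = [ordered]@{
        Tpm20Present = $tpm20
        TpmEnabled   = $tpmOn
        Uefi         = $uefi
        SecureBoot   = $secureBoot
        Ram4GB       = ($ram -ge 4GB)
        Disk64GB     = ($disk.Size -ge 64GB)   # size of the system volume
    }
    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })

    # Assumed rule: no TPM 2.0 visible -> Replace; any other failed check -> Fixable.
    $segment = if ($failed.Count -eq 0) { 'Pass' }
        elseif (-not $tpm20) { 'Replace' }
        else { 'Fixable' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Segment      = $segment
        FailedChecks = $failed -join ', '
        # Windows 10 22H2 is build 19045; ESU enrollment requires 22H2.
        EsuEligible  = ([int]$os.BuildNumber -eq 19045)
    }
}

Get-Win11Readiness
```

Treat a Replace result as provisional until the firmware TPM setting has been checked, since a disabled firmware TPM is indistinguishable from a missing one at this level.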

What about AI and Windows 11 for business?

While “Copilot+” experiences (Recall, Windows Studio Effects, on‑device semantic search) are gated behind NPU‑equipped hardware, Windows 11 24H2 delivers broader security baseline improvements and ongoing monthly servicing that benefit all enterprise builds. Plan AI features as incremental value on top of your core security-driven upgrade.

ProTelesis can help you baseline, plan, and execute: readiness assessments, pilot upgrades, ESU governance, and secured‑core hardware refresh recommendations. If you’re in a regulated industry or processing sensitive data, we can align the project to your NIST/ISO controls and compliance roadmap. Let’s schedule a 30‑minute migration strategy session and get your Windows 10 departure plan finalized.


FAQs

Q1: Will my Windows 10 PCs stop working after October 14, 2025?
No—Windows 10 still runs. But free security updates and support ended on Oct 14, 2025, increasing risk over time. Consider upgrading or using ESU temporarily.

Q2: How long will Office/Microsoft 365 Apps still get updates on Windows 10?
Security updates continue until Oct 10, 2028. Feature updates stop earlier (Current Channel feature freeze at Version 2608 in Aug 2026). Support is limited and Microsoft will redirect issues to Windows 11.

Q3: Do web browsers still get patches on Windows 10?
Microsoft Edge and WebView2 are serviced on Windows 10 until at least Oct 2028, without ESU. (Other browsers’ timelines may vary.)

Q4: What are the hard requirements for Windows 11?
Supported 64‑bit CPU, TPM 2.0, UEFI/Secure Boot, 4GB RAM, 64GB storage, DirectX 12/WDDM 2.x GPU. Use PC Health Check to verify.

Q5: Is ESU a long‑term solution?
No. ESU is security‑only and paid (business Year 1 ~$61/device, rising each year). It’s a bridge—use it to complete migration, not to defer indefinitely.

Q6: What risk frameworks support moving off unsupported OS versions?
NIST SP 800‑53 SA‑22 mandates replacing unsupported components or isolating them; use NIST CSF 2.0 functions to structure your migration and monitoring plan.