Microsoft stopped issuing free security updates for Windows 10 on 14 October 2025. If your business is still running it on even a handful of machines, those devices are no longer getting the monthly patches that close newly discovered holes, and every month that passes widens the gap. This is not a drill you can keep postponing, and it is not only an IT problem: an unpatched fleet is a compliance, insurance and reputational problem too. Here is a clear-headed account of what end of life actually means, the realistic options in front of you, and a sensible order to do them in.
What 'end of life' actually means for you
End of life does not mean your computers stop working on a given morning. Windows 10 still boots, your software still runs, and on the face of it nothing has changed. That is exactly what makes it dangerous. The change is invisible: Microsoft no longer ships the security updates that fix vulnerabilities as they are discovered, so each new flaw found in the operating system stays open on your machines indefinitely.
Attackers know these dates better than most businesses do. The period immediately after an operating system goes out of support is when exploitation of newly disclosed bugs rises, because the people running it are, by definition, no longer protected. For a UK business this also touches your obligations: an unsupported operating system makes a Cyber Essentials certification untenable, can breach the terms of a cyber-insurance policy, and weakens your position under data-protection rules if an incident follows.
Your three honest options
There are only three real responses, and most businesses will use a mix. The first is to upgrade eligible machines to Windows 11 in place, which is free if the hardware qualifies. The second is to replace machines that cannot run Windows 11, which is most older kit, with new ones. The third, a deliberate stopgap rather than a solution, is to pay for Extended Security Updates to buy time on a few machines you genuinely cannot move yet.
The reason replacement features so heavily is the hardware bar Windows 11 sets. It requires a reasonably modern processor, a TPM 2.0 security chip and Secure Boot. A laptop bought before roughly 2018 will usually fail the check, and no amount of effort makes it eligible. That is not Microsoft being awkward for its own sake; the security baseline genuinely depends on those hardware features.
- Upgrade in place: free, fast, only for machines that pass the Windows 11 hardware check
- Replace: required for older devices that lack TPM 2.0 or a supported processor
- Extended Security Updates: a paid, time-limited bridge for the few machines you cannot move yet
Why a cheap 'just keep it running' plan backfires
The tempting path is to do nothing and hope. It is also the most expensive option once you account for risk. A single ransomware incident that enters through an unpatched endpoint can take a small business offline for days, and the recovery, lost trade and potential fines dwarf the cost of a planned refresh. We have written separately on the real cost of IT downtime, and an out-of-support fleet is one of the most reliable ways to invite it.
Extended Security Updates have their place, but read the design intent: Microsoft prices them to rise each year precisely so they are uncomfortable to live on. They are a bridge for a specific machine tied to a line-of-business application you cannot yet replace, not a strategy for a whole office. Treat them as a deadline extension with a meter running, not a reprieve.
A sensible 60-day plan
Start with an inventory: every Windows device, its age, and whether it passes the Windows 11 check. You cannot plan a refresh you have not measured. Group the results into upgrade-in-place, replace, and the small bridge-with-ESU set. Then sequence by exposure, dealing with internet-facing and remote-worker laptops first, because those are the machines an attacker reaches most easily.
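One way to take the per-device measurements for that inventory, as an added example that is not part of the original article: it reads the TPM version and Secure Boot state from the machine and sorts it into the three groups above. The function name, its two switches, the bucket labels and the priority numbers are assumptions made for this example, and processor support is reported for a manual check rather than decided by the script.

```powershell
# Added example. Run in an elevated PowerShell session on each Windows 10 device.
# Function name, parameters and bucket labels are assumptions made for this example.
function Get-Win10EolTriage {
    param(
        [switch]$InternetFacingOrRemote,  # you decide: used off-site or reachable from the internet
        [switch]$TiedToLegacyApp          # you decide: runs a line-of-business app that cannot move yet
    )

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    # A missing TPM, or one switched off in firmware, returns nothing here.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm -and $tpm.SpecVersion) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }

    $hardwareOk = ($tpmVersion -eq '2.0') -and $secureBoot

    # The three groups from the plan. Processor support is not decided here:
    # the CPU name is reported so it can be checked against Microsoft's supported list.
    $bucket = 'replace'
    if ($TiedToLegacyApp) { $bucket = 'bridge-with-ESU' } elseif ($hardwareOk) { $bucket = 'upgrade-in-place' }

    # Exposed machines (internet-facing, remote workers) are sequenced first.
    $priority = if ($InternetFacingOrRemote) { 1 } else { 2 }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OS           = "$($os.Caption) $($os.Version)"
        Cpu          = $cpu.Name
        FirmwareDate = $bios.ReleaseDate   # rough age proxy; changes if firmware was updated
        TpmVersion   = $tpmVersion
        SecureBoot   = $secureBoot
        Bucket       = $bucket
        Priority     = $priority
    }
}

Get-Win10EolTriage -InternetFacingOrRemote | Format-List
```

Piping the result to `Export-Csv -Append` instead of `Format-List` collects one row per device into a single sheet that can be sorted by Priority and Bucket.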
Replacement is also an opportunity, not just a cost. Machines bought now will carry the business for the next four to five years, so it is worth specifying them properly rather than buying the cheapest box on a shelf, a trap we cover in the hidden cost of cheap business laptops. If you would rather not run this yourself, an outsourced partner can inventory, plan and roll out the whole fleet, which is one of the clearer cases for outsourcing IT versus hiring in-house. Browse current business laptops when you are ready to spec the replacements.