Windows 10 Support Has Ended. Here Is What To Do Next

On October 14, 2025, Microsoft ended support for Windows 10. That date closed a successful ten year run and began a new risk period for organizations that still have Windows 10 endpoints in production. After end of support, Microsoft no longer provides free monthly security updates, new features, or routine fixes for Windows 10. Businesses now face a choice. Migrate to a supported platform, enroll qualifying devices in the Extended Security Updates program, or accept growing risk and operational drag.

This guide explains what changed on October 14, 2025, why unsupported software increases business risk, which options you have in the next 12 to 36 months, and a practical migration plan that PivIT Strategy can execute with you.

What changed on October 14, 2025

Microsoft’s Windows lifecycle documentation states that Windows 10 version 22H2 is the final Windows 10 release and that all mainstream support ended on October 14, 2025. That means no more free monthly security updates, no new features, and no standard product support. Microsoft’s lifecycle pages and end of support notice confirm these points and list the affected editions across Home, Pro, Enterprise, and Education.

Microsoft has introduced paths to sustain security coverage temporarily. For commercial customers, Windows 10 Extended Security Updates, often called ESU, can provide critical and important security fixes for up to three years after end of support. ESU is a paid subscription for most organizations and is designed as a bridge, not a permanent solution.

For personal devices, Microsoft provides a one year ESU option that runs through October 13, 2026. This is separate from enterprise programs and is not a substitute for a long term plan in a business network.

Microsoft 365 Apps will continue to run on Windows 10 for a period, but Microsoft notes that support for those apps on Windows 10 ended when the operating system reached end of support. Microsoft has said it will continue providing security updates for Microsoft 365 on Windows 10 for a limited time to reduce risk while organizations transition, which is not a reason to delay plans, only a short term safety net.

Why running an unsupported OS increases risk

Security teams have warned for years that end of life software raises the likelihood and impact of incidents. The Cybersecurity and Infrastructure Security Agency explains that continued use of end of life software allows attackers to exploit unpatched vulnerabilities and that updating or replacing unsupported products is a core defensive practice. CISA’s guidance for businesses reinforces that keeping software current and retiring end of life technology reduces exposure.

NIST’s Guide to Enterprise Patch Management Planning sets a clear expectation for modern environments. Patch management is the process of identifying, prioritizing, acquiring, installing, and verifying patches across operating systems, applications, firmware, and more. Once a product is out of support, this process breaks because no vendor patches arrive. That leaves compensating controls as your only lever, which raises cost and lowers assurance over time.

In short, staying on Windows 10 without a plan carries growing risk and cost. Attack surface expands as new vulnerabilities are discovered. Detection and response teams spend more time managing exceptions. Compliance reviews become harder to pass. Insurance questionnaires become tougher to complete. All of this diverts budget and staff time away from your core business.

Your options for Windows 10 Support Ending, at a glance

Option 1. Upgrade devices to Windows 11.
This is the best security and productivity path. It restores monthly security updates, aligns you with Microsoft’s platform roadmap, and unlocks modern features and management capabilities. Some older PCs do not meet Windows 11 requirements, so you will pair in place upgrades with a hardware refresh cycle.

Option 2. Enroll qualifying Windows 10 devices in Extended Security Updates.
ESU buys time. Commercial ESU provides critical and important updates for up to three years after October 14, 2025. It is a subscription by year, with cumulative rules that require purchase of prior years if you join late. You still need a migration plan, since ESU ends on a fixed schedule.

Option 3. Isolate and harden systems that must remain on Windows 10.
Some industrial, laboratory, or legacy application systems cannot be upgraded on a business friendly timeline. For these cases, use a strict isolation model. Segment networks, restrict outbound traffic, apply application allowlisting, and monitor closely. Treat these assets as exceptions with explicit business owner sign off and documented compensating controls that align to your risk framework. CISA’s advice to replace end of life software still applies, but isolation reduces blast radius while you stage the replacement.

Timelines and planning windows

Understanding timelines will help you set priorities.

1. Now through Q4 2025.
   Windows 10 is out of support. Enroll qualifying commercial devices in ESU if you cannot upgrade quickly. Confirm hardware compatibility for Windows 11 and begin device mapping.
2. Through October 13, 2026.
   Consumer ESU runs for one year. This matters mainly for smaller businesses with personal devices that touch work data. It is not a commercial strategy.
3. Through the next three fiscal years for commercial ESU.
   Commercial ESU is renewable annually for up to three years. Use this period to complete application remediation, hardware refresh, and user training. Treat ESU as a countdown clock, not a comfort blanket.

A practical migration playbook from PivIT Strategy

A successful transition balances risk, cost, and continuity. Here is the approach our team uses with clients.

1. Inventory and categorize every endpoint.
   Pull a complete list from your RMM and MDM tools. Tag each device with business owner, department, hardware specs, warranty status, critical applications, and last patch date. Place devices into one of three buckets. Upgrade now. Upgrade after app remediation. Hold and isolate due to business constraints.
2. Validate Windows 11 readiness.
   Automate hardware checks for TPM, memory, CPU, and storage. For devices that qualify, schedule an in place upgrade pilot. For devices that do not qualify and are within 12 months of refresh, plan a purchase and imaging cycle that aligns with budget windows.
3. Map your application landscape.
   List core line of business apps, versions, and support statements. Contact vendors that have not documented Windows 11 support. For homegrown or niche apps, set up a test group with user acceptance criteria. Create an issue backlog for compatibility problems and track owners and fix strategies.
4. Decide where ESU fits.
   Enroll only the devices that have a clear and time bound reason to stay on Windows 10. Document the business reason and the target exit date. Track ESU renewal dates and cumulative purchase rules so you do not get surprised later. Microsoft’s ESU guidance makes clear that it is a temporary bridge, not a permanent state.
5. Strengthen compensating controls for exceptions.
   Segment networks so that legacy devices cannot reach the open internet or lateral movement targets. Enforce least privilege on local admins. Add application allowlisting, strict firewall rules, and enhanced logging. Validate backup coverage and recovery tests. These steps align with CISA’s guidance to reduce risk when software cannot be updated.
6. Communicate with users and stakeholders.
   Explain why the change is necessary. Share timelines and what users should expect during upgrades. Provide short guides for new features and changes in Windows 11 to reduce support tickets after rollout.
7. Measure progress.
   Use a weekly scorecard that shows total Windows 10 devices, devices upgraded to Windows 11, devices covered by ESU, and devices approved for isolation. Add a risk column that flags devices with sensitive data access or internet exposure.

Budget and licensing notes

For commercial customers, ESU is available as a yearly subscription. Microsoft documentation outlines that the commitment can be renewed for up to three years after end of support. The program delivers critical and important security fixes, not features. If you join in year two, you must pay for year one as well, since ESU is cumulative by design. This rule encourages early planning and avoids lingering in a semi supported state.

Consumer ESU is a separate track that covers one year through October 2026 and is not appropriate for most business scenarios. It can help employees who own personal devices that still run Windows 10, but those devices should not store or process sensitive company data without strong controls.

Why act now rather than later

Delaying an upgrade often appears cheaper in the current quarter, but costs accumulate quickly. Security incidents are more likely on unsupported platforms. Compliance and insurance pressures grow. Vendor support for drivers and applications continues to drift away from Windows 10. Your service desk spends more time on exceptions and workarounds. Studies and guidance from NIST and CISA support the conclusion that timely patching and modernization reduce total cost and risk over time.

How PivIT Strategy helps

PivIT Strategy guides clients through the full transition. We build the asset inventory, validate Windows 11 readiness, plan ESU enrollment for the right devices, and remediate applications that need attention. We design segmentation and compensating controls for any systems that must remain on Windows 10 for a period. We manage the rollout with a change window that fits your business, then measure progress until the last Windows 10 endpoint is retired.

If your organization is still on Windows 10 today, you are not alone. The key is to replace uncertainty with a clear plan and to start the work now.

Ready to move forward?
Contact PivIT Strategy for a short assessment and a migration plan you can put in motion this quarter.