What actually changed on October 14, 2025
Microsoft ended free security updates for Windows 10 Home, Pro, Enterprise, and Education editions on October 14, 2025. The operating system still runs. Programs still open. The desktop still looks the same. What changed is invisible: Microsoft no longer ships security patches for newly discovered vulnerabilities. Every new CVE in Windows 10 is permanent on those machines unless they're enrolled in the paid Extended Security Updates (ESU) program.
The practical effect compounds over months, not days. The first month after EOL, the gap is small. By month six, the count of unpatched, weaponizable vulnerabilities has crept up. By the end of year one, a Windows 10 endpoint is meaningfully more exposed than a Windows 11 endpoint sitting next to it.
The three paths forward, in order of preference
Path 1 — In-place upgrade to Windows 11 (cheapest, fastest)
If the hardware meets the Windows 11 requirements, an in-place upgrade preserves files, apps, and settings while moving the OS forward. The minimum spec is: 1 GHz dual-core 64-bit CPU on the supported list, 4 GB RAM, 64 GB storage, UEFI/Secure Boot, and TPM 2.0. Most Intel 8th-gen / AMD Ryzen 2000-series and newer machines qualify; most pre-2018 machines do not. Microsoft's PC Health Check tool gives a definitive answer per device. Cost: zero in licensing, a couple of hours per machine in technician time.
Path 2 — Hardware refresh (Windows 10 → new Windows 11 device)
For machines that fail the Windows 11 hardware check — older CPUs, missing TPM, no UEFI — refresh the hardware. A reasonable mid-tier business laptop runs $900–$1,400, comes preinstalled with Windows 11 Pro, and is the right call for any device older than four years regardless of OS, because the rest of the hardware is aging out too. Plan the refresh as a phased rollout: oldest and most-exposed machines first, the rest on the natural replacement cycle.
Path 3 — Extended Security Updates (ESU) — bridge only
ESU buys time. For 2026, it's roughly $30 per device for the first year for consumer/Pro editions; commercial pricing scales up and doubles each subsequent year. Use it as a bridge for a specific machine that has a one-off blocker (a legacy app, a pending hardware order). Don't use it as a multi-year strategy — the cost rises, and the underlying technical-debt problem only gets worse.
The 90-day migration plan for a small business
Days 1–14: Inventory and assessment
- Pull a full list of every Windows machine, OS version, age, and assigned user. If you don't have one already, your MSP can run it from the RMM agent in under an hour.
- Run PC Health Check (or the RMM equivalent) on every Windows 10 device. Group results into: upgrade in place, refresh required, and bridge with ESU.
- For each "refresh required" machine, document the user, role, and any role-specific software requirements (CAD, accounting, EHR, POS).
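An added example (not from the original post or Micro-IT's tooling) that turns the Path 1 minimums and the Days 1–14 assessment into a per-device readiness check. It assumes the thresholds quoted above and is run elevated on each Windows 10 endpoint (for example through the RMM agent); whether the CPU is on Microsoft's supported-processor list is not checked here and still needs PC Health Check or the published list.

```powershell
# Added example (not from the original post): per-device Windows 11 readiness check.
# Run elevated on each Windows 10 endpoint (e.g. via the RMM agent) and collect the output.
# Assumption: thresholds are the Path 1 minimums; CPU model-list membership is not checked.
function Get-Win11Readiness {
    $os       = Get-CimInstance Win32_OperatingSystem
    $cs       = Get-CimInstance Win32_ComputerSystem
    $cpu      = Get-CimInstance Win32_Processor | Select-Object -First 1
    $bios     = Get-CimInstance Win32_BIOS
    $sysDrive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    # Win32_Tpm reports SpecVersion as a string like "2.0, 0, 1.38"; it is absent (or inaccessible when not elevated) without a usable TPM.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { [double]($tpm.SpecVersion -split ',')[0].Trim() } else { 0 }
    # Confirm-SecureBootUEFI throws on legacy-BIOS firmware; treat a throw as "not enabled".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }
    # RAM and the system volume are rounded to whole GB: firmware reserves a little, so a true 4 GB box reports ~3.9 GB.
    $checks = [ordered]@{
        Cpu64Bit   = ($cpu.AddressWidth -eq 64)
        CpuCores2  = ($cpu.NumberOfCores -ge 2)
        Cpu1GHz    = ($cpu.MaxClockSpeed -ge 1000)
        Ram4GB     = ([math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 4)
        Disk64GB   = ([math]::Round($sysDrive.Size / 1GB) -ge 64)
        Uefi       = ($env:firmware_type -eq 'UEFI')
        SecureBoot = $secureBoot
        Tpm20      = ($tpmSpec -ge 2.0)
    }
    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    # Bucket exactly as the Days 1-14 step groups results; ESU is a per-machine business decision, so it is only flagged.
    $bucket = if ([int]$os.BuildNumber -ge 22000) { 'Already Windows 11' }
              elseif ($failed.Count -eq 0)        { 'Upgrade in place' }
              else                                { 'Refresh required (ESU bridge only with a documented blocker)' }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $os.Caption
        Build        = $os.BuildNumber
        BiosDate     = $bios.ReleaseDate   # rough proxy for hardware age (the four-year rule in Path 2)
        LastUser     = $cs.UserName        # assigned user, if someone is logged on when the check runs
        FailedChecks = ($failed -join ';')
        Bucket       = $bucket
    }
}

# On each endpoint (the collection path is a placeholder):
# Get-Win11Readiness | Export-Csv -NoTypeInformation -Path "\\fileserver\win10-eol\$env:COMPUTERNAME.csv"
```

Concatenating the per-machine CSVs gives the three groups the assessment step calls for, plus the age and user columns the inventory needs.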
Days 15–30: Procurement and scheduling
- Order the refresh hardware in batches that align with budget cycles. Microsoft Surface, Lenovo ThinkPad, Dell Latitude, and HP EliteBook are all reasonable defaults for a small-business fleet.
- Build a deployment image: company apps preinstalled, Microsoft 365 enrolled, EDR agent baked in, conditional-access policy applied. Image once, deploy many times.
- Schedule the rollout to avoid critical business windows — not the week of an audit, not month-end close.
Days 31–75: Phased rollout
- Start with the highest-risk users: anyone who handles finance, anyone with admin privileges, anyone in a HIPAA / PCI-regulated role.
- Refresh in groups of 5–10 per week so the help desk can support the inevitable "where did my bookmarks go" questions without queueing.
- Decommission the old Windows 10 hardware: wipe the drive (DoD-grade if you handle regulated data), remove it from the asset register, and physically dispose of it or donate it through a vendor that issues certificates of destruction.
Days 76–90: Validate and document
- Confirm 100% of production endpoints are Windows 11 (or ESU-enrolled if there's a documented exception).
- Update the asset register and the cyber-insurance attestation — carriers ask about supported-OS posture explicitly.
- Schedule the next quarterly review to confirm no Windows 10 machines have crept back in via personal-device use or a forgotten kiosk.
Edge cases worth flagging
- Industry-specific software — some EHRs, ERPs, and CAD packages have lagged on Windows 11 support. Check the vendor compatibility matrix before assuming the migration is a clean in-place upgrade.
- Domain-joined machines — an in-place upgrade preserves the domain join, but it's the right time to validate that the user is in the correct OU and that the correct conditional-access policy applies.
- Loose Windows 10 machines — the receptionist's spare laptop, the conference-room PC, the lobby kiosk. These are the ones that get forgotten. Inventory them explicitly.
- Windows 11 hardware that just barely qualifies — older 8th-gen i3 machines technically pass the check but perform poorly. Consider replacement on age grounds even if the OS will run.
What this looks like on a Micro-IT managed plan
Managed Endpoint clients have OS-version inventory baked in — we ran the Windows 10 EOL roster the week of the announcement and have been tracking it since. Migration projects are quoted as fixed-price up front, scheduled around your business calendar, and documented end-to-end. The endpoint hardening (EDR, MFA, DNS filtering, image-level backup) runs on Windows 10 and Windows 11 identically, so security posture stays consistent through the transition.
If you're not on a managed plan and want a one-shot Windows 10 EOL project — inventory, plan, execute — we'll quote that too. Get in touch or call 270.816.5726.
