Microsoft confirmed that Windows 10 reaches end of life on October 14, 2025. After that date, Microsoft will no longer issue security updates for Windows 10. Any vulnerability discovered in Windows 10 after October 2025 will remain permanently unpatched — on every device in your organization still running it.
This is not a hypothetical future risk. It is a scheduled date with a defined consequence: a growing, unaddressed attack surface on any device that hasn't been migrated.
What "End of Life" Actually Means for Security
End of life doesn't mean Windows 10 stops working. It means it stops being defensible. The distinction matters:
- No more security patches. The attack surface grows with every new vulnerability disclosed after the EOL date — and none of them get fixed.
- Compliance frameworks require patched, supported operating systems. HIPAA, PCI DSS, CMMC, and SOC 2 all have controls that require systems to run supported software receiving security updates. Running an unsupported OS is a documented control failure.
- Cyber insurance underwriters are asking. An increasing number of commercial cyber insurance applications include questions about operating system support status. Unsupported OS versions are a known underwriting risk factor.
- The exposure compounds over time. The longer an organization continues running Windows 10 past the EOL date, the more unpatched vulnerabilities accumulate — and the more attractive those systems become as known-vulnerable targets.
Assessing Your Windows 10 Exposure
Before any migration plan can be built, the organization needs an accurate inventory. That means knowing:
- Total device count currently running Windows 10 across all locations and roles
- Hardware compatibility with Windows 11 — TPM 2.0 is the primary requirement and the most common blocker on older devices
- Business applications that may have compatibility issues on Windows 11 and require testing before migration
- Operational constraints on migration timing — devices tied to specific workflows, shift schedules, or production environments that can't tolerate unplanned downtime
Without this inventory, a migration plan is a guess. The inventory is the starting point, not an optional step.
The Hardware Compatibility Problem
Windows 11 requires TPM 2.0 (Trusted Platform Module version 2.0). This requirement is not negotiable and cannot be worked around through software configuration alone. Many business workstations and laptops manufactured before 2018 — and some manufactured after — either lack TPM 2.0 entirely or have it disabled in firmware.
The implication: a subset of devices running Windows 10 today cannot be upgraded to Windows 11. They must be replaced. This means the migration plan needs a hardware refresh budget alongside the OS migration plan — and organizations that haven't started scoping that budget are already behind the curve.
The split between upgradeable and non-upgradeable devices varies significantly by organization. Without running the hardware compatibility check, there's no way to know what percentage of the environment requires replacement vs. in-place upgrade.
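One way to run that check on a single device, as an added example (not DOYB's or Microsoft's tooling): a PowerShell function that separates devices with no TPM visible to Windows, a TPM older than 2.0, and a TPM 2.0 that is present but not enabled. The status labels and the CSV path are assumptions, and only the TPM requirement is tested, not the other Windows 11 prerequisites.

```powershell
# Added example: TPM 2.0 triage for one device. Run from an elevated session.
# Status labels and the CSV path are illustrative assumptions.
function Get-TpmReadiness {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        # Without elevation the TPM query fails and would look like "no TPM".
        throw 'Run elevated: Win32_Tpm is not readable by standard users.'
    }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Returns nothing when no TPM is exposed to Windows (absent, or off in firmware).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue |
           Select-Object -First 1

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $spec = if ($tpm -and $tpm.SpecVersion) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $isTpm2 = ($spec -match '^(\d+)\.') -and ([int]$Matches[1] -ge 2)

    $status = if (-not $tpm) {
        'No TPM visible: check firmware setting, otherwise replace or ESU'
    } elseif (-not $isTpm2) {
        'TPM older than 2.0: replace or ESU'
    } elseif (-not ($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)) {
        'TPM 2.0 present but not enabled: enable in firmware, then re-check'
    } else {
        'TPM 2.0 ready: test remaining Windows 11 prerequisites'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        OS           = $os.Caption
        OSBuild      = $os.BuildNumber
        TpmSpec      = $spec
        Status       = $status
    }
}

# Append this device's row to a shared inventory file (path is an assumption).
Get-TpmReadiness | Export-Csv -Path '.\tpm-inventory.csv' -Append -NoTypeInformation
```

Grouping the resulting CSV by Status gives the split between in-place upgrade, firmware change, and replacement that the hardware budget depends on.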
Three Paths Forward
- Upgrade eligible devices to Windows 11 before the October 14, 2025 deadline. Devices that meet the hardware requirements can be upgraded in place. This is the preferred path for devices with remaining useful life.
- Replace hardware that can't run Windows 11. Devices that fail the TPM 2.0 requirement or other Windows 11 prerequisites need to be scheduled for replacement. Start sourcing and budgeting now — hardware procurement timelines are unpredictable.
- Purchase Extended Security Updates (ESU) from Microsoft as a bridge option for devices that can't be migrated by the deadline. ESU is available at increasing cost per year: year one costs approximately $61 per device for commercial organizations, doubling in subsequent years. ESU buys time; it is not a solution. It is appropriate for devices with a defined replacement schedule, not as a long-term posture.
What a Managed IT Engagement Covers
For organizations working with DOYB on managed IT, Windows migration is handled as a structured program — not a one-time event. The engagement covers:
- Full device inventory with OS version documentation across all endpoints
- Hardware compatibility assessment against Windows 11 requirements, with device-level results
- Application compatibility testing for business-critical software
- Migration sequencing — prioritizing devices by role, risk, and operational constraints
- Deployment execution with documented rollout tracking
- Post-migration verification and documentation for compliance records
The Ascend Infrastructure Assessment identifies every device in your environment, documents OS versions and hardware specifications, and produces a migration sequencing plan — before any service scope is defined.