
Windows 10 approaching end of life: What it means and what you need to do
By KYND
In cyber risk management, staying up to date is non-negotiable. And one critical deadline is fast approaching: October 14, 2025 — the official end of life (EOL) for Microsoft Windows 10.
After that date, Microsoft will stop releasing updates and security patches for the OS, leaving any systems still running it increasingly vulnerable to attack. That’s a problem, because as of August 2025, 43% of all Windows users are still on Windows 10.
If unmanaged, this creates a widespread, easily exploited weakness across many organisations’ environments, one that threat actors are all too ready to target.
But what does that really mean in practice? And how should businesses prepare?
Let’s break it down.
After October 14, 2025, Windows 10 will no longer receive feature updates or security patches. In other words, any new vulnerabilities found after that date will go unpatched — leaving systems wide open to exploitation.
Microsoft will offer ‘Extended Security Updates’ (ESUs) for all Windows 10 users until October 13, 2026. After that, organisations will have the option to extend their coverage – by one or two additional years – to support their migration to Windows 11, but this is a temporary fix. The real solution? Upgrade to Windows 11, or stop using the system altogether. It’s worth emphasising that ESUs aren’t a goodwill gesture, they’re a deliberate bridge for organisations that need more time to transition to a stable, supported operating system.
This isn’t the first time we’ve seen unsupported systems become cybercriminal playgrounds.
One of the most notorious examples? WannaCry.
In 2017, attackers exploited a vulnerability in Microsoft’s Server Message Block (SMB) protocol using tools like EternalBlue. These tools allowed attackers to remotely install ransomware on unpatched systems, including many running older, unsupported versions of Windows. Despite Microsoft issuing emergency patches, it came too late for many.
In the UK, the NHS was hit hard, incurring an estimated £92 million in disruption as part of the wider fallout from the breach, with hospitals forced to delay care and divert ambulances.
By the end of 2017, WannaCry had impacted more than 300,000 computers across 150 countries.
The lesson is clear: unsupported doesn’t just mean outdated, it means vulnerable.
Nearly 43% of Windows systems still run Windows 10 (as of August 2025), according to Statcounter. That’s approaching half of all Windows machines, compared to 53% running Windows 11.
Why the hesitation? Windows 11 has stricter hardware requirements, which has slowed adoption. But with only a few months to go, many organisations will need to accelerate their transition or risk being left exposed.
If your organisation is still running Windows 10, here’s what you should be doing:
1. Upgrade to Windows 11
Microsoft’s primary recommendation is simple: upgrade to Windows 11. If your hardware supports it, begin testing and rolling out upgrades now. Starting early gives your IT team time to address compatibility issues, adjust policies, and ensure a smooth, secure deployment before the deadline.
2. Assess your hardware
Not all devices can run Windows 11 due to its stricter hardware requirements, including TPM 2.0 (a security chip) and Secure Boot (a security feature designed to prevent malicious software from loading when your PC starts up).
Conduct a network-wide audit to identify non-compliant machines. In practice, you can use Microsoft’s PC Health Check Tool or Endpoint Analytics to identify unsupported endpoints. For these, build a plan to retire, replace, or isolate legacy systems before support ends.
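The audit step above can be scripted rather than done by hand. The following is an added example, not KYND's code or a Microsoft tool: a PowerShell readiness check that runs elevated on a Windows 10 host (or is pushed to a fleet with Invoke-Command) and reports the two requirements the article names, TPM 2.0 and Secure Boot, plus the RAM, storage and 64-bit CPU minimums Microsoft publishes for Windows 11. The hostnames and output path are constructed placeholders, and the script does not check Microsoft's supported-CPU list, so "Ready" means "worth testing", not a guarantee.

```powershell
# Added example (not KYND's code): Windows 11 readiness audit for a Windows 10 host.
# Run elevated. Cmdlets used are built into Windows 10: Get-CimInstance,
# Confirm-SecureBootUEFI (SecureBoot module) and the Win32_Tpm WMI class.
function Test-Win11Readiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $sys = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; a missing instance means no TPM.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $hasTpm2 = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # Secure Boot: the cmdlet throws on legacy-BIOS machines, which counts as "no".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    $checks = [ordered]@{
        Tpm2       = $hasTpm2
        SecureBoot = $secureBoot
        Cpu64Bit   = ($cpu.AddressWidth -eq 64)
        Ram4GB     = (($cs.TotalPhysicalMemory / 1GB) -ge 4)
        Disk64GB   = (($sys.Size / 1GB) -ge 64)
    }

    $verdict = if ($os.Caption -like '*Windows 11*') { 'Already on Windows 11' }
               elseif (-not ($checks.Values -contains $false)) { 'Ready: schedule upgrade' }
               else { 'Not ready: plan ESU, replacement or isolation' }

    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        OS         = $os.Caption
        Build      = $os.BuildNumber
        Tpm2       = $checks.Tpm2
        SecureBoot = $checks.SecureBoot
        Cpu64Bit   = $checks.Cpu64Bit
        Ram4GB     = $checks.Ram4GB
        Disk64GB   = $checks.Disk64GB
        Verdict    = $verdict
    }
}

# Local run:
Test-Win11Readiness | Format-List

# Fleet run (hostnames are constructed placeholders). Unreachable machines are
# collected separately so they appear in the plan as their own line item rather
# than silently dropping out of the audit.
$hosts  = @('WS-FIN-01', 'WS-FIN-02', 'WS-OPS-07')
$report = Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-Win11Readiness} `
              -ErrorAction SilentlyContinue -ErrorVariable unreachable
$report | Sort-Object Verdict, Host | Export-Csv -Path .\win11-readiness.csv -NoTypeInformation
$unreachable | ForEach-Object { "Could not audit: $($_.TargetObject)" }
```

The CSV gives you the three buckets the rest of this article works with: machines to upgrade now, machines that need ESU or replacement, and machines that could not be reached and therefore need a manual follow-up. Confirm-SecureBootUEFI reports whether Secure Boot is currently on rather than whether the firmware is merely capable of it, which is the state you want before an upgrade anyway.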
3. Consider Extended Security Updates
If you can't upgrade everything in time, Microsoft will offer Extended Security Updates (ESUs) — but only for a limited time and at a cost. ESUs provide critical security patches for up to three years (until October 2028), and will be available on a subscription basis.
⚠️ Important: ESUs are a short-term crutch — not a replacement for proper upgrades or patching. They also don't include feature updates or performance fixes.
4. Segment and monitor legacy systems
If you absolutely must keep any machines on Windows 10 for now, make sure they don’t put the rest of your network at risk. Here’s how:
Keep them isolated: Don’t let them connect freely to your core systems or sensitive data.
Limit who can access them: Only approved users should have access, with strict permissions.
Monitor them closely: If possible, use security tools to track their activity 24/7.
Mark them as high risk: So everyone in your organisation knows they need extra care.
Think of these machines like unlocked doors: keep them locked down, in plain sight, and away from the rest of the house.
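The four controls above can be applied on the legacy host itself. The following is an added example, not KYND's code: a PowerShell script, run elevated on a Windows 10 machine that has to stay in service, that puts the host firewall into default-deny with logging, re-opens only a management subnet, DNS and an update server, restricts Remote Desktop to one approved group, turns on logon and process-creation auditing, and tags the machine as high risk. The subnet, server addresses, group name and log path are constructed placeholders.

```powershell
# Added example (not KYND's code): host-level lock-down for a Windows 10 machine
# kept past end of life. Run elevated on that machine. All addresses, the group
# name and the log path below are constructed placeholders; substitute your own.
$ManagementSubnet = '10.10.0.0/24'            # assumption: admin jump hosts, SIEM collector, DCs
$DnsServers       = @('10.10.0.10', '10.10.0.11')
$UpdateServer     = '10.10.0.50'              # assumption: WSUS / ESU distribution point
$AdminGroup       = 'CORP\Legacy-W10-Admins'  # assumption: the only group allowed to log on remotely
$LogFile          = '%SystemRoot%\System32\LogFiles\Firewall\legacy-w10.log'

# 1. Keep it isolated: default-deny in both directions on every profile, and log
#    dropped packets so the SIEM sees anything that tries to reach or leave the box.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName $LogFile -LogMaxSizeKilobytes 32767

# Re-open only the paths the business case needs. If domain controllers are not
# in the management subnet, add a rule for them too or domain logons will fail.
New-NetFirewallRule -DisplayName 'Legacy W10: admin RDP/WinRM from management subnet' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389,5985 `
    -RemoteAddress $ManagementSubnet -Profile Any
New-NetFirewallRule -DisplayName 'Legacy W10: DNS' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 `
    -RemoteAddress $DnsServers -Profile Any
New-NetFirewallRule -DisplayName 'Legacy W10: updates (WSUS)' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 8530,8531 `
    -RemoteAddress $UpdateServer -Profile Any
New-NetFirewallRule -DisplayName 'Legacy W10: log shipping and domain traffic to management subnet' `
    -Direction Outbound -Action Allow -RemoteAddress $ManagementSubnet -Profile Any

# 2. Limit who can access it: empty the Remote Desktop Users group and put back
#    only the approved group. (Members of local Administrators can still RDP, so
#    keep that group minimal as well.)
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_ }
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $AdminGroup

# 3. Monitor it closely: audit logons (success and failure) and process creation so
#    the SIEM can answer "who did what on this box".
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable

# 4. Mark it as high risk where both tooling and people will see it: the computer
#    description shown in system properties and picked up by inventory tools.
Get-CimInstance -ClassName Win32_OperatingSystem |
    Set-CimInstance -Property @{ Description = 'HIGH RISK: Windows 10 past EOL - isolated, do not extend access' }
```

Apply this to a single test machine first and watch the firewall log for a few days: the dropped-packet entries will show every dependency you forgot to whitelist (print servers, licence servers, file shares) before the rule set goes to the rest of the legacy estate. Ship that same log to the SIEM so that a legacy host suddenly trying to reach new destinations becomes an alert rather than a surprise.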
For cyber underwriters, the EOL of Windows 10 represents a key risk signal. Unsupported operating systems significantly increase the chance of breach and ransomware incidents — particularly in sectors with high Windows 10 usage and slower upgrade cycles.
Whether you're assessing a client's cyber risk or managing your own, the presence of EOL software should trigger further scrutiny, risk loading, or conditional coverage terms.
Windows 10’s end of life isn’t just a technical milestone. It’s a cybersecurity inflection point that will test the preparedness and resilience of organisations worldwide.
Just like with WannaCry, you can rest assured that threat actors will be ready for it.
If you’re concerned about legacy risks or unsure how exposed your systems (or your insureds’) might be, KYND can help.
Get in touch to explore how our cyber risk intelligence can shine a light on hidden vulnerabilities and support better risk decisions.