Microsoft has confirmed a measured — and expensive — safety net for organizations that are still running Windows 10 Enterprise LTSB 2016 and Windows 10 IoT Enterprise LTSB 2016, and it has signaled more clearly than ever that the time to migrate is now. The Extended Security Updates (ESU) program, which begins on October 14, 2025, will provide critical and important security patches for these aging Long-Term Servicing Branch releases for up to three additional years, but at a significant and escalating annual cost. This move underscores Microsoft's ongoing push to modernize the Windows ecosystem, urging enterprises to transition to newer, supported versions like Windows 11 or the cloud-based Windows 365.

The ESU Program: A Costly Lifeline for Legacy Systems

The Extended Security Updates program is not a new concept; Microsoft has employed it for previous Windows versions like Windows 7 and Windows Server 2008. For Windows 10 LTSB 2016, the program officially starts on October 14, 2025, the date mainstream support ended in October 2021 and extended support concludes. The ESU will be available for purchase for up to three years, through October 2028. However, this security blanket comes with a steep price tag designed to incentivize migration rather than long-term reliance.

According to Microsoft's official licensing documentation, the cost structure is progressive:
- Year 1 (Oct 2025–Oct 2026): The cost is 100% of the full on-premises license price per device, annually.
- Year 2 (Oct 2026–Oct 2027): The cost increases to 125% of the license price.
- Year 3 (Oct 2028–Oct 2028): The cost escalates further to 150% of the license price.

This pricing model means that over three years, an organization could pay the equivalent of 375% of a single license cost just for security updates, not including any potential implementation or management fees. For large enterprises with thousands of devices, this represents a multimillion-dollar proposition. The program is available only for organizations with a volume licensing agreement, such as an Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), or a Server and Cloud Enrollment (SCE). It is not available for individual consumers or through retail channels.

Windows Server 2016: A Parallel Path with Slightly Different Timing

The ESU story for Windows Server 2016 is closely related but on a slightly different timeline. Windows Server 2016's extended support end date is January 11, 2027. Microsoft has confirmed that ESUs will be available for Windows Server 2016 for up to three years after that date, through January 2030. The pricing structure is expected to follow a similar escalating model, though exact percentages may be confirmed closer to the date. This gives server administrators a critical, albeit costly, buffer for legacy applications that cannot be immediately migrated to newer server platforms like Windows Server 2022 or Azure.

The Imperative for Migration: Beyond Just Cost

While the financial burden of ESUs is a powerful motivator, the reasons to migrate from Windows 10 LTSB 2016 extend far beyond licensing fees. Technologically, these systems are frozen in time. LTSB/LTSC (Long-Term Servicing Channel) versions are designed for specialized devices that require extreme stability, like medical equipment, ATMs, or industrial control systems. They do not receive the feature updates that define the modern Windows experience. This means devices running the 2016 release are missing nearly a decade of security innovations, performance enhancements, and hardware compatibility updates.

Modern Windows 11 and Windows 10 (in its general availability channel) include foundational security features absent in the 2016 build, such as:
- Hardware-enforced Stack Protection and other Microsoft Pluton security processor integrations.
- Secured-core PC requirements for business devices.
- Advanced threat protection via Microsoft Defender for Endpoint.
- Windows Hello for Business with stronger biometric authentication.
- Regular Windows Feature Updates that deliver new security capabilities.

Continuing to operate on an unsupported, ESU-patched version leaves organizations vulnerable to security gaps that patches cannot address and increases compatibility risks with modern software and cloud services.

Migration Pathways and Strategic Considerations

For organizations facing this cliff, several migration paths exist, each with its own considerations:

1. Upgrade to Windows 10/11 General Availability Channel

This is the most direct path for standard workstations. However, a direct in-place upgrade from LTSB 2016 to Windows 11 is not supported due to hardware and software compatibility gaps. The typical process involves:
- Hardware Assessment: Many LTSB 2016 devices may be older than 5-6 years and likely lack the TPM 2.0, secure boot, and modern CPU requirements for Windows 11. A hardware refresh is often necessary.
- Data and Application Migration: A wipe-and-load deployment is frequently required, migrating user data and reinstalling applications on a new Windows 10 or 11 image.
- Testing: Rigorous testing of line-of-business applications on the new OS is critical.

2. Transition to a Newer LTSC Release

Microsoft offers newer LTSC versions, such as Windows 10 Enterprise LTSC 2021 (supported until Jan 2032) and the upcoming Windows 11 LTSC 2024. This may be suitable for devices that truly require the static nature of LTSC. However, this only postpones the eventual ESU decision, as each LTSC version has its own end-of-life date.

3. Move to Cloud PC Solutions (Windows 365)

For many, the most strategic long-term move is to Windows 365, Microsoft's Cloud PC service. This shifts the management and security burden to Microsoft, provides access to a always-up-to-date Windows 11 environment from any device, and eliminates end-of-support concerns for the local OS. It represents a shift from CapEx (hardware refresh) to OpEx (subscription).

4. Application Modernization and Server Migration

For Windows Server 2016 workloads, the paths include:
- Upgrading in-place to Windows Server 2022.
- Migrating workloads to Azure Virtual Machines or Azure Arc-enabled servers for hybrid management.
- Refactoring applications to be cloud-native using Azure App Services or containers (AKS).

Planning and Next Steps for IT Administrators

Time is the critical resource. With the ESU clock starting in October 2025 for Windows 10 LTSB 2016, organizations should immediately:

  1. Conduct a Comprehensive Inventory: Use tools like Microsoft Endpoint Configuration Manager, Intune, or third-party asset management software to identify all devices running Windows 10 LTSB/IoT LTSB 2016 and Windows Server 2016.
  2. Assess Application Dependencies: Catalog all business-critical applications running on these systems. Determine their compatibility with Windows 11/Server 2022 or if they require modernization.
  3. Evaluate Hardware Eligibility: For workstations, determine the percentage of devices that meet Windows 11 requirements. Plan for a phased hardware refresh if needed.
  4. Calculate the True Cost of Delay: Model the three-year cumulative cost of ESUs for your estate versus the capital investment in new hardware and the operational cost of migration projects. Include the risk cost of potential security incidents.
  5. Develop a Phased Migration Plan: Create a project plan with clear phases: pilot, early adopters, broad deployment, and legacy cleanup. Aim to complete migration well before the October 2025 deadline to avoid the first year of ESU costs.
  6. Engage with Microsoft or a Partner: Discuss licensing options, Cloud Solution Provider (CSP) programs for Windows 365, and potential migration support services.

Microsoft's message is unequivocal: the era of Windows 10 LTSB 2016 is concluding. The Extended Security Updates program is a testament to the real-world challenges of migration for specialized environments, but its prohibitive cost structure is a clear signal. For IT leaders, the task is no longer about if to migrate, but how and how quickly. The most forward-looking strategy involves using this deadline as a catalyst not just for an OS upgrade, but for a broader digital transformation—embracing modern hardware, cloud-based management with Intune, and the enhanced security posture that defines the current Windows landscape. The countdown to October 2025 has begun, and proactive planning is the only way to avoid being caught between the rock of escalating costs and the hard place of unsecured, obsolete systems.