Enterprises that hold on to Windows 10 past its October 14, 2025 end-of-support deadline could collectively face a first-year bill of roughly $7.3 billion for Extended Security Updates (ESU), according to new analysis from digital employee experience specialist Nexthink. The figure is a macro-level alarm — not a per‑organisation invoice — but it underscores the financial gravity of delaying migration to Windows 11 or a modern cloud‑based desktop strategy.

The calculation, built on publicly available device counts and Microsoft’s published ESU list pricing, arrives as many IT leaders are still weighing the cost of staying versus moving. Microsoft’s commercial ESU pricing starts at $61 per device for Year One, then doubles each subsequent year: $122 in Year Two and $244 in Year Three. With an estimated 121 million commercial Windows 10 devices still expected to be in service by the October cutoff, the arithmetic becomes stark.

The Nexthink Math: A Sector-Level Stress Test

Nexthink’s public model follows a transparent chain of assumptions:

  • Starting with Microsoft’s widely cited base of 1.4 billion monthly active Windows devices, the firm assumes about 30% are in commercial or public‑sector use — approximately 420 million enterprise devices.
  • Using StatCounter-like market‑share snapshots and its own telemetry, Nexthink estimated 181 million of those enterprise devices were still running Windows 10 at a mid‑2025 snapshot, a figure expected to decline to about 121 million by the October deadline.
  • Multiply 121 million by $61, and you get $7.3 billion for Year One alone.

The model is deliberately simple, designed to communicate scale. It is not a procurement invoice. Inputs are sensitive to market‑share tracking variations — StatCounter charts can show Windows 10 and 11 flipping between the mid‑40s and low‑50s percentage points month to month, so absolute device counts are estimates, not fixed inventories. Nevertheless, the collective exposure is large, and the figure serves as a sector‑level stress test for planning.

What Extended Security Updates Actually Cover

Before signing up for ESU, IT leaders must understand exactly what they are buying — and what they are not. Microsoft frames ESU as a temporary bridge, not a long‑term maintenance model.

ESU provides:
- Critical and important security updates for eligible Windows 10 releases, primarily version 22H2.
- Monthly security patches to reduce immediate exploit risk after end‑of‑support.

ESU does not include:
- New feature updates, performance or quality fixes, or general technical support beyond activation assistance.
- Compatibility fixes, driver updates, or back‑ported functionality beyond the security patch set.
- A permanent replacement for a migration plan.

Activation options vary. The traditional per‑device 5×5 activation key is the baseline, but Microsoft offers cloud‑activation discounts (roughly 25% in some communications) for customers using Intune or Windows Autopatch. Additionally, Windows 365 and Azure Virtual Desktop configurations can include ESU at no extra cost. Education customers see drastically lower pricing — as little as $1, $2, and $4 over three years — while a limited consumer ESU option, with its own rules and lower price point, is also available.

ESU vs. Migration: The Real‑World Financial Picture

For operational planning, the headline $7.3 billion figure must be translated into per‑organisation scenarios. Consider a fleet of 100,000 devices remaining on Windows 10 at the deadline:

  • Year‑One ESU cost: 100,000 × $61 = $6.1 million.
  • Full three‑year cumulative ESU cost (if continued): $61 + $122 + $244 = $427 per device, totaling $42.7 million.
  • A typical hardware refresh amortized at $900 per device would cost $90 million upfront — a higher one‑off expense, but one that may prove cheaper when factoring in productivity gains, updated hardware support, and avoidance of compounding ESU fees.

The equation changes dramatically with scale. For a handful of immovable legacy devices, Year‑One ESU is relatively cheap compared to replacement capex. For large estates, multiple years of ESU quickly exceed the cost of phased hardware refreshes and application modernisation. Organisations that enter ESU late — in Year Two or Three — often face cumulative purchase models that require paying prior years retroactively, further inflating the bill.

The Hidden Risks of Staying on Windows 10

Paying for ESU reduces immediate patching risk, but it does not eliminate broader operational and strategic dangers. Those include:

  • Security posture erosion. ESU patches close known attack vectors, but as vendors stop testing and certifying endpoint security tools against Windows 10, the platform’s security surface degrades. Threat actors rapidly weaponise unsupported environments.
  • Application and driver compatibility decay. Independent software vendors and peripheral manufacturers increasingly optimise for Windows 11. Older drivers and line‑of‑business apps risk losing vendor support, creating compatibility holes and patching friction.
  • Compliance and audit exposure. In regulated industries, running an unsupported OS — even with ESU — may violate mandates that require vendor‑supported platforms.
  • Operational complexity. Mixed estates of Windows 10 and 11 create inconsistent user experiences. Nexthink’s own telemetry has shown higher crash and hard‑reset rates in some early Windows 11 deployments, often traceable to hardware, driver, or deployment‑process mismatches rather than the OS itself. Bad pilots and rushed rollouts multiply help‑desk tickets and lost productivity.
  • Supply‑chain bottlenecks. A simultaneous rush to refresh hardware or hire migration services can push procurement lead times, pricing, and resourcing to breaking points.

A Practical Migration Playbook

For IT teams deciding between ESU and immediate migration, a measured approach balances risk, cost, and employee experience.

1. Rapid inventory and telemetry (Week 0–2)

Build an accurate device inventory: OS version, hardware compatibility (TPM, Secure Boot), application inventory, critical peripherals. Use digital experience telemetry to identify high‑risk users, high‑value devices, and mission‑critical apps.

2. Prioritise by risk and business impact (Week 2–4)

Define tiers: mission‑critical systems that cannot be touched (consider targeted ESU), high‑value knowledge workers (prioritise fast migration), and peripheral‑sensitive or legacy hardware (consider virtualization or cloud options). Align with quarterly budgets and refresh cycles.

3. Pilot, validate, repeat (Month 1–3)

Run small, representative pilots mirroring the diversity of roles and hardware. Validate driver stacks, VPNs, videoconferencing, and line‑of‑business apps. Refine imaging, driver packs, and support runbooks. DEX tools can pre‑empt user impact.

4. Use hybrid techniques to reduce ESU scope (Month 2–9)

Offload legacy workloads to virtual desktops, Windows 365 Cloud PCs, or Azure Virtual Desktop — many of these scenarios include ESU at no extra charge. Retire or contain isolated OT/industrial devices via network segmentation. For stubborn LOB apps, investigate containerisation, app remodelling, or vendor upgrades.

5. Negotiate supplier deals and staged procurement (Ongoing)

Negotiate volume discounts, trade‑in credits, warranty, and depot support with OEMs. Where ESU is unavoidable, target it narrowly for the smallest possible set of devices and buy Year‑One only as a bridge. Factor in cloud‑activation discounts if you use Intune/Autopatch.

6. Measure post‑migration experience

Use DEX metrics and SLA figures to measure before‑and‑after experience. Treat migration as a digital experience improvement, not a compliance chore.
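As an added example, not code from the article or from Nexthink, the PowerShell below captures the step-1 readiness signals the playbook names (OS build, the 22H2 ESU-eligible release, TPM 2.0, Secure Boot) and projects a cohort's ESU exposure using the list prices, cumulative late-entry rule and cloud-activation discount the article quotes. The function names, the `$EsuListPrice` table and the 0.75 discount factor are assumptions built from the article's own figures.

```powershell
# Added example (not the article's or Nexthink's code). Assumes Windows PowerShell 5.1+
# on the endpoint, run elevated so the TPM WMI class and Secure Boot state are readable.

$EsuListPrice = @(61, 122, 244)   # commercial per-device list price: Year One, Two, Three

function Get-Win11ReadinessRecord {
    $os = Get-CimInstance Win32_OperatingSystem
    $displayVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
        -ErrorAction SilentlyContinue).DisplayVersion
    # TPM spec version comes from the security namespace; SpecVersion reads like "2.0, 0, 1.59"
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
        -ErrorAction SilentlyContinue
    $tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not ready"
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OsCaption      = $os.Caption
        Build          = [int]$os.BuildNumber
        DisplayVersion = $displayVersion
        IsWindows10    = [int]$os.BuildNumber -lt 22000   # Windows 11 builds start at 22000
        EsuEligible    = $displayVersion -eq '22H2'       # article: ESU primarily covers 22H2
        Tpm20          = $tpm20
        SecureBoot     = $secureBoot
        Win11Ready     = $tpm20 -and $secureBoot          # firmware gates only, not CPU/RAM/storage
    }
}

function Get-EsuExposure {
    param([int]$DeviceCount, [int]$YearsOnEsu = 1, [int]$EntryYear = 1, [switch]$CloudActivated)
    # Late entry is cumulative: a Year-Two buyer also pays Year One (article's retroactive rule).
    $lastYear  = [math]::Min($EntryYear + $YearsOnEsu - 1, 3)
    $perDevice = ($EsuListPrice[0..($lastYear - 1)] | Measure-Object -Sum).Sum
    if ($CloudActivated) { $perDevice = [math]::Round($perDevice * 0.75, 2) }  # ~25% Intune/Autopatch discount
    [pscustomobject]@{ Devices = $DeviceCount; PerDevice = $perDevice; Total = $perDevice * $DeviceCount }
}

# Usage on one endpoint:   Get-Win11ReadinessRecord | Format-List
# Cohort planning:         Get-EsuExposure -DeviceCount 100000 -YearsOnEsu 3   # $427/device, $42.7M total
#                          Get-EsuExposure -DeviceCount 500 -EntryYear 2       # pays Year One + Two, $183/device
```

Run the readiness function across the estate (for example via a management agent or `Invoke-Command`) and feed the `IsWindows10`, `EsuEligible` and `Win11Ready` counts into the exposure function to size the "immovable" cohort before buying any ESU.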

Strengths and Weaknesses of Buying ESU

Strengths:
- Rapid risk reduction for a narrow set of unmovable devices.
- Operational breathing room to plan complex migrations without forcing rushed rollouts.
- Predictable short‑term cost if purchased early for a tightly scoped estate.

Weaknesses/Risks:
- High cumulative cost if used broadly over multiple years — Microsoft’s doubling pricing is deliberately punitive.
- Limited coverage — security only, no compatibility or feature fixes.
- Compliance blind spots — some regulatory frameworks and third‑party vendors may treat an ESU‑protected installation differently from a fully supported OS.
- Opportunity cost — prolonged postponement delays productivity, security, and manageability gains from modern hardware and Windows 11’s virtualization‑based security features.

Executive Checklist: 30–90 Days to Action

For IT and business leaders, the window to act is closing. Immediate steps should include:

  • Convene a cross‑functional migration steering group (CIO, CISO, Head of Desktop, Procurement, Application Owners).
  • Run a three‑week discovery sprint: inventory, application compatibility scan, device readiness (TPM/Secure Boot).
  • If absolutely necessary, buy ESU only for the smallest, mission‑critical cohort as a one‑year bridge — not as a default plan for the entire estate. Negotiate cloud‑activation discounts where possible.
  • Launch representative pilots with strong telemetry and rollback plans; iterate on driver packs and imaging automation.
  • Where hardware is incompatible or apps cannot migrate, prioritise virtualization or Windows 365 Cloud PCs to reduce per‑device ESU exposure.
  • Track migration KPIs: time‑to‑upgrade, help‑desk tickets per 1,000 users, DEX health scores, and post‑migration crash rates.

The Path Forward

Nexthink’s $7.3 billion headline is a necessary conversation starter. The arithmetic is credible at scale, but for individual organisations the choice is not binary — it is a portfolio decision across devices, users, and applications. ESU is a short‑term insurance policy for truly immovable workloads, not a long‑term business model. The winning organisations will be those that translate the headline into disciplined, measurable programs: immediate inventorying, narrowly scoped ESU purchases when unavoidable, and aggressive but careful migration plans that safeguard productivity while removing unsupported software from the attack surface. The path is neither simple nor painless, but with accurate data, a prioritised plan, and diligent execution, it is eminently manageable.