Microsoft retired mainstream support for Windows 10 on October 14, 2025, but the operating system continues to receive critical security updates through the Extended Security Update (ESU) program. This carefully managed transition period provides organizations with additional time to migrate to Windows 11 while maintaining security protections for their existing Windows 10 deployments.

The ESU Program Structure

The Extended Security Update program for Windows 10 follows a similar model to previous enterprise support extensions for Windows 7. Microsoft provides critical and important security updates for three additional years beyond the official end-of-support date. The program runs through October 2028, with pricing increasing each year to encourage migration.

Organizations can purchase ESU licenses through volume licensing agreements, including Enterprise Agreements, Microsoft Products and Services Agreements, and Cloud Solution Provider programs. The program covers Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Enterprise editions. Consumer versions of Windows 10, including Home and Pro editions for individual users, are not eligible for ESUs.

What ESUs Include and Exclude

Extended Security Updates focus exclusively on critical security vulnerabilities rated as Critical or Important according to Microsoft's severity classification. These updates address security flaws that could lead to remote code execution, elevation of privilege, or information disclosure. The updates are cumulative and released monthly as part of Microsoft's Patch Tuesday schedule.

Notably, ESUs do not include:
- New features or functionality
- Non-security updates
- Design change requests
- Technical support beyond security update installation issues
- Compliance with new regulatory requirements

This limited scope means organizations running Windows 10 under ESU will not receive the feature updates, quality improvements, or technical support they received during mainstream support. The operating system is effectively frozen in its final feature state, with only security patches applied.

Pricing and Licensing Details

Microsoft has implemented a tiered pricing structure for Windows 10 ESUs that increases significantly each year. First-year pricing starts at approximately $61 per device for Enterprise editions, doubling to around $122 in the second year, and reaching approximately $244 per device in the third and final year. These costs apply to devices covered by volume licensing agreements.

For organizations using Windows Virtual Desktop or Azure Virtual Desktop, ESUs are included at no additional cost for Windows 10 virtual machines running in Azure. This creates a financial incentive for moving workloads to the cloud during the migration period.

Educational institutions receive special pricing through their existing academic licensing agreements, with first-year costs approximately 25% lower than commercial rates. Government organizations also qualify for specific pricing through their procurement channels.

Technical Requirements and Limitations

To receive Extended Security Updates, devices must be running the final version of Windows 10 released in 2025 (version 22H2 or later). Earlier versions will not receive updates even with ESU licensing. Organizations must also have an active volume licensing agreement and apply a specific Key Management Service (KMS) key to enable update delivery.

The update delivery mechanism requires Windows Update for Business or Windows Server Update Services (WSUS) for enterprise environments. Consumer update channels will not deliver ESUs to eligible devices, ensuring only properly licensed installations receive the security patches.

Migration Considerations and Challenges

Microsoft designed the ESU program with clear migration incentives. The annual price increases encourage organizations to accelerate their transition to Windows 11 rather than maintaining Windows 10 deployments indefinitely. Many enterprise customers face significant challenges in this migration due to hardware compatibility issues with Windows 11's stricter system requirements.

The TPM 2.0 requirement, secure boot mandate, and specific processor generation requirements for Windows 11 have created a substantial hardware refresh burden for organizations. Industry analysts estimate that 30-40% of enterprise PCs currently running Windows 10 cannot upgrade to Windows 11 without hardware replacement. This reality has driven strong demand for ESUs as organizations budget for multi-year hardware refresh cycles.

Application compatibility represents another major migration hurdle. While Windows 11 maintains strong compatibility with most Windows 10 applications, some legacy business applications, particularly in manufacturing, healthcare, and financial services, require extensive testing and potential modification. The ESU program provides the necessary security coverage during these extended testing and deployment phases.

Security Implications of Extended Support

Security experts have expressed mixed opinions about the ESU approach. On one hand, maintaining security updates for critical vulnerabilities prevents organizations from running completely unprotected systems. On the other hand, the limited scope of ESUs means Windows 10 devices will become increasingly vulnerable to attacks targeting non-security flaws or utilizing techniques outside the Critical/Important severity classification.

The cybersecurity landscape continues to evolve rapidly, with attackers increasingly targeting supply chains, development tools, and configuration vulnerabilities. Windows 10 under ESU will not receive updates addressing these emerging threat vectors unless they qualify as Critical or Important security vulnerabilities.

Organizations using ESUs should implement additional security measures, including:
- Enhanced network segmentation for Windows 10 devices
- Application control policies to limit executable code
- Regular security configuration assessments
- Increased monitoring for anomalous behavior
- Strong identity and access management controls

Alternatives to ESU Licensing

For organizations seeking to avoid ESU costs, several alternatives exist. The most straightforward approach involves accelerating Windows 11 migration through hardware refresh programs and application modernization. Microsoft offers various tools to assist with this transition, including the Windows Assessment and Deployment Kit, Application Compatibility Toolkit, and readiness reports through Microsoft Endpoint Manager.

Cloud migration represents another alternative. Moving workloads to Azure Virtual Desktop or Windows 365 Cloud PC eliminates the need for ESUs while providing access to current Windows 11 environments. This approach can be particularly cost-effective for organizations with distributed workforces or seasonal staffing variations.

Some organizations are exploring third-party security solutions that claim to provide protection for unsupported operating systems. These tools typically use application control, behavioral monitoring, and network segmentation rather than patching vulnerabilities directly. While not equivalent to Microsoft's security updates, they can provide additional protection layers during migration periods.

Industry Impact and Adoption Patterns

Early adoption data suggests that approximately 60% of enterprise organizations have purchased first-year ESU licenses for at least some portion of their Windows 10 devices. The manufacturing, healthcare, and education sectors show the highest adoption rates, reflecting their typically longer hardware refresh cycles and greater dependency on legacy applications.

Small and medium businesses face particular challenges with the ESU program. Many lack volume licensing agreements and the IT resources to manage complex migration projects. Microsoft has faced criticism for not offering more accessible ESU options for smaller organizations, though third-party managed service providers are filling this gap with bundled migration and security services.

The PC hardware industry has experienced increased demand for Windows 11-compatible devices since the ESU announcement. Major manufacturers report 20-30% increases in commercial PC sales as organizations begin their refresh cycles. This hardware upgrade cycle represents a significant economic opportunity for the technology sector while creating budget pressures for IT departments.

Looking Beyond 2028

With the final ESU year ending in October 2028, organizations must complete their Windows 10 migrations within the next three years. Microsoft has not indicated any plans to extend the program beyond this date, making 2028 the absolute deadline for Windows 10 retirement in enterprise environments.

The current transition period provides valuable lessons for future Windows lifecycle management. Many organizations are implementing more proactive upgrade strategies, including continuous compatibility testing, regular hardware refresh budgeting, and cloud migration planning. These practices will become increasingly important as Microsoft moves toward more frequent Windows releases and potentially shorter support timelines.

For IT decision-makers, the key takeaway is clear: begin Windows 11 migration planning immediately if you haven't already. The ESU program provides essential breathing room, but the clock is ticking toward 2028. Successful organizations will use this time not just to upgrade operating systems, but to modernize their entire device management, security, and application delivery approaches for the cloud-first era.