October 14, 2025, marks the definitive end of free security updates, feature patches, and technical support for Windows 10—but with barely months to go, up to 60% of corporate devices and 53% of all monitored endpoints remain on the decade-old operating system, according to new telemetry from cybersecurity firm Kaspersky. The data, drawn from anonymized endpoint metadata of consenting users in its security network, paints a stark picture of an enterprise world that, by many measures, isn’t ready for the cutoff. While Microsoft’s Extended Security Updates (ESU) program offers a temporary safety net, the clock is ticking for IT leaders to execute a migration strategy that avoids crippling security exposure.

The numbers—and the caveats behind them—demand immediate attention. Kaspersky’s analysis shows that only 33% of devices in its sample have made the jump to Windows 11. Among business-class systems, the Windows 10 footprint is even larger: roughly 59.5% of corporate devices and 51% of small-business machines still rely on the older OS. A stubborn 4.5% of all monitored devices even cling to Windows 7, which exited support five years ago. “A system not receiving security updates is like a house with a rotting fence that can be knocked down with just a single kick,” Oleg Gorobets, a Kaspersky security expert, said in a statement. “The risk for both general and corporate business users far outweighs any minor inconveniences of moving to a new OS version.”

Yet these figures are not a global census. Kaspersky’s dataset reflects endpoints where its software is installed and telemetry consented to, introducing regional and customer-type biases. Other web-based trackers like StatCounter often show different shares depending on methodology. Treat the Kaspersky data as a critical operational warning about real fleets, not an absolute worldwide proportion. Even with that nuance, the core message is unambiguous: a massive installed base faces a hard security precipice in a matter of weeks unless action is taken.

Why so many organizations are behind

Hardware eligibility is the single biggest roadblock. Windows 11 requires a TPM 2.0, UEFI firmware that is Secure Boot capable, at least 4 GB of RAM and 64 GB of storage, and a CPU on Microsoft's supported-processor list (roughly 8th-generation Intel Core and AMD Ryzen 2000 or newer). Those requirements rule out millions of otherwise functional business desktops and laptops from in-place upgrades, and the CPU list, not the TPM, is usually what disqualifies a machine that is only a few years old. For large enterprises, this translates into multi-quarter procurement cycles, capital budget battles, and supply chain delays that simply cannot resolve before October.

Application compatibility further slows the process. Banks, hospitals, and government agencies often run bespoke line-of-business software that demands rigorous regression testing before any OS change. “Migrating to a newer OS may be misguidedly perceived as an unnecessary and even disruptive action offering only minor new features,” Gorobets noted, capturing the inertia that IT teams feel when stability is paramount. The fear of disrupting workflows or breaking legacy integrations leads many to defer, even as the calendar slips away.

Budget cycles and procurement friction compound the delay. Upgrading thousands of endpoints is a capital-intensive project that must compete with every other IT priority. Small and midsize businesses (SMBs) are particularly exposed; they often lack dedicated security staff and believe Windows 10 remains “good enough,” unaware of the ticking time bomb.

Perception and human factors play a role, too. After years of uneventful patching, an "if it isn't broken, don't fix it" mentality has settled in. IT teams may underestimate how quickly the threat landscape will shift once Microsoft stops issuing free patches.

The real-world risks of staying on Windows 10 past EOL

The attacker economics are grim. Windows 10 and Windows 11 share a large amount of code, so many of the vulnerabilities Microsoft patches in Windows 11 after the cutoff will also exist in Windows 10, where they will never be officially fixed. Security researchers and criminal groups routinely diff each month's Windows 11 updates against the previous binaries to locate the patched functions, then check whether the same code ships in Windows 10; what would have been a short-lived window between patch and exploit becomes a permanent attack vector. History shows that mass-impact incidents like WannaCry and NotPetya spread through unpatched systems, including end-of-life ones that had no patch available until Microsoft issued emergency out-of-band fixes.

Compliance and contractual exposure follow immediately. Regulated industries that hold personal data, process payments, or operate under strict SLAs will find unsupported operating systems a violation of mandated security baselines. Auditors and regulators expect documented, patched systems; failure can trigger fines, insurance disputes, and lasting reputational damage. Cyber-insurance policies increasingly require evidence that all endpoints are running supported software, and an insurer may treat an unsupported OS on the affected host as grounds to contest a claim.

Third-party support erosion is another silent risk. Browser vendors, security suites, and productivity tools will eventually drop testing and support for Windows 10. Enterprise applications that depend on specific .NET versions or kernel-mode drivers may break without warning, leaving IT with no vendor to call.

The Extended Security Updates program: what it is and isn’t

Microsoft’s ESU program offers a bridge, but it’s narrow and temporary. For consumers, there is a one‑year option through October 13, 2026. Enrollment paths include backing up settings to a Microsoft account with Windows Backup or redeeming 1,000 Microsoft Rewards points, both free, or purchasing a one‑time license for roughly US$30 per device. For commercial customers, the paid plan starts at $61 per device for the first year and doubles each year over a maximum of three years. In every case the device must already be on Windows 10 version 22H2 with the latest cumulative update installed; machines stuck on older feature versions cannot enroll until they are brought up to 22H2. Windows 10 devices that access Windows 11 Cloud PCs through Windows 365, and Windows 10 virtual machines running in Windows 365 or Azure Virtual Desktop, receive ESU coverage at no extra cost—a subtle nudge toward Microsoft’s cloud desktop ecosystem.

Yet ESU is not a long‑term solution. It provides only security updates rated Critical or Important; there are no new features, no non‑security quality fixes, and no general technical support. It does nothing to maintain application compatibility or driver support. For enterprises, the per-device price doubles each year ($61, then $122, then $244), so three years of ESU costs more than $400 per device on top of the migration that still has to happen afterwards. Any organization that enrolls should document decommission dates and treat each device as a controlled risk, not a settled matter.

A practical migration playbook for IT teams

Moving from panic to plan requires a structured approach. Here is a four‑phase playbook that can help any organization—whether a 50‑seat law firm or a global manufacturer—navigate the transition.

Phase 1: Inventory and risk triage (Days 1–30)
Create an authoritative database of every endpoint: make, model, Windows build, TPM status, and critical application dependencies. Categorize devices by business criticality—high (clinical workstations, financial trading desks), medium (knowledge workers), low (kiosks, lab machines). Flag devices ineligible for Windows 11 and decide immediately whether they will be replaced, repurposed, or secured with ESU. Without this inventory, migration is guesswork.
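The inventory step above is the one most teams get wrong by relying on asset-management fields that were never validated against the actual hardware. The following PowerShell function is an added example, not code from the article, Kaspersky or Microsoft; it reads the Windows 11 gating facts (OS build and feature version, TPM spec level, firmware type, Secure Boot state, cores, RAM, system-disk size) directly from each host and emits one row per device for the triage database. The host names in the fleet section are placeholders, and the CPU model is recorded but deliberately not compared against Microsoft's supported-processor list, which must be done separately.

```powershell
# Added example (not from the article): gather Windows 11 hardware-eligibility
# facts from one host for the Phase 1 inventory. Run in an elevated
# PowerShell 5.1+ session: Win32_Tpm and Confirm-SecureBootUEFI need admin rights.
function Get-Win11Readiness {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the
    # spec level Windows 11 cares about. No instance means no (enabled) TPM.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Secure Boot: the cmdlet throws on legacy BIOS firmware, which is itself the
    # answer. Windows 11 only requires the firmware to be Secure Boot *capable*,
    # so the eligibility gate below keys on UEFI, and the current state is
    # reported separately for the hardening step.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $build   = [int]$os.BuildNumber
    $ramGB   = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk `
                               -Filter "DeviceID='$($env:SystemDrive)'"
    $diskGB  = [math]::Round($sysDisk.Size / 1GB, 0)
    $uefi    = ($env:firmware_type -eq 'UEFI')   # Windows sets this to UEFI or Legacy

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Manufacturer     = $cs.Manufacturer
        Model            = $cs.Model
        OS               = $os.Caption
        Build            = $build
        DisplayVersion   = $ver.DisplayVersion      # e.g. 22H2; ESU enrollment requires 22H2
        AlreadyWin11     = ($build -ge 22000)       # Windows 11 builds start at 22000
        TpmSpecVersion   = $tpmSpec
        Tpm2             = ($tpmSpec -eq '2.0')
        Firmware         = $env:firmware_type
        SecureBootOn     = $secureBoot
        Cpu              = $cpu.Name                # compare to Microsoft's CPU list yourself
        Cores            = $cpu.NumberOfCores
        RamGB            = $ramGB
        SystemDiskGB     = $diskGB
        # Hardware gate only (TPM 2.0, UEFI, 2 cores, 4 GB RAM, 64 GB disk);
        # the supported-CPU check is intentionally left to the caller.
        HardwareEligible = ($tpmSpec -eq '2.0') -and $uefi -and
                           ($cpu.NumberOfCores -ge 2) -and ($ramGB -ge 4) -and ($diskGB -ge 64)
    }
}

# Single host, for a quick look:
Get-Win11Readiness | Format-List

# Fleet collection over WinRM. The host list is a placeholder; feed it from AD,
# Configuration Manager or an Intune export in practice.
$fleet = @('WS-FIN-001', 'WS-CLIN-017')
Invoke-Command -ComputerName $fleet -ScriptBlock ${function:Get-Win11Readiness} |
    Select-Object * -ExcludeProperty RunspaceId |
    Export-Csv -Path .\win11-readiness.csv -NoTypeInformation

# Triage: devices still on Windows 10 whose hardware cannot take Windows 11 are
# the replace / repurpose / ESU decisions that need an owner this week.
Import-Csv .\win11-readiness.csv |
    Where-Object { $_.AlreadyWin11 -eq 'False' -and $_.HardwareEligible -eq 'False' } |
    Select-Object ComputerName, Model, DisplayVersion, TpmSpecVersion, Firmware, Cpu |
    Format-Table -AutoSize
```

Two caveats from running this kind of collection at scale: a host that reports `TpmSpecVersion = none` often has a TPM that is simply disabled in firmware, so it belongs in a "check BIOS settings" bucket before the replacement list; and `DisplayVersion` matters beyond eligibility, because a Windows 10 machine still on 21H2 or earlier cannot even be put on ESU until it is moved to 22H2.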

Phase 2: Pilot and compatibility testing (Days 30–90)
Deploy Windows 11 to a representative sample of each device family and application stack. Run smoke tests on line‑of‑business software, validate printer and peripheral drivers, and test core workflows. Involve business owners early and document rollback procedures. Pilots expose hidden dependencies that automated tools miss, reducing the risk of a mass outage during broad deployment.

Phase 3: Deployment and procurement (Days 90–270)
For eligible devices, roll out in‑place upgrades using Autopilot, Configuration Manager, Intune, or your chosen deployment pipeline. For ineligible hardware, execute the procurement, leasing, or cloud migration plan. Enroll a scoped set of high‑criticality devices in ESU only with a firm sunset date. Windows 10 endpoints that connect to Windows 365 Cloud PCs receive ESU automatically, which offloads the patching concern for the local OS but still leaves a Windows 10 machine on your network, so keep it on the same sunset list.

Phase 4: Harden and monitor (Ongoing)
Any Windows 10 endpoint retained after October 14 must be treated as a high‑risk asset. Implement network segmentation, strict access controls, endpoint detection and response (EDR) agents, multifactor authentication, and elevated logging. Correlate new Windows 11 patch releases with potential exploit intelligence and apply compensating mitigations to Windows 10 hosts immediately.
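Segmentation and MFA are verified at the firewall and the identity provider, but several of the host-level controls Phase 4 calls for can be audited on the endpoint itself. The script below is an added example, not from the article; it is read-only, reports the state of the controls most relevant to an unsupported Windows 10 host (SMBv1 off, LSA protection, Defender real-time and tamper protection, the LSASS credential-theft ASR rule, BitLocker on the system drive, process-creation and PowerShell script-block logging) and changes nothing. It assumes Microsoft Defender is the active antivirus; a host running a third-party EDR will show the Defender checks as failing and needs the equivalent checks for that product.

```powershell
# Added example (not from the article): read-only audit of host-level
# compensating controls on a Windows 10 endpoint kept past end of support.
# Run elevated. Nothing here modifies the host.
function Test-Win10CompensatingControls {
    [CmdletBinding()]
    param()

    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Control, [bool]$Pass, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # 1. SMBv1 server side off (the EternalBlue / WannaCry protocol surface).
    $smb = Get-SmbServerConfiguration
    Add-Check 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) `
              "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"

    # 2. LSA runs as a protected process (RunAsPPL), blunting LSASS credential dumping.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name RunAsPPL -ErrorAction SilentlyContinue
    Add-Check 'LSA protection (RunAsPPL)' ([int]$lsa.RunAsPPL -ge 1) "RunAsPPL=$([int]$lsa.RunAsPPL)"

    # 3. Defender real-time protection, tamper protection and fresh signatures.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    Add-Check 'Defender real-time protection' ([bool]$mp.RealTimeProtectionEnabled) `
              "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Check 'Defender tamper protection' ([bool]$mp.IsTamperProtected) `
              "IsTamperProtected=$($mp.IsTamperProtected)"
    $sigAge = if ($mp.AntivirusSignatureLastUpdated) {
        ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays } else { 999 }
    Add-Check 'AV signatures < 3 days old' ($sigAge -lt 3) ("age={0:N1} days" -f $sigAge)

    # 4. ASR rule "Block credential stealing from LSASS" in Block mode (action 1).
    $lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
    $i    = [array]::IndexOf($ids, $lsassRule)
    $asrBlock = ($i -ge 0) -and ([int]$pref.AttackSurfaceReductionRules_Actions[$i] -eq 1)
    Add-Check 'ASR: block LSASS credential theft' $asrBlock "rule index=$i"

    # 5. BitLocker protecting the system drive (a lost unsupported laptop is still a breach).
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    Add-Check 'BitLocker on system drive' ("$($bl.ProtectionStatus)" -eq 'On') `
              "ProtectionStatus=$($bl.ProtectionStatus)"

    # 6. Process-creation auditing (event 4688) with command lines, plus PowerShell
    #    script-block logging, so EDR/SIEM actually sees what runs on the host.
    $audit = (auditpol /get /subcategory:"Process Creation" /r) |
             Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $inc = "$($audit.'Inclusion Setting')"
    Add-Check 'Process Creation auditing (4688)' ($inc -like '*Success*') "Inclusion Setting=$inc"
    $cmd = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                            -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    Add-Check '4688 includes command line' ([int]$cmd.ProcessCreationIncludeCmdLine_Enabled -eq 1) `
              "ProcessCreationIncludeCmdLine_Enabled=$([int]$cmd.ProcessCreationIncludeCmdLine_Enabled)"
    $sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                            -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    Add-Check 'PowerShell script-block logging' ([int]$sbl.EnableScriptBlockLogging -eq 1) `
              "EnableScriptBlockLogging=$([int]$sbl.EnableScriptBlockLogging)"

    return $checks
}

# Usage: table for the admin, non-zero exit code for the compliance pipeline.
$results = Test-Win10CompensatingControls
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} of {1} compensating controls missing on {2}" -f `
                   $failed.Count, $results.Count, $env:COMPUTERNAME)
    exit 1
}
```

Run it from the same `Invoke-Command` fan-out used for the inventory and store the per-host results next to the ESU sunset date; a retained Windows 10 host that fails any row here is exactly the "high-risk asset" the phase describes and should not be on the network without an exception signed by its business owner.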

Beyond the in-place upgrade: alternative paths

A straight migration to Windows 11 isn’t the only way off the cliff. Cloud desktops offer a compelling middle ground. Windows 365 and Azure Virtual Desktop allow organizations to run Windows 11 instances in Microsoft’s cloud and stream them to older client hardware that cannot support the OS locally. Users keep their familiar endpoints while IT gains a fully supported, centrally managed OS layer. Licensing details matter—devices connecting to Windows 11 Cloud PCs automatically receive ESU for the local Windows 10 OS—but the approach decouples hardware lifecycle from software support, potentially saving millions in refresh costs.

For workloads that are not tied to Windows, a non-Windows OS is a viable alternative for kiosks, lab devices, and thin clients. A Linux distribution such as Ubuntu LTS, or Google's ChromeOS Flex, can put aging hardware back into service without Windows licensing fees, provided the required applications are browser-based or have native equivalents. This path requires revalidation and brings its own patch lifecycle (an Ubuntu LTS release, for example, has a fixed support window), but it removes exposure to Windows‑specific threats on those devices.

Thin‑client architectures paired with virtual desktop infrastructure (VDI) also reduce local attack surface. When the endpoint is little more than a display terminal, the patching burden shifts to the server side, which can be rigorously managed. Combined with zero‑trust networking and identity controls, this model materially shrinks the risk of running unsupported hardware on the edge.

Counting the true cost: budgets, e‑waste, and hidden burdens

Hardware refresh isn’t cheap, but breach recovery is pricier. IT leaders must model the total cost of ownership: capital for new devices versus annual ESU subscriptions, factoring in the expected cost of a security incident. A single ransomware attack on an unpatched fleet can dwarf a year’s ESU spend. Encourage finance departments to view the migration not as an expense but as insurance against a known catastrophic risk.

Hidden costs are easy to overlook. Application testing, user retraining, driver remediation, and help‑desk surge all consume time and budget. Plan for them explicitly. Some organizations may find that the “free” in-place upgrade from Windows 10 to 11 costs more in disruption than a fresh deployment on new hardware, so the cheaper option on paper is not always cheaper in practice.

Environmental impact is a growing boardroom concern. Mass replacement of functioning devices generates e‑waste and carbon footprint. Where possible, pursue refurbishment, trade‑in programs, or repurposing older machines for low‑risk, segmented roles. Cloud‑desktop strategies also keep physical churn to a minimum. Microsoft and major OEMs offer take‑back and recycling programs that can soften the sustainability blow.

What boards and C‑suites should demand right now

Senior leaders must move beyond asking “Are we upgraded?” and instead demand:
- A validated, time‑bound inventory linked to risk metrics (attack surface, compliance exposure, potential business impact).
- A documented decision matrix for every device category: upgrade, replace, ESU (with end date), or retire.
- Evidence of compensating controls—network segmentation, EDR, MFA, heightened logging—for any Windows 10 endpoint that will remain post‑deadline.
- A single‑page executive dashboard tracking progress against the migration plan, updated at least monthly.

The path forward

October 14, 2025, is not a symbolic date; it is an operational pivot. The Kaspersky telemetry, however imperfect as a global census, corroborates what myriad regional and sectoral snapshots have been signaling: a huge portion of the world’s endpoints still run Windows 10. That reality changes the economics for attackers and the risk calculus for every organization.

The steps are clear, if compressed. Inventory everything. Pilot relentlessly. Deploy deliberately. Use ESU only as a time-boxed bridge. Investigate cloud desktops and alternative OS options where appropriate. Harden what you cannot immediately replace. The organizations that move now—with plans grounded in actual device data—will cross the threshold with minimal disruption. Those that wait will face not just a scramble, but potentially crippling security incidents, regulatory penalties, and spiraling remediation costs. The decisions made in the coming weeks will define the security posture for years to come.