The clock is ticking louder than ever. On October 14, 2025, Microsoft will pull the plug on free security updates for Windows 10, leaving millions of business PCs exposed—and billable. An analysis by Nexthink, based on real-time endpoint telemetry, paints a stark picture: even accounting for frantic migration efforts, roughly 121 million corporate devices will still be running the decade-old OS when the deadline strikes. At $61 per device for the first year of Extended Security Updates (ESU), that translates to a collective invoice exceeding $7.3 billion. And that’s just Year One. The real kicker? Microsoft’s pricing model doubles the fee each subsequent year—$122 in Year Two, $244 in Year Three—turning a short-term bridge into a financial sinkhole for any organization that dawdles.
The numbers land as many IT leaders are still wrestling with inventory audits, hardware compatibility roadblocks, and tight budget cycles. Windows 11 has been available since October 2021, yet adoption has lagged, often because enterprises align OS refreshes with hardware rollouts. Now the two cycles are colliding head-on, and the cost of doing nothing—or of trying to buy time—is coming into razor-sharp focus.
A Decade of Windows 10 Comes to an End
Windows 10 arrived in July 2015 with an audacious promise: it would be the last major version of Windows, with Microsoft shifting to a continuously updated “Windows as a Service” model. That story changed in 2021 with the launch of Windows 11, and the company officially set the 10-year lifecycle clock ticking. Now, version 22H2 and related editions are heading for end of support, after which no more free security patches, bug fixes, or feature updates will land.
The lifeline Microsoft offers is the Extended Security Update program, originally crafted for organizations that need extra time to complete migrations. It’s available for up to three years after End of Life, but the cost structure is deliberately punitive. “ESU is intended as a temporary, per-device subscription,” notes Microsoft’s lifecycle policy. Commercial pricing starts at $61 for Year One, then escalates steeply. For a 100,000-device estate, Year One alone would cost $6.1 million; if those devices were kept on ESU through Year Three, cumulative fees would surpass $40 million.
The $7.3 Billion Warning Shot
Nexthink’s projection injects urgency into boardroom conversations. Between May and August 2024, the vendor observed a 33% drop in Windows 10 devices among its customer base—a sign that many organizations are moving, albeit gradually. Assuming a similar pace of migration by the October 2025 cutoff, the remaining pool sits at roughly 121 million enterprise endpoints. Multiplied by the Year One ESU price tag, that’s $7.3 billion collectively—and that figure doesn’t include the consumer market, where Microsoft is offering a one-year paid extension at a lower price, or a limited free enrollment option for some scenarios.
Gartner senior director analyst Ranjit Atwal places the number in context: “Businesses can buy an ESU, but I expect only a small number of organizations will pay for this—to provide a support bridge enabling them to continue to receive support from Microsoft when they complete the migration.” In other words, most firms won’t willingly write a blank check to Microsoft; they’ll scramble to get off Windows 10 before the bills pile up. But for legacy workloads tethered to unsupported hardware or untested applications, ESU becomes the lesser evil—an expensive Band-Aid while a permanent fix is engineered.
Hardware and Security: The Twin Blockers
Why hasn’t migration been faster? The answer often lies inside the device. Windows 11 enforces a strict security baseline: TPM 2.0, Secure Boot enabled in UEFI, and a processor that appears on Microsoft’s approved list. Many business PCs purchased as recently as 2018 lack TPM 2.0, and CPUs like Intel’s 7th-gen Core or older AMD Ryzen chips are flatly unsupported. This creates a forced hardware refresh concurrent with the OS upgrade, spiking capital expenditure at a time when many IT budgets are still recovering from pandemic-era splurges.
Secure Boot itself is a double-edged sword. While it significantly reduces the attack surface by blocking unsigned drivers and rootkits, it can also break compatibility with legacy peripherals and specialized software. “The Secure Boot feature is enabled by default in Windows 11, but is optional on Windows 10, which means older pieces of software and device drivers that need to be digitally signed cannot be installed on the newer operating system,” Atwal explains. Industrial scanners, lab instruments, and custom line-of-business apps often fall into this trap, forcing organizations to either pay for vendor-signed updates—if they exist—or isolate those workloads on virtual machines or cloud PCs.
The Security Imperative: Why “Wait and See” Is Not an Option
Leaving Windows 10 unpatched after October 14 is a recipe for disaster. History shows that attackers closely monitor end-of-support dates. When Windows 7 exited the stage in January 2020, exploit kits rapidly targeted fresh vulnerabilities, knowing that no more patches would arrive. With Windows 10’s massive install base—still hovering around 60% of all Windows PCs globally, by some estimates—the incentive for criminals is enormous. An unpatched OS becomes a conduit for ransomware, credential theft, and lateral movement across a corporate network.
Regulated industries face an additional headache. HIPAA, PCI DSS, and similar frameworks mandate that systems receive regular security updates. Running an unsupported OS can trigger audit findings, compliance breaches, and even litigation exposure. For financial services, healthcare, and critical infrastructure, the ESU fee may be the cost of staying compliant, not a voluntary choice.
Building a Migration Playbook That Works
For IT leaders staring down a fleet of aging laptops, a pragmatic, phased approach is the only sane path. Here’s a distilled action plan drawn from real-world consulting and Microsoft’s own deployment guidance:
- Inventory with Granularity – You can’t fix what you don’t measure. Use tools like Microsoft Intune, Configuration Manager, or third-party asset management to capture OS version, CPU generation, TPM status, Secure Boot state, and attached peripherals. Flag machines that can’t be upgraded because of missing TPM or unsupported processors.
- Segment by Risk – Internet-facing devices, C-suite laptops, and machines accessing sensitive data should be Tier One. Migrate these first or, if migration is impossible before EOL, earmark them for immediate ESU enrollment. Shop-floor kiosks, lab VMs, or isolated test beds fall into lower tiers and can wait for a hardware refresh.
- Test, Test, Test – Deploy an automated application compatibility toolchain (Microsoft’s App Assure program can help). Identify regressions early. For apps that break, explore MSIX packaging, App-V virtualization, or Azure Virtual Desktop. Reach out to peripheral vendors now for signed Windows 11 drivers.
- Pilot and Automate – Run two pilots: an in-place upgrade on eligible hardware and a clean image deployment. Use modern management (Intune Autopatch, Windows Autopilot) to scale. Define clear rollback criteria and support SLAs.
- Talk to Finance Early – Model the cost of full ESU for one, two, and three years against a hardware refresh program. Often, the one-off capex of new devices amortized over three to five years is cheaper than cumulative ESU payments—and you get better performance, battery life, and security out of the deal.
ESU as a Bridge, Not a Destination
“Accept ESU only as a tactical bridge where migration risk or vendor constraints make immediate migration impractical,” the earlier forum analysis advises, and it’s spot on. Use ESU to buy a few extra months for those 10,000 non-upgradeable lab PCs, not as a blanket excuse to postpone fleet modernization. The doubling price curve is meant to hurt; leaning on it for a full three years turns a temporary safety net into a profit center for Microsoft at your expense.
Cloud-hosted desktops offer an elegant off-ramp. Windows 365 Cloud PC and Azure Virtual Desktop can deliver Windows 11 to any modern endpoint, even an underpowered thin client or a personal laptop with no TPM. For the price of a per-user monthly subscription, you shift the support burden to Microsoft, sidestep on-prem hardware lifecycle issues, and gain a secure, managed desktop that scales with your needs. It’s a particularly attractive option for contractors, BYOD scenarios, or departments that have ditched traditional PC refresh cycles altogether.
The Bigger Picture: Procurement, Sustainability, and Governance
Synchronizing OS migration with a hardware refresh isn’t just about technology; it requires CEO and CFO buy-in. Present the risk in financial terms: a single ransomware incident far exceeds the cost of a hundred laptops. Align the migration with existing refresh programs to smooth out cash flow. Negotiate volume discounts on devices and extended warranties. And hold OEMs accountable for delivering systems with TPM 2.0, Secure Boot, and signed driver roadmaps for any peripherals you’ll continue to use.
Sustainability also enters the conversation. Decommissioning a million PCs creates e-waste. Smart IT leaders will partner with certified recyclers and factor disposition costs into their refresh business case. It’s a reputational and regulatory concern that can no longer be an afterthought.
The Path Forward
The October 14, 2025, deadline is fixed. Microsoft’s ESU terms are published. The Nexthink analysis, while based on estimates, underscores the sheer scale of the challenge. For most organizations, the answer is clear: move to Windows 11 now, using a mix of in-place upgrades, targeted hardware refreshes, and cloud desktops. ESU should cover only the stubborn edges—legacy factory-floor systems, locked-down lab instruments, or apps awaiting a rewrite.
Delaying only makes the math worse. Each month that passes after EOL increases security exposure, compounds the ESU bill, and tightens the window for a controlled rollout. The organizations that treat this moment as a strategic inflection—aligning security, finance, procurement, and end-user experience—will emerge with a modern, defensible fleet. Those that don’t will pay Microsoft dearly for a dead OS, and even that won’t protect them forever.