Windows 10 reached windows 10 end of life on 14 October 2025. Microsoft has stopped shipping security updates, bug fixes and technical support for it. Every Windows 10 machine still running in your business is now an unpatched, slowly widening hole in your defences — and the clock has already passed midnight.
This isn’t a future problem to schedule for next quarter. If you’ve been telling yourself “we’ll deal with it later”, later arrived in October 2025. The good news: the path forward is well understood, and you have more options than panic-buying a truckload of new laptops. The bad news: every month you wait, the risk and the cost both climb.
What “end of support” actually means
End of support is not a switch that bricks your machines. Windows 10 still boots, your line-of-business apps still run, and your staff probably won’t notice anything different on the surface. That’s exactly what makes it dangerous. The operating system keeps working while the protection underneath it quietly rots.
From 14 October 2025, Microsoft no longer issues:
- Security updates for newly discovered vulnerabilities. When a critical flaw is found — and they are found constantly — Windows 11 gets a patch and Windows 10 does not.
- Reliability and bug fixes, so problems compound over time rather than getting resolved.
- Technical support from Microsoft, including for Microsoft 365 apps running on Windows 10. Office will keep functioning, but you’re on your own when something breaks.
An unpatched OS is the single softest target in most networks. Attackers don’t need to be clever; they just scan for known vulnerabilities that will never be fixed. Within months of an OS going end of life, exploit kits start treating it as low-hanging fruit.
The real risks of running an unsupported OS
The exposure here goes well beyond “you might get a virus”. For an Australian business, four distinct problems stack on top of each other.
Cyber security
Every month after October 2025 widens the gap between the threats in the wild and the defences on your endpoints. A single unpatched workstation can be the foothold an attacker uses to move laterally, harvest credentials and deploy ransomware across your whole environment. Endpoint detection helps, but it’s compensating for a structural weakness, not fixing it.
Compliance and the Essential Eight
The Australian Cyber Security Centre (ACSC) Essential Eight lists patch operating systems as one of its eight core mitigation strategies. The mitigation explicitly requires using an operating system that is still receiving vendor support. Run Windows 10 past end of life and you fail that control outright — you cannot reach even Maturity Level One. If you’re a government supplier, tendering for work, or contractually bound to Essential Eight alignment, an unsupported OS is a straight non-compliance. Our 90-day Essential Eight guide walks through how the patching controls are actually assessed.
Cyber insurance
Insurers have tightened their proposal forms considerably. Most now ask directly whether you run supported, patched operating systems and apply security updates within defined timeframes. Running an end-of-life OS can breach a policy condition, and if a claim arises from a vulnerability on an unsupported machine, you’re handing the insurer a clean reason to reduce or decline the payout. We cover this trap in detail in our cyber insurance guide for Australian SMEs. The premium you’ve paid for years may be worth far less than you think.
Privacy obligations
If a breach traced to an unsupported system exposes personal information, the Office of the Australian Information Commissioner (OAIC) Notifiable Data Breaches scheme can require you to notify affected individuals and the regulator. “We knew the OS was unsupported and kept using it” is not a position you want to defend to the OAIC, your customers, or your board.
Extended Security Updates — a stopgap, not a strategy
Microsoft offers Extended Security Updates (ESU) to keep critical and important security patches flowing after end of life. It is a deliberate bridge, not a destination, and it’s priced to make sure you treat it that way.
For consumers, Microsoft made a one-year ESU option available, including a free route for individuals who enable certain settings. That consumer path is genuinely a stopgap for a home PC — it is not a business strategy.
For business and enterprise, ESU is sold per device and the price escalates every year — Microsoft’s commercial ESU programme roughly doubles the per-device cost in year two and doubles again in year three. The model is intentional: it buys you breathing room while making procrastination progressively more painful. Pay for three years of ESU across a fleet and you’ll usually have spent more than it would have cost to simply replace or upgrade the machines.
Use ESU when you have a genuine, time-boxed reason — a legacy application that won’t run on Windows 11 yet, or a hardware refresh you can’t physically complete before the deadline. Do not use it as a way to avoid making a decision. Budget for ESU as a one-year bridge with a hard exit date, not a recurring line item.
Is your fleet ready for Windows 11?
Windows 11 is the obvious destination, but it has stricter hardware requirements than Windows 10, and that’s where most businesses get caught. A machine that runs Windows 10 perfectly well may be ineligible for an in-place upgrade.
The two requirements that trip people up most:
- TPM 2.0 — a Trusted Platform Module security chip. Many machines from the mid-2010s either lack it or have it disabled in the firmware. Sometimes it’s present and just needs enabling in the BIOS; sometimes it isn’t there at all.
- CPU compatibility — Microsoft only supports a defined list of processors, broadly Intel 8th generation and newer, and equivalent AMD Ryzen chips. Older CPUs are unsupported even if everything else checks out.
You can’t eyeball this across a fleet. A proper readiness assessment inventories every device, checks TPM status, CPU model, RAM and storage, and sorts each machine into one of three buckets: upgrade in place, replace, or bridge with ESU. That inventory is the foundation of every decision that follows. If you don’t have a current picture of what’s actually on people’s desks, that’s step one — and it’s something our managed IT services team handles as standard.
Your four options compared
There’s no single right answer for a whole business. Most Melbourne SMEs end up with a mix, machine by machine. Here’s how the four realistic paths stack up.
| Option | Best for | Upfront cost | Watch out for |
|---|---|---|---|
| Upgrade in place | Machines that already meet Windows 11 requirements (TPM 2.0, supported CPU) | Low — labour only | Confirm app compatibility; allow time per device |
| Replace hardware | Older machines that fail the CPU or TPM check | High — new device per user | Lead times; staged budget; secure disposal of old units |
| Cloud PC / Windows 365 | Shift/hybrid workers, thin-client setups, fast scaling | Ongoing per-user subscription | Needs reliable internet; recurring cost vs one-off |
| ESU bridge | A small number of machines tied to legacy apps, time-boxed | Per-device, escalating yearly | Stopgap only; set a hard exit date |
Cloud PC and Windows 365 deserve a closer look if you’re already invested in Microsoft 365. They run a full Windows 11 desktop from Microsoft’s cloud, streamed to whatever device the user has — which can extend the useful life of older hardware that’s no longer fit to run Windows 11 locally. It’s not right for everyone, but for the right workforce it sidesteps the hardware problem entirely. We can map this against your existing Microsoft 365 licensing so you’re not paying twice for the same capability.
A Melbourne scenario
A construction firm in Box Hill we work with came to us in early 2025 with about forty workstations, a mix of site-office desktops and project-manager laptops. A readiness scan put roughly half on supported hardware that could upgrade in place, a quarter on machines too old to meet the CPU requirement, and the rest as borderline. Two estimating PCs were locked to an older take-off application the vendor hadn’t yet certified for Windows 11.
The plan wrote itself once we had the data: upgrade the compliant half over a few weekends, replace the oldest quarter in two budgeted waves across two quarters, and put just those two estimating PCs on a one-year ESU bridge with a firm cut-off once the software vendor shipped its update. No big-bang spend, no scramble, and every machine accounted for. The difference between that and a panicked December rush was simply starting with an inventory.
Building the migration plan and budget
A workable migration plan is mostly about sequencing and money, not heroics. The pattern we use across Melbourne metro businesses:
- Inventory everything. Every device, its Windows 11 eligibility, and the apps it depends on.
- Triage into the three buckets — upgrade, replace, bridge — and flag any legacy-app blockers early.
- Stage the spend. Spread hardware replacement across two or three budget periods so it doesn’t land as one brutal capital hit.
- Prioritise by risk. Machines handling sensitive data or facing the internet move first; back-office spares can wait.
- Set hard dates for any ESU-bridged devices so the stopgap doesn’t quietly become permanent.
This is the kind of forward planning a virtual CIO engagement is built for — turning a looming deadline into a costed, scheduled programme your board can actually sign off. TechAssist has been doing exactly this for Melbourne SMEs since 2014, and our thirteen Australian-based engineers handle the rollout end to end rather than leaving you a spreadsheet and good luck.
Why “we’ll deal with it later” is now overdue
The deadline has passed. Every Windows 10 machine on your network today is unsupported, unpatched against new threats, and counting against your Essential Eight posture, your insurance position and your privacy obligations. None of that is alarmist — it’s just where the calendar sits as of June 2026.
The fix is straightforward once you’ve got an inventory and a plan, and it’s far cheaper to do deliberately over a quarter or two than as an emergency. The businesses that started early are already done. The ones still running Windows 10 are carrying risk every day they wait.
Frequently asked questions
Can I still use Windows 10 after October 2025?
Technically yes — the machines keep working. But they no longer receive security updates, so each one becomes a growing vulnerability. For a business, continuing on Windows 10 without ESU means accepting cyber, compliance and insurance risk that compounds month by month.
How much does business ESU cost?
Microsoft prices commercial ESU per device, and the cost escalates each year — roughly doubling in year two and again in year three. Over three years it typically exceeds the cost of upgrading or replacing the machine, which is by design. Treat ESU as a one-year bridge, not an ongoing plan.
How do I know if my computers can run Windows 11?
The common blockers are TPM 2.0 and CPU compatibility — broadly Intel 8th generation or newer and equivalent AMD chips. A fleet-wide readiness assessment checks every device automatically and sorts them into upgrade, replace or bridge. Guessing device-by-device isn’t reliable at scale.
Is Windows 365 a good alternative to buying new PCs?
For shift, hybrid or thin-client workforces it can be, because it streams a full Windows 11 desktop from the cloud and extends the life of older hardware. It’s a recurring per-user cost rather than a one-off purchase, so it suits some teams and not others. It’s worth modelling against your existing Microsoft 365 licensing.
Get a Windows 11 readiness assessment
If you’re still running Windows 10 anywhere in your business, the first move is an honest inventory: what you have, what can upgrade, what needs replacing, and what genuinely needs a short ESU bridge. Get in touch and we’ll scope it for you, then turn it into a staged, budgeted plan — so this gets sorted properly rather than hanging over you into another quarter.
