
Security and compliance issues for Windows 10 End of Life

  • Writer: rrelentless
  • Jan 16
  • 5 min read

On 14th October, 2025, Microsoft officially ended support for Windows 10. It’s been with us since 2015, but now the time has come for it to be retired in favour of Windows 11. While systems running Windows 10 will continue to function, the end of updates and vendor support means those businesses still using it will face significant security vulnerabilities and compliance challenges.



What does End of Life (EOL) mean?


When an operating system reaches EOL, the vendor stops providing:


  • security updates for newly discovered vulnerabilities;

  • bug fixes and performance improvements;

  • technical support and compatibility updates for new hardware/software.


For Windows 10, this means there will be no more monthly security patches or feature enhancements.



Why is this such a security risk?


Unsupported systems are prime targets for cybercriminals. Once support ends, any newly discovered security flaw won’t be patched. Attackers know this and actively track EOL milestones, because systems that no longer receive fixes become increasingly vulnerable to exploits, including ransomware and remote code execution attacks, where an attacker can run malicious code on an organisation’s computers or network. That access can then be used to deploy additional malware or steal sensitive data.



Rising breach costs


The global average cost of a data breach reached $4.88 million in 2024, with the average cost per compromised record being $160; there was a slight drop in 2025 to $4.45 million. It’s clear that a single successful attack on an outdated Windows 10 machine - a key point of vulnerability - could cost millions in downtime, lost data and reputational damage.



Advanced threats


Modern attackers take advantage of firmware-level vulnerabilities and employ AI-driven tools which can scan for systems that aren’t running the latest applications and programs.


Firmware vulnerabilities are weaknesses in a device's low-level software; attackers can exploit them to get high-level control, steal data or install malware.


They can arise from outdated software, poor coding practices, insecure update mechanisms or design flaws.


Unsupported endpoints (physical devices that connect to and exchange information with a computer network) often become the first foothold for lateral movement across networks, compromising systems that might otherwise be secure.



Compliance implications


Running Windows 10 post-EOL is not only a technical risk; it also brings a host of compliance issues. Many regulatory frameworks require systems to be supported and patched.


Article 32 of the UK GDPR (Section 2, Security of personal data) says:


Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk


Running an unpatched operating system can be regarded as negligent, so any organisation doing so could be exposed to regulatory action.


ISO 27001 puts the emphasis on strong internal controls and risk mitigation. If a system is unsupported, it can undermine those controls and put certification at risk.


But it’s not just fines that organisations can face. When suppliers, customers and other business partners hear about non-compliance, they may well conclude that dealing with such an organisation is not worth the security risk. Reputations can be damaged, income will be lost and, in certain situations, the directors of the business may find themselves personally liable.



Operational and strategic risks


As we’ve seen, using unsupported systems can lead to security and compliance issues. They can also create operational inefficiencies. If you’re running apps, the developers and vendors of those apps will most likely have stopped testing them for Windows 10. That can mean failures in your business-critical tools. New devices that you buy for your business won’t support Windows 10, meaning that you’ll have to devise workarounds, costing time and money.


If you’re running legacy systems, their age will block or stifle your ability to innovate; cloud adoption and AI integration are two areas where forward-thinking businesses are moving ahead. You could quickly find yourself left behind if you can’t keep up.



What should businesses do?


1. Upgrade to Windows 11

This is the most obvious and effective solution. Windows 11 introduces Zero Trust security architecture, TPM 2.0 / Secure Boot requirements and enhanced integration with Microsoft 365 and cloud services.



2. Enrol in ESU

If, for whatever reason, you can’t immediately migrate over, Microsoft’s Extended Security Updates (ESU) programme gives you one extra year of security updates. However, it’s important to remember that this is not a permanent fix to the end of Windows 10. It’s been designed as a stopgap to cover organisations and users who can’t make the move now. We cover ESU in more detail below.



3. Plan your migration strategically

Technological issues can be complex and are rarely quick or cheap to fix. It’s therefore important to start planning your migration at a strategic level.

Some best practice for this process includes:


  • Carry out an inventory assessment. You will likely have a lot of devices in your organisation, many of which will have been acquired at different times and may be running different programs and applications. Some will be able to run Windows 11; others won’t be compatible and will need to be replaced. Draw up a list and price up the cost of upgrading.


  • Application compatibility testing will let you know whether apps that are critical to your business will work on Windows 11. A tool such as Microsoft Test Base will make this easier. If those apps don’t work, it’s time to revisit them and take remedial action.


  • It’s not a good idea to try and roll out everything at once; if something doesn’t work or if it goes wrong, your entire organisation may be disrupted. Carry out a phased rollout, starting with pilot groups so you can identify any teething troubles as the rollout proceeds.



4. Budget and timeline

It’s important, when planning your migration, that you start early and are aware of how long it will take and how much it will cost. Both these metrics can be significantly underestimated. Depending on the size of your organisation and its complexity, a migration can take months or even years, so starting early will pay dividends in the long run. Last minute thinking is clearly not an option.
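The inventory assessment in step 3 is easier if every endpoint reports the same readiness facts. The following PowerShell script is an added example, not part of the original article or any Microsoft tool: it checks one machine against Microsoft’s published Windows 11 minimums (TPM 2.0, Secure Boot, 64-bit dual-core CPU, 4 GB RAM, 64 GB system disk), flags whether it is still on Windows 10 22H2 (the build ESU requires), and lists the blockers. The function name, output fields and the endpoints.txt file in the usage comment are this example’s own assumptions.

```powershell
# Added example (not from the original article): Windows 11 readiness and ESU
# eligibility snapshot for one endpoint. Run elevated, locally or via Invoke-Command.
function Get-Win11Readiness {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $ramGB  = [math]::Round(((Get-CimInstance Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum / 1GB), 1)
    $diskGB = [math]::Round(((Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'").Size / 1GB), 1)

    # TPM spec version from the WMI TPM provider, e.g. "2.0, 0, 1.38"; absent when no TPM.
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware, which is itself a blocker.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    $build = [int]$os.BuildNumber
    $blockers = @()
    if ($tpmVersion -ne '2.0')    { $blockers += "TPM $tpmVersion (need 2.0)" }
    if (-not $secureBoot)         { $blockers += 'Secure Boot off or legacy BIOS' }
    if ($cpu.AddressWidth -ne 64 -or $cpu.NumberOfCores -lt 2) { $blockers += 'CPU not 64-bit dual-core' }
    if ($ramGB -lt 4)             { $blockers += "RAM $ramGB GB (need 4)" }
    if ($diskGB -lt 64)           { $blockers += "System disk $diskGB GB (need 64)" }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSCaption    = $os.Caption
        Build        = $build
        # Windows 10 ESU requires version 22H2 (build 19045); older builds must update first.
        ESUEligible  = ($build -eq 19045)
        AlreadyWin11 = ($build -ge 22000)
        Win11Ready   = ($blockers.Count -eq 0)
        Blockers     = ($blockers -join '; ')
        Checked      = (Get-Date).ToString('s')
    }
}

# Usage (assumed file endpoints.txt, one hostname per line): collect from every
# endpoint and export a CSV for the inventory and costing spreadsheet.
# $hosts = Get-Content .\endpoints.txt
# Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-Win11Readiness} |
#     Export-Csv .\win11-readiness.csv -NoTypeInformation
```

The script covers the firmware and hardware minimums only; whether a given CPU model is on Microsoft’s supported processor list must still be checked separately, for example with the PC Health Check app.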



What is Microsoft ESU?


Extended Security Updates (ESU) for Windows 10 is a paid subscription service providing critical security updates for devices running Windows 10 after the end of support. It’s a temporary solution and does not include new features or other fixes. Individuals can enrol for a one-time purchase or for free, while organisations can also enrol through a subscription.


What it is:


  • ESU provides critical and important security updates to protect against malware and cybersecurity attacks.


  • ESU is a way to continue receiving security updates, but not standard technical support or new features.


  • ESU is a temporary solution. The programme will end on 13th October, 2026, and can be joined at any time until then.
