Windows 10’s safety net runs out this October: Planning your move before the autumn rush

The single date worth pinning to your wall is 13 October 2026. That is when the consumer Extended Security Updates programme for Windows 10 ends, and it is also when year 1 of commercial ESU coverage finishes for business devices enrolled in the paid programme. After that date, consumer devices and business devices without year 2 commercial ESU stop receiving ESU security patches.

Your business can either be moved to Windows 11 by then, have a small number of genuine exception devices covered by the next commercial ESU year, or be running on an operating system that no longer gets fixed when something goes wrong. There is no good reason to treat delay as the main plan.

If your team is small and you have not yet decided what to do, the honest read is that you have weeks rather than months of comfortable planning time. Migration capacity across the industry tightens noticeably in September, hardware lead times can stretch, and every other business that left it late will be queuing in the same line. Booking work in June or July is calm. Booking it in mid-September is panic.

Here is the practical view of where things stand, what your real options are, and what a sensible plan looks like from now until autumn.

Where we actually are

Windows 10 support ended on 14 October 2025. Microsoft followed that with an Extended Security Updates programme to give people a runway. For consumers, ESU is a one-year extension running to 13 October 2026, available at no additional cost if you sync PC settings to a Microsoft account, by redeeming 1,000 Microsoft Rewards points, or through a one-off purchase of $30 USD or local currency equivalent.

For businesses, ESU is a separate paid commercial programme, available for up to 3 years through volume licensing. Microsoft lists year 1 at $61 USD per device, with the price doubling every consecutive year. In UK budgeting terms, that means you should plan for roughly £48 per device before tax in year 1, then allow for the doubling structure in years 2 and 3, depending on exchange rates.

A few details catch businesses out. The consumer route does not work for devices joined to an Active Directory domain, joined to Microsoft Entra, or enrolled in Mobile Device Management. That covers most company-managed PCs, so business devices normally need the commercial programme. The commercial programme is cumulative, which means buying year 2 requires year 1, and year 3 requires the previous years too. Skipping a year is not an option.

ESU only covers critical and important security updates. It does not provide new features, customer-requested non-security updates, general product improvements, or normal technical support. It buys you time. It does not keep the platform healthy long-term.

Global figures from May 2026 showed Windows 10 still accounting for just over a quarter of Windows desktop usage worldwide. The UK figure was lower, at just under 18%, but that still leaves plenty of businesses with a mixed estate.

What actually changes on the date

Nothing visible. Your machines keep booting. Your apps keep opening. That is the trap.

What changes is the security posture. From 14 October 2026 onwards, a consumer Windows 10 device has no further consumer ESU route. A business Windows 10 device only continues receiving ESU security updates if it is covered by the relevant commercial ESU year. Any device outside that protection becomes a growing attack surface.

New vulnerabilities will still be found. The difference is that unsupported Windows 10 devices will not receive the fixes. Attackers know this perfectly well, because end-of-support systems are easier to target over time. Every newly disclosed flaw becomes more serious when the operating system underneath is no longer being patched.

There is a knock-on. Cyber insurance underwriters have been tightening their questions for several years, and running an unsupported operating system on a domain-joined device is the sort of thing that ends up in an exclusion clause. Your auditors and your larger customers may ask too, especially if you supply into regulated sectors where supplier security is now a contractual matter. This sits inside the same widening expectation we covered in why IT compliance matters.

Your real options

Strip away the noise and there are four routes. Most businesses end up using a combination.

| Option | What it is | When it makes sense |
| --- | --- | --- |
| Upgrade in place | Move eligible Windows 10 PCs to Windows 11 with no hardware change | Hardware meets Windows 11 requirements, including TPM 2.0 and a supported CPU |
| Replace hardware | Buy new Windows 11 PCs to replace machines that cannot upgrade | Older devices, performance issues, or end-of-warranty fleets |
| Pay for ESU | Stay on Windows 10 with paid security updates for 1 to 3 years | Specific machines tied to legacy apps that cannot move yet |
| Move to alternatives | Cloud PCs through Windows 365, or a different OS for specific roles | Light-touch users, contractors, or workloads that suit virtual desktops |

The honest case for ESU is narrow. It is a bridge, not a destination. Use it for the genuine awkward cases, such as a specialist machine running a piece of software the vendor has not updated, or a meeting room PC tied to particular hardware. Do not use it as a way to avoid making a decision about the rest of the fleet, because the cost doubles each year.

The eligibility check is where most surprises hide. Windows 11 needs a 64-bit processor on the supported list, 4GB RAM and 64GB storage as the minimum, UEFI firmware with Secure Boot, and TPM 2.0. The TPM and supported CPU requirements are the usual blockers on machines that look perfectly fine otherwise. An older laptop can feel perfectly usable and still fail the Windows 11 checks. That is annoying. It is also not something to guess at.

If you are running on the Microsoft stack already, the broader picture in useful Office 365 features and what to expect from an Office 365 assessment is a useful companion read while you think about what to keep and what to retire.

A realistic timeline from now until October

Working backwards from the deadline, here is what a calm plan looks like. The exact dates shift depending on your size, but the sequence holds.

June to July: Inventory your devices and check Windows 11 eligibility on each. Identify which apps and peripherals you actually depend on.

July to August: Decide for each machine whether you upgrade, replace, bridge with ESU, or retire. Order any new hardware now, because lead times can stretch in autumn.

August to early September: Pilot the upgrade with a small group, ideally including someone who uses the awkward legacy app you are nervous about.

September: Run the bulk of upgrades and rollouts, in waves rather than all at once.

Early October: Mop up the stragglers and confirm any ESU enrolments are in place for the genuine bridge cases.

The piece that surprises people every time is the pilot. A machine that upgrades cleanly in your IT team’s hands can still fall over for a finance colleague because their printer driver, their accounts software or their VPN client has a quirk on Windows 11. Catching that in August is fine. Catching it on a Tuesday morning in October is not. This is the same logic behind our platform migration services and the same discipline that good IT service management calls for: plan, pilot, then roll out.

The things people forget

A few traps come up so reliably that they are worth listing.

Line-of-business applications. The single biggest cause of delay in any migration is the one piece of software your business actually depends on, where the vendor is slow, expensive or no longer trading. Identify these now, not in September. If the vendor has a Windows 11 supported version, get the licence question sorted early. If they do not, that machine becomes an ESU candidate and you accept the cost as the price of running an old app.

Peripherals and drivers. Printers, scanners, cheque-readers, label printers and specialist instruments are the second biggest source of pain. A model that works fine on Windows 10 may need a different driver, a different cable, or in some cases simply a replacement device.

Office and Microsoft 365 compatibility. Microsoft has said it will continue providing Microsoft 365 app security updates on Windows 10 until 10 October 2028, but the platform itself is the wrong place to settle. Microsoft 365 Apps are no longer supported on Windows 10 in the normal sense, even though those security updates continue for a transition period. If you are looking at Copilot and the wider AI tooling, that is a Windows 11 conversation.

The case for the tool is set out plainly in why businesses should embrace AI tools like Microsoft Copilot, and the practical features in the key features of Microsoft 365 Copilot for business and the advantages of Microsoft 365 Copilot. If you are weighing it up, is your business using Microsoft 365 Copilot yet is a fair read. Plan the OS move, then the productivity layer, in that order. All of this sits inside what a good Microsoft 365 support services partner in London should be helping you with.

Backups. This is the easy thing to skip, and the one that costs the most when it goes wrong. Before any migration, you want a clean backup you can actually restore from. That covers files on the device and, more importantly, data in your Microsoft 365 tenant. Microsoft 365 backup explains why this matters, cloud to cloud backup covers the principle, and common cloud backup mistakes is the sober read. Google Workspace teams should see Google Workspace backup for the equivalent.

Treat the move as a chance, not a chore

A migration is the cheapest time to fix things you have been putting off. You are already touching every device. The marginal cost of doing the related jobs at the same time is small, and the marginal benefit is large.

A few worth bundling in. Modern device management through Microsoft Intune is much easier to roll out alongside a Windows 11 deployment than as a separate project. The same applies to endpoint security for remote teams and the practical endpoint hardening steps that close the easy gaps. Detection is part of the same job, which is why EDR matters more than ever, and the basics in password best practices are worth a refresh while you are reshaping how people sign in.

Security testing finds the gaps before someone else does, so network penetration testing explained sets out why this matters, and how often should you run network penetration testing covers the cadence. The distinction in pen testing versus vulnerability scanning is useful if you are not sure what you actually need. Cyber Essentials accreditation is often easier to achieve on a freshly migrated estate than on a tangled old one, and it is a useful proof point for your customers.

Phishing remains the most common entry point for attackers, and a freshly built device on Windows 11 still does not protect you against a determined social engineer. So anti-phishing controls and the basics of how to spot a phishing email belong in the same conversation. As an anti-phishing company that New York and London businesses use, we treat the migration as the moment to refresh staff awareness, not as a tech project in isolation. The wider context in why your business needs a business continuity plan and the small business guide to ransomware is worth a read too, because the worst time to discover your continuity plan is the wrong shape is in the middle of a rollout.

If you would rather not lose internal time to this, outsourcing your IT to an MSP is a fair route, and the case is set out in why businesses should consider an MSP for their IT needs.

Credentials, old devices and the tidy-up

Two quieter jobs are worth bundling in. Check whether old user credentials have leaked from your tenant or from any past breaches, because retired machines and former staff sometimes leave loose ends. The basics are in dark web monitoring explained and the response in what to do if your company credentials appear on the dark web. Our dark web monitoring, which London businesses rely on, is built for exactly this kind of early signal.

Old devices coming out of service need proper retirement, not a corner of a cupboard. Wiped, accounted for, and disposed of through a route that gives you a certificate. That sounds dull. It is the kind of thing that becomes a data protection problem when a discarded laptop turns up on eBay 6 months later.

Multi-site and cross-border realities

If your business runs across more than 1 country, the migration gets harder for predictable reasons. Different offices buy different hardware on different cycles, local IT habits vary, and timezone overlap with your central team is narrow. Plan country by country, not as 1 project. We handle this through our European support services and our multinational IT support work for businesses spread across borders. If you would rather hand the whole thing to a managed business IT support services partner, the full range of services gives you the shape of what that covers, and our consulting team can help you scope it.

Frequently asked questions

What happens to my Windows 10 PC after 13 October 2026?

It will keep working. Consumer ESU ends on that date, so a consumer Windows 10 PC will not have another consumer ESU year to move into. For a business device, security updates only continue if the device is enrolled in the next commercial ESU year. Any Windows 10 PC outside ESU, or not moved to Windows 11, becomes an increasing risk over time.

Can my business carry on using the free consumer ESU route?

Generally no. The consumer programme is not available for devices joined to an Active Directory domain, joined to Microsoft Entra, enrolled in MDM, in kiosk mode, or already covered by an ESU licence. That covers most business PCs. Business devices usually need the paid commercial ESU programme through volume licensing.

Is upgrading to Windows 11 free?

Yes, for devices that meet the requirements and run a licensed copy of Windows 10. The cost is in the time to plan, test and roll out, and in replacing machines that cannot meet the Windows 11 requirements, especially TPM 2.0 and the supported CPU list.

How do I find out which of my PCs can run Windows 11?

Microsoft’s PC Health Check tool gives a per-device answer for customer PCs, and most management platforms will run an estate-wide report for business environments. The common blockers are TPM 2.0, Secure Boot capability and the supported processor list, which rule out many machines bought before about 2018.
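
For a machine where you want the raw answers rather than a pass or fail screen, the minimums listed earlier in this article (64-bit processor, 4GB RAM, 64GB storage, UEFI with Secure Boot, TPM 2.0) can be read directly with built-in Windows cmdlets. This is an added example, not a Microsoft or Northern Star script; it assumes an elevated PowerShell session on the Windows 10 device and does not check the supported CPU list, which still needs PC Health Check or your management platform.

```powershell
#Requires -RunAsAdministrator
# Added example: reads the Windows 11 minimums named in this article from the
# local machine. The supported-CPU list is NOT checked here.

$cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

# Sum the installed memory modules. Win32_ComputerSystem.TotalPhysicalMemory
# excludes firmware-reserved memory, so a 4GB machine can report under 4GB there.
$ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
             Measure-Object -Property Capacity -Sum).Sum

# TPM: SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the
# specification version. No instance is returned when no TPM is present or enabled.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpmVersion = if ($tpm -and $tpm.SpecVersion) {
    ($tpm.SpecVersion -split ',')[0].Trim()
} else { 'none' }

# Confirm-SecureBootUEFI throws on legacy BIOS firmware and returns $false when
# the firmware is UEFI but Secure Boot is switched off.
$uefi = $true
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $uefi = $false; $secureBoot = $false }

$checks = @(
    [pscustomobject]@{ Check = '64-bit processor';    Value = "$($cpu.DataWidth)-bit"
                       Pass  = $cpu.DataWidth -eq 64 }
    [pscustomobject]@{ Check = 'RAM (4GB minimum)';   Value = '{0:N1} GB' -f ($ramBytes / 1GB)
                       Pass  = $ramBytes -ge 4GB }
    # Measures the system volume, which is slightly smaller than the physical drive.
    [pscustomobject]@{ Check = 'Storage (64GB min.)'; Value = '{0:N0} GB' -f ($disk.Size / 1GB)
                       Pass  = $disk.Size -ge 64GB }
    [pscustomobject]@{ Check = 'UEFI firmware';       Value = $uefi;       Pass = $uefi }
    [pscustomobject]@{ Check = 'Secure Boot enabled'; Value = $secureBoot; Pass = $secureBoot }
    [pscustomobject]@{ Check = 'TPM 2.0';             Value = $tpmVersion; Pass = $tpmVersion -eq '2.0' }
)
$checks | Format-Table -AutoSize

# One summary record per device, suitable for pasting into an inventory sheet.
$blockers = $checks | Where-Object { -not $_.Pass }
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    MeetsMinimums = -not $blockers
    Blockers      = ($blockers.Check -join '; ')
} | Format-List
```

A device that fails only the Secure Boot or TPM line may have the feature present but switched off in firmware, so check the firmware settings before marking it for replacement.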

Should I just buy ESU and decide later?

For a small number of awkward machines, yes. As an estate-wide strategy, no. Year 2 of commercial ESU doubles the cost, and year 3 doubles it again, so postponing the decision becomes expensive quickly. Use ESU as a bridge for genuine edge cases, not as a way to defer a fleet move.

What if I miss the October deadline entirely?

Your machines will keep running, but any device outside Windows 11 or the relevant commercial ESU year will be operating on an unsupported OS. That is a security risk, an audit risk, and increasingly a cyber insurance question. The sensible response is not to panic, but to pause new starters or sensitive work on those devices and book the move as soon as you can.

The sensible next step

The clean version of this story is straightforward. Inventory your devices now. Decide for each what happens before October. Pilot in August. Roll out through September. Use ESU only where you genuinely need it, and treat the move as the right moment to tidy up the security, backup and identity pieces while you are touching everything anyway.

If you would like help running the audit, ordering hardware in time, or handling the migration so your team can keep doing their jobs, speak to Northern Star. We will give you an honest view of where you stand, what it will cost, and the shape of a plan that gets you across the line before the autumn rush makes life harder than it needs to be.