UK’s trusted IT infrastructure partner since 2003
sales@servnetuk.com
0800 987 4111
Servnet
ConfiguratorGet in Touch
Windows 10 end of life: what your UK business must do now (2026) — networkWindows 10 end of life: what your UK business must do now (2026) — reach
Trends & Opinion

Windows 10 end of life: what your UK business must do now (2026)

Daniel Hughes · Managed IT Lead, Servnet9 min read

Microsoft stopped issuing free security updates for Windows 10 on 14 October 2025. If your business is still running it on even a handful of machines, those devices are no longer getting the monthly patches that close newly discovered holes, and every month that passes widens the gap. This is not a drill you can keep postponing, and it is not only an IT problem: an unpatched fleet is a compliance, insurance and reputational problem too. Here is a clear-headed account of what end of life actually means, the realistic options in front of you, and a sensible order to do them in.

A sensible 60-day Windows 11 rollout
W0W2W4W6W8W9Inventory fleet2wUpgrade eligible3wReplace old kit4wESU bridge (few)2wTotal: 9 weeks end-to-end

What 'end of life' actually means for you

End of life does not mean your computers stop working on a given morning. Windows 10 still boots, your software still runs, and on the face of it nothing has changed. That is exactly what makes it dangerous. The change is invisible: Microsoft no longer ships the security updates that fix vulnerabilities as they are discovered, so each new flaw found in the operating system stays open on your machines indefinitely.

Attackers know these dates better than most businesses do. The period immediately after an operating system goes out of support is when exploitation of newly disclosed bugs rises, because the people running it are, by definition, no longer protected. For a UK business this also touches your obligations: an unsupported operating system makes a Cyber Essentials certification untenable, can breach the terms of a cyber-insurance policy, and weakens your position under data-protection rules if an incident follows.

Your three honest options

There are only three real responses, and most businesses will use a mix. The first is to upgrade eligible machines to Windows 11 in place, which is free if the hardware qualifies. The second is to replace machines that cannot run Windows 11, which is most older kit, with new ones. The third, a deliberate stopgap rather than a solution, is to pay for Extended Security Updates to buy time on a few machines you genuinely cannot move yet.

The reason replacement features so heavily is the hardware bar Windows 11 sets. It requires a reasonably modern processor, a TPM 2.0 security chip and Secure Boot. A laptop bought before roughly 2018 will usually fail the check, and no amount of effort makes it eligible. That is not Microsoft being awkward for its own sake; the security baseline genuinely depends on those hardware features.

  • Upgrade in place: free, fast, only for machines that pass the Windows 11 hardware check
  • Replace: required for older devices that lack TPM 2.0 or a supported processor
  • Extended Security Updates: a paid, time-limited bridge for the few machines you cannot move yet

Why a cheap 'just keep it running' plan backfires

The tempting path is to do nothing and hope. It is also the most expensive option once you account for risk. A single ransomware incident that enters through an unpatched endpoint can take a small business offline for days, and the recovery, lost trade and potential fines dwarf the cost of a planned refresh. We have written separately on the real cost of IT downtime, and an out-of-support fleet is one of the most reliable ways to invite it.

Extended Security Updates have their place, but read the design intent: Microsoft prices them to rise each year precisely so they are uncomfortable to live on. They are a bridge for a specific machine tied to a line-of-business application you cannot yet replace, not a strategy for a whole office. Treat them as a deadline extension with a meter running, not a reprieve.

What to do with each machine
Does this device pass the Windows 11 check?
Passes
Upgrade in place - free
Fails
Replace with new
Tied to old app
ESU as a short bridge

A sensible 60-day plan

Start with an inventory: every Windows device, its age, and whether it passes the Windows 11 check. You cannot plan a refresh you have not measured. Group the results into upgrade-in-place, replace, and the small bridge-with-ESU set. Then sequence by exposure, dealing with internet-facing and remote-worker laptops first, because those are the machines an attacker reaches most easily.

Replacement is also an opportunity, not just a cost. Machines bought now will carry the business for the next four to five years, so it is worth specifying them properly rather than buying the cheapest box on a shelf, a trap we cover in the hidden cost of cheap business laptops. If you would rather not run this yourself, an outsourced partner can inventory, plan and roll out the whole fleet, which is one of the clearer cases for outsourcing IT versus hiring in-house. Browse current business laptops when you are ready to spec the replacements.

Key takeaways
  • Windows 10 security updates ended on 14 October 2025; machines still on it stop receiving patches for new flaws.
  • End of life is invisible day to day, which is what makes it risky: nothing breaks, but exposure grows monthly.
  • Most businesses need a mix of in-place upgrades, replacements for older hardware, and a small ESU bridge.
  • Windows 11 requires TPM 2.0, Secure Boot and a modern CPU; pre-2018 machines generally cannot upgrade.
  • Start with an inventory, sequence by exposure, and treat Extended Security Updates as a metered deadline, not a plan.
Frequently asked

FAQs — Windows 10 end of life

Timing and risk

Can I keep using Windows 10 after October 2025?

The machines still work, but they no longer receive security updates, so any newly discovered flaw stays open. That breaks Cyber Essentials, can void cyber-insurance and raises your exposure to ransomware. Plan a move rather than relying on it. See Cyber Essentials.

Is it really urgent if nothing has broken?

Yes. The risk is invisible by design: nothing stops working, but every new vulnerability found in Windows 10 now goes unpatched on your devices. Attackers target out-of-support systems precisely because the users are no longer protected, so the gap widens every month.

Options

What if a machine cannot run Windows 11?

If it lacks TPM 2.0 or a supported processor, an in-place upgrade is not possible, so the machine needs replacing. For a few devices tied to software you cannot yet move, paid Extended Security Updates buy limited time. Spec replacements properly using our laptop guidance.

Related

Got a question this article didn't answer?

One conversation with an engineer who's done this before. No sales script.

Talk to Servnet →