Sun. Aug 10th, 2025

How to securely manage Windows 10 end of life



ThreatAware CEO Jon Abbott gives his expert advice on securely preparing for Microsoft Windows 10 end of life, coming this October.

After a decade of service, Microsoft is retiring Windows 10 later this year. By 14 October, any machine still running the operating system will need to upgrade to Windows 11, or else run the risk of going on without any more support.

Businesses that choose to keep their devices operating unsupported in the wilderness will leave themselves hugely vulnerable, with no more security updates and patches to keep the circling cybercriminals at bay.

We’ve seen the consequences of this many times in the past. Part of the reason the 2017 WannaCry attack was so damaging was the vast numbers of machines still creaking by with Windows XP, which had been retired for many years by then.

While the October deadline is still a couple of months away, updating or decommissioning every endpoint is a significant task, especially for larger estates. Organisations that have yet to make the switch will certainly be faced with vulnerable machines when support ends, so they must act urgently to minimise the window of risk. This starts with understanding the nature of their IT estate and the scale of the task.

Lack of visibility over device sprawl

Despite the looming deadline, significant upgrades come with a host of challenges that can delay progress: tech refreshes are typically resource and time intensive and bring the risk of system downtime or disruption to normal operations.

Many companies also rely on legacy or custom hardware and software that may not be compatible with the new operating system.

Perhaps recognising the vast number of devices relying on Windows 10, Microsoft recently threw users a couple of lifelines.

Personal Windows 10 users can enrol in Extended Security Updates (ESUs) until October 2026 for a one-time fee, as long as they sign into a Microsoft account.

Meanwhile, enterprises continue to receive updates for a fee that will double each year, up to a maximum of three years. The time limit and increasing cost mean organisations should see this as a temporary extension at best.

In the long term, businesses must ensure that every Windows 10 device in their IT estate is either updated or decommissioned. This is easier said than done, however, especially when many companies don’t have the full picture of all the devices involved.

We find companies often lack full visibility of their IT estate, relying on manual inventory processes that are rapidly outdated. Many companies have a large swathe of devices connected to their network that are unaccounted for, falling outside the scope of IT oversight and security processes.

So, the first priority in managing Windows 10 has to be getting a full and accurate account of all of these devices.

Effective discovery means consolidating data from sources such as Active Directory, SCCM, Intune and help-desk logs, as well as uncovering unmanaged BYOD and home-office PCs via agentless scanning.

Only with comprehensive, up-to-date visibility can IT teams prioritise assets correctly and avoid nasty surprises mid-migration.
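The consolidation step described above can be sketched as follows. This is an added example, not code from the article or from ThreatAware; the source names, record fields and hostnames are constructed assumptions rather than the real export schemas of Active Directory, Intune or any scanner.

```python
from datetime import date

# Constructed sample exports; field names are assumptions, not real tool schemas.
SOURCES = {
    "active_directory": [
        {"host": "FIN-LT-01.corp.example", "os": "Windows 10 Enterprise", "last_seen": "2025-08-01"},
        {"host": "RND-WS-07.corp.example", "os": "Windows 11 Enterprise", "last_seen": "2025-08-05"},
        {"host": "OLD-PC-33.corp.example", "os": "Windows 10 Pro", "last_seen": "2025-03-02"},
    ],
    "intune": [
        {"host": "fin-lt-01", "os": "Windows 10 Enterprise", "last_seen": "2025-08-08"},
        {"host": "rnd-ws-07", "os": "Windows 11 Enterprise", "last_seen": "2025-08-09"},
    ],
    "network_scan": [
        {"host": "fin-lt-01", "os": "Windows 10", "last_seen": "2025-08-09"},
        {"host": "HOME-PC-9", "os": "Windows 10 Home", "last_seen": "2025-08-09"},
    ],
}
MANAGEMENT_SOURCES = {"active_directory", "intune"}

def normalise(host):
    """Short upper-case hostname so 'fin-lt-01' and 'FIN-LT-01.corp.example' merge."""
    return host.split(".")[0].strip().upper()

def consolidate(sources):
    """Merge per-source records into one entry per device."""
    devices = {}
    for source, records in sources.items():
        for rec in records:
            dev = devices.setdefault(normalise(rec["host"]), {"sources": set(), "os": None, "last_seen": date.min})
            seen = date.fromisoformat(rec["last_seen"])
            dev["sources"].add(source)
            if seen > dev["last_seen"]:  # keep the freshest OS report
                dev["last_seen"], dev["os"] = seen, rec["os"]
    return devices

def windows10_findings(devices, today, stale_days=90):
    """Map each Windows 10 device to the visibility gaps found for it."""
    findings = {}
    for name, dev in devices.items():
        if not dev["os"].startswith("Windows 10"):
            continue
        # unmanaged: seen on the network only; stale: record may be a ghost device
        checks = {"unmanaged": not dev["sources"] & MANAGEMENT_SOURCES,
                  "stale": (today - dev["last_seen"]).days > stale_days}
        findings[name] = [flag for flag, hit in checks.items() if hit]
    return findings

if __name__ == "__main__":
    print(windows10_findings(consolidate(SOURCES), date(2025, 8, 10)))
```

A device with an empty list is tracked by a management source and was seen recently; the flagged ones are the surprises to resolve before the migration starts.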

Risk-based prioritisation of upgrades

After the full scope of the challenge is understood, the next step is to set priorities.

Companies that still have a large number of devices operating Windows 10 will likely be dealing with them for many years yet. If it’s not possible to sort every device in time for October, teams must identify where the biggest risks lie and focus on those areas.

Not all endpoints merit equal urgency – for example, finance teams and R&D labs, and others handling sensitive data under GDPR, SOX or PCI-DSS, should leap to the front of the queue.

Teams also need to determine the systems that cannot be upgraded, either because the hardware won’t run Windows 11 or because there is bespoke software that won’t be compatible. Companies will need to strike a tolerable balance between risk and expense when dealing with these assets.

Building a migration roadmap

Once the process is underway, a structured, step-by-step plan is essential to minimise disruption and ensure consistency. There are several key steps to deliver this:

Asset discovery and compatibility assessment

Compile a hardware readiness matrix. Windows 11 has more requirements than its predecessor, including TPM 2.0 chips, UEFI Secure Boot and 64-bit CPU.

Potentially incompatible applications such as SCADA platforms or bespoke software tools must also be accounted for. Early compatibility testing on Windows 11 uncovers blockers before they derail your roll-out.
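A readiness matrix combined with the risk-based ordering from the prioritisation section could look like this. It is an added example, not the article's or ThreatAware's code; the inventory fields, status labels and device names are constructed assumptions, and only the three hardware requirements named above are checked.

```python
# Constructed sample inventory; field names and values are assumptions.
DEVICES = [
    {"host": "KIOSK-11", "tpm": None, "secure_boot": False, "cpu_bits": 32, "regulated": [], "blocking_apps": []},
    {"host": "OPS-HMI-04", "tpm": "2.0", "secure_boot": True, "cpu_bits": 64, "regulated": [], "blocking_apps": ["SCADA client"]},
    {"host": "RND-WS-02", "tpm": "1.2", "secure_boot": True, "cpu_bits": 64, "regulated": ["GDPR"], "blocking_apps": []},
    {"host": "FIN-LT-01", "tpm": "2.0", "secure_boot": True, "cpu_bits": 64, "regulated": ["SOX", "PCI-DSS"], "blocking_apps": []},
]

# The three Windows 11 hardware requirements named in the article.
REQUIREMENTS = {
    "TPM 2.0": lambda d: d["tpm"] is not None and float(d["tpm"]) >= 2.0,
    "UEFI Secure Boot": lambda d: d["secure_boot"],
    "64-bit CPU": lambda d: d["cpu_bits"] == 64,
}

def hardware_gaps(dev):
    """Names of the requirements this device fails."""
    return [name for name, ok in REQUIREMENTS.items() if not ok(dev)]

def readiness(dev):
    """Return (status, detail); hardware gaps take precedence over app blockers."""
    gaps = hardware_gaps(dev)
    if gaps:
        return "hardware-gap", gaps
    if dev["blocking_apps"]:
        return "app-blocked", dev["blocking_apps"]
    return "ready", []

def migration_queue(devices):
    """Devices under the most regulatory regimes first, then by hostname."""
    ordered = sorted(devices, key=lambda d: (-len(d["regulated"]), d["host"]))
    return [(d["host"], *readiness(d)) for d in ordered]

if __name__ == "__main__":
    for host, status, detail in migration_queue(DEVICES):
        print(f"{host:12} {status:13} {', '.join(detail)}")
```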

Pilot planning with Windows Autopilot

Automate device provisioning to standardise builds and support remote employees: when a laptop arrives, the user logs in and it builds to your exact specification, eliminating manual imaging and configuration errors.

There should be clear success metrics to validate each pilot cohort, such as boot times, application stability and user acceptance.

Phased roll-out

Group the remaining endpoints by function and geography. Use automation to trigger pre-upgrade checks, deploy the OS refresh and run post-migration health scans. Live dashboards surface blocker tickets, and compliance heatmaps enable rapid remediation before teams can move on to the next group.

Deployment tracking and reporting

Report weekly migration progress and risk status to stakeholders, including the board and department heads, to maintain visibility and momentum.

Governance, reporting and rollback plans

Alongside the process of managing the machines themselves, effective governance is crucial to keep migration on track and mitigate emergencies. Establish a cross-functional steering committee with representatives from IT operations, security, procurement and application owners to approve upgrade windows, handle exceptions and enforce SLAs so that issues can be resolved.

IT and security teams should be equipped with live dashboards for reporting upgrade success rates, blocker tickets and security posture improvements in real time.

Teams should also have an eye on any ESU enrolments and treat them strictly as temporary backstops. Review them regularly and retire any remaining Windows 10 licences as soon as the migration rings close.

Finally, you must get a good response plan in place. Establish a solid business continuity plan and test it to ensure that, should something go wrong, there are processes and systems in place to minimise disruption.

It’s also important to set clear rollback criteria for all mission-critical systems and test any recovery procedures that will be used. This includes system snapshots and backups that will let you revert swiftly if an upgrade breaks production. Integrating with native tools such as Microsoft Configuration Manager or Intune can simplify creating remediation workflows and automated rollback triggers. This ensures that upgrade failures are swiftly addressed and that service level agreements (SLAs) for resolution are enforced.

Framing migration as a catalyst for modernisation

Rather than a one-off compliance exercise, Windows 10 end-of-life can be a springboard for mature cyber-asset management.

Security leaders should use the upgrade to make improvements, including deploying agentless visibility across all endpoints, continuous health monitoring and tighter controls over shadow IT.

While getting ready for Windows 11 must be a top priority, don’t make the mistake of treating it as a one-off event. Eventually, there will be a new Windows operating system, and Windows 11 will be the one getting phased out. Rather than just scrambling to meet the immediate deadline, this is an opportunity to modernise infrastructure and processes, future-proofing the organisation against the next challenge.

By Jon Abbott

Jon Abbott is the CEO of ThreatAware, a platform designed to unify the security stack. Abbott has 25 years’ experience in the IT industry. He recently spoke to SiliconRepublic.com about his career and gave expert insights on cybersecurity for businesses.
