October 14, 2025 came and went. If you're reading this, there's a reasonable chance your business still has Windows 10 machines on the network — and if so, you've been running without Microsoft security patches for seven months.

Windows 10 didn't stop working when support ended. What stopped was the monthly stream of patches that closed newly discovered vulnerabilities. Any vulnerability Microsoft has patched in Windows 11 since October 2025 remains unpatched on Windows 10.

You have three realistic options: buy Extended Security Updates to keep patches coming while you plan the upgrade, upgrade compatible hardware to Windows 11 now, or replace devices that can't make the jump.

---

What Changed on October 14, 2025

Microsoft ended all support for Windows 10 on October 14, 2025. Here's what that means in concrete terms:

• Security patches: The monthly updates that closed newly discovered vulnerabilities stopped. Microsoft's Patch Tuesday releases since October 2025 have covered Windows 11 — Windows 10 machines receive nothing.
• Bug fixes: Software defects identified after the deadline will not receive official resolution.
• Technical support: Microsoft will no longer assist with Windows 10 issues through normal support channels.
• Compliance certification: Industry frameworks that require a "supported operating system" — including certain HIPAA technical safeguard interpretations and PCI DSS requirements — no longer apply to Windows 10.
• Microsoft 365 app support: Microsoft stopped supporting Microsoft 365 apps (Outlook, Word, Excel, Teams) running on Windows 10 as of the EOL date. The apps continue to function and receive updates through your subscription, but Microsoft won't address compatibility issues or errors that arise from running them on an unsupported OS. If something breaks in Outlook or Teams on a Windows 10 machine, Microsoft support will tell you the fix is to upgrade.

What Windows 10 Still Does

Your machines didn't stop working. Email, documents, accounting software, browsers — all of it continues to function. The issue isn't that Windows 10 broke. It's that the security layer underneath those applications is no longer being maintained.

Each month since October 2025, Microsoft has shipped patches for Windows 11 that addressed newly discovered vulnerabilities. Some of those vulnerabilities exist in Windows 10's codebase too — they just don't get fixed. Over time, that gap compounds.

---

Your Three Options Right Now

Every business still running Windows 10 faces the same triage decision. Run Microsoft's PC Health Check tool on every Windows 10 machine first — the result of that scan largely determines which path applies.

The following sections go deeper on ESU pricing, compliance exposure, and how to execute the upgrade triage in 30 days.

---

Extended Security Updates: Cost, Coverage, and Caveats

ESU is Microsoft's paid extension program for Windows 10. It delivers critical security patches beyond the October 2025 deadline — but it has important limitations worth understanding before purchasing.

What ESU Actually Covers

ESU delivers only critical and important security patches as rated by the Microsoft Security Response Center. What it does not include:

• Bug fixes for non-security issues
• Performance improvements
• Feature updates or UI changes
• New compliance certifications
• General technical support

ESU is a security bridge while you execute an upgrade plan, not a substitute for migrating.

Current ESU Pricing

Enrolling today costs $183/device minimum for businesses — that buys coverage through October 2027. But Year 1 expires October 2026, so you're effectively buying into Year 2 immediately upon enrollment.

Who Gets ESU Free

Before paying, check whether you qualify:

Third-Party Micro-Patching: A Lower-Cost Option for Isolated Machines

For legacy machines that genuinely can't be upgraded or replaced quickly, 0patch (0patch.com) offers an alternative worth knowing about. 0patch delivers unofficial micro-patches for known vulnerabilities on unsupported Windows versions, including Windows 10 — at a significantly lower annual cost than Microsoft's cumulative ESU pricing for business.

It's not a substitute for ESU in regulated environments: patches are third-party rather than Microsoft-issued, coverage is narrower, and it won't satisfy compliance frameworks that require official vendor support. But for an isolated machine running non-critical, non-PHI workloads while you execute your replacement plan, it fills a gap. Evaluate it alongside ESU when the hardware economics don't favor buying two years of Microsoft coverage upfront.

---

Your Compliance and Cyber Insurance Exposure

HIPAA

If your practice handles protected health information (PHI) and that data is accessible from Windows 10 endpoints, you have exposure. The HIPAA Security Rule requires covered entities to protect against "reasonably anticipated" threats — and an unpatched operating system with known, publicly disclosed vulnerabilities doesn't meet that standard.

The HHS Office for Civil Rights (OCR) has cited unpatched and unsupported software as a contributing factor in enforcement actions. It doesn't guarantee a penalty, but it provides OCR with documented evidence of insufficient safeguards if a breach occurs — a practical compliance concern for healthcare practices in South Florida operating under HIPAA.

Florida Information Protection Act (FIPA)

Florida's Information Protection Act requires businesses to take "reasonable measures" to protect personal information and to notify affected individuals in the event of a breach. If a breach occurs on an unpatched Windows 10 machine, the lack of patches becomes evidence that reasonable safeguards were not in place. Financial services firms and legal offices are particularly exposed here.

Cyber Insurance

---

30-Day Migration Triage for South Florida Businesses

If you're starting from zero today, here's a realistic sprint outline. This isn't an ideal-state 9-week plan — it's a catch-up sequence for a business that's already seven months past the deadline.

Week 1: Inventory and Triage

• Run PC Health Check on every Windows 10 device. Document results.
• Categorize devices into three buckets: Ready to upgrade, Needs BIOS settings adjusted, Needs replacement.
• Identify legacy applications that may block a Windows 11 upgrade. Check vendor compatibility pages — many have shipped Windows 11-compatible versions in the past year.
• Check whether any devices have ESU already enrolled via the Microsoft 365 Admin Center.

Week 2: Quick Wins

• For devices that pass the hardware check: upgrade in place. If you own a valid Windows 10 Pro license, the Windows 11 upgrade is still free through Windows Update. See our Windows 11 compatibility guide for the step-by-step.
• For devices where TPM 2.0 or Secure Boot is disabled in BIOS: enable it, re-run PC Health Check, then upgrade. A significant percentage of "incompatible" machines pass after this step alone.
• Purchase ESU only for devices that genuinely cannot upgrade or be replaced within 60 days. Don't buy it as a blanket stopgap.

Week 3: Hardware Decisions

• Get quotes for replacement hardware on devices that don't qualify and can't be fixed via BIOS settings.
• Prioritize replacing the highest-risk endpoints first: devices used for financial transactions, PHI access, or remote work.
• For legacy software blocking Windows 11: contact the vendor about a compatibility update or upgrade path.

Week 4: Execute and Document

• Complete in-place upgrades on all qualified hardware.
• Begin deploying replacement devices as they arrive.
• Document your migration status — both completed and in-progress — for compliance purposes. Documented progress demonstrates good-faith remediation in the event of an audit or insurance review.
• For any Windows 10 machines staying temporarily: isolate them on a separate VLAN with restricted internet access and current endpoint protection signatures.

---

Hardware Compatibility: What Passes, What Doesn't

The main barriers to a Windows 11 upgrade are TPM 2.0 and Secure Boot. Both are present on most hardware made after 2018 — but they're sometimes disabled in BIOS by default, causing PC Health Check to flag a device as incompatible when it actually qualifies.

Devices that typically pass the Windows 11 check:

• Intel 8th generation (2017) processors or newer
• AMD Ryzen 2000 series (2018) or newer
• Most business laptops purchased 2019 or later

Devices that fail but may be fixable:

• Hardware from 2017–2018 with TPM 2.0 present but disabled in BIOS/UEFI
• Systems where Secure Boot is disabled in firmware settings
• Devices that need a BIOS/UEFI firmware update to expose TPM 2.0 support

Devices that genuinely require replacement:

• Intel 7th generation or older processors
• AMD Ryzen 1000 series (first generation)
• Hardware without TPM 2.0 capability (most pre-2016 machines)

For a detailed breakdown of Windows 11 hardware requirements including the newer NPU requirements in 25H2, see our Windows 11 system requirements guide.

For devices where compatibility hinges on Secure Boot and TPM configuration, our Secure Boot and TPM guide walks through the BIOS steps for common hardware.

---

Choosing a Windows 11 Edition

Once you're upgrading, the Home vs. Pro decision matters for business use.

For a detailed comparison of Pro vs. Enterprise features, see our Windows 11 Pro vs Enterprise guide. For smaller businesses deciding on the base license, our Windows Home vs Pro comparison covers the practical tradeoffs.

---

Post-Migration Setup

After upgrading, a few configurations make a real difference for business use:

Security baseline:

• Enable BitLocker on all drives (Windows 11 Pro). On mobile devices, this is a critical data protection step — a lost or stolen laptop without BitLocker means the drive contents are readable without any authentication.
• Configure Windows Hello for Business if you're in an Azure AD or domain environment.
• Verify Windows Defender is active and set to update automatically.

Google Workspace integration: If your business runs Google Workspace, Windows 11 and Google apps require a few configuration steps that aren't obvious out of the box. Our guide on managing Windows 11 alongside Google Workspace and OneDrive covers the specific settings that prevent sync conflicts and permission issues.

Replacement hardware: If you're buying new devices as part of this process, our reviews of the Dell XPS 14 and Microsoft Surface Laptop 6 cover the options that make the most sense for business environments in the current price range.

---

Frequently Asked Questions

We missed the October 2025 deadline. Is it too late to buy Windows 10 ESU?

No — Microsoft still allows enrollment. But businesses joining now must pay Year 1 and Year 2 costs cumulatively: $183 per device minimum ($61 + $122) to get covered through October 2026. Consumer users on Windows 10 Home can still enroll for $30/year through the Microsoft Store.

What does Windows 10 Extended Security Updates actually cover?

ESU covers critical and important security patches as defined by the Microsoft Security Response Center — nothing else. No bug fixes, no feature updates, no UI changes, no compliance recertification. It is a security maintenance bridge only. If you're relying on ESU as a long-term solution, you've extended the timeline but not resolved the underlying problem.

Will our cyber insurance cover a breach on a Windows 10 machine?

It depends on your policy language. Many business cyber insurance policies now require "supported operating systems" as a coverage condition. Before assuming you're covered, read the policy definitions — and disclose the Windows 10 exposure to your broker proactively. Some insurers will accept a documented migration plan rather than requiring immediate remediation.

How do I check if our computers can run Windows 11?

Download Microsoft's PC Health Check tool — it evaluates each device and explains specific failures. The most common barriers are TPM 2.0 and Secure Boot. Both are present on most hardware made after 2018, but may be disabled in BIOS settings. Machines from before 2016 are unlikely to qualify regardless of settings.

Should we pay for ESU or just replace the hardware?

If the device is under 3 years old and fails the Windows 11 check only because of TPM or Secure Boot settings in BIOS, enable those settings and try upgrading for free — no ESU needed. If the device is 4+ years old and genuinely can't run Windows 11, buying ESU on aging hardware delays the inevitable. Budget for replacement instead of paying $183/device for five months of coverage on hardware you'll retire anyway.

Does Windows 11 have real friction compared to Windows 10?

Yes — the interface changes are real, and some users find them disruptive at first. The taskbar is centered, the right-click context menu is simplified (which some users dislike), and the Settings app layout is different from Windows 10. Most users adapt within a week or two. The transition cost is real, but it's a one-time adjustment, not an ongoing issue.

---

Where to Go From Here

Seven months past the deadline, the path forward is the same regardless of where you're starting from: assess what you have, decide which machines upgrade versus replace, and address the highest-risk endpoints first. ESU is available for devices that need a bridge, in-place upgrades are free for compatible hardware, and most business-grade replacement hardware ships within a few days.

If you're in South Florida and need hands-on help with the triage process — running the hardware inventory, determining which devices upgrade vs. replace, and handling the upgrade deployment — that's exactly what iFeelTech does for small and medium businesses.

Schedule a Windows 10 Assessment

---

Related Reading

• Windows 11 System Requirements and Compatibility Guide
• Windows 11 Pro vs Enterprise for Business
• Windows Home vs Pro: Which Does Your Business Need?
• Secure Boot and TPM: What They Are and Why Windows 11 Requires Them
• Windows 11 with Google Workspace and OneDrive