Microsoft Windows 10 security support extension no excuse to put off patching, asset review

Microsoft has acknowledged that more time is needed for users to migrate to Windows 11, officially announcing that when Windows 10 support comes to an end in October 2025 there will be a means to allow consumers and businesses to purchase extended Windows support patches. The company announced the plan for an extended security update (ESU) program for Windows 10, including a program for Windows 10 consumer end users, in a recent blog post. While the pricing has not been announced, if the program for Windows 10 is similar to that for Windows 7, the process will have a multiyear offering with annually increasing prices.

With the Windows 7 ESU program, a product key was required to be installed on devices that were earmarked to continue receiving security updates in order to “unlock” the ability to install security updates after the end of the official support window. Without the key, patches could not be installed. Over the next two years, organizations still using Windows 10 will need to identify those workstations that do need to be upgraded and prioritize resources for them.

Review why you are still using Windows 10 on some workstations

First, consider those workstations that would actually benefit from upgrading to Windows 11. If you are contemplating Windows 10 ESUs for a workstation, it’s usually for one of two reasons: It does not have the necessary TPM or CPU to support Windows 11, or it is running a business application that won’t support Windows 11.

Given that I have yet to see many major supported programs that worked on Windows 10 fail to work on Windows 11, my guess is that for many of us what is keeping us from upgrading to Windows 11 is that we need a hardware refresh. If you are in this camp, you should prioritize and inventory your network to see what roles and positions would benefit from a Windows 11 deployment.

More than anything else, what Windows 11 brings to the table is support for more modern and more robust authentication processes. From Windows Hello to passkey support, without an onboard TPM chip your Windows 10 workstations will not be able to cut it in the world of cloud and online authentication. Given that today’s bad actors treat passwords as just as valuable as vulnerabilities and are attacking our networks through our credentials, everything we can do to roll out stronger authentication is key to keeping our networks as secure as we can.

For example, if a device is joined to Entra (formerly Azure AD), a policy can be set so that the default experience removes the need for passwords and instead uses Windows Hello for Business or FIDO2 security keys as the primary authentication. With no password in use on the device, there is no password hash for attackers to harvest.

Identify assets that need to be replaced

I would challenge everyone in your IT department to provide you with listings of assets that need to be replaced even sooner. Case in point: if you have any employees still running a computer without a solid-state drive (SSD), they are using vastly inefficient machines, and the aging hardware will affect their ability to do their jobs.

I regularly see Windows 10 hardware with older-style hard drives unable to function efficiently because the percentage of disk use is pegged at 100%. The device sits there frantically attempting to do the task the employee has asked it to do, and because of the limitation of the computer hardware, your employee is unable to complete their function. “Oh my apologies, my computer is taking a long time to refresh” is not a good excuse for any department.

Windows 10 is unable to perform properly with newer applications if it isn’t running from an SSD, no matter the age of the rest of the components. Plan on upgrading these devices rather than extending their life or purchasing ESU keys for machines in this category.
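The inventory the preceding sections call for (TPM and Secure Boot readiness for Windows 11, and the SSD-versus-spinning-disk test) can be collected from each workstation with a short script. The following PowerShell is an added example, not the article's or Microsoft's code; it assumes it runs elevated on the workstation (or via Invoke-Command over WinRM), that the Secure Boot and Storage cmdlets are available, and it deliberately does not check the CPU against Microsoft's supported-processor list, which must be done separately.

```powershell
# Added example: triage one Windows 10 workstation into the three buckets the
# article describes (replace / upgrade to Windows 11 / ESU candidate).
# Run as administrator; the CPU support list is NOT evaluated here (assumption).
function Get-Win10TriageReport {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; Windows 11 needs 2.0.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm2 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

    # Secure Boot / UEFI: Confirm-SecureBootUEFI throws on legacy BIOS firmware.
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Disk: the article's rule of thumb. A spinning disk means replace, not ESU.
    $disks  = Get-PhysicalDisk | Select-Object -Property FriendlyName, MediaType
    $hasHdd = [bool]($disks | Where-Object { $_.MediaType -eq 'HDD' })

    $bucket = if ($hasHdd)                  { 'Replace (spinning disk)' }
              elseif ($tpm2 -and $secureBoot) { 'Upgrade to Windows 11 (verify CPU)' }
              else                            { 'ESU candidate (no TPM 2.0 / UEFI)' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OS              = "$($os.Caption) build $($os.BuildNumber)"
        CPU             = $cpu.Name
        Tpm20           = $tpm2
        SecureBoot      = $secureBoot
        HasSpinningDisk = $hasHdd
        Disks           = ($disks | ForEach-Object { "$($_.FriendlyName):$($_.MediaType)" }) -join '; '
        Bucket          = $bucket
    }
}

# Single-machine run; for a fleet, pipe the output of Invoke-Command to Export-Csv.
Get-Win10TriageReport | Format-List
```

Machines landing in the "ESU candidate" bucket are the only ones for which an ESU key purchase should even be considered; the other two buckets are hardware decisions.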

Evaluate software to determine if it still needs to be located on a physical machine

Next, evaluate your software. Many applications are moving more and more items to the cloud and thus the traditional workstation may not be as useful. Does that division need to have a traditional Windows workstation, or would they be better served with a thin client? Could they even be serviced with an alternative operating system, as long as a functional browser was available that supported the security authentication you need?

Don’t forget the management tools that must be in place before a different workstation methodology can be deployed. No matter what the employee uses to perform their job, you need to be able to manage, patch, and redeploy at will for the roles you are replacing — the costs of workstations are generally factored into equipment decisions, but not necessarily the cost of the additional management tools that may be needed.

Review your technology purchasing strategy

Next, review if you need to change how you purchase your technology. Have you traditionally purchased your equipment or leased it? If you lease, review your options with your leasing partners to see if there are any incentives to change out hardware sooner versus later. Often you can trade up before the contract is complete with no additional fees or costs.

Finally, review those pieces of software that are keeping you on Windows 10. I hope at this stage of the Windows 10 lifecycle, your organization has no such concrete examples of commercial software vendors that don’t support Windows 11. If you do, I would strongly recommend researching options for alternative vendors. If what is keeping you back is a custom-coded internal tool that relied on outdated technology or older browser implementation, you may want to make the investment now into re-coding or reevaluating your processes to make them more futureproof.

It may make sense for your budget to anticipate that some workstations will stay on 10 in order to manage the migration costs of an older internal software project to something that is more operating-system agnostic and perhaps relies more on a browser for its operation.

For those of you still on Windows 10, know that you have an official reprieve. Microsoft will provide at least three more years of additional updates. But don’t waste the time you have. Keep reviewing your asset inventory and identify those workstations, as well as internal projects, that need updating in order to keep your technology relevant and protected.
