tutoriales · 11 min read
Windows 10 end of support — the day after 14 October
On 14 October 2025 free patches for Windows 10 stop. What the system stops receiving, what consumer ESU offers (free in the EEA, $30 outside), what it costs the enterprise, and which CVEs we are likely to see exploited against the installed base.
· Manuel López Pérez · tutoriales

On 14 October 2025 Microsoft ships the last free Patch Tuesday for Windows 10. Ten years and two months after the launch of 1507 (29 July 2015), version 22H2 hits end-of-support across every commercial edition: Home, Pro, Pro for Workstations, Pro Education, Enterprise, Education and Enterprise multi-session. The LTSC versions keep their own calendar (LTSC 2021 until January 2027, IoT LTSC 2021 until January 2032). Everything else gets no free updates from 15 October on.
This post covers what changes operationally for anyone staying on Windows 10 past 15 October, what the slow exit via ESU costs, and what kind of vulnerabilities it is reasonable to expect against that installed base over the next twelve months.
What Windows 10 stops receiving on 15 October
The Microsoft Support page is explicit and short: machines on Windows 10 22H2 keep working, but stop receiving security updates, feature updates, optional updates and technical support. The last free Patch Tuesday is October 2025, which closed with 175 vulnerabilities patched and three zero-days under active exploitation — CVE-2025-24990 (Agere Modem Driver), CVE-2025-59230 (Remote Access Connection Manager) and CVE-2025-47827 (IGEL OS Secure Boot bypass). November’s and every later one do not land on Windows 10 outside ESU.
By layer, what is lost:
- MSRC security updates. Critical and important. Microsoft keeps publishing them for Windows 11 and Windows Server; CVEs shared between Windows 10 and other branches are documented, but the patched binary for Windows 10 22H2 is not distributed outside the ESU program.
- Feature updates and optional updates. There is no 23H2 or 24H2 for Windows 10. The line ends at 22H2, on whatever 19045.x build the final monthly update leaves it at.
- Technical support. Any ticket opened in standard support after 14 October closes pointing at the upgrade path or ESU.
- Driver updates via Windows Update. What arrives there depends on the OEM. Historically with Windows 7, drivers vanished from the catalogue within months.
- Microsoft Defender and MAPS. Microsoft announced that Defender definitions remain on Windows 10 until at least October 2028 — the engine and signatures keep updating, but that does not patch the kernel or the vulnerable system components.
For Office, the calendar is offset: Microsoft 365 Apps also officially stop supporting Windows 10 on 14 October 2025, although Microsoft itself confirms that Office security updates for Windows 10 continue until October 2028 to avoid forcing a double migration in the same quarter.
ESU — the paid exit (and free in the EEA)
Extended Security Updates is the same program Microsoft applied to Windows 7 (2020-2023) and Windows XP (2014-sometime between never and always), with one novelty: for the first time it is offered to consumers, not just to enterprise.
Consumer
Three enrolment routes for individual users:
- Free with Windows Backup. Sync settings to the cloud and sign in with a Microsoft account.
- Free with 1,000 Microsoft Rewards points.
- $30 USD or equivalent, single payment. Covers up to ten devices per Microsoft account.
Coverage: until 13 October 2026. One year, not three.
Regional variant: for residents of the European Economic Area (EU + Iceland, Norway, Liechtenstein) enrolment is free without the Windows Backup requirement, only with a Microsoft account that authenticates at least once every sixty days. The concession was published in September 2025 after pressure from Euroconsumers invoking the Digital Markets Act. For EEA users in practice, the first year of consumer ESU is free if you accept having an active MSA.
Enterprise
Through Volume Licensing, the per-device price follows the classic ESU schedule:
- Year 1: $61 USD per device.
- Year 2: $122 USD (double).
- Year 3: $244 USD (double again).
The years are cumulative — if you enrol in year 2 without having bought year 1, you pay both. For customers with Intune or Windows Autopatch there is a ~25% discount on year 1 ($45/device). Maximum coverage runs until 13 October 2028, same as the previous generation.
At 1,000 devices, year 1: $61,000. Year 2: $122,000. Year 3: $244,000. Three-year total $427,000 before any operational cost (management, deployment, program monitoring). For comparison: a mid-range Lenovo ThinkPad with Windows 11 compatibility sits around $1,000-1,400. A thousand machines is $1-1.4M of capex, but capex with a 4-5 year useful life, not $427K just to keep Windows 10 running as it is.
The landscape EOS leaves behind
As of 30 September 2025, StatCounter Global Stats puts Windows 10 desktop share at around 40-42 % worldwide, with Windows 11 hovering around 50 % on a flat trend. After 14 October Windows 10 even gained a few points according to TweakTown and VideoCardz, suggesting that a fraction of the installed base does not intend to migrate in the short term.
What the Lansweeper data published through 2025 suggests: roughly half of the corporate estate does not meet Windows 11 hardware requirements (TPM 2.0, official CPU compatibility list, Secure Boot). That fraction is the one that will stay on Windows 10 with ESU if it pays, or unpatched if it does not.
Where Windows 10 actually lives outside the standard enterprise workstation:
- Point-of-sale. Retail chains with Windows 10 IoT tills (the IoT LTSC 2019 branch is still supported, but there are many deployments on non-LTSC IoT Enterprise).
- ATMs. Banks with legacy fleets of ATMs on Windows 10 IoT.
- Signage and kiosks. Airports, hospitals, touchscreens.
- OT and SCADA. HMIs, engineering, industrial supervision on Windows 10 Pro and Enterprise. The PLC vendor does not certify the HMI on Windows 11; the migration is a long project.
- Healthcare. PACS, imaging modalities, planning workstations. FDA / CE-MDR regulated software with lengthy certification cycles.
- Office workstations with legacy CAD/MES. 2000s-2010s applications requiring shims or compatibility policies that no longer work the same way on Windows 11.
The fraction of Windows 10 migrating to Windows 11 is the one with compatible hardware and standard software. The fraction that stays is the one with old hardware, legacy software and regulated devices — the same one that has historically paid the most for previous EOS.
The precedents: Windows XP (2014) and Windows 7 (2020)
Windows XP — the WannaCry lesson
Windows XP standard support ended on 8 April 2014. Three years later, on 12 May 2017, WannaCry exploited MS17-010 (EternalBlue, SMBv1 RCE) against ~230,000 Windows machines in 150 countries, many of them unpatched Windows XP and Windows 7. Microsoft had to ship out-of-band patches for XP and Windows 8 despite their being out of support. We covered the incident in the WannaCry anniversary post.
The pattern: vulnerability found by the NSA, leaked by Shadow Brokers, weaponised by Lazarus, unpatched XP installed base = worldwide pandemic. The gap between EOS and catastrophe was three years.
Windows 7 — the less visible lesson
Windows 7 support ended on 14 January 2020. Microsoft offered three years of enterprise ESU, until January 2023. There was no public WannaCry-equivalent against post-EOS Windows 7, but the pattern was different: silent exploitation by opportunistic crews (Conti-style ransomware affiliates, Black Basta) against organisations that stayed on Windows 7 past the date without paying ESU. Classic CVEs like CVE-2020-0796 (SMBGhost) and CVE-2021-1675 (PrintNightmare) were exploited against a mixed Windows 7/8/10/2008R2 base, with a disproportionate share of victims being unpatched ones.
The reading: Windows 7 EOS did not produce a media event, it produced a 36-month drip. Windows 10 is likely to look more like this than like XP — the detection and response ecosystem is far more mature than in 2017, EDR vendors maintain coverage, and the base that stays on Windows 10 typically does so with compensating controls (Defender for Endpoint, network segmentation, etc.). But absolute risk goes up and the cost of each incident goes up with it.
What kind of vulnerabilities we will see against Windows 10 post-EOS
Three categories to watch over the next twelve months, assuming the historical pattern:
1. Wormable network services
SMB, RPC, Print Spooler and derivatives. Through 2025 CISA’s KEV catalogue has accumulated a considerable collection of bugs in these surfaces. Any critical CVE that surfaces in Windows 11 and is retroactively found to affect the Windows 10 22H2 stack too will remain unpatched in public channels outside ESU. The first candidate lands in November if that Patch Tuesday brings a pre-auth RCE in a service exposed by default.
2. Local Privilege Escalation chains
Third-party signed drivers (like the ltmdm64.sys retired in October 2025 with CVE-2025-24990), OEM vendor drivers, privileged userspace components. EDRs detect post-exploitation, but the LPE chain is where the attacker consolidates access after a foothold. For someone already inside via phishing or browser exploitation, an unpatched LPE on Windows 10 is the missing piece.
3. Browser exploitation
Chromium-based Edge keeps receiving updates on Windows 10 at least until October 2028 (Microsoft confirmed it in May 2024). Chrome does not guarantee indefinite Windows 10 support — Google published in its policy that supported versions will continue until at least January 2028. A patched browser but an unpatched kernel is an uncomfortable scenario: a sandbox escape from the browser that depends on an unpatched kernel bug removes half the defence.
CISO reading
Three operational questions to answer before Q1 2026:
1. Realistic inventory
Full asset audit, not estimate. Workstations, laptops, kiosks, signage, OT, healthcare, point-of-sale. How many Windows 10 machines, which edition, which hardware, which critical software with no Windows 11 alternative. Without an inventory, the rest of the decision is blind.
```powershell
# Example: quick discovery via CIM across a domain
Get-CimInstance -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name) `
    -ClassName Win32_OperatingSystem `
    -ErrorAction SilentlyContinue |
    Select-Object PSComputerName, Caption, Version, BuildNumber, OSArchitecture
```

For large estates, better with SCCM/MECM, Intune, Lansweeper, Tanium, Rapid7 InsightVM or whatever is already in production. What matters is that the data is fresh — the migration will be moving for months and a three-month-old inventory is already noise.
2. Decision per tier
Once you have the inventory, segment by criticality and machine type:
- Tier A — standard workstations with compatible hardware. Upgrade to Windows 11 via Autopilot, MECM or manual rollout. Marginal cost.
- Tier B — workstations with incompatible hardware but planned refresh. Hardware refresh within the fiscal year. Capex cost but recoverable.
- Tier C — machines with legacy software blocking Windows 11. ESU while the software migration is worked (recompilation, virtualisation, replacement). Counts as tech debt with an expiry date.
- Tier D — OT, healthcare, regulated. ESU + strict network segmentation + augmented monitoring. Realistic minimum exit timeline 24-36 months.
- Tier E — machines that have been unpatched for three years already today. The problem is not EOS, it is prior patch hygiene. These are the machines that will turn up in the next post-mortem if no one touches them.
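An added example, not code from the original post, that turns the inventory signals above (build, TPM 2.0, Secure Boot, last installed update) into a first tier assignment for a single host. It assumes PowerShell 5.1 or later run elevated on the machine itself; the function name Get-Win10ExitTier, the three-year staleness threshold and the tier labels are this example's own. It does not consult the CPU compatibility list, and it cannot tell B, C and D apart, since those depend on software and regulatory context rather than on anything the OS reports.

```powershell
# Added example (not from the original post): per-host Windows 10 exit-tier check.
# Assumes PowerShell 5.1+ running elevated on the host being assessed.
function Get-Win10ExitTier {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber          # Windows 10 22H2 = 19045; Windows 11 starts at 22000

    # TPM: Win32_Tpm reports SpecVersion as a string such as "2.0, 0, 1.38"
    $tpm   = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                             -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = [bool]($tpm -and $tpm.SpecVersion -like '2.0*' -and $tpm.IsEnabled_InitialValue)

    # Secure Boot: the cmdlet throws on legacy-BIOS machines, which counts as "not met"
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Patch hygiene: age of the most recent installed update (the Tier E signal)
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    $staleYears = if ($lastFix) { ((Get-Date) - $lastFix.InstalledOn).TotalDays / 365 }
                  else          { [double]::PositiveInfinity }   # no dated update at all

    # Order matters: hygiene first, then hardware. Threshold of 3 years is this example's choice.
    $tier = if     ($build -ge 22000)          { 'Already Windows 11' }
            elseif ($staleYears -ge 3)         { 'E - unpatched 3+ years, fix hygiene before anything else' }
            elseif ($tpm20 -and $secureBoot)   { 'A - hardware OK, upgrade (confirm CPU list separately)' }
            else                               { 'B/C/D - hardware blocks upgrade: refresh, ESU or both' }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Caption    = $os.Caption
        Build      = $build
        Tpm20      = $tpm20
        SecureBoot = $secureBoot
        LastUpdate = if ($lastFix) { $lastFix.InstalledOn } else { $null }
        Tier       = $tier
    }
}

Get-Win10ExitTier | Format-List
```

Run it through Invoke-Command against the host list from the inventory step and export the objects to CSV to get a first cut of the tier table; the B/C/D split still has to be decided by hand from the software inventory.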
3. Compensating controls for what stays
For anything that stays on Windows 10 without ESU (or with year-1 ESU and a 12-month exit plan), exposure control:
- Network segmentation — Windows 10 off the flat network, behind an internal firewall with explicit rules.
- Application allowlisting — WDAC or AppLocker with a restrictive policy. What is not allowed does not run.
- EDR with telemetry — Defender for Endpoint, CrowdStrike, SentinelOne, etc., with active alerting and validated response.
- Enforced MFA for any authentication to sensitive resources from these machines.
- Removal of external exposure — no Windows 10 machine with services listening on the internet.
None of these controls replaces the patch, but combined they raise the cost to the attacker by an order of magnitude. It is the difference between “trivial machine” and “machine that requires a three-step chain for post-exploitation”. The opportunistic attacker moves on; the targeted one continues, but slows down.
The day after
On 14 October the final Patch Tuesday closed with three zero-days under active exploitation. The November one will land without Windows 10 on the list of affected platforms — and that does not mean the new bugs do not hit the shared kernel, it means the corrected binary for Windows 10 only ships through ESU. Whoever is not enrolled does not receive it.
The operational question is not “do we migrate?”. It is “what fraction of the estate migrates now, what fraction enters ESU, and what fraction stays outside both with compensating controls?”. For the last fraction, the clock started on the 15th.
References
- Microsoft Support — Windows 10 support has ended on October 14, 2025.
- Microsoft Lifecycle — Products reaching End of Support on October 14, 2025.
- Microsoft Lifecycle — Windows 10 Home and Pro, Windows 10 Enterprise and Education.
- Microsoft — Windows 10 Consumer Extended Security Updates.
- Microsoft Learn — Extended Security Updates (ESU) program for Windows 10.
- Tom’s Hardware — Windows 10 extended support is now free, but only in Europe (25 Sep 2025).
- StatCounter Global Stats — Desktop Windows Version Market Share Worldwide.
- BleepingComputer — Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws.
- The Hacker News — Two New Windows Zero-Days Exploited in the Wild (CVE-2025-24990, CVE-2025-59230).