On October 14, 2025, Microsoft will end all free security updates and technical support for Windows 10, leaving an estimated 121 million enterprise devices exposed unless their operators pay up. A new analysis from digital employee experience firm Nexthink puts the aggregate first-year cost of continued security coverage at over $7.3 billion—a figure that has turned the end‑of‑support deadline into a boardroom emergency across the globe.
The Countdown to October 14, 2025
After October 14, Windows 10 will receive no more patches, feature updates, or official Microsoft assistance unless the device is enrolled in a paid Extended Security Update (ESU) program. Unsupported machines will continue to run, but each newly discovered vulnerability will widen the attack surface for ransomware, data exfiltration, and compliance violations. For regulated industries, running an unsupported OS can mean failing an audit or losing cyber insurance coverage. That reality is compressing procurement cycles and pushing upgrade budgets into the spotlight.
Microsoft has been signalling this deadline for years, yet the Windows 10 install base remains stubbornly large. Many organizations put off migration while waiting for hardware supply chains to recover, or simply underestimated the scale of the work. Now, with just over a year remaining, they face a three‑way choice: migrate to Windows 11, pay for ESU, or adopt an alternative platform.
The Nexthink Analysis: Modeling a $7.3 Billion Headline
Nexthink’s public modeling starts from Microsoft’s own device numbers—roughly 1.4 billion monthly active Windows devices worldwide. Assuming about 30% are in commercial or public‑sector use yields approximately 420 million enterprise endpoints. Using StatCounter market‑share snapshots and telemetry from its own customers, Nexthink estimates that roughly 181 million of those devices were still running Windows 10 in mid‑2025, with a projected decline to 121 million by the October cut‑off.
Multiplying those 121 million devices by the first‑year ESU list price of $61 per device produces the $7.3 billion headline (about €6.7 billion at September 2025 exchange rates). That sum is an industry‑level illustration, not a fixed invoice. It does not account for volume licensing discounts, the roughly 25% discount available through cloud activation via Microsoft Intune or Windows Autopatch, or the fact that Windows 365 Cloud PC subscribers get ESU at no extra charge for covered workloads. Still, the number shows why Microsoft’s ESU program could become a multi‑billion‑dollar line of business overnight.
Sensitivity matters. A small error in the enterprise‑device share or in the migration‑rate projection changes the total by hundreds of millions. Currency fluctuations add another layer of uncertainty. Organizations must build their own bottom‑up estimates, not rely on the aggregate figure.
How the Extended Security Updates Program Works
Microsoft offers three commercial paths to receive ESU:
- Traditional “5‑by‑5” activation: A per‑device license applied through volume activation tools. Year 1 costs $61 per device. Years 2 and 3 cost $122 and $244 per device, respectively. This steep escalation is designed to push organizations toward migration.
- Cloud activation: Organizations managing devices with Microsoft Intune or Windows Autopatch can activate ESU through the cloud at a discount of roughly 25% off list price. This also simplifies deployment and license tracking.
- Windows 365 Cloud PC inclusion: Devices that access Windows 11 Cloud PCs through Windows 365—and certain virtual machine scenarios—receive ESU at no additional cost as part of the subscription, subject to a one‑year commitment. This effectively allows cloud‑adopting organizations to neutralize ESU expenses for eligible workloads.
For consumers, Microsoft announced a one‑year ESU option with lighter enrollment, but enterprise pricing is the primary driver of cost models. The annual price doubling means that a device kept on ESU for the full three years costs its owner $427 total, not counting any discounts. A fleet of tens of thousands can quickly generate an eight‑figure bill.
Windows 11 Upgrade: A Rocky Road
Microsoft recommends Windows 11 as the primary migration path, but the upgrade is anything but frictionless. Nexthink’s telemetry and independent analyst reports show that Windows 11 rollouts have exhibited higher crash and hard‑reset rates compared with Windows 10 during early deployments. Nexthink attributes the gap largely to hardware and driver incompatibilities, as well as deployment hygiene, rather than to a fundamental flaw in the OS. That nuance is cold comfort to IT teams facing helpdesk spikes after each wave.
Hardware requirements add another hurdle. Windows 11 demands TPM 2.0 and a processor from an approved list. A significant slice of functional Windows 10 hardware cannot be upgraded in place without component replacement. Organizations must decide whether to upgrade firmware and drivers on existing devices, replace them outright, or shift workloads to virtual desktops. Each choice carries procurement lead times, logistics costs, and e‑waste consequences.
Application compatibility testing and remediation often eclipse hardware costs. Validating line‑of‑business apps, containerizing legacy tools, and re‑training users can consume the lion’s share of migration budgets. Pilots, phased rollouts, and a robust remediation pipeline are the only reliable way to reduce the operational risk—but they add months to the calendar.
Alternatives: Linux, VDI, and Cloud PCs
Not every organization needs to follow Microsoft’s recommended path. Three alternatives can reduce or eliminate ESU exposure:
- Linux desktop migration: For shops where Windows‑only applications are limited, moving to a supported Linux distribution avoids both hardware refreshes and ESU fees. The trade‑off is a different user experience, retraining costs, and potential gaps in application availability. It works best for task workers and developer workloads, not general knowledge workers.
- Virtualization and VDI: Replatforming legacy apps into a Windows 11 virtual desktop infrastructure (VDI) or Windows 365 Cloud PCs lets organizations run supported OS images while keeping older endpoints as terminals. This converts a capital problem into a recurring cloud cost and introduces network dependency, but it can sharply reduce the number of physical devices that need immediate replacement.
- Segmentation and isolation: For highly regulated or industrial environments where migration is technically impossible, air‑gapping unsupported Windows 10 systems, applying compensating controls, and constraining internet exposure can be a short‑term stopgap. It is a mitigation tactic, not a long‑term solution, and it rarely satisfies auditors.
Each alternative adds its own operational complexity and cost vectors. A total‑cost‑of‑ownership analysis that accounts for support headcount, security tools, and user productivity is essential before choosing.
Financial Modeling: The Real Cost of ESU
Consider a hypothetical enterprise with 100,000 Windows endpoints. Three scenarios illustrate the financial trade‑offs:
| Scenario | Year 1 Cost (USD, gross) | Notes |
|---|---|---|
| Immediate full migration | $0 ESU; hardware refresh costs for non‑upgradeable devices | Front‑loaded capex; project costs for app remediation |
| One‑year ESU buy‑time | $6.1M (100k × $61) | ESU covers all devices while migration proceeds over 12 months |
| Hybrid | $3.66M for 60k devices after 25% cloud discount; ESU avoided for 30k via Windows 365; 10k pay full list | Complex, but lowest net outlay if cloud adoption is high |
Year 1 is only the beginning. If migration slips, Year 2 adds $122 per device, and Year 3 adds $244. A fleet that stays on ESU for the full three years pays $42.7M. Cloud activation discounts and Windows 365 inclusion can chop that number by a quarter or more, but the trend is unmistakable: ESU buys time, not a permanent solution.
Organizations must also model indirect costs: lost productivity during crashes, helpdesk overtime, security incident response, and potential compliance fines. A disciplined multi‑year cashflow model should stack migration capex against ESU opex and show the board the cost of inaction.
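A small multi-year ESU cashflow model makes the cost of a slipped migration visible. This is an added example, not code from Nexthink or Microsoft; the cohort structure, the route names `list`, `cloud` and `w365`, and the treatment of "roughly 25%" as exactly 25% are assumptions.

```python
from decimal import Decimal

# Per-device list price by ESU year, as quoted in the article.
LIST_PRICE = {1: Decimal(61), 2: Decimal(122), 3: Decimal(244)}
# Route multipliers; the article's "roughly 25%" is taken as exactly 25% (assumption).
ROUTE_FACTOR = {"list": Decimal(1), "cloud": Decimal("0.75"), "w365": Decimal(0)}

def esu_cashflow(cohorts):
    """cohorts: (devices, route, years_on_esu) tuples. Returns {year: USD}."""
    flow = {year: Decimal(0) for year in LIST_PRICE}
    for devices, route, years in cohorts:
        if route not in ROUTE_FACTOR or not 0 <= years <= len(LIST_PRICE):
            raise ValueError(f"bad cohort: {(devices, route, years)}")
        for year in range(1, years + 1):
            flow[year] += devices * LIST_PRICE[year] * ROUTE_FACTOR[route]
    return flow

def slip_penalty(cohorts, extra_years=1):
    """Added spend if every cohort leaves ESU extra_years late (capped at year 3)."""
    late = [(d, r, min(len(LIST_PRICE), y + extra_years)) for d, r, y in cohorts]
    return sum(esu_cashflow(late).values()) - sum(esu_cashflow(cohorts).values())

# Constructed plan for the article's 100,000-device fleet, all at list price:
# 60k leave ESU after year 1, 30k after year 2, 10k stay all three years.
PLAN = [(60_000, "list", 1), (30_000, "list", 2), (10_000, "list", 3)]

if __name__ == "__main__":
    for year, cost in esu_cashflow(PLAN).items():
        print(f"Year {year}: ${cost:,.0f}")
    print(f"Cost of a one-year slip: ${slip_penalty(PLAN):,.0f}")
```

Because the per-device price doubles each year, a one-year slip on this constructed plan costs more than the entire on-schedule plan.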
An Operational Playbook for IT Leaders
Success hinges on a sequenced plan. The following steps compress the work and lower the chance of desperate, last‑minute ESU purchases.
- Inventory and baseline (0–2 weeks)
  - Build a complete device inventory with OS version, hardware model, TPM presence, and installed applications.
  - Tag every device as “in‑place upgrade,” “upgradeable with component swap,” “replace,” or “segment.”
- Prioritize by risk and value (2–4 weeks)
  - Rank devices by data sensitivity, user criticality, and compliance exposure.
  - Group devices into migration waves: pilot (5–10%), fast lane (kiosks, knowledge workers), slow lane (specialized clinical or industrial systems).
- Run compatibility pilots (4–8 weeks)
  - Test Windows 11 in‑place upgrades on a representative sample of hardware and application stacks.
  - Measure crash rates, app breakage, and user experience with digital employee experience (DEX) tooling. Iterate remediation.
- Decide on ESU coverage and activation route (concurrently)
  - For devices that cannot be migrated by October 14, purchase ESU only for the minimal set needed, and prefer cloud activation for the discount.
  - If you already use Intune or Windows Autopatch, plan cloud activation immediately to lock in lower costs and simplified lifecycle management.
- Execute and recover (3–12 months)
  - Phase upgrades using automated deployment tools. Maintain rollback plans.
  - For replaced devices, ensure secure data sanitization and responsible recycling.
- Post‑migration validation and decommissioning
  - Deactivate ESU licenses once devices are migrated. Reconcile license inventories and retire legacy images.
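The inventory-tagging and ESU-coverage steps of the playbook can be combined into one pass over the device inventory. The sketch below is an added example, not the article's or any vendor's tooling: the CSV column names, the sample devices and the tagging rules are assumptions, and the cloud price is the $61 list price less an assumed exact 25%.

```python
import csv
import io
from datetime import date
from decimal import Decimal

DEADLINE = date(2025, 10, 14)  # end of free Windows 10 support
YEAR1 = {"w365": Decimal(0), "cloud": Decimal("45.75"), "list": Decimal(61)}  # cloud = $61 less 25%

# Constructed inventory; column names are assumptions, not a real export format.
INVENTORY = """\
device,tpm,cpu_approved,immovable,intune,cloud_pc,migrate_by
LT-001,2.0,yes,no,yes,no,2025-09-01
LT-002,2.0,yes,no,yes,no,2026-01-15
DT-003,1.2,yes,no,no,no,2026-03-01
DT-004,none,no,no,yes,no,2026-06-30
TC-005,none,no,no,no,yes,2026-06-30
HMI-006,1.2,no,yes,no,no,
"""

def tag(row):
    """One of the article's four tags; the decision rules are assumptions."""
    if row["immovable"] == "yes":
        return "segment"
    if row["cpu_approved"] != "yes":
        return "replace"
    return "in-place upgrade" if row["tpm"] == "2.0" else "upgradeable with component swap"

def esu_route(row):
    """Cheapest activation route, or None if the device migrates by the deadline."""
    due = row["migrate_by"]
    if due and date.fromisoformat(due) <= DEADLINE:
        return None
    if row["cloud_pc"] == "yes":
        return "w365"
    return "cloud" if row["intune"] == "yes" else "list"

def plan(text=INVENTORY):
    """Return ({device: (tag, route)}, year-1 ESU cost) for an inventory CSV."""
    rows = list(csv.DictReader(io.StringIO(text)))
    tagged = {r["device"]: (tag(r), esu_route(r)) for r in rows}
    cost = sum((YEAR1[route] for _, route in tagged.values() if route), Decimal(0))
    return tagged, cost

if __name__ == "__main__":
    devices, year1 = plan()
    for name, (label, route) in devices.items():
        print(f"{name:8} {label:32} ESU: {route or 'not needed'}")
    print(f"Year-1 ESU spend: ${year1}")
```

A device with no migration date, such as the segmented HMI in the sample, still appears in the ESU set, so isolation is tracked as a compensating control and not as a substitute for patch coverage.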
Beyond the Balance Sheet: Security, Compliance, and E‑Waste
Unsupported Windows 10 instances are a gift to threat actors. In the months after October 2025, newly discovered Windows vulnerabilities will have no official patch on machines that are not enrolled in ESU. Ransomware groups routinely scour for unpatched systems; an unsupported OS is an invitation.
Compliance frameworks such as PCI DSS, HIPAA, and ISO 27001 mandate that systems receive security updates. Running an unsupported OS may lead to audit findings, higher insurance premiums, or loss of certification. For publicly traded companies, it can become a material risk disclosure.
The hardware refresh wave raises environmental concerns. Tossing millions of perfectly functional PCs because they lack a TPM 2.0 chip or a supported CPU has sparked accusations of planned obsolescence. Where feasible, component upgrades, virtualization, or donation to certified refurbishers can reduce the e‑waste footprint. Some organizations are exploring trade‑in programs that ensure responsible recycling.
Strategic Decisions for the Boardroom
The end of Windows 10 support is not a routine IT maintenance event; it is a multi‑year operational and financial program that demands board‑level governance and funding. Key takeaways for executives:
- ESU is a tactical tool, not a strategy. The annual price doubling makes prolonged reliance a financial drain. It should be used only to buy the time needed to complete migration.
- Migration risk is real but manageable. Windows 11 instability reports are mainly tied to driver and compatibility issues. A rigorous pilot and phased approach, backed by DEX telemetry, can contain the disruption.
- Levers exist to lower the bill. Cloud activation via Intune, Windows 365 inclusion, and targeted virtualization can cut ESU spend by a quarter or eliminate it for parts of the estate. Negotiating with volume licensing partners can further reduce costs.
- Model everything. Build a cashflow model that stacks ESU opex against migration capex, and include indirect costs such as user downtime and helpdesk spikes. The right answer will differ for every organization.
Panic is the enemy. Organizations that start now with a clear inventory, a ruthlessly prioritized migration plan, and a disciplined approach to ESU exceptions will avoid the worst of the post‑October chaos. For those who cannot migrate in time, targeted ESU purchases—activated via the cloud where possible—will keep the lights on while the real work continues. The billions loom only for those who wait.