The clock is ticking louder than ever for enterprises still running Windows 10. On October 14, 2025, Microsoft will pull the plug on free security updates, leaving IT leaders with three unappealing choices: pay for pricey Extended Security Updates (ESU), rush through a Windows 11 migration, or gamble with unpatched systems. New research from digital employee experience vendor Nexthink puts a jaw-dropping price tag on that crossroads—over $7.3 billion in potential Year One ESU costs for the global enterprise fleet. But diving deeper reveals a complex web of cloud exemptions, negotiated discounts, and migration realities that make the real bill far less uniform than the headline suggests.
The $7.3 Billion Shock: How Nexthink Got That Number
Nexthink built its model on a simple but powerful premise: multiply the remaining Windows 10 enterprise device pool by the official Year One ESU list price of $61 per device. They started with an estimated 1.4 billion Windows devices worldwide, assumed roughly 30% are commercial or public sector (about 420 million), and then applied market-share data and observed migration trends to whittle that down. Between mid-May and early August 2025, Nexthink recorded a 33% drop in Windows 10 device counts across its telemetry. Extrapolating that decline to the October deadline, they arrived at approximately 121 million enterprise devices still on Windows 10. Multiply by $61, and you get $7.38 billion.
It’s a valid, striking calculation—exactly the kind of shock therapy needed to focus executive minds. But it’s also a directionally accurate alarm, not a literal invoice. The figure assumes every eligible device will pay the list price, something that won’t happen in the real world of volume licensing agreements and cloud entitlements.
Why the Figure Is Both Useful and Misleading
The strength of the $7.3B headline lies in its ability to communicate scale instantly. Boardrooms notice a number that large, and it forces a conversation about migration planning. The exponential pricing model—$61 in Year One, $122 in Year Two, and $244 in Year Three, with cumulative purchases required if you join late—is deliberately punitive to push organizations toward Windows 11. That discipline is healthy.
But the model’s weaknesses matter. First, device counts are estimates, not census tallies. Market-share tools like Statcounter use sampling methodologies that can swing results by hundreds of millions of devices. A one-percentage-point change in the Windows 10 share assumption shifts the headline figure by tens of millions of dollars. Second, the $61 list price is just that: a list price. Large enterprises routinely negotiate discounts of 15–30% through volume licensing, and many have cloud entitlements that erase ESU charges entirely for virtualized workloads. Microsoft explicitly exempts Windows 10 VMs running in Windows 365, Azure Virtual Desktop, and certain Azure-hosted instances from ESU fees. Education customers get vastly reduced rates: $1, $2, and $4 across the three years.
Treat the Nexthink number as a directional warning—excellent for lighting a fire under procurement, but not a line item to quietly reserve in the budget.
The Real Cost of ESU: More Than Just a Price Tag
Beyond the per-device fee, ESU introduces hidden costs. It provides security patches only—no new features, no technical support beyond those patches, and no guarantee that third-party software vendors will continue to support Windows 10. As applications and peripherals evolve, an organization clinging to ESU may find itself locked out of upgrades or facing compatibility audits. The cumulative purchase rule adds an insidious trap: if you skip Year One and try to enroll in Year Two, you must also pay for Year One, erasing any perceived savings from delay.
Moreover, ESU doesn’t restore a full security posture. Firmware updates, driver patches, and application-level fixes remain the organization’s responsibility. For devices that handle regulated data, staying on an extended-support OS may complicate compliance with PCI DSS, HIPAA, or GDPR, even with ESU in place. Insurers are increasingly scrutinizing outdated operating systems, and some may charge higher premiums or exclude coverage for incidents on unsupported platforms.
Windows 11 Adoption Gains Ground, But Migration Isn’t Uniform
According to Statcounter, Windows 11 overtook Windows 10 globally in mid-2025, reaching 49.08% market share compared to Windows 10’s 45.53%. That’s a welcome milestone, but it masks a two-speed reality. Consumer devices and modern enterprise fleets have moved swiftly; regulated industries, healthcare, manufacturing, and specialized workstations lag. These sectors often run custom applications, industrial controllers, or lab equipment that cannot be upgraded without extensive validation. Hardware requirements like TPM 2.0 and approved CPUs lock out many older machines from in-place upgrades, forcing costly hardware refreshes.
Driver and peripheral support adds another layer. Niche devices—medical imaging controllers, factory floor serial adapters, legacy point-of-sale systems—may lack Windows 11 drivers. For these, a short ESU window is often the only viable bridge while replacements are procured and tested.
The Hidden Friction: Hardware, Drivers, and App Compatibility
Nexthink and other observers note that Windows 11 rollouts have shown higher instability in some fleets—more crashes and hard resets compared to Windows 10. The culprit isn’t necessarily the OS itself but the accumulated cruft: outdated firmware, unsigned drivers, and inconsistent deployment methods. Organizations that skip thorough pre-upgrade hygiene often pay the price in post-migration helpdesk calls.
Application compatibility is the silent budget-killer. Re-testing and sometimes re-coding line-of-business apps can consume months and hundreds of thousands of dollars. IT teams frequently underestimate this effort, assuming that because an app ran on Windows 10, it will seamlessly transition to Windows 11. That assumption fails when 16-bit components, deprecated APIs, or custom kernel drivers are involved.
The Security Calculus: Why Unsupported Windows 10 Is a Ticking Bomb
When the patch spigot turns off, threat actors pounce. Zero-day exploits proliferate quickly once attackers know the vendor won’t provide free updates. Ransomware gangs specifically target unpatched systems, and data from breach reports consistently shows that outdated operating systems are an easy entry point. Even with ESU, the security patch scope is narrower than mainstream support; organizations must maintain rigorous endpoint detection and response (EDR), network segmentation, and application allow-listing for any Windows 10 device that remains.
Compliance adds another layer. Regulators may treat an ESU-covered OS more leniently, but they still expect a clear migration roadmap. Audit findings often cite the lack of a documented end-of-life strategy as a control failure. And cybersecurity insurance carriers are increasingly asking: “What’s your plan for Windows 10?”—and pricing policies accordingly.
A Practical Playbook: What CIOs Should Do Right Now
Time is the one resource you can’t buy with ESU dollars. A structured approach over the next 90 days can dramatically reduce risk and cost:
- Days 0–14: Inventory and triage. Use SCCM, Intune, or third-party DEX tools to map every Windows 10 device, categorize it by business criticality, and flag any regulatory constraints. Identify which devices can be upgraded in place, which need hardware replacement, and which must be isolated or shifted to cloud VMs.
- Days 14–30: Financial modeling. Build a TCO model comparing ESU costs (at negotiated rates, not just list price) against the all-in cost of migration—including labor, hardware, and productivity loss. Factor in cloud exemptions for Windows 365 and Azure Virtual Desktop.
- Days 30–60: Pilot migrations. Pick three representative user groups and run real-world upgrades. Measure crash rates, app failures, helpdesk volume, and employee sentiment using DEX telemetry. Use the data to refine your rollout plan and build a business case for any necessary hardware purchases.
- Days 60–120: Execute. For each device cohort, lock in the decision: upgrade in place, replace, or move to cloud VM (with or without short-term ESU). Finalize procurement timelines and communicate the plan clearly to stakeholders.
Cost Comparison: ESU vs. Upgrade vs. Replacement
A high-level breakdown of the three main paths:
- ESU only: Year One $61/device list price, doubling each year. Devices remain on aging hardware. Cumulative costs for three years could approach $427 per device. No new hardware, but ongoing security risk and potential compliance friction.
- In-place remediation: Update firmware, drivers, and perhaps add a TPM module where possible. Variable cost, but typically $50–$150 per device in labor. Avoids CapEx but may still leave older hardware in service, and doesn’t solve app compatibility for deeply legacy software.
- Hardware replacement: New PC with Windows 11, often $800–$1,500 per unit. Eliminates ESU and future migration debt. Includes modern security features like Secured-core PC and hardware-based isolation. Best long-term TCO for most knowledge-worker fleets.
- Cloud Desktop (Windows 365/AVD): Converts CapEx to OpEx, removes local hardware constraints, and exempts VMs from ESU fees. Monthly subscription costs range from $30–$100+ per user depending on configuration. Ideal for remote work, contractors, or burst capacity but requires always-on internet and may not suit offline or high-latency use cases.
For most modern fleets, a combination of targeted hardware refreshes and cloud solutions beats a multi-year ESU spend. Specialized embedded systems may be the exception—here, a one-year ESU window coupled with aggressive isolation is often the most pragmatic path.
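The ESU arithmetic described above (the $61/$122/$244 escalator, the cumulative purchase rule for late joiners, negotiated discounts, cloud exemptions, the education tier, and the Nexthink headline multiplication) as an added worked model; this is example code, not Nexthink's or Microsoft's, and the cohort inputs, hardware unit cost and cloud monthly rate are assumptions you replace with your own numbers.

```python
"""ESU cost model: list-price escalator, late-join back-pay, discounts, exemptions."""
from dataclasses import dataclass

# Per-device list prices quoted in the article (USD); education tier likewise.
COMMERCIAL_PRICE = {1: 61.0, 2: 122.0, 3: 244.0}
EDUCATION_PRICE = {1: 1.0, 2: 2.0, 3: 4.0}


@dataclass
class Cohort:
    """A group of Windows 10 devices that share one licensing situation (assumed shape)."""
    name: str
    devices: int
    join_year: int = 1          # first ESU year actually enrolled (1..3)
    discount: float = 0.0       # negotiated volume discount, e.g. 0.2 for 20%
    cloud_exempt: bool = False  # Windows 365 / Azure Virtual Desktop VMs: no ESU fee
    education: bool = False


def esu_cost_for_year(cohort: Cohort, year: int) -> float:
    """ESU spend for one programme year, applying the cumulative-purchase rule:
    a cohort that enrols late must also buy every year it skipped."""
    if cohort.cloud_exempt or year < cohort.join_year or year > 3:
        return 0.0
    prices = EDUCATION_PRICE if cohort.education else COMMERCIAL_PRICE
    billed_years = range(1, year + 1) if year == cohort.join_year else [year]
    per_device = sum(prices[y] for y in billed_years)
    return round(cohort.devices * per_device * (1.0 - cohort.discount), 2)


def esu_total(cohort: Cohort) -> float:
    """Three-year ESU spend for the cohort."""
    return round(sum(esu_cost_for_year(cohort, y) for y in (1, 2, 3)), 2)


def headline_estimate(devices: int = 121_000_000, list_price: float = 61.0) -> float:
    """Nexthink-style Year One figure: remaining fleet x list price, no discounts."""
    return devices * list_price


def compare_paths(devices: int, hw_unit: float, cloud_monthly: float, months: int = 36) -> dict:
    """Three-year cost of each path for a cohort at list price (hw_unit and
    cloud_monthly are assumed inputs; pick values from your own quotes)."""
    return {
        "esu_only": esu_total(Cohort("esu", devices)),
        "replace": round(devices * hw_unit, 2),
        "cloud_desktop": round(devices * cloud_monthly * months, 2),
    }
```

Running `esu_total` for a cohort with `join_year=2` returns the same figure as for one that joined in Year One, which is the cumulative-purchase trap in numbers.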
Governance and Common Pitfalls
A migration of this scale demands three-way governance: CIO, CISO, and procurement must operate as a single unit. Siloed decisions—procurement buying the cheapest ESU seats while security demands immediate upgrades—create friction and balloon costs. Common mistakes include:
- Treating ESU as a long-term plan. It’s a temporary bridge, and Microsoft designed it to become painfully expensive after Year One. Long-term reliance is operationally fragile and invites audit scrutiny.
- Under-resourcing the app compatibility effort. Line-of-business applications are the top blocker in nearly every migration. Assign a dedicated testing team and budget 30–40% of your migration project cost to app remediation.
- Ignoring negotiated licensing. Cloud entitlements can slash your ESU bill to zero for eligible VMs. Engage your licensing specialist now to map every workload against Microsoft’s exemptions.
The Bottom Line: Turn Alarm Into Action
The $7.3 billion figure from Nexthink serves its purpose: it awakens executive teams to the sheer scale of the Windows 10 end-of-support problem. But the real bill for your organization will be determined by how quickly you move, how well you negotiate, and how smartly you leverage cloud alternatives. The deadline isn’t shifting, and Microsoft’s pricing escalator only gets steeper. The organizations that treat the next 90 days as a migration sprint—with inventory, modeling, pilot testing, and governance—will not only dodge a multi-million-dollar bullet but will emerge with a more secure, modern, and manageable digital estate.