A staggering $7.3 billion. That's the headline figure Nexthink projected as the first-year cost for enterprises stubbornly clinging to Windows 10 after its October 14, 2025 end-of-support date. Multiply an estimated 121 million still-active Windows 10 PCs by Microsoft's $61-per-device Extended Security Update (ESU) list price, and the arithmetic seems straightforward. But behind that alarm-bell number lies a far more complex calculus—one that demands IT leaders weigh hardware readiness, application compatibility, migration labor, and security risk against the ticking clock of cumulative, doubling annual fees.

Microsoft will stop all quality and security updates, as well as official technical support, for Windows 10 on October 14, 2025. The only official lifeline is the ESU program, which for commercial customers costs $61 per device in Year One, doubles in Year Two, and doubles again in Year Three. Payments are cumulative—if you join late, you pay for all prior years. For consumers, a one-year option exists at $30, or free through certain limited pathways. But for enterprises, the bill can quickly balloon into a nine-figure line item, making migration timing not just a technical decision, but a financial imperative.

The math that produced a billion-dollar warning

Nexthink based its estimate on StatCounter's August 2025 snapshot showing Windows 10 still held 45.6% of the worldwide Windows install base, compared to Windows 11's 49%. Applying that share to a modeled total device count yielded the 121-million machine figure. Multiplying by $61 gives roughly $7.38 billion, which was rounded to $7.3 billion in industry headlines. That calculation, however, is a directional economic signal, not a precise invoice. Several critical caveats apply:

  • It assumes every device is commercial. Consumer and small-business devices might qualify for lower-cost or free alternatives, reducing the aggregate spend.
  • It ignores volume pricing. Enterprises with Microsoft agreements often negotiate discounts on ESU or receive inclusions through cloud bundles. Microsoft exempts Windows 10 virtual machines running in Windows 365, Azure Virtual Desktop, and certain other Azure services from additional ESU charges entirely.
  • The device count is an estimate. StatCounter's data reflects web traffic patterns, not an asset registry. Different telemetry pools yield different totals; even a 5% swing in the population assumption changes the dollar figure by hundreds of millions.

Moreover, the $61 cost covers only the first year. If an organization delays migration by two or three years, the per-device cost escalates rapidly. A device enrolled in all three years would cost $61 + $122 + $244 = $427 total, seven times the first-year fee. That steep penalty is designed to push enterprises toward upgrading rather than renting legacy support indefinitely.

What ESU actually buys—and what it doesn't

ESU provides critical and important security updates, but nothing else. No non-security bug fixes, no new features, and no general technical support. If an ESU update causes a regression in a line-of-business application, customers must troubleshoot it themselves or pay for separate support incidents. The coverage is also version-gated: only Windows 10 version 22H2 qualifies. Devices still running 21H2 or earlier must be upgraded to that baseline first, adding a preparatory step.

These limitations can erode the apparent value of ESU in highly regulated or complex environments. For example, a healthcare provider with HIPAA obligations might find that running an OS on minimal security patches—without full vendor backing—invites auditor scrutiny and requires expensive compensating controls. Similarly, a manufacturer with legacy industrial control applications may face driver incompatibilities that only a fully supported Windows 11 deployment, or virtualization, can resolve. ESU buys time, but it does not buy peace of mind.

The Windows 11 migration: pain points and progress

IT teams are caught between the cost of inaction and the friction of change. Nexthink's own digital employee experience (DEX) telemetry reveals that Windows 11 migrations have experienced teething problems: in measured samples, Windows 11 devices showed twice the rate of system crashes and more hard resets compared to Windows 10. Independent reports throughout late 2024 and 2025 corroborate instability episodes tied to specific feature updates (such as 24H2), driver conflicts, USB malfunctions, and anti-cheat software incompatibilities.

Yet Nexthink DEX Strategist Tim Flower cautions against blaming the OS alone. “Every migration comes with teething problems, and what we’re seeing with Windows 11 is no different,” Flower told TechRadar. “Often it’s not Windows 11 itself causing the issues, but the underlying hardware, drivers or the way systems are deployed.” This nuance matters: a rushed, poorly tested deployment will generate support tickets regardless of platform maturity, whereas a carefully staged rollout can avoid most pitfalls.

The key is telemetry-driven pilot programs. By running representative hardware and application mixes under full DEX monitoring, organizations can distinguish OS bugs from driver flaws, build reproducible remediation playbooks, and gain confidence before scaling. Flower’s advice—check hardware readiness, verify application compatibility, and educate workers—is the bedrock of any successful migration.

Comparing the real costs: ESU vs. migration vs. containment

A single ESU year-one fee of $61 per device may seem cheaper than replacing a fleet of aging laptops, but that narrow view misses three other cost buckets:

  • Hardware refresh or retrofit: Windows 11 requires TPM 2.0, Secure Boot, and compatible CPUs. Many older machines lack these capabilities entirely; retrofitting is rarely feasible, forcing a capital purchase. Even modern devices may need firmware updates and driver package validation.
  • Migration labor and project costs: Testing, packaging, deployment, rollback planning, and user training consume significant IT hours. Automation tools (Intune, Windows Autopatch) can reduce this, but the initial investment is non-trivial.
  • Risk and mitigation costs: Running an unsupported OS without ESU heightens cyber risk, potentially leading to breach costs, compliance fines, and higher insurance premiums. If you choose ESU but delay modernization, you still carry the operational overhead of managing a heterogeneous environment.

For a concrete comparison, consider a 10,000-device fleet. Year-one ESU would cost $610,000. A full hardware refresh at $1,000 per device (for, say, 30% incompatible machines) runs $3,000,000, but it eliminates future ESU fees and puts the organization on a supported platform for years. If migration labor adds $200 per device, the total one-time project might reach $5,000,000. Spread over three years, that’s $1.67 million annually, versus $427 in ESU fees per device for three years ($4.27 million for 10,000 devices) plus ongoing operational drag. The break-even depends on fleet age, app compatibility, and how quickly you can retire legacy hardware.

Cloud remediation adds a third dimension. Moving Windows 10 workloads to Windows 365 or Azure Virtual Desktop not only extends ESU coverage at no extra license cost but also shifts hardware risk to the cloud provider. However, it introduces monthly per-user fees and demands robust connectivity. Many organizations adopt a hybrid: migrate standard users to Windows 11 on modern hardware while isolating specialist legacy apps in virtual machines or dedicated, contained physical endpoints.

A prioritized action plan for IT leaders

1. Immediate: Inventory and categorize
- Scan every Windows 10 device for hardware readiness (TPM 2.0, CPU, Secure Boot) and current OS version. Devices not on 22H2 must be upgraded before ESU enrollment.
- Classify by role: mission-critical, line-of-business, kiosk, lab, or general productivity.

2. Short-term: Triage applications and pilot migration
- Identify the top 100 apps by user impact and validate vendor support on Windows 11. For those that fail, explore containerization, virtualization, or replacement.
- Run small, diverse pilot groups with full DEX telemetry to surface driver or compatibility issues early.

3. Mid-term: Execute phased migration
- Automate imaging and driver management. Validate OEM driver packages for your specific hardware models before broad deployment.
- Roll out in waves aligned to business units and maintenance windows. Prepare user communications and quick-start guides focused on UI changes.

4. For constrained systems: Use targeted ESU or isolation
- Purchase ESU for a defined, small subset that cannot migrate now—but commit to a hard timeline. Avoid open-ended reliance.
- For highly sensitive legacy systems, consider network segmentation, limited user rights, and enhanced EDR as compensating controls.

5. Long-term modernization
- Where possible, pivot to cloud entitlements (Windows 365/Azure Virtual Desktop) for remaining Windows 10 workloads to neutralize hardware and ESU costs.
- Sunset unsupported devices on a strict schedule; align ESU renewal dates with migration phases to avoid surprise multi-year charges.
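
The inventory triage from step 1 and the cumulative ESU pricing described earlier can be combined into one fleet report. The sketch below is an added example, not Nexthink or Microsoft tooling; the CSV column names, hostnames, path labels and exit plan are hypothetical, and the export is assumed to contain only Windows 10 devices.

```python
import csv
import io

ESU_BASELINE_BUILD = 19045                 # Windows 10 22H2, the only ESU-eligible release
ESU_LIST_PRICE = {1: 61, 2: 122, 3: 244}   # commercial per-device price by ESU year (from the article)

# Constructed sample export; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """hostname,os_build,tpm_version,secure_boot,cpu_supported,role
FIN-LT-001,19045,2.0,true,true,general
FIN-LT-002,19044,2.0,true,true,general
LAB-PC-014,19045,1.2,false,false,lab
KIOSK-03,19042,,false,false,kiosk
HR-LT-210,19045,2.0,false,true,line-of-business
ENG-WS-077,19045,2.0,false,true,mission-critical
"""

def triage(row):
    """Classify one device: Windows 11 path and ESU enrollment status."""
    tpm2 = row["tpm_version"].strip().startswith("2.")
    cpu_ok = row["cpu_supported"].strip().lower() == "true"
    secure_boot = row["secure_boot"].strip().lower() == "true"
    path = "upgrade-now"
    if not (tpm2 and cpu_ok):
        path = "replace-or-isolate"        # hardware cannot meet Windows 11 requirements
    elif not secure_boot:
        path = "fix-firmware"              # assumption: Secure Boot is off but can be enabled
    esu = "eligible" if int(row["os_build"]) == ESU_BASELINE_BUILD else "needs-22H2"
    return path, esu

def esu_cost_through(last_year):
    """Per-device ESU cost for coverage through `last_year` (0 = none).
    Earlier years are always billed, so enrolling late does not reduce it."""
    return sum(ESU_LIST_PRICE[y] for y in range(1, last_year + 1))

def plan(inventory_csv, last_esu_year_by_path):
    """Return per-device report rows and the total ESU bill for an exit plan."""
    report, total = [], 0
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        path, esu = triage(row)
        cost = esu_cost_through(last_esu_year_by_path[path])
        report.append((row["hostname"], row["role"], path, esu, cost))
        total += cost
    return report, total

# Hypothetical exit plan: the last ESU year each path is allowed to consume.
EXIT_PLAN = {"upgrade-now": 0, "fix-firmware": 1, "replace-or-isolate": 2}

if __name__ == "__main__":
    rows, total = plan(SAMPLE_INVENTORY, EXIT_PLAN)
    print(*rows, f"ESU total: ${total}", sep="\n")
```

Devices flagged needs-22H2 have to reach the 22H2 baseline before they can enroll, so they belong at the front of the remediation queue whichever path they are on.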

The unvarnished risk outlook

An unsupported Windows 10 machine is a magnet for attackers. Publicly disclosed vulnerabilities post-October 2025 will have no official patches, leaving systems exposed to drive-by exploits and ransomware. For organizations bound by PCI DSS, HIPAA, or similar frameworks, running an unsupported OS can directly violate contractual or regulatory requirements, triggering audits or breach notifications.

Even with ESU, the security posture remains weaker than a fully supported release. Critical-rated patches will arrive, but optional non-security fixes that harden the OS against novel attack patterns are absent. Moreover, the absence of general support means any incident response will be slower and more costly. These hidden risks often dwarf the visible license fees.

Why the $7.3 billion figure is just a starting point

Headline totals treat the enterprise fleet as a monolith. In reality, a multinational with 50,000 devices might have thousands that already run Windows 11, thousands eligible for free cloud-based ESU, and thousands so old they must be replaced regardless of OS strategy. The actual cash outlay for ESU could be half the headline estimate—or double if migration stalls and year-three pricing kicks in. IT leaders must reconcile external market statistics with their own asset inventories. StatCounter’s 45.6% share is a useful trend indicator, but it’s no substitute for a real-world device audit.

Stability metrics likewise require context. The crash-rate spike attributed to Windows 11 was often linked to specific hardware combinations or early feature updates. Organizations that invest in rigorous pilot testing and vendor coordination consistently report deployment outcomes far better than the worst-case headlines suggest. As Flower noted, the OS is rarely the sole culprit.

A measured verdict: don't pay the billion-dollar tab—plan around it

Staying on Windows 10 without a plan is the one option guaranteed to waste money and increase risk. Paying the full $7.3 billion collective tab by passively renewing ESU year after year is a poor strategy for most. The winning approach is nuanced: use ESU as a short-term bridge for the most problematic devices while aggressively migrating the majority to Windows 11. Layer in cloud virtualization to absorb legacy application friction and eliminate hardware dependencies.

The organizations that will thrive are those that treat the October 2025 deadline as a catalyst for broader endpoint modernization—combining hardware refresh cycles, application rationalization, and management automation into one coherent program. In that light, the $7.3 billion alarm isn't a bill you must pay, but a cost you can avoid with deliberate, data-driven action.