More than 16% of Windows enterprise PCs still run Windows 10, and each one carries an average of 1,903 actively tracked vulnerabilities, according to new telemetry from asset management firm Lansweeper. That’s nearly three times the 652 vulnerabilities found on a typical Windows 11 machine. The data, published July 14 and first reported by SC Media, lands nine months after Microsoft ended mainstream support for Windows 10 on October 14, 2025.

The anatomy of a vulnerability gap

Lansweeper’s scan of millions of endpoints across its customer base shows 16.9% of Windows clients are still on Windows 10, while Windows 11 has climbed to 78.8%. Those holdover devices are not equally manufactured: 66.6% of their active CVEs are rated high or critical, and 2.4% are already known to be exploited in the wild. The exploitable-vulnerability rate is 1.7 times higher than that of Windows 11.

That raw CVE count, however, is a measure of exposure—not a verdict that Windows 10’s code is inherently three times more broken. A machine’s CVE total sums up flaws in everything installed: the OS, third-party apps, drivers, browser components, firmware, and missing application patches. A device that has missed months of general software updates will inflate the count. But the operational conclusion is unchanged. Once a supported OS receives a security fix that its predecessor lacks, attackers routinely compare the patched code with the old version to reverse-engineer the underlying flaw. That practice—patch diffing—makes every month of delayed migration more dangerous.

Microsoft’s July 2026 Patch Tuesday sharpens the picture. Windows 11 continues to absorb cumulative security updates. Standard Windows 10 22H2 installations outside Extended Security Updates (ESU) do not. The divide grows with each monthly release.

What’s keeping Windows 10 alive

The holdouts cluster where replacement is hardest. Lansweeper reports Windows 10 is most common in healthcare and pharmaceuticals (23.0% of Windows devices), consumer and retail (22.7%), and manufacturing (18.0%). These sectors run endpoints tied to laboratory instruments, point-of-sale terminals, industrial controllers, kiosks, and vendor-certified software—devices where a simple reimage isn’t an option.

But the popular narrative that ancient hardware blocks migration doesn’t hold up. Only 2.8% of the remaining Windows 10 machines fail Windows 11’s hardware requirements. In healthcare, where the Windows 10 footprint is largest, a mere 1.1% of devices are hardware-incompatible. The real barriers are application testing backlogs, vendor approvals, funding cycles, and incomplete asset inventories. What remains is a collection of deferred migration work, not a fleet of impossible-to-upgrade boxes.

Extended Security Updates: a temporary fix with fine print

Microsoft’s ESU program can provide critical patches, but only if it’s activated correctly. Consumers can receive security updates through October 13, 2026, for eligible Windows 10 22H2 systems. Commercial customers can license coverage beyond that date, while Windows 10 LTSC and LTSB editions follow separate lifecycles. However, an inventory that simply lists “Windows 10” is meaningless. Administrators must sort devices into at least four buckets:

  • Windows 10 22H2 devices enrolled in and successfully downloading ESU updates.
  • Windows 10 22H2 devices eligible for ESU but not activated, not licensed, or inconsistently patched.
  • Windows 10 LTSC/LTSB machines still supported under their own lifecycle timelines.
  • Windows 10, Windows 7, Windows 8.1, or Windows XP boxes with no applicable servicing path.

Buying ESU licenses isn’t the same as protecting endpoints. Deployment requires Windows 10 22H2 with current prerequisites, the ESU licensing preparation package, and activation of the correct key. A device that can’t reach activation services or fails to install monthly updates remains a weak point. For security teams, asset-management data must marry endpoint-management data: Windows edition, build, ESU status, last successful update, local admin exposure, network segment, application criticality, and regulatory context all matter.

Locking down what can’t be upgraded yet

For machines that cannot move immediately, practical containment is the first line of defense. Remove direct internet access. Segment them from user and server networks. Strip unnecessary local administrator rights. Restrict inbound management protocols. Enforce application allow-listing where feasible. Monitor aggressively for unusual authentication and lateral movement. A legacy endpoint should not keep the same trust relationships as a fully supported Windows 11 PC.

Organizations should also avoid treating ESU as a reason to pause planning. ESU is a bridge for systems with a verified migration path, not a permanent platform strategy. It brings selected security fixes but no feature updates, no modernized application dependencies, and no escape from the cost of maintaining a shrinking exception fleet. The Lansweeper data puts a finer point on this: nearly one-fifth (18.7%) of all monitored Windows devices already run an end-of-life OS when you include Windows 7, Windows 8.1, and Windows XP. Those older systems often live outside mainstream management entirely—in workshops, labs, warehouses, and networks that look isolated but rarely are.

The clock is ticking louder

Consumer ESU ends in October 2026. Commercial ESU may roll on, but at increasing cost and complexity. As more patches land for Windows 11, the incentives for adversaries to reverse-engineer them only grow. The easy devices have already migrated. What’s left are the invisible machines, the specialized ones, the poorly documented ones—and those are exactly the endpoints that demand the most deliberate inventory, isolation, funding, and replacement decisions before the next support cliff arrives.