More than half of the world's personal computers still run Windows 10 with just weeks remaining until Microsoft halts routine security updates on October 14, 2025, according to telemetry from Kaspersky's Security Network. The security vendor's snapshot shows 53% of monitored devices on Windows 10, only 33% on Windows 11, and a troubling 8.5% still clinging to the long-expired Windows 7. Among business users, the Windows 10 stickiness is even higher—59.5% for corporate devices and 51% for small businesses. These figures, published by Technology For You, land like a thunderclap for IT teams racing against a deadline that will not budge.

But the numbers are not as monolithic as they appear. The same week Kaspersky's study surfaced, public web-analytics tracker StatCounter painted a different picture: Windows 11 at roughly 49% of desktop Windows pageviews worldwide, with Windows 10 at about 45.6%. Neither dataset is wrong, but they measure fundamentally different things. Understanding that gap—and acting on it—is what separates organizations that will sail through end-of-support from those that will scramble.

The Kaspersky snapshot: what it measures and why it matters

Kaspersky extracted anonymized operating-system metadata from consenting participants in its Kaspersky Security Network (KSN). The data reflects endpoints where Kaspersky products are installed, offering granular, device-level visibility. Because KSN telemetry includes patch levels and can segment by consumer versus business, it excels at revealing security-exposure gaps. The headline warnings are unambiguous: a majority of devices in its sample lack Windows 11, and an unnervingly large tail runs an OS—Windows 7—that stopped receiving patches in 2020.

"Migrating to a newer OS may be misguidedly perceived as an unnecessary and even disruptive action offering only minor new features, while complicating existing workflows because of interface changes," said Oleg Gorobets, Security Expert at Kaspersky. "However, from a cybersecurity point of view, a system which is not receiving security updates is like a house with a rotting fence which can be knocked down with just a single kick."

Yet KSN is not a random global sample. It skews toward regions and sectors where Kaspersky has historically held strong market share, and it only captures devices with Kaspersky software installed and telemetry consent enabled. For an enterprise with a similar footprint—say, heavy presence in Eastern Europe or certain regulated industries—the Kaspersky figures may mirror reality closely. For a North American company running a different endpoint stack, they might overstate the Windows 10 prevalence.

StatCounter versus telemetry: two lenses, two pictures

StatCounter samples browser user-agent strings across millions of pageviews to estimate OS market share. Its August 2025 data shows Windows 11 leading at ~49% and Windows 10 at ~45.6% of desktop Windows visits. The gap between these measurements and Kaspersky's 53%/33% split underscores a critical lesson: source methodology shapes every headline percentage. Web-tracking numbers reflect internet-facing consumer activity, not the dark matter of factory-floor PCs, kiosks, or locked-down corporate desktops that rarely browse the web.

Other voices in the industry corroborate the operational warning even if absolute percentages vary. Major PC makers and enterprise tool vendors have openly stated that business migration to Windows 11 will stretch deep into 2026 for many organizations. That real-world inertia validates Kaspersky's general alert: large pockets of Windows 10—and even Windows 7—persist inside corporate networks, and remediation is overdue.

Why the discrepancy demands action, not debate

For decision-makers, fixating on which dataset is "right" misses the point. The discrepancies carry four concrete risks:

  • Security posture miscalibration: If your risk model assumes a Windows 10 population near StatCounter's 45%, you may under-resource patching, monitoring, and isolation if your actual estate mirrors Kaspersky's 53% (or higher).
  • Budget and procurement gaps: Enterprise licensing negotiations and ESU purchases sized against a single web metric can leave endpoints unprotected when the real device count surfaces.
  • Operational blind spots: Vulnerability scans, app-compatibility testing, and migration waves must be scoped to your own inventory, not a global median that mixes consumer and business hardware.
  • Compliance and insurance exposure: Regulated industries face audit findings if unsupported OS counts are underreported. Cyber insurers increasingly demand evidence of migration progress.

Technical fallout after October 14, 2025

Once the cutoff passes, Windows 10 will no longer receive routine security patches. That triggers a cascade of predictable consequences:

  • Unpatched vulnerabilities: Newly discovered flaws will not get Microsoft's standard fixes. Known exploit techniques—privilege escalation, remote code execution, credential theft—become permanent openings unless ESU patches are applied.
  • Compatibility drift: ISVs will target Windows 11 APIs, leaving Windows 10 users with missing features or outright blocks as applications update.
  • Regulatory liability: Running unsupported software can violate frameworks like PCI DSS, HIPAA, and GDPR, potentially inviting fines.
  • Attack surface explosion: Historical precedent from Windows 7 and XP end-of-life events shows threat actors accelerating campaigns within days of patch cutoff, using automated tools to scan for unpatched hosts.
  • Microsoft 365 app support erosion: While Microsoft may ship limited security fixes for its productivity suite on Windows 10 for a brief window, relying on app-level patches without OS hardening is unsustainable.

Migration playbook: concrete paths forward

Organizations and home users must pick from a menu of proven strategies, often combining several:

1. Upgrade eligible devices to Windows 11

This remains the preferred long-term path. It brings hardware-enforced security (TPM 2.0, virtualization-based security), longer support lifecycles, and full compatibility with modern software. Steps include running PC Health Check, piloting on representative hardware, validating line-of-business apps, and deploying in phased waves.

2. Enroll in Extended Security Updates (ESU)

ESU is a bridge, not a destination. Commercial customers pay an escalating annual fee per device, and the program only covers critical and important rated vulnerabilities. Devices must be on Windows 10 22H2 or later. Consumer ESU options are limited; Microsoft offered a one-year extension for $30, but details and availability vary by region. ESU buys time but must be paired with an active migration plan.

3. Replace incompatible hardware

For devices that can't run Windows 11 due to missing TPM 2.0, unsupported CPUs, or insufficient memory, a hardware refresh is inevitable. Trade-in programs can offset costs and reduce e-waste.

4. Switch to an alternative OS

Linux distributions (Ubuntu LTS, Linux Mint, etc.) can give old hardware a secure second life at zero licensing cost. Application compatibility, user retraining, and management tooling remain significant hurdles.

5. Virtualize legacy Windows 10 workloads

Windows 365 or Azure Virtual Desktop can host critical legacy applications in a patched, cloud-isolated environment while endpoints migrate. This approach reduces immediate exposure and simplifies app compatibility handling.

6. Network isolation and microsegmentation

For endpoints that cannot be upgraded or enrolled in ESU, strict network segmentation, application allow-listing, and removal of internet access are last-line mitigations. These reduce lateral movement risk but do not eliminate host-level vulnerabilities.

A security-first migration plan for IT teams

Successful enterprises follow a structured, risk-prioritized approach:

  1. Inventory everything: Discover every Windows 10 and Windows 7 endpoint, including shadow IT, IoT devices, and operational technology. Classify by data sensitivity and business criticality.
  2. Compatibility testing: Use Microsoft's App Assure, the Readiness Toolkit, or third-party suites to map application dependencies. Build a remediation matrix.
  3. Risk triage: Migrate internet-facing and high-privilege devices first. Apply compensating controls (EDR, MFA, network segmentation) to low-priority stragglers.
  4. Budget and procure: Layer ESU costs into procurement cycles; negotiate as part of broader enterprise agreements. Plan hardware refresh waves in alignment with depreciation schedules.
  5. Pilot, iterate, scale: Run a cross-functional pilot, document rollback procedures, and create end-user communication scripts. Then expand in waves, monitoring deployment health.
  6. Post-migration validation: Confirm endpoint protection agents, backup integrity, and compliance posture before decommissioning old hardware.
  7. Secure decommissioning: Wipe or destroy retired drives to prevent data leakage.

Cost, risk, and governance: what the board must hear

Leaders often underestimate the real cost of inaction. A single ransomware incident on an unpatched Windows 10 server can dwarf years of ESU licensing fees. Key governance points:

  • ESU is not free: Year-one commercial pricing is typically around 50% of the full Windows licensing cost per device, doubling each subsequent year. It's a budget line item, not a strategy.
  • Board reporting: Risk committees need visibility into migration progress, ESU spending, and exceptions. Environmental impact of large-scale hardware refreshes should be part of the conversation.
  • Insurance alignment: Many cyber policies now require supported OS versions. Lying on a renewal application about Windows 10 sunsets could void coverage.
  • Procurement leverage: Negotiate ESU pricing in conjunction with Microsoft 365 renewals or Azure commits to flatten cost curves.

Attack landscape after October 14: what to expect

Threat actors follow a well-worn playbook after EOL dates:

  • Researchers disclose vulnerabilities that affect Windows 10 but not Windows 11.
  • PoC exploits appear within days, weaponized attacks shortly after.
  • Mass scanning tools target unpatched services (SMB, RDP, print spooler) on legacy OS versions.
  • Ransomware groups pivot to exploit known EOL attack paths, often targeting healthcare, manufacturing, and government.

Layered defenses become paramount: modern EDR with exploit prevention, network traffic analysis, hardened identity with MFA, and aggressive patch management for everything except the OS itself. But these controls only reduce risk—they cannot replace OS-level security updates.

Kaspersky's dataset: strengths and limits

When using the 53% figure, treat it as a powerful but imperfect signal.

Strengths:
- Endpoint-level detail with business/consumer segmentation.
- Direct insight into patching gaps among security-conscious users.
- Timely warning aligned with other industry migration signals.

Limits:
- Not a randomized global sample—overrepresents regions and verticals where Kaspersky is strong.
- Excludes devices that do not run Kaspersky software, particularly those with competing endpoint suites.
- Should not be directly compared to web-traffic trackers without adjusting for methodology.

Smart organizations cross-reference KSN-style telemetry with their own device inventories, web analytics, and network scans to build a complete picture.

Bottom line and immediate priorities

The calendar is the only non-negotiable variable. October 14, 2025, is a hard stop for routine Windows 10 security updates. Kaspersky's data—whether exactly 53% or directionally similar—makes the operational urgency impossible to ignore. Large numbers of business systems still run Windows 10, and a smaller but catastrophic subset still runs Windows 7. The clock is not ticking; it is chiming.

Every IT and security leader must: inventory every endpoint immediately; test compatibility and choose upgrade, ESU, or replacement paths; allocate budget now; and deploy layered defenses for the transition period. The cost of measured action is a fraction of the potential cost of a breach on an unsupported OS. The work that prevents the headline regrets must start—and finish—before the calendar forces the decision.