On October 14, 2025, Microsoft will permanently end security updates for Windows 10, cutting off a lifeline that has kept over a billion devices patched and protected for nearly a decade. After that date, no more monthly Patch Tuesday fixes, no more zero-day defenses, and no more technical support unless you pay, migrate to the cloud, or buy new hardware. The countdown is real, and it’s forcing a reckoning for home users and enterprise IT managers alike.

At the Bangkok Post, nearly all office PCs run Windows 10 but cannot meet Windows 11’s strict TPM 2.0 and processor requirements—a dead end that echoes across millions of small businesses and home offices worldwide. “I myself have several PCs that run perfectly fine, but with Windows 11 having some hardware requirements that make them unavailable for the upgrade,” writes a staff member in a recent article. The choices are stark: upgrade what you can, buy time with extended security updates, bypass the hardware checks at your own risk, shift to the cloud, or abandon Windows altogether.

This guide unpacks every option, the real costs, and the hidden risks—drawing on official Microsoft documentation, community experience, and the practical realities revealed in the Bangkok Post’s own testing.

What “End of Support” Actually Means

The October deadline applies to all mainstream Windows 10 editions: Home, Pro, Enterprise, Education, and others. After that date:

  • No more security updates or bug fixes from Microsoft for the operating system.
  • No technical support for Windows 10 issues.
  • No compatibility guarantees for new applications or cloud services.
  • Microsoft 365 apps will continue to receive security updates for a limited transitional period, but full support ends alongside the OS.

In plain terms, every unpatched Windows 10 PC becomes a growing target for malware, ransomware, and credential theft. For regulated industries or anyone handling sensitive data, running an unsupported OS is a compliance failure. Even for home users, online banking and personal information become demonstrably more vulnerable with each month that passes after the cutoff.

Your Options at a Glance

You have five broad paths, each with trade-offs that depend on hardware, budget, and tolerance for risk.

1. Upgrade to Windows 11 (Where Possible)

Microsoft’s preferred route. Windows 11 delivers hardware-backed security—mandatory TPM 2.0, Secure Boot, and virtualization-based protections—plus productivity improvements like Snap Layouts and Copilot integration. But the hardware bar is high:

  • A compatible 64-bit processor from Microsoft’s approved list (Intel 8th Gen or newer, AMD Ryzen 2000 or newer), 4 GB RAM, 64 GB storage, UEFI firmware with Secure Boot, and TPM 2.0.
  • An internet connection and Microsoft account are required for Home edition setup.

Use the PC Health Check tool to confirm eligibility. If your device qualifies, the upgrade is free and offers full support and feature updates indefinitely. If not, you’ll need to consider other options.

2. Consumer Extended Security Updates (ESU)

For those who cannot or will not upgrade in time, Microsoft is offering a consumer ESU program that extends Critical and Important security updates for one additional year—through October 13, 2026. This is a stopgap, not a long-term fix. Enrollment is open now and offers three paths:

  • Free: Enable Windows Backup or sync your PC settings to your Microsoft account.
  • Rewards: Redeem 1,000 Microsoft Rewards points.
  • Paid: A one-time $30 USD purchase per ESU license, which can cover up to 10 devices linked to the same Microsoft account.

Important caveats:
- ESU provides security patches only; no new features, design changes, or technical support.
- You must enroll with a Microsoft account, even for the paid version—a point of friction for those who prefer local accounts.
- The coverage ends absolutely in October 2026, at which point you must migrate.

Businesses have a separate, more expensive ESU tier (see below).

3. Business Extended Security Updates

For organizations, ESU is priced per device and escalates aggressively to encourage migration:
- Year 1 (Nov 2025 – Oct 2026): $61 per device
- Year 2 (Nov 2026 – Oct 2027): $122 per device
- Year 3 (Nov 2027 – Oct 2028): $244 per device
- Total for three years: $427 per device

These updates are delivered through volume licensing programs, and the pricing intentionally makes long-term ESU more expensive than buying new hardware. For cloud-hosted Windows 10 workloads on Windows 365 or Azure Virtual Desktop, however, ESU is included at no extra cost—a crucial detail that shapes cloud migration decisions.

4. Install Windows 11 on “Incompatible” Hardware (Bypass Workarounds)

Community tools like Rufus and simple registry edits can bypass Windows 11’s TPM, Secure Boot, and CPU checks, enabling installation on many older PCs. Countless enthusiasts and budget-strapped offices have gone this route successfully. But this path carries real and often underappreciated risks:

  • Official stance: Microsoft does not recommend or support installing Windows 11 on unsupported hardware. It may deny updates or support to such devices.
  • Update reliability: Community reports on sites like Lifewire and GitHub show mixed results. Some bypassed installs receive monthly cumulative updates, but feature updates (like the annual 23H2→24H2) have been known to fail or require manual reinstallation.
  • Evolving bypass landscape: Microsoft updates can intentionally or accidentally close bypass avenues. The Rufus developer and others update their tools in a cat-and-mouse game, but there are no guarantees.
  • Weakened security: Bypassing TPM 2.0 and Secure Boot disables hardware-backed protections that Windows 11 relies on to defend against firmware attacks, ransomware, and credential theft. The OS may still run, but its security posture is diminished.

For one-off hobbyist rigs, the risk might be acceptable. For business-critical machines or systems handling sensitive data, an unsupported install is a poor compliance choice. Expect to manage updates manually and maintain a robust backup plan.

5. Buy a New PC or Use Windows 365 (Cloud PC)

A new Windows 11 or Copilot+ PC is the cleanest long-term solution—it provides full support, modern security, and access to AI-powered features. But it demands upfront capital.

Windows 365 offers an alternative: a cloud-hosted Windows desktop that streams to almost any device, including aging Windows 10 hardware. Microsoft explicitly states that Windows 10 virtual machines running on Windows 365 or Azure Virtual Desktop are entitled to ESU at no additional cost. Moreover, the endpoint device you use to connect to the Cloud PC can itself receive ESU for up to three years if you maintain an active Windows 365 subscription.

  • Pricing: Entry-level Windows 365 Business plans start around $28 per user/month (varies by configuration and region) for a basic Cloud PC with 2 vCPUs, 4 GB RAM, and 128 GB storage.
  • Upsides: Immediate access to a fully supported Windows 11 environment without replacing every desk-side PC; centralized management; predictable per-user cost.
  • Downsides: Ongoing subscription fees; dependence on reliable internet; potential latency for graphics-heavy or local peripheral tasks.

For organizations that can’t refresh hardware en masse, Windows 365 becomes a compelling bridging strategy.

6. Switch to an Alternative Operating System

Older PCs that can’t run Windows 11 can gain a second life with a lightweight Linux distribution. Linux Mint, Debian, and Manjaro are free, actively supported, and familiar enough for users accustomed to Windows interfaces. The trade-off is a learning curve and potential app compatibility gaps—Microsoft Office and Adobe Creative Suite don’t run natively, though web versions and open-source alternatives fill many needs. Switching to macOS is also an option, but it almost always involves buying Apple hardware, making it a premium-priced migration.

ESU: The Numbers, the Catch, and the Fine Print

Consumer ESU is the simplest way to buy time: $30 for one year, covering up to 10 devices on a single Microsoft account. The free enrollment via Windows Backup may be the easiest path for casual users.

Business ESU, at up to $427 over three years, is a deliberate disincentive. The doubling per year signals that Microsoft expects organizations to complete their transition within the first year. And for any device that processes personal data or is subject to regulations like GDPR, HIPAA, or PCI-DSS, remaining on an ESU-patched but eventually unsupported OS may still raise audit flags after 2026.

Crucially, ESU requires a Microsoft account for enrollment—even for business users activating via volume licensing. This has drawn criticism from privacy advocates and IT shops that have historically operated with local accounts for security or policy reasons.

The Real-World Risks of Bypassing Hardware Checks

The community’s workarounds are well documented, and many users report smooth sailing. But the ground is shifting. Microsoft has updated Windows Setup processes to make bypasses more difficult, and future cumulative updates may inadvertently or intentionally break running on unsupported configurations. The Rufus developer’s own GitHub repository reflects an ongoing battle, with users reporting that feature updates sometimes succeed and sometimes require a clean install.

Security is the more insidious risk. Without TPM 2.0, Windows cannot store cryptographic keys securely, making BitLocker less resilient and opening the door to firmware tampering. Secure Boot bypass leaves the boot chain vulnerable to rootkits. These aren’t hypothetical threats—they’re actively exploited vectors in high-profile ransomware campaigns.

If you proceed with an unsupported install, isolate that machine from critical networks, keep it fully backed up, and treat it as disposable.

Windows 365: When It Makes Sense

For businesses, the math can work. Instead of replacing a fleet of aging laptops at $600–$1,200 each, a $28/month subscription shifts spending to operating expense and delivers a secure, always-up-to-date Windows 11 desktop from the cloud. Microsoft includes ESU for both the cloud VM and the local Windows 10 endpoint, effectively giving up to three years of breathing room.

The key trade-offs: network dependency and per-user pricing can become expensive if not rightsized. But for remote and hybrid workforces already accustomed to cloud tools, Windows 365 integrates smoothly with Microsoft 365 and Intune, centralizing management and policy enforcement.

Migration Checklist: A Step-by-Step Plan

  1. Inventory every Windows 10 device – note CPU, TPM status, RAM, storage, and business role.
  2. Categorize risk and compliance impact – flag devices that access sensitive data or are bound by regulatory requirements.
  3. Test Windows 11 eligibility using PC Health Check and vendor compatibility tools for line-of-business applications.
  4. Decide per-device strategy: upgrade, ESU, Cloud PC, or OS replacement.
  5. Backup and validate recovery – image critical systems, test rollback procedures.
  6. Pilot upgrades and cloud migrations with a small user group; monitor performance and update behavior.
  7. Communicate timelines to stakeholders and end users 60–90 days before any enforced change.
  8. Execute a phased rollout with support checkpoints each step of the way.

What Microsoft Gets Right—and Where the Plan Pinches

Strengths:
- A firm, predictable end-of-life date gives enterprise IT time to budget and plan.
- A low-cost consumer ESU acknowledges the reality that millions of home users won’t replace hardware on a deadline.
- Cloud pathways (Windows 365, Azure Virtual Desktop) give organizations flexible options without a forklift hardware refresh.

Pain Points:
- The TPM 2.0 and CPU list creates an artificial cliff, retiring perfectly functional PCs that could otherwise run Windows 11 securely.
- Consumer ESU lasts only one year—helpful but intentionally short. Users who delay will still face a migration decision within 12 months.
- Requiring a Microsoft account for ESU enrollment alienates users and businesses that have deliberately avoided cloud-linked identities.
- Bypass workarounds are increasingly unreliable and carry security trade-offs that casual users may not fully grasp.

What to Do This Quarter

  • Run PC Health Check on every Windows 10 PC you care about. If it’s eligible, schedule the free Windows 11 upgrade before October.
  • If upgrading isn’t possible, enroll in consumer ESU now—free via Windows Backup or Rewards, or with the $30 purchase—to avoid a zero-day gap. Remember, you need a Microsoft account.
  • For business fleets, model the total cost of ownership: ESU tiered pricing vs. hardware refresh vs. Windows 365 subscriptions. Use pilot groups to uncover hidden costs around app compatibility and user training.
  • If you’re considering an unsupported Windows 11 install, test it thoroughly on non-critical hardware first and document a recovery plan.
  • Start your Linux or macOS evaluation today if that’s your chosen path; migrating before the deadline reduces pressure.

Don’t Wait Until the Last Patch Tuesday

October 14, 2025, is not a day of chaos—it’s a deadline that removes Microsoft’s safety net. The smartest move is to act now: inventory, decide, and pilot your migration. Whether you choose the clean upgrade, the $30 stopgap, a cloud-powered bridge, or a leap to Linux, owning the timeline puts you in control. The alternative—reacting under pressure—is how corners get cut, backups get skipped, and security gets compromised.