End of Support for Windows 10: Implications for Security, Compliance, and Risk Management
- MB Security
On 14 October 2025 Microsoft will officially end free support for Windows 10. This apparently routine lifecycle milestone has morphed into a global security event. According to market‑share data reported by Forbes, Windows 10 still powers about 41 % of all personal computers—roughly 600 million machines. Up to 400 million of these devices cannot upgrade to Windows 11 because of hardware restrictions. When free security updates cease, those systems will remain in operation but will no longer receive patches or technical assistance. Consumer advocacy groups warn that this creates “open doors” for ransomware gangs and other malicious actors. The sheer scale of the problem—far larger than previous Windows retirements—requires organizations and individuals to assess risk, plan remediation and consider broader policy implications. This essay explores the technical, regulatory, and strategic dimensions of the Windows 10 end‑of‑support deadline, situating it within evolving data‑privacy legislation and offering guidance for stakeholders across the security ecosystem.
Understanding the End‑of‑Support Landscape
The scope of the problem
Market‑analysis firm StatCounter shows that Windows 10 still runs on more than four in ten PCs. Forbes journalist Zak Doffman notes that this represents almost 600 million devices, many of which are older and cannot meet Windows 11’s stringent hardware requirements. Past transitions were far smoother: when Microsoft ended support for Windows 8 and 8.1, only about 3.7 % and 2.2 % of users were still running the outgoing systems. This time, the high adoption of Windows 10, combined with hardware hurdles, means that hundreds of millions of devices will become “orphaned” overnight.
Advocacy organizations have warned about both security and environmental consequences. The Public Interest Research Group (PIRG) predicts a “staggering” amount of e‑waste if users discard functional but unsupported machines. With no updates, vulnerabilities that would normally be patched could remain exploitable indefinitely, giving ransomware gangs and other cybercriminals a massive new attack surface. Consumer surveys indicate that about 26 % of Windows 10 users plan to continue using the operating system after support ends, while another 40 % have no upgrade plan. This reluctance reflects cost concerns, hardware limitations and confusion about alternatives. The result is a perfect storm: millions of machines will continue connecting to networks—corporate and personal—without up‑to‑date defenses.
Official guidance
Microsoft’s official support page confirms that after 14 October 2025, Windows 10 will no longer receive technical assistance, feature updates or security fixes. The company recommends three options: (1) upgrading existing PCs to Windows 11 if they meet minimum requirements, (2) purchasing new PCs with Windows 11 pre‑installed, or (3) enrolling in the Extended Security Updates (ESU) program to receive paid (or in some regions free) patches for up to one additional year. Microsoft emphasizes that running Windows 10 without updates will leave systems at greater risk of malware and recommends replacing devices that cannot be updated. The guidance also notes that Microsoft 365 applications will end support on Windows 10 alongside the operating system, further encouraging users to migrate.
Consumer‑oriented guides provide additional perspective. A Guardian explainer describes how after support ends, Windows 10 computers will still function but will steadily become more vulnerable to viruses and malware. The article warns that users who do nothing will expose themselves to cyber‑attacks, data theft and scams. It recommends upgrading to Windows 11 if hardware allows or enrolling in the one‑year ESU program, which is free for users who sign in with a Microsoft account but costs $30 (plus tax) otherwise. The guide also suggests alternative operating systems, such as Linux or ChromeOS, for computers that cannot run Windows 11. These alternatives require technical adjustments and may not support all Windows applications, but they illustrate that users have options beyond simply purchasing new hardware.
The security implications
When Microsoft stops issuing security fixes, attackers gain a persistent advantage. Vulnerabilities discovered and exploited after the deadline will never be patched on Windows 10, effectively turning every unpatched device into a standing target. Attackers often reverse‑engineer patches released for supported systems to identify underlying vulnerabilities, then weaponize them against unpatched older versions. Therefore, Windows 10 systems will quickly accumulate a backlog of known vulnerabilities without recourse. The Forbes analysis quotes PIRG’s warning: “When there are no more updates, quickly addressed exploits become open doors,” inviting ransomware gangs to exploit millions of unpatched endpoints. Because so many machines remain, attackers can invest in bespoke exploits with high ROI.
The Guardian adds that criminals will be “particularly attracted to wide‑scale systemic weaknesses”. Lisa Barber of Which? Tech magazine cautions that continuing to use Windows 10 after support ends will put users at risk of cyber‑attacks, data theft and scams. Attackers may also leverage unsupported Windows 10 devices as initial footholds for larger network compromises, moving laterally to compromise upgraded systems. Networks containing both upgraded and legacy systems are especially vulnerable if segmentation is weak.
Risk and Compliance Implications for Organizations
Organizations face a dual challenge: they must protect their own infrastructure and remain compliant with evolving data‑protection and cyber‑security regulations. Unsupported operating systems can violate industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), which requires that all system components and software be protected from known vulnerabilities. Similarly, frameworks like the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) and ISO/IEC 27001 emphasize the need for timely patching and vulnerability management. Continuing to use an operating system without security updates undermines these principles.
Regulatory exposure
Data‑protection laws worldwide impose specific security obligations. The European Union’s General Data Protection Regulation (GDPR) requires controllers and processors to implement “appropriate technical and organizational measures” to ensure a level of security appropriate to risk. Failing to upgrade from Windows 10 could be interpreted as negligence if a breach results from an unpatched vulnerability. In the United States, state laws such as the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), similarly mandate reasonable security practices. The new privacy legislation passed in California’s 2025 legislative session further tightens these expectations. For example, AB 566 (the Opt Me Out Act) requires browsers to include settings that allow users to send opt‑out preference signals to businesses. Businesses that fail to honor such signals may face enforcement actions. To implement these features, companies must ensure that their systems—including browsers running on endpoints—are capable of supporting new privacy technologies. Running outdated operating systems could impede compliance.
Another California bill, AB 656, requires social‑media companies to make account cancellations straightforward and ensure that deletion triggers full removal of personal data. This underscores a broader trend toward user control and data minimization. A third measure, SB 361, expands obligations for data brokers to disclose whether they collect sensitive personal information and whether they share it with foreign actors or AI developers. Taken together, these laws highlight the increasing overlap between privacy rights and cyber‑security controls. Unsupported systems that cannot accommodate new compliance features may create legal liabilities.
Supply chain and third‑party risk
Organizations rarely operate in isolation. Many rely on vendors, contractors, or critical infrastructure providers whose systems may include Windows 10 devices. Third‑party risk management programs must identify and assess such dependencies. Because the ESU program may not be available in all regions, international suppliers could remain vulnerable. Contracts should require vendors to maintain supported software versions or implement compensating controls. For example, network segmentation, endpoint isolation, and regular vulnerability assessments can reduce exposure if upgrading is not immediately feasible.
The end‑of‑support also intersects with physical security. Industrial control systems, building automation, and surveillance equipment often run embedded versions of Windows or rely on PC‑based management consoles. Failure to upgrade these systems can create cyber‑physical vulnerabilities that allow attackers to disrupt HVAC systems, access control, or surveillance feeds. Organizations engaged in commercial construction security or physical security solutions must evaluate whether legacy Windows 10 systems underpin their operations and plan for replacements or isolation.
Disaster preparedness and response
From a disaster‑preparedness perspective, unsupported systems increase the probability and impact of cyber incidents. Risk assessments should consider not only the likelihood of exploitation but also the potential for cascading failures. For example, a ransomware attack on a legacy Windows 10 workstation could spread to shared drives, backup servers and physical systems. Recovery may be more difficult if older devices cannot run modern recovery tools. Disaster response plans should therefore include detailed procedures for isolating or decommissioning Windows 10 devices, restoring data from unaffected backups, and communicating with regulators and stakeholders. Organizations that handle critical functions—such as healthcare, finance or public utilities—must ensure business continuity by proactively mitigating these risks.
Strategies for Mitigation
Addressing the Windows 10 end‑of‑support challenge requires a multi‑pronged approach combining technical measures, process improvements and strategic planning.
Asset inventory and risk assessment
Organizations should begin by creating a comprehensive inventory of all Windows 10 devices across their environment, including servers, desktops, laptops and embedded systems. For each asset, teams should assess whether it is eligible for Windows 11, whether hardware upgrades (e.g., adding TPM 2.0) are possible, and whether replacement is feasible. This analysis should consider not only direct costs but also the indirect costs of downtime, productivity and training. Devices that cannot be upgraded or replaced should be flagged for compensating controls.
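As an added example (not from the original article), the following PowerShell script performs the per-device part of that assessment on one endpoint: it identifies whether the machine is still on Windows 10, checks it against Microsoft's published Windows 11 minimums (TPM 2.0, UEFI Secure Boot, 4 GB RAM, 64 GB system disk, 64-bit CPU), measures patch currency, and emits a record that can be collected into the inventory. It assumes it is run elevated in Windows PowerShell 5.1 or later; the 60-day staleness threshold is an assumption, and the end-of-support and ESU dates are the ones the article states.

```powershell
# Added example: assess one Windows endpoint for Windows 10 end-of-support exposure
# and Windows 11 eligibility. Run as administrator on the target machine.
$eol       = Get-Date '2025-10-14'   # Windows 10 end of free support (from the article)
$esuEnd    = Get-Date '2026-10-13'   # end of the one-year consumer/SMB ESU window (from the article)
$staleDays = 60                      # assumption: flag devices with no update installed in 60 days

$os   = Get-CimInstance Win32_OperatingSystem
$cs   = Get-CimInstance Win32_ComputerSystem
$cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

# TPM 2.0: Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16"; no class instance means no TPM exposed.
$tpm   = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -match '^2\.0')

# Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not capable".
try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
catch { $secureBoot = $false }

# Windows 11 builds start at 22000; anything below that reporting "Windows 10" is in scope.
$isWin10 = ($os.Caption -like '*Windows 10*') -and ([int]$os.BuildNumber -lt 22000)
$ramGB   = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$diskGB  = [math]::Round($disk.Size / 1GB, 1)
$x64     = $cpu.AddressWidth -eq 64

# Most recently installed update, used as a proxy for patch currency.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSincePatch = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { $null }

$eligible = $tpm20 -and $secureBoot -and ($ramGB -ge 4) -and ($diskGB -ge 64) -and $x64

# Decision logic mirrors the article's options: upgrade, ESU as a stopgap, or isolate/replace.
$action = 'Unsupported and past ESU: isolate or replace; apply compensating controls'
if (-not $isWin10)              { $action = 'Not Windows 10: no action required' }
elseif ($eligible)              { $action = 'Upgrade to Windows 11 (free for eligible PCs)' }
elseif ((Get-Date) -lt $esuEnd) { $action = "Enroll in ESU; replace before $($esuEnd.ToString('yyyy-MM-dd'))" }

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    OS                = $os.Caption
    Build             = $os.BuildNumber
    IsWindows10       = $isWin10
    PastEndOfSupport  = (Get-Date) -ge $eol
    TPM20             = $tpm20
    SecureBoot        = $secureBoot
    RAM_GB            = $ramGB
    SystemDisk_GB     = $diskGB
    CPU64bit          = $x64
    Win11Eligible     = $eligible
    DaysSincePatch    = $daysSincePatch
    PatchStale        = ($null -eq $daysSincePatch) -or ($daysSincePatch -gt $staleDays)
    RecommendedAction = $action
}
```

Pipe the output object to `Export-Csv -Append` from each host (for example via a remote session or a scheduled task) to build the fleet-wide inventory the section describes.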
Migration and modernization
For devices that meet the requirements, upgrading to Windows 11 is the most straightforward solution. Microsoft notes that upgrading is free for eligible PCs and provides instructions to check eligibility via Windows Update. Purchasing new hardware may be necessary for systems that lack required components such as TPM 2.0. Modernization offers additional benefits beyond security: Windows 11 includes built‑in protections like virtualization‑based security and stricter driver signing; it also supports new productivity features and improved performance. When replacing hardware, organizations should consider energy‑efficient devices and trade‑in programs to mitigate e‑waste.
Extended Security Updates (ESU)
For devices that cannot be immediately upgraded, Microsoft’s ESU program offers temporary relief. This program provides security updates for one year after the end‑of‑support date. Some users may qualify for free ESU if they log into Windows 10 with a Microsoft account, while others must pay a fee. Organizations should weigh this cost against the risk of running unsupported systems. ESU buys time to plan and execute migration but should not be viewed as a long‑term solution. Since ESU is limited to one year for consumers and small businesses, organizations must have a roadmap for completing upgrades or replacements before 13 October 2026.
Compensating controls
When upgrading is not possible—such as for specialized industrial systems or legacy equipment—compensating controls can reduce risk. These measures include:
- Network segmentation: Isolate Windows 10 devices on separate VLANs or subnets, restricting their communication to essential services. This limits lateral movement if a device is compromised.
- Application whitelisting: Use tools to restrict the execution of unauthorized software, reducing the attack surface.
- Intrusion detection and endpoint detection and response (EDR): Deploy monitoring solutions that can detect and contain suspicious activity on legacy devices.
- Principle of least privilege: Ensure users and processes running on Windows 10 systems have only the minimum permissions necessary.
- Virtualization and containerization: Where feasible, run Windows 10 in a virtual machine or container with strict access controls, allowing for rapid rollback in case of infection.
These controls cannot fully replace security patches, but they can mitigate risk while migration plans are implemented.
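The segmentation control above can be enforced at the host as well as at the switch. As an added example (not from the original article), this PowerShell script applies a default-deny Windows Defender Firewall baseline to a Windows 10 device that cannot yet be upgraded, allowing traffic only to the organisation's identity, update and EDR servers; the server addresses are placeholders, and it assumes it is run elevated.

```powershell
# Added example: host-firewall segmentation baseline for a legacy Windows 10 device.
# Run as administrator. All addresses are placeholders for your own infrastructure.
$coreServers = @('10.0.10.5', '10.0.10.6')   # placeholder: domain controllers / DNS
$updateSrv   = @('10.0.10.20')               # placeholder: WSUS server delivering ESU patches
$edrServers  = @('10.0.20.10')               # placeholder: EDR / log collector
$prefix      = 'Win10-Legacy'

# Remove rules from a previous run so the script is idempotent.
Get-NetFirewallRule -DisplayName "$prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 1. Default deny in both directions on every profile, with blocked traffic logged
#    so the EDR/SIEM can see connection attempts from the legacy host.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True

# 2. Explicitly block inbound SMB, RDP and WinRM. In Windows Firewall an explicit
#    block rule wins over any allow rule, so these stay closed even if another
#    policy later opens them.
New-NetFirewallRule -DisplayName "$prefix Block inbound SMB/RDP/WinRM" -Direction Inbound `
    -Protocol TCP -LocalPort 445,3389,5985,5986 -Action Block -Profile Any

# 3. Outbound allow-list: identity/DNS, patch delivery, EDR telemetry only.
New-NetFirewallRule -DisplayName "$prefix Allow outbound core servers" -Direction Outbound `
    -RemoteAddress $coreServers -Action Allow -Profile Any
New-NetFirewallRule -DisplayName "$prefix Allow outbound WSUS" -Direction Outbound `
    -RemoteAddress $updateSrv -Protocol TCP -RemotePort 8530,8531 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName "$prefix Allow outbound EDR" -Direction Outbound `
    -RemoteAddress $edrServers -Protocol TCP -RemotePort 443 -Action Allow -Profile Any

# 4. Inbound allow-list: only the EDR/management hosts may initiate connections.
New-NetFirewallRule -DisplayName "$prefix Allow inbound from EDR" -Direction Inbound `
    -RemoteAddress $edrServers -Action Allow -Profile Any

# 5. Verify what the baseline created.
Get-NetFirewallRule -DisplayName "$prefix*" |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
```

Because outbound is default-deny, any additional service the device legitimately needs (line-of-business servers, printers) must be added as a further allow rule; review the firewall log at `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log` before and after deployment to catch what was missed.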
Alternative operating systems
If Windows 11 is not an option, Linux distributions such as Ubuntu offer a secure, supported alternative. Linux provides regular security updates and can run on older hardware. However, organizations must test compatibility with existing applications and train staff on the new environment. ChromeOS Flex is another alternative for workloads primarily conducted through the browser. Both options require careful data migration and user support.
Policy and compliance integration
Upgrades should be accompanied by policy updates and training. Organizations should revise security policies to reflect the new operating environment, enforce regular patch management and align with frameworks like NIST CSF or ISO 27001. They should also ensure compliance with emerging privacy laws. For instance, browsers used within the organization must support opt‑out preference signals by 2027 to comply with California’s AB 566. Data-deletion workflows should be reviewed to ensure that account cancellations trigger deletion in line with AB 656. Contracts with data brokers and third parties should require disclosure of personal information collection practices and foreign data-sharing as mandated by SB 361.
Organizations working with federal, state, local, and tribal governments should monitor public-sector compliance requirements and potential regulatory carve‑outs. For example, certain European users may receive ESU coverage due to legal mandates. Governments may also issue guidance or funding for upgrading essential services.
Broader Implications: Privacy, AI and Security Convergence
The Windows 10 deadline coincides with a broader trend of convergence between cyber‑security, privacy, and artificial intelligence (AI) policy. California’s 2025 legislative package, which includes 14 privacy and AI‑related bills, exemplifies how jurisdictions are responding to technological advances. The Opt Me Out Act (AB 566) requires browsers to include a user-configurable setting to send a universal opt-out signal, shifting the burden of data‑broker opt-out from individuals to technology. Social media account cancellation law AB 656 ensures that deleting an account also deletes user data. SB 361 tightens oversight of data brokers, requiring them to disclose whether they collect and sell sensitive information or share data with foreign actors or developers of generative AI models.
These laws will shape the risk landscape for years to come. Companies that rely on outdated software may find themselves unable to support new privacy controls. For example, implementing a browser-level opt‑out signal may require updated browsers or OS features. Similarly, data‑deletion workflows must integrate with operating systems and cloud services to ensure complete removal. Legacy systems can impede these efforts.
AI also complicates the risk picture. Organizations are increasingly deploying AI-powered security tools while adversaries use AI for automated attacks, phishing and deepfakes. Running unsupported operating systems could hamper the deployment of AI-driven defenses. Additionally, AI regulation—such as mandated transparency and bias audits—requires computing environments that can support monitoring and reporting tools. Upgrading to modern systems thus becomes an enabler not only of security but also of privacy and AI compliance.
Conclusion
The retirement of Windows 10 is more than a routine software transition; it is a security inflection point that affects hundreds of millions of devices and the people and organizations that rely on them. With 41 % of PCs still running Windows 10 and up to 400 million unable to upgrade, the potential attack surface is enormous. Unsupported devices will function after 14 October 2025, but they will no longer receive security updates, leaving them vulnerable to exploitation. Advocacy groups warn that cyber‑criminals will exploit these weaknesses, and consumer surveys show that many users lack a plan to upgrade.
Organizations must act decisively. They should inventory Windows 10 assets, plan migrations to Windows 11 or alternative operating systems, and enroll in the ESU program where necessary. Compensating controls such as network segmentation, application whitelisting and intrusion detection can mitigate risk temporarily. Aligning with regulatory frameworks and preparing for new privacy legislation—like California’s AB 566, AB 656 and SB 361—is critical. The convergence of cybersecurity, privacy and AI policy underscores the need for holistic risk management and governance.
By proactively addressing the Windows 10 end‑of‑support challenge, organizations can transform a looming risk into an opportunity to modernize infrastructure, enhance compliance and strengthen resilience. For individuals and businesses alike, the time to act is now.
MBS
Mulier Bellator Security (MBS) offers expert guidance and comprehensive solutions to help organizations navigate the Windows 10 end‑of‑support transition. Our services include asset inventory and risk assessment, migration planning, network segmentation, and compliance auditing. To schedule a consultation or learn more about how MBS can protect your systems and ensure regulatory compliance, please email jvirga@mbsecurityusa.com or visit vergasecurity.com/contact.
References
California just put people back in control of their data. (2025, October 9). Malwarebytes Labs.
Doffman, Z. (2025, October 8). Microsoft ‘Security Disaster’ Looms—400 Million Windows Users Must Act. Forbes.
Extended Security Updates (ESU) program for Windows 10. (2025). Microsoft Support.
Gibbs, S., & Booth, R. (2025, October 14). What does the end of free support for Windows 10 mean for its users? The Guardian.
Microsoft. (2025). Windows 10 support ends on October 14, 2025. Microsoft Support.