If your business is still running Windows 10, you probably already know it. You might even have a plan to deal with it, or at least a vague intention of making one. The deadline came on October 14, 2025, the machines kept running, and somewhere along the way, “we’ll get to it” became the standing policy.
The problem isn’t that nothing happened. It’s that nothing happening started to feel like proof that nothing would.
According to usage data tracked through early 2026, roughly 26 percent of active desktops globally are still on Windows 10. Some of those businesses enrolled in Microsoft’s paid extension program. Others have been running fully unprotected since last October. Either way, October 13, 2026, is now four months out, and that’s when the first year of extended coverage ends and the cost of staying put doubles overnight.
About 26 percent of active desktops globally were still on Windows 10 as of early 2026. Plenty of other businesses are in the same spot — but your insurance provider doesn’t care about that.
Why Are Businesses Still Running Windows 10 Eight Months Later
The short answer: Windows 11 was supposed to be a simple upgrade, and for a lot of businesses, it turned out not to be. A security chip called TPM 2.0 is the reason most migration plans stalled.
The hardware requirement that blocked more upgrades than expected
Think about it the way you’d think about a building code change. The city updated the requirements, and now some buildings have the infrastructure to comply, while others simply don’t. You can repaint an older building all you want, but if the wiring isn’t there, no amount of cosmetic work gets you to code.
Windows 11 did something similar. It requires a specific hardware security chip called TPM 2.0, and Microsoft has been clear that this requirement isn’t going anywhere. If a machine doesn’t have it, Windows 11 won’t run on it. There’s no workaround and no software patch for a missing chip. When that compatibility check fails, replacement is the only path forward.
Analysts estimate that around 500 million PCs globally don’t have what Windows 11 needs to run. For a small business with ten computers bought between 2015 and 2019, that number stops being an industry stat and becomes a purchasing conversation nobody budgeted for.
Windows 11 has four hardware requirements it won’t negotiate on:
- TPM 2.0 chip (must be onboard, firmware, or discrete; external USB versions don’t qualify)
- Secure Boot capability enabled in BIOS or UEFI firmware
- A compatible processor (most Intel 8th generation or later; AMD Zen 2 or later)
- At least 4GB of RAM and 64GB of storage
Fail the first two requirements, and the machine can’t be upgraded. Full stop.
How the wait-and-see approach became permanent for many businesses
The businesses that cleared the hardware hurdle often hit a different one: there was always a reason to wait. Application compatibility testing. Employee retraining. A budget quarter that wasn’t quite right. And then October arrived, nothing visibly broke, and a temporary delay quietly became a standing policy.
That logic is understandable. It’s also the most common reason small businesses end up in the worst possible version of this situation. The risk of running unpatched Windows 10 isn’t that your machine stops working. It’s that someone else starts using it.
What No Security Updates Actually Means for Your Business Right Now
Here’s the part that surprises most business owners: running Windows 10 without security updates doesn’t just mean your software is old. It means that every vulnerability discovered after October 14, 2025, stays permanently open on those machines. Not temporarily unpatched. Permanently.
Every vulnerability discovered after October 2025 stays permanently open
This isn’t a hypothetical. A threat group called Storm-2460 exploited CVE-2025-29824, a Windows Common Log File System driver vulnerability, against systems where the patch window had already closed. The vulnerability was published and documented. The systems were running. No patch existed for them because Microsoft had already stopped making patches.
Attackers follow end-of-life announcements the way a mechanic watches a manufacturer stop making a particular part. Every new Windows 10 vulnerability published after October 2025 becomes a permanent, documented entry point on any machine running the OS without ESU coverage.
For a small business, the stakes are concrete. A single compromised Windows 10 machine can serve as the initial entry point for ransomware that spreads across your entire network, regardless of what every other device in the building is running.
How unpatched Windows 10 affects your cyber insurance coverage
Cyber insurance in 2026 isn’t just about whether you have a policy. It’s about whether you have grounds for a claim. Many insurers now deny claims where an unsupported operating system contributed to the breach — and your policy’s underwriting criteria may already include OS support requirements that your current setup doesn’t meet.
Before your next renewal, ask your broker specifically whether your policy covers incidents on unsupported operating systems. The answer will tell you more about your actual coverage than the premium amount will.
What HIPAA, PCI-DSS, and other frameworks require from your OS in 2026
Compliance frameworks don’t ban Windows 10 by name. What they require is that the systems handling your sensitive data stay supported and patchable — and an OS with no patches coming can’t satisfy that. Auditors find this gap, and they document it.
Frameworks that require supported, actively patched operating systems:
- Healthcare organizations operating under HIPAA
- Businesses processing payment card data under PCI-DSS
- Financial services firms subject to GLBA requirements
- Service organizations maintaining SOC 2 certification
- Federal contractors and adjacent companies operating under NIST frameworks
Running Windows 10 without ESU enrollment fails the baseline patching requirement of every framework on that list.
What Coverage Window Remains and When It Closes
Microsoft’s Extended Security Updates program is essentially a paid lease extension. You get critical and important security patches only, with no new features, no technical support, and a hard expiration date. The pricing is structured to make upgrading feel better than staying put over time, because it is.
What ESU Year 1 covers and what it does not cover
Commercial ESU Year 1 runs $61 per device and closes on October 13, 2026, roughly four months from today. Enrolled businesses are receiving security patches and nothing else. The machines are still running an OS that vendors are actively walking away from, and ESU provides the patches without solving what’s underneath.
ESU buys time. Treating it as anything more than that is where the math starts to go sideways.
What does it mean if your business has never enrolled in ESU at all
If your business skipped enrollment entirely, those machines have been running without any patch coverage since October 14, 2025. Every security vulnerability published since that date is an unaddressed gap on those devices.
Commercial ESU enrollment is still available. Signing up now won’t erase the exposure window that already existed, but it stops new vulnerabilities from stacking up going forward. For any business that can’t complete a hardware refresh before October 2026, that’s still worth doing.
Why does the cost of ESU Year 2 change the math on waiting
The pricing structure is what makes long-term reliance on ESU so hard to justify. Commercial coverage doubles every year and can’t be skipped:
| Year 1 | Year 2 | Year 3 | |
|---|---|---|---|
| Coverage period | Oct 2025 to Oct 2026 | Oct 2026 to Oct 2027 | Oct 2027 to Oct 2028 |
| Cost per device | $61 | $122 | $244 |
| Can you start here without paying the prior years? | N/A | No | No |
A business that wants to enroll in Year 2 but skipped Year 1 owes both retroactively, at $183 per device before a single new patch arrives. For a 15-machine office paying through all three years of the program, the total ESU bill reaches approximately $6,405. At that number, a phased hardware refresh almost always costs less and actually solves the problem instead of extending it.
What Moving Off Windows 10 Looks Like for a Small Business
Here’s the part most people expect to be overwhelming, and it doesn’t have to be. Moving off Windows 10 for a small business comes down to assessing each device and assigning it one of three paths based on what the hardware can actually do.
How to find out which machines can actually run Windows 11
Microsoft’s PC Health Check tool scans any Windows 10 device and gives you a clear pass or fail. Many machines that fail initially do so because TPM 2.0 is disabled in the BIOS settings rather than absent from the hardware entirely. An IT partner can turn that on in about ten minutes. Other machines simply don’t have the chip and need to be replaced.
Run the scan before assuming the worst. Businesses frequently discover more upgrade-eligible machines than they expected.
The right path for each type of device in your fleet
| If your machine… | The right path | What to expect to pay |
|---|---|---|
| Passes the Windows 11 compatibility check | Free in-place upgrade, done | $0 |
| Fails the check due to a software dependency blocking the upgrade | Commercial ESU Year 2 as a defined bridge, with a set exit date | $122 per device |
| Fails the check with no software dependency in the way | Hardware replacement | Roughly $400 to $700 per device |
The most important word in the middle row is “defined.” ESU Year 2 is a reasonable choice when there’s a specific reason for the delay and a firm plan to exit it — not as the path of least resistance because the problem feels too large to start.
Building a phased approach that fits your actual budget
A phased refresh doesn’t have to be an all-hands infrastructure project. Start with the machines handling your most sensitive data, work outward from there, and spread replacements across two or three quarters. That approach distributes the cost without leaving the highest-exposure devices sitting unaddressed while you wait for a budget window that may never feel perfect.
The businesses that got through this cleanly didn’t solve it all at once. They made a list, assigned each device a path, and started moving. An IT partner can run that device assessment in a few hours, turning what feels like an overwhelming problem into a clear set of next steps.
If your business is still running Windows 10 and you’re not exactly sure where things stand — what’s enrolled, what’s exposed, which machines can upgrade for free, and which ones need to be replaced — that’s precisely where a conversation with Certified CIO starts. Schedule a call and get a clear picture of your environment before October 13, 2026, arrives.


