Microsoft has acknowledged that more time is needed for users to migrate to Windows 11, officially announcing that when Windows 10 support ends in October 2025 there will be a way for consumers and businesses to purchase extended security patches. The company announced the plan for an extended security update (ESU) program for Windows 10, including a program for consumer end users, in a recent blog post. Pricing has not been announced, but if the Windows 10 program is similar to the one for Windows 7, it will be a multiyear offering with prices that rise each year.
With the Windows 7 ESU program, a product key had to be installed on each device earmarked to continue receiving security updates; the key "unlocked" the ability to install security updates after the official support window ended, and without it the patches could not be installed. Over the next two years, organizations still using Windows 10 will need to identify which workstations genuinely need to be upgraded and prioritize resources for them.
Review why you are still using Windows 10 on some workstations
First, consider which workstations would actually benefit from upgrading to Windows 11. If you are contemplating Windows 10 ESUs for a workstation, it is usually for one of two reasons: the machine lacks the TPM 2.0 or supported 64-bit CPU that Windows 11 requires, or it runs a business application that does not support Windows 11.
Given that I have yet to see many major supported programs that worked on Windows 10 fail to work on Windows 11, my guess is that for many of us what is keeping us from upgrading is the need for a hardware refresh. If you are in this camp, inventory your network and prioritize which roles and positions would benefit most from a Windows 11 deployment.
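One way to do that inventory, as an added example that is not part of the original article: the PowerShell function below checks a workstation against the published Windows 11 minimum requirements (TPM 2.0, UEFI firmware, a 64-bit CPU with at least two cores at 1 GHz, 4 GB of RAM and a 64 GB system drive) and separates "needs a firmware setting changed" from "needs new hardware", which is the distinction that drives budgeting. The `$SupportedCpuPattern` default is a hypothetical placeholder; populate it from Microsoft's supported-processor lists, which change over time.

```powershell
# Added example, not from the article. Run elevated (Confirm-SecureBootUEFI and the
# TPM class both require administrator rights); fan out with Invoke-Command.

function Get-Win11Readiness {
    [CmdletBinding()]
    param(
        # Regex matched against the CPU name. Hypothetical default; replace with the
        # models from Microsoft's supported-processor lists for your fleet.
        [string]$SupportedCpuPattern = 'i[3579]-(8|9|1[0-9])\d{3}|Ryzen [3579] [2-9]\d{3}|Xeon'
    )

    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    # TPM: Win32_Tpm lives in its own namespace; SpecVersion reads like "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Firmware type is exposed by Windows as an environment variable ('UEFI' or 'Legacy').
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, which is itself the answer.
    $firmware = $env:firmware_type
    try   { $secureBootEnabled = Confirm-SecureBootUEFI }
    catch { $secureBootEnabled = $false }

    # Hard requirements; Secure Boot only needs to be *capable*, so it is reported
    # separately rather than counted as a blocker.
    $checks = [ordered]@{
        Tpm20        = ($tpmVersion -eq '2.0')
        UefiFirmware = ($firmware -eq 'UEFI')
        Cpu64Bit     = ($cpu.AddressWidth -eq 64)
        CpuCores2    = ($cpu.NumberOfCores -ge 2)
        CpuClock1GHz = ($cpu.MaxClockSpeed -ge 1000)
        CpuOnList    = ($cpu.Name -match $SupportedCpuPattern)
        Ram4GB       = ($cs.TotalPhysicalMemory -ge 4GB)
        Disk64GB     = ($disk.Size -ge 64GB)
    }

    # Failures a firmware setting cannot fix: these machines need replacing, not reconfiguring.
    $hardBlockers = @('Tpm20', 'Cpu64Bit', 'CpuCores2', 'CpuClock1GHz', 'CpuOnList', 'Ram4GB') |
        Where-Object { -not $checks[$_] }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OS                 = "$($os.Caption) $($os.Version)"
        CpuName            = $cpu.Name.Trim()
        TpmVersion         = $tpmVersion
        SecureBootEnabled  = [bool]$secureBootEnabled
        Ready              = -not ($checks.Values -contains $false)
        FailedChecks       = ($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key) -join ','
        NeedsNewHardware   = ($hardBlockers.Count -gt 0)
    }
}

# Usage: locally, or across a list of workstations into a CSV for prioritisation.
Get-Win11Readiness | Format-List
# Invoke-Command -ComputerName (Get-Content .\workstations.txt) -ScriptBlock ${function:Get-Win11Readiness} |
#     Export-Csv .\win11-readiness.csv -NoTypeInformation
```

Sort the resulting CSV on `NeedsNewHardware` and `FailedChecks`: a machine whose only failure is `UefiFirmware` or a disabled TPM may be fixable in firmware settings, while `CpuOnList` or `Tpm20` failures are the ones that belong on the refresh (or ESU) list.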
More than anything else, what Windows 11 brings to the table is support for more modern and more robust authentication. From Windows Hello for Business to native passkey support, these mechanisms rely on a TPM to keep their keys in hardware, and a Windows 10 workstation without an onboard TPM chip will not cut it in the world of cloud and online authentication. Given that today's attackers treat passwords as just as valuable as vulnerabilities and are getting into our networks through our credentials, everything we can do to roll out better authentication is key to keeping our networks as secure as we can.
For example, if a device is joined to Entra ID (formerly Azure AD), a policy can be set so that the default sign-in experience removes the password prompt and uses Windows Hello for Business or FIDO2 security keys as the primary authentication. Because those credentials are asymmetric keys bound to the device's TPM rather than a password, the sign-in no longer exercises the password at all, so there is no password hash in that flow for attackers to harvest and replay.
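To check that a workstation is actually in the state just described, here is an added example (not part of the original article) that parses `dsregcmd /status` to confirm the device is Entra joined, has a Windows Hello for Business container provisioned, and holds its device key in the TPM via the Microsoft Platform Crypto Provider. The sample output embedded below is constructed to mirror the field names dsregcmd prints, so the script runs offline; the registry location used for the passwordless-experience policy is an assumption based on the Policy CSP layout, not something the article states.

```powershell
# Added example, not from the article. Parses dsregcmd /status into name/value pairs
# and reports the fields that matter for a passwordless rollout.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "Name : Value" pairs under boxed section headers; keep the first
    # occurrence of each name (the box-drawing and header lines do not match the regex).
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$' -and -not $status.ContainsKey($matches[1])) {
            $status[$matches[1]] = $matches[2]
        }
    }
    $status
}

function Test-PasswordlessReadiness {
    param([string[]]$DsregOutput)
    $s = ConvertFrom-DsregStatus $DsregOutput
    [pscustomobject]@{
        EntraJoined      = ($s['AzureAdJoined'] -eq 'YES')
        HelloProvisioned = ($s['NgcSet'] -eq 'YES')          # Hello for Business container exists
        DeviceKeyInTpm   = ($s['TpmProtected'] -eq 'YES')    # NO means a software-backed key
        KeyProvider      = $s['KeyProvider']
        DeviceAuthStatus = $s['DeviceAuthStatus']
    }
}

# Constructed sample in the shape of real dsregcmd /status output (not captured from a
# live machine), used when the tool is not available, e.g. on a non-Windows host.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
                  NgcKeyId : {constructed-key-id}
           WorkplaceJoined : NO
'@ -split "`r?`n"

$output = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd /status } else { $sample }
Test-PasswordlessReadiness $output | Format-List

# Optional: confirm the MDM-delivered "Enable Passwordless Experience" setting landed.
# Assumed registry location (Policy CSP values are written under PolicyManager\current).
$polKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
$pol = Get-ItemProperty -Path $polKey -Name EnablePasswordlessExperience -ErrorAction SilentlyContinue
'Passwordless experience policy: ' + $(if ($pol.EnablePasswordlessExperience -eq 1) { 'enabled' } else { 'not set' })
```

A device that reports `EntraJoined` true but `DeviceKeyInTpm` false is exactly the Windows 10 machine without a usable TPM that the previous paragraph warns about: it can sign in, but its keys are software-protected and it cannot give you the hardware-bound credential the passwordless policy is meant to enforce.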