When Windows 10 Dies, Security Risks Multiply


As new versions of a widely available operating system like Windows become available, the company offering the software must make decisions regarding the ongoing support and updates for older iterations. In June 2021, Microsoft announced that it would be ending support for Windows 10 on October 14th, 2025; that date has now passed with the release of the final update, KB5066791. In practical security terms, the “end of life” means that Windows 10 will no longer receive updates protecting it against newly emerging exploits and CVEs.

A Massive, Unsecured Ecosystem

The end of support for Windows 10 is not just an inconvenience for the 35.43% of Windows PCs worldwide that still use the system. It also opens up a wide swath of users and systems to massive threats. Many of the systems still running Windows 10 are unable to update to Windows 11 due to hardware incompatibility, leaving them vulnerable to a wide variety of threats without security patches or technical support.

It’s not only individuals at risk from using Windows 10: many of these systems sit in critical sectors, including hospitals, schools, and factories. These are often large organizations that handle massive volumes of highly sensitive data, and for which widespread software updates would require coordination and possible downtime. With the end of support for Windows 10, attackers will target these legacy systems as low-hanging fruit with the potential for large payouts.

Lessons from the Past: The XP and 7 Aftermath

In the wake of Windows 10 support ending, it is vital to look to past events to inform actions moving forward. After Windows XP’s end-of-life, there were significant issues regarding the security of Windows XP systems. The fallout demonstrated the tendency for attackers to target unsupported systems, as well as the severe need for organizations to plan for the eventual transition to a new system before the end of support arrives.

There is a longstanding pattern of malware evolution and exploit reuse on unsupported platforms, as threat actors take advantage of the knowledge that system updates will no longer be pushed out to counter their attacks. End-of-life operating systems become long-term investments for attackers, who operate with the understanding that new attacks against them are unlikely to be detected or fought.

The Enterprise Dilemma

Organizations face increased risks in security and compliance when they continue to operate outdated systems. Using an operating system that is no longer being updated creates gaps in protection and control. Shadow IT and outdated Windows 10 endpoints remaining unmonitored lead to significant hidden risks that organizations cannot effectively protect against.

Extended Security Updates (ESUs) can offer a temporary shield against some threats, continuing to provide Critical and Important security updates for a period of time. The window for consumer ESUs is one year, while commercial systems can get one to three years of continued updates, priced per device. However, relying on ESUs can often create uneven protection and leave gaps, as it does not apply to all security updates or non-security technical support issues.

The Consumer Gap and the Global Digital Divide

Unfortunately, the switch to Windows 11 is not as simple for everyone as it is for many. “Much of the hardware we use today simply cannot be upgraded due to dependencies on hardware and software security features,” says Morey Haber, Chief Security Advisor at BeyondTrust. “Only new computers with both Secure Boot and TPM will be supported, and able to migrate to Windows 11.”

Hundreds of millions of systems can’t upgrade to Windows 11 due to these hardware limitations, and these devices will continue connecting to networks and cloud services, effectively expanding the attack surface. This gap will lead to a potential rise in scams, phishing, and malware campaigns targeting Windows 10 users.
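The first step in closing this gap is knowing which endpoints are still on Windows 10 and which of them can actually migrate. The script below is an added example, not code from the article or from BeyondTrust: run in an elevated PowerShell session, it reports the OS build, whether the machine is a Windows 10 endpoint, and whether it meets the two prerequisites named above (a TPM at spec version 2.0 and Secure Boot enabled). The build-number boundary of 22000 for Windows 11 and the `NeedsCompensatingControls` flag are assumptions made for this example.

```powershell
# Added example (not from the article): readiness check for a single Windows endpoint.
# Requires an elevated session; Win32_Tpm and Confirm-SecureBootUEFI need administrator rights.

function Get-Win10EolReadiness {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Assumption: Windows 10 builds run 10240-19045; Windows 11 starts at build 22000.
    $isWindows10 = ($build -ge 10240) -and ($build -lt 22000)

    # TPM details come from the Win32_Tpm class; SpecVersion reads like "2.0, 0, 1.38".
    # A missing instance means no TPM, or one that is disabled in firmware.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmPresent = $null -ne $tpm
    $tpmSpec    = if ($tpmPresent) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $tpm20      = $tpmPresent -and ($tpmSpec -eq '2.0')

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, which cannot run Windows 11 either.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    $canMigrate = $tpm20 -and $secureBoot

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        OSCaption                 = $os.Caption
        Build                     = $build
        IsWindows10               = $isWindows10
        TpmPresent                = $tpmPresent
        TpmSpecVersion            = $tpmSpec
        SecureBootEnabled         = $secureBoot
        CanMigrateToWin11         = $canMigrate
        # Unsupported OS that cannot migrate: the legacy endpoint that needs isolation or ESU.
        NeedsCompensatingControls = $isWindows10 -and (-not $canMigrate)
    }
}

Get-Win10EolReadiness | Format-List
```

Across a fleet, the same function can be pushed to many hosts with `Invoke-Command -ComputerName ... -ScriptBlock ${function:Get-Win10EolReadiness}` and the objects exported to CSV; the rows with `NeedsCompensatingControls` set to `True` are the devices that need segmentation, ESU enrollment, or replacement rather than a simple upgrade.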

The Broader Cybersecurity Implications

The end of support for Windows 10 has a number of implications for the broader cybersecurity landscape, bringing an increased potential for botnets, ransomware propagation, and data breaches. This highlights the need for robust and layered defense strategies: endpoint protection, network segmentation, and zero trust adoption.

Microsoft, security vendors, and policymakers can mitigate the cybersecurity fallout of Windows 10’s end of life by not only stressing the importance of using updated devices and systems but also offering practical guidance for easing the transition. It is crucial to understand that simply updating to Windows 11 is not a quick and easy option for many organizations, who will require investment in new technology in order to be able to run the newer OS on their devices. Collaborative security efforts and practical guidance are crucial for ensuring widespread protection against the threats that accompany the end of support for Windows 10.

Looking Ahead: From Obsolescence to Resilience

Moving forward, it is vital for organizations to foster cyber resilience rather than relying on old technology as it becomes obsolete. The transition to Windows 11 is not just an operating system update, but a shift toward heavily AI-enhanced functionality with Copilot and agentic AI capabilities. Adopting AI-first security frameworks is an essential part of protecting devices and systems. Long-term, security experts and users must understand that lifecycle planning and proactive modernization are now essential to cyber hygiene.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.