One year until Windows 10 ends: Here’s the security impact of not upgrading (2024)

As with other products, Microsoft will likely offer some extended security updates even after the end-of-life date in October 2025, but there are many risks to be considered.


In about one year, Windows 10 machines will reach the end of their lifespan, at least as far as Microsoft is concerned. That’s a pretty big deal considering the older operating system far eclipses its Windows peers in terms of market share, with around two-thirds of the machines out there still running Windows 10.

Will Microsoft extend support for the aging OS after October 14, 2025? Likely, but not without a cost.

Windows 10 was released in July 2015, and it has been a rocky road to get to where businesses and users consider it stable. Its feature releases have moved icons around, reset settings, and even been halted or postponed due to bugs in resetting defaults and other issues.

But like many things Microsoft, when we get to the end of that road, we’re often not quite ready to let go. In this final year, you should be reviewing what impact Windows 10 use has on your current security status, as well as the long-term impact to your business as it loses support.

Inventory Windows 10’s current impact

By now, you should have a good idea of which applications will need additional time and resources to upgrade and those that will need to stay on a Windows 10 platform (if that is even possible).
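The inventory step above is easier to act on if you can list which hosts are still on Windows 10 and how much runway they have. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes CIM (WinRM) access to the hosts you name, and the host names in the usage line are placeholders. It classifies each machine by OS build number (Windows 10 client builds run from 10240 to 19045; Windows 11 starts at 22000) and reports the days remaining until the October 14, 2025 end-of-support date.

```powershell
# Added example: inventory hosts and flag those still on Windows 10.
# Assumes CIM/WinRM access to each host; host names below are placeholders.

function Get-Win10EolReport {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [datetime] $EndOfSupport = [datetime]'2025-10-14'   # Windows 10 end-of-support date
    )

    foreach ($name in $ComputerName) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
        } catch {
            # Unreachable hosts still appear in the report so nothing is silently skipped.
            [pscustomobject]@{
                ComputerName = $name; Caption = $null; Build = $null
                Status       = "Unreachable: $($_.Exception.Message)"; DaysToEol = $null
            }
            continue
        }

        $build = [int]$os.BuildNumber
        # Build ranges: Windows 10 client = 10240 (1507) .. 19045 (22H2); Windows 11 >= 22000.
        # The Caption check keeps Windows Server builds that share a kernel (e.g. 14393) out of the Windows 10 bucket.
        $status = if ($build -ge 22000) {
            'Windows 11'
        } elseif ($build -ge 10240 -and $os.Caption -like '*Windows 10*') {
            'Windows 10 (support ends 2025-10-14)'
        } else {
            'Other / review manually'
        }

        [pscustomobject]@{
            ComputerName = $name
            Caption      = $os.Caption
            Build        = $build
            Status       = $status
            DaysToEol    = [int]($EndOfSupport - (Get-Date).Date).TotalDays
        }
    }
}

# Usage with placeholder host names; sort so the Windows 10 machines group together.
Get-Win10EolReport -ComputerName 'POS-01', 'POS-02', 'FRONTDESK-03' |
    Sort-Object Status, ComputerName |
    Format-Table -AutoSize
```

Feed the output into whatever tracking you use for the applications that need extra upgrade time; the "Other / review manually" bucket is deliberate, so that unusual builds (LTSC, server SKUs, or unexpected captions) get a human look rather than a silent pass.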

Microsoft has already announced that it plans to offer Windows 10 users an extended security update (ESU) program similar to what they did (and still do) for Windows 7. Business customers can purchase extended updates for three years in order to extend the lifespan of an existing device.

If you use traditional Windows 10 on physical hardware, you will probably opt for Microsoft’s first option — traditional five-by-five activation. I’m assuming that the licensing process will be similar to the Windows 7 ESU process, in which a servicing stack-like update was installed on the computer, which then enabled the system to obtain and install the updates.

In the Windows 7 era, as with this update, you needed to install the update using WSUS or Configuration Manager. While you could download the patch from the Microsoft Update Catalog and install it manually, you could not use Windows Update by itself to deploy the update.

The pricing will be $61 per device, for one year, anticipated to increase and double in year two and year three. Nonprofit pricing will also be announced later. If you have a more hybrid solution deployed, Microsoft will offer the ESU with a slight discount if you are an Intune or Windows Autopatch customer. This license has an approximately 25% discount and will cost $45 per user (up to five devices) for Year 1.

Review the long-term risk of staying on Windows 10

But should you stay on Windows 10 even if you do opt to purchase ESU patches? First, review your cyber insurance policy for any coverage issues should you decide to continue with Windows 10 unpatched, or continue with Windows 10 with ESU coverage.

Cyber insurance policies often point to the PCI DSS standards for coverage maintenance guidelines. Protection can be denied or dropped based on, arising from, or in any way involving:

  • Any insured’s failure to comply with or follow the PCI Data Security Standard or any payment card company rules.
  • The implementation or maintenance of, or compliance with, any security measures or standards relating to any payment card data, including, but not limited to, any fine or penalty imposed by a payment card company on a merchant bank or payment processor that an insured has paid or agreed to reimburse or indemnify.

For point-of-sale systems, for example, the PCI DSS standards indicate that systems are protected with required controls — file integrity monitoring, anti-malware, patches, audit logging, and so on. Thus, to be in compliance with PCI DSS standards, you can’t leave point-of-sale systems installed, operating, and interacting with customers if you knowingly do not keep them protected and patched. You would risk losing cyber insurance coverage if you did not have protections in place.

As the standard clearly points out, you have a responsibility to your customers. “Actors with bad intentions can use security vulnerabilities to gain privileged access to systems,” it says. “Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All system components must have all appropriate software patches to protect against the exploitation and compromise of account data by malicious individuals and malicious software.”

Section 6.3 of the PCI DSS standard states that security vulnerabilities should be identified and addressed. If you layer on the Secure SLC Standard you need to be aware that, “While use of software developed and maintained in accordance with the Secure SLC Standard provides assurance that the vendor makes security patches and software updates available in a timely manner, the entity retains responsibility for ensuring that patches and updates are installed in accordance with PCI DSS requirements.”

Buying ESU patches will require a support contract

Remember, while you will be able to purchase ESU patches from Microsoft, the company indicates that it will no longer provide official support without a support contract from Microsoft. Once again, review your cyber insurance coverage to see whether it will consider third-party support or alternatives to this lack of support coverage by the original vendor.

If you and your cyber risk vendors decide that you can accept the risk of unpatched Windows 10 systems, relying on mitigations such as isolating them on VLANs and blocking them from the internet, you will still have to review the reputational risk to your firm.

If those systems are used only in narrow, unique locations and are blocked from external access and the internet, you may be able to manage and accept the risk. Ultimately it comes down to this: Can you accept and manage the risk? Will your vendors allow you to accept the risk of extended security updates, or of limiting access to network resources and the internet?
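Network isolation is normally done at the switch and firewall (the VLAN the text mentions), but a host-side egress restriction is a useful second layer and is easy to verify. The following PowerShell is an added example, not from the article or from Microsoft: it sets the Windows Firewall default outbound action to Block on all profiles and then allows outbound traffic only to RFC 1918 internal ranges. The patch server address is a placeholder; replace it with the actual WSUS or Configuration Manager host that must remain reachable for ESU deployment.

```powershell
# Added example: restrict a retained Windows 10 host to internal networks only.
# Run elevated on the host. Windows Firewall evaluates Block before Allow, so the
# correct pattern is "default outbound = Block, then explicit Allow rules".

$PatchServer = '10.0.0.25'   # placeholder: your WSUS / Configuration Manager host

# 1. Default-deny outbound on every profile (Domain, Private, Public).
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 2. Allow outbound only to private (RFC 1918) address space.
New-NetFirewallRule -DisplayName 'W10-EOL: allow outbound to internal networks' `
    -Direction Outbound -Action Allow `
    -RemoteAddress 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

# 3. Make sure the patch source stays reachable over HTTP/HTTPS even if it is
#    outside the ranges above (no-op if it is already inside them).
New-NetFirewallRule -DisplayName 'W10-EOL: allow outbound to patch server' `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress $PatchServer -RemotePort 80, 443

# 4. Verify: the profile default and the two rules should be listed as enabled.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'W10-EOL:*' |
    Select-Object DisplayName, Direction, Action, Enabled
```

Test the result from the host itself (for example, a web request to an external address should fail while a request to the patch server succeeds) and roll the same rules out through Group Policy or Intune rather than by hand, so that the restriction survives rebuilds and is auditable.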

Is the risk of sticking with Windows 10 worth it?

History with other end-of-life Windows products demonstrates that Microsoft will release out-of-band updates — even to systems that haven’t purchased extended security updates — if it deems the risk to unpatched, in-use machines to be too great.

Once again, reach out to your risk advisors to see whether this is acceptable to your industry or if it would prove to be unfavorable and too much of a risk for headlines and SEC filings. We now live under the new SEC cyber disclosure rules that mandate a faster reporting timeline as well as more transparency.

Ultimately, you will have to decide whether you have options to assist you with the risk of not patching Windows 10 machines, or whether it will be more advantageous to invest in supported technologies. If you are moving toward a cloud-first deployment, Windows 11 is more suited for the task and thus better for your organization.

The question you need to ask yourself is not whether you can purchase updates after Microsoft has officially ended the Windows 10 lifecycle, but rather, does your cyber risk posture put you in a position where the risk is acceptable to do so?

If you haven’t already reached out to your vendors and insurance companies to review their positions on this question, now is the time to do so. You have one year to determine whether Windows 10 beyond end of life is an acceptable risk.

Article information

Author: Maia Crooks Jr