Microsoft ended support for Windows 10 on October 14, 2025. For businesses still running Windows 10 PCs, it means they will no longer receive free security patches, non-security bug fixes, or technical support. If that sounds ominous, it should. Many Windows 10 users stood pat as the deadline passed, and now they are approaching what many are calling a security cliff—where unsupported systems become increasingly vulnerable with each passing day.
A study conducted in mid-2025 by ControlUp examined over one million enterprise endpoints. What it found was that half of all devices were still running Windows 10, with migration rates dipping as low as 42% in large organizations. The situation isn’t any more promising for small and mid-sized businesses (SMBs). Globally, 40% of active desktop installations are still running Windows 10. For these businesses, the stakes are high—downtime, data loss, and reputational damage.
Why SMBs Are Struggling to Migrate
For SMBs, the most obvious challenge is hardware limitations. Unlike Windows 10, Windows 11 requires modern components such as TPM 2.0 and Secure Boot, and many companies lack the financial resources to replace all their machines—especially when they are still functioning well.
Another reason is software compatibility. SMBs often use custom or legacy software that has not been certified for Windows 11. Upgrading these solutions requires testing, validation, and retraining, which consume time and exhaust resources that lean IT teams can’t spare.
And then there are limited budgets. Migrations are not low-cost endeavors. The costs include hardware, licensing, and deployment, all of which siphon money from other parts of the business. Updates must also be coordinated in a way that doesn’t disrupt day-to-day operations.
Add it all up, and it’s easy to see why many companies have put migration on hold. But just as migrating can be costly, so too is taking no action at all. Yes, Microsoft is offering Extended Security Updates (ESUs), but this is not a lifetime program (It ends in October 2026), and these updates only tackle known vulnerabilities. They are no match for attackers leveraging memory-based and fileless attacks that operate in system memory and leave little or no footprint for traditional antivirus tools to detect. These attacks also bypass signature-based defenses and exploit runtime vulnerabilities, giving threat actors persistence on endpoints that appear secure.
Some SMBs will try to manage their own Windows 10 risk through a supply chain of vendors, partners, and service providers operating on interconnected systems. But what happens when one vendor misses a critical update? This is what occurred back in 2017 with WannaCry. The WannaCry ransomware outbreak exploited unpatched Windows vulnerabilities, crippling hospitals, manufacturers, and government systems worldwide. The patch was available and had been for months. Despite that, many organizations failed to act.
Now history is repeating itself with Windows 10. Attackers are waiting for the ESUs to run their course. That’s when millions of systems will be left exposed. But SMBs have real options that require both action and adaptation:
- Prioritize Migration Where Possible: Identify systems that can transition to Windows 11 and start early to avoid supply bottlenecks and rushed deployments.
- Protect What Can’t be Upgraded: Deploy preemptive security controls like Automated Moving Target Defense (AMTD) and deception technologies that continuously morph the attack surface, blocking malicious code before it executes—even on legacy systems that can’t be easily upgraded.
- Segment and Monitor: Place older devices in restricted network zones and monitor them closely for anomalies.
- Plan Beyond ESU: Use the Extended Security Update window as a bridge, not a long-term solution.
The end of Windows 10 isn’t just an IT milestone—it’s a security reckoning. With millions of small businesses still running the aging OS, attackers see opportunity where defenders see inconvenience. While ESUs may buy time, as WannaCry proved, counting on the next patch is not a defense strategy.
The most resilient organizations will be those that migrate quickly, harden what they can’t replace, and adopt proactive defenses capable of detecting and neutralizing unknown threats in real time. These approaches will prove critical for SMBs that can’t migrate today but need to protect mixed Windows 10 and 11 environments tomorrow.
Brad LaPorte is the Chief Marketing Officer at Morphisec and a former Gartner Analyst. He is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories, such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of its time.
Picture courtesy Getty Images for Unsplash+
