As Windows 10 end-of-support looms, IT faces a painful choice

Back in 1933, US President Franklin D. Roosevelt told the country, “The only thing we have to fear is fear itself.” Those were inspiring words for a nation in the throes of the Great Depression — but terrible advice for an IT executive struggling to decide whether to upgrade to Windows 11 by October, when Windows 10 is due to reach end of support.

For IT leaders, there is much to fear. How much of their current hardware is compatible with Windows 11? Far more critically, what about operational technology devices that manage industrial processes, on-prem legacy apps (including tons of homegrown code), and the unknown numbers of applets that IT doesn’t know about?

That “unknown” list includes inherited apps from the company’s last 50 acquisitions, as well as shadow apps that business units never bothered to report to corporate. 

At the same time, there is a noticeable lack of enthusiasm among IT leaders for making the upgrade at all, given the perception that Windows 11 simply doesn’t offer much in terms of materially new or better functionality. 

The decision is being forced, because Microsoft says that it will not add new capabilities or provide security patches for Windows 10 for corporate customers after October 14, 2025 — unless they enroll in the Extended Security Updates (ESU) program for Windows 10. 

Microsoft is doubling the ESU price every year: For the first year, it will be $61/device, which will rise to $122/device for the second year and then $244/device for the third year. After that, the company says it will cut off all Windows 10 support entirely. (Microsoft did not respond to a Computerworld request for an interview for this story.)

Enrolling 5,000 Windows 10 PCs in ESU for the full three years would cost a business more than $2.1 million. A large organization that wants to keep 30,000 PCs on extended Windows 10 support for three years would have to pay more than $12.8 million to do so.

This leaves IT leaders having to choose between a potentially painful upgrade to Windows 11 and having to pay a massive amount of money for continued Windows 10 support, depending on how many seats will remain on Windows 10.

Windows 11 upgrade challenges

Despite the fact that Microsoft has been reminding customers of the Oct. 2025 end-of-support deadline for at least four years, many organizations have put off upgrading to Windows 11 as long as possible. A recent analysis by Digital Employee Experience software provider ControlUp, for example, found that just half of the one million Windows endpoints in its enterprise customers’ environments had been migrated to Windows 11 as of late June.

There are multiple reasons for the delay, according to analysts.

For some CIOs, it’s a matter of priorities. “Most have realized that the Windows 11 migration is relatively straightforward and doesn’t require much effort once started,” said Gartner VP/analyst Stephen Kleynhans. “This allowed them to complete other projects and take a slower, less disruptive pace with the migration.”

However, he added, “Many have realized the ‘window’ to act is starting to close.”

Those are the lucky ones. Other IT leaders have encountered significant hardware and software incompatibilities.

Windows 11 has an extensive list of hardware requirements, including the inclusion of a Trusted Platform Module version 2.0 and Secure Boot support. This means that many Windows 10 PCs now in use can’t be upgraded to the new OS without expensive and time-consuming modifications — on top of the disruption from taking those machines out of service while they are modified.

“Most enterprises are in the midst of a protracted and costly refresh of PCs purchased during the early days of the COVID pandemic. Customers realize that the easiest and safest way to move to the new OS is to buy new machines with Windows 11 already installed,” Kleynhans said.

“However, hardware refresh projects have gone slower than expected due to budgetary constraints and supply chain issues, necessitating more in-place upgrades to meet the October deadline,” he continued. “Most larger enterprises have a few machines incompatible with Windows 11 still in service, but many compatible machines are misconfigured or under-configured, requiring replacement.”

Legacy software — especially in-house or customized apps — and outdated peripheral devices can also cause problems.

“While compatibility between Windows 10 and Windows 11 has been extremely good, most enterprises report having one or two ancient applications or old peripherals that can’t be made to work on Windows 11,” Kleynhans said. “These were often stumbling along on Windows 10 and could have broken with any security update. Enterprises often get bogged down trying to decide how to deal with updating these old apps.”

The hidden software nightmare

The hidden software problem is potentially worse. Every IT director knows that they simply don’t have full visibility into the multitude of small applets that typically perform very narrow functions. 

On an ecommerce site, for example, one small applet — homegrown by a coder 20 years ago — might connect completed purchases with the most relevant shipping partner. Other than the tiny number of people handling that aspect of the site, no one else knows about it or has any reason to know about it. 

But when the upgrade happens and that applet doesn’t work properly under Windows 11, everyone will suddenly learn of that applet’s existence when e-commerce revenue plunges. 

“It speaks to the increase in the complexity of the upgrade decision, these hidden interdependencies,” said Melody Brue, a VP/principal analyst for Moor Insights & Strategy. 

Brue referred to this problem as “the great reckoning of technical debt,” adding, “this will not just be an upgrade. It’s forcing this reckoning that will expose and magnify all of the technical debt.”

Brue is using the term “technical debt” in a non-traditional manner. Typically, it refers to the cost of fixing software that suffered when speed shortcuts were taken when it was developed, presumably to save money or time. But Brue is using it to refer to all manner of unknown or outdated applications throughout the enterprise’s global environments.

Will Microsoft really pull the plug on Windows 10 support?

One burning question on IT leaders’ minds is whether Microsoft will follow through on its threat to stop the flow of security patches for Windows 10 after the October deadline. It depends on many factors, especially how many IT shops stick with Windows 10.

Microsoft has already softened its position on Windows 10 support. After initially saying it would not support Microsoft 365 apps on Windows 10 past the October deadline, the company did an about-face in May, announcing that it will support M365 apps on Windows 10 until 2028. And in late June, Microsoft suddenly offered consumers (but not commercial customers) a way to get one year of Windows 10 security patches for free. The company also noted that it will continue providing security intelligence updates for its Defender Antivirus software on Windows 10 for three more years.

Some tech leaders believe these changes indicate that Microsoft may eventually relent on ongoing Windows 10 support for the enterprise.

“I don’t envision this to be as big a hurdle as people are making it out to be,” said Brian Phillips, VP for Macy’s Technology. “Many are worried about losing ongoing patches, for example. I can say categorically that they will not. Microsoft is bluffing.”

Phillips added that he expects at least some security patches to continue even for customers not in the ESU program. For example, Microsoft may continue to issue Windows 10 patches it rates as Critical or Important to everyone, but will only issue patches rated as Moderate or Low to those paying for extended support, Phillips said

Jeremy Roberts, a senior director of research at the Info-Tech Research Group, agreed that it is far from certain what kind of support, patches, and functionality Microsoft will ultimately deliver to Windows 10 post-October.

“It’s always a game of chicken with Microsoft,” he said.

To put it mildly, it’s challenging for IT to make rational upgrade decisions when the consequences for not upgrading keep changing — and could very well change again over the next several months. 

The ROI factor

Roberts said this decision will likely be driven by the same return on investment factors that always dictate to enterprise CIOs what to do and when to do it.

“If I am spending resources on an OS upgrade, I am not spending it on things that are far more important,” he said. 

A viable choice is to pay the tech support and delay the upgrade, Roberts said. “You’re borrowing productivity from tomorrow and kicking the can down the road,” he said. 

When thousands (or tens of thousands) of employees need to be trained on and get comfortable using a new OS, the productivity hit can be substantial. There’s no avoiding the disruption that will come with a mass migration to Windows 11, so it’s up to company leaders to decide when it’s most feasible.

The decision boils down to a few difficult options: 

Make the upgrade and risk having to spend maybe a couple of months putting out fires from the untold number of apps that fail. During that time, productivity will likely take a sharp hit.

Opt to not initially upgrade, which might mean losing compatibility with partners and customers who do make the move to Windows 11. And that decision means paying a lot for support payments — for an out-of-date OS.

Split the difference by upgrading a portion of the environment. That would reduce the exposure from not upgrading, while minimizing the disruption from the unknown app problems. 

That’s the approach Macy’s takes to OS upgrades, according to Phillips, who said he has seen Windows upgrade problems with small apps that IT tends to not think about. “Everything from training apps to clock-in-and-clock-out, some browser components — they all have to be tested and rewritten,” Phillips said. 

Macy’s tackles that testing by shutting down half the POS units in a store and upgrading them, he said. They use the odd/even method: updating only the odd machines one day and the even machines at a later date. That way, productivity during upgrades is maintained, because an associate can always turn to a machine nearby and use that.

New hardware is typically the most expensive part of an upgrade, but it’s also easier to track, because enterprises generally know about every piece of hardware in their environment. Hardware delivers far fewer IT surprises than software. 

Hardware costs are tied to each enterprise’s unique situation, with dozens of factors including volume, models and configurations, geography, and even tariffs coming into play. But IT leaders can — and should — run their own calculations regarding hardware. Globally, how many PCs have the security and capacity to handle Windows 11? How many PCs are about to be replaced anyway? What is the cost difference between upgrading existing hardware to Win11 specs versus purchasing new Win11 PCs?

Next, there are the support calculations. How does the cost of upgrading or replacing current hardware compare with the cost of continued Windows 10 support? That support cost is based on how many seats need extended protection, so the spreadsheet has to reduce the support costs based on how many machines can make the transition to Windows 11.

One possible projection for a small enterprise might look like:

Year 1: Leave 5,000 devices on Windows 10 and pay for extended support for them. Upgrade 3,000 machines that can be upgraded. Purchase 1,000 new Windows 11 PCs.

Year 2: Reduce the number of devices on Windows 10 extended support to 2,500. (The support cost for the PCs remaining on Windows 10 doubles this year, so reducing the number by half keeps that cost the same.) Buy new PCs for the other 2,500 that were on Windows 10 that first year.

Year 3: Replace the remaining 2,500 Windows 10 devices with new Windows 11 PCs, which means no more extended support costs.

Year 4: Buy new PCs to replace the 3,000 old machines that were upgraded to Windows 11 that first year. Now all users are on Windows 11 — just in time for a new operating system/hardware refresh cycle, when IT gets to do this all over again.

Of course, if Microsoft announces in, let’s say, December that it is extending Windows 10 support for another year, all ROI calculations will have to be rerun.

There are additional options for IT leaders to consider as well, including Windows 365, Microsoft’s cloud-based desktop-as-a-service offering, which costs $41/user/month for a standard enterprise configuration.

Forrester senior analyst Paddy Harrington had a different suggestion that will not please Microsoft. 

“Do we even need Windows anymore? How many of our applications are web-based? More and more users are doing the majority of their work in a browser, using SaaS apps. Why are you even keeping Windows desktops?” Harrington asked. “Is Linux an option for you? Or one of the thin clients? You have to be open to changing your religion.”

Triage choices

For those who decide to stick with traditional Windows PCs, Harrington is a proponent of phased upgrades. That means deciding which apps and machines get upgraded now and which are delayed. One option is to “start with the assets that are most critical to your business, such as financial, your HR, your app dev if that is your world,” Harrington said. 

Another approach is to start with the ones that you are confident will be fine in the Windows 11 environment. Instead of legitimately worrying about the small percentage of software that is unknown, focus on the known apps. Throw them into a sandbox and test if they will survive in Windows 11. 

That would allow IT to safely upgrade almost all of its environment, which would reduce the cost of the support for the remainder. “Move what is safe. You know what they are, whether they are applets or extensions,” Harrington said. 

Some IT officials who are having to make this decision have understandably strong opinions.

Kolapo Akande, the founder of Pledge Software and the former performance architect manager at Accenture, encourages IT to upgrade everything.

“Enterprises should not default to extended support. It’s essentially a tax on indecision. Unless they have a mission-critical legacy app with no viable workaround, migrating to Windows 11 now is the smarter long-term play, especially for organizations already on hardware nearing refresh cycles,” Akande said. “Paying for extended support often leads to sunk costs and delays in adapting internal IT policies for modern endpoint security and management.”

For those who can’t migrate their full environment, Akande has a recommendation: “Isolate legacy machines in virtualized or air-gapped environments to minimize exposure. This lets you limit extended support costs to the bare minimum while moving the rest of the org forward.”

Ari Harrison, director of IT at BAMKO, a global promotional products company, said his team concluded that the risks of not moving to Windows 11 were not worth it.

“Every month you stay put, you invite unpatched exploits, shrinking vendor support, and a growing skills gap as admins move on. The ESU program buys breathing room but at a steepening price curve that’s designed to push you off the ledge, not keep you comfortable on it,” Harrison said.

“Think of it as paying rent on a condemned building,” he continued. “The smarter play is to upgrade now, while you control the tempo and can schedule downtime on your own terms.”