QIT Solutions: Blog

Windows 10 End of Support, a practical guide for business from your MSP
Windows 10 reaches end of support in October 2025. After that point Microsoft stops shipping security updates for the operating system on standard channels. As an MSP that spends every day dealing with patch cycles, incident response, and lifecycle planning, here is the plain truth. Staying on an unsupported platform will raise your risk, your cost, and your operational friction. The good news is that you have clear options. You can buy paid security coverage for a period of time, you can upgrade in place on supported hardware, or you can refresh devices and treat the project as an opportunity to modernize fleets, budgets, and user experience. This article breaks down the tradeoffs so you can choose a path that fits your business.
What end of support means in real life
When an operating system reaches end of support, vulnerability fixes stop arriving on Patch Tuesday. New exploits do not slow down. Attackers know which versions fall out of support and actively target them because success rates improve once vendors stop patching. Compliance frameworks also care. Auditors will flag unsupported operating systems during security reviews. Cyber insurers will ask questions, raise premiums, or exclude incidents tied to unsupported systems. Software vendors begin to mark the platform as legacy, which leads to slower support response and fewer bug fixes for your line of business tools. None of this happens the next morning, but the risk curve bends upward and it keeps climbing.
From an operations view you will also feel secondary effects. Your IT team or MSP will need to isolate older machines on the network and monitor them more closely. Routine work like deploying new versions of agents and tools gets harder. End users will encounter more compatibility pain as browsers, drivers, and security products move on.
Option one, pay for security updates through Extended Security Updates
Microsoft offers Extended Security Updates for Windows 10. ESU gives you access to critical and important security fixes each year for a fee. It is licensed per device and renewed annually. Historically the price steps up each year to encourage customers to move forward. For planning purposes, assume the annual cost will rise and that you will want to exit ESU within a two or three year window at most.
When does ESU make sense
- You have critical applications that are not yet certified for Windows 11 and you need a time buffer to finish testing or to migrate to a new platform
- You have hardware that can run Windows 11, but the cutover window would disrupt seasonal operations, so you want to stagger upgrades across quarters
- You want to pair ESU with a virtual desktop strategy such as Windows 365 or another cloud hosted desktop, which can include or offset ESU costs in some licensing models
Caveats to understand
- ESU does not deliver new features. It only provides security patches. Stability fixes that are not security related will still be out of scope
- ESU is a short bridge, not a long term plan. Treat it as runway to complete upgrades and refreshes, not as a way to freeze time
- Device counting and license management need discipline. You will pay per machine, and audits will expect accurate counts
Financial view
If you have 100 endpoints and take ESU for one year, the total spend can look manageable compared to an immediate fleet refresh. By year two and year three the rising fee changes the math. Many organizations find that ESU for one year plus a structured upgrade program produces the best balance of risk and cost.
Option two, upgrade in place to Windows 11
A large share of Windows 10 machines can upgrade in place if they meet CPU, TPM, memory, and storage requirements. In place upgrades are often the lowest cost path because you reuse existing hardware and keep user data and apps intact. The reality is that some devices will not qualify. Others qualify but are at the end of their useful life and would create avoidable support tickets if kept in service.
How to approach in place upgrades
- Build an asset inventory with hardware specs, warranty status, and critical app lists
- Segment devices into three buckets: ready for in place upgrade; needs a small upgrade such as more RAM or a larger SSD; not eligible due to CPU or TPM
- Pilot with a small group that mirrors real business workflows. Include power users, finance, and anyone who relies on specialty peripherals
- Automate the rollout through your MSP toolset. Schedule changes outside business hours, and include rollback checkpoints
- Close the loop with post upgrade health checks and user support
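The inventory and three-bucket steps above can be scripted. The PowerShell below is an added example, not part of the original article or any MSP toolset. The function names, sample device names, and the CpuSupported flag are hypothetical, and the thresholds (4 GB RAM, 64 GB storage, TPM 2.0) are Microsoft's published Windows 11 minimums rather than figures from this page.

```powershell
# Added example: sort devices into the article's three upgrade buckets.
# Assumed thresholds: Windows 11 minimums of 4 GB RAM, 64 GB storage, TPM 2.0.
# CpuSupported is an assumption filled in by the caller, for example from a lookup
# of the CPU model against Microsoft's supported-processor list.

function Get-UpgradeBucket {
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Device)
    process {
        # The article treats a CPU or TPM failure as ineligibility, so test those first.
        $bucket = if (-not $Device.CpuSupported -or -not $Device.Tpm20) {
            'Not eligible due to CPU or TPM'
        } elseif ($Device.RamGB -lt 4 -or $Device.DiskGB -lt 64) {
            'Needs small upgrade (RAM or SSD)'
        } else {
            'Ready for in place upgrade'
        }
        [pscustomobject]@{ Name = $Device.Name; Bucket = $bucket }
    }
}

function Get-LocalUpgradeFacts {
    param([Parameter(Mandatory)] [bool] $CpuSupported)
    # Sum installed modules; Win32_ComputerSystem reports slightly less than installed RAM.
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
                 Measure-Object -Property Capacity -Sum).Sum
    $sysDisk  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    # Win32_Tpm needs an elevated session; without one the device reads as having no TPM.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name         = $env:COMPUTERNAME
        RamGB        = [math]::Round($ramBytes / 1GB)
        DiskGB       = [math]::Round($sysDisk.Size / 1GB)
        Tpm20        = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')
        CpuSupported = $CpuSupported
    }
}

# Constructed sample inventory (not real devices), as an RMM export might look.
$sample = @(
    [pscustomobject]@{ Name = 'FIN-LT-01'; RamGB = 16; DiskGB = 512; Tpm20 = $true;  CpuSupported = $true }
    [pscustomobject]@{ Name = 'OPS-DT-07'; RamGB = 4;  DiskGB = 32;  Tpm20 = $true;  CpuSupported = $true }
    [pscustomobject]@{ Name = 'LAB-DT-02'; RamGB = 8;  DiskGB = 256; Tpm20 = $false; CpuSupported = $false }
)
$sample | Get-UpgradeBucket | Group-Object -Property Bucket | Select-Object Count, Name

# Classify the machine this runs on (run elevated; CpuSupported here is the caller's claim).
Get-LocalUpgradeFacts -CpuSupported $true | Get-UpgradeBucket
```

The bucket only covers the four hardware checks the article names; warranty status and critical app lists from the inventory still decide whether a qualifying device is worth keeping.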
Hidden costs to watch
- Old peripheral drivers, label printers, card readers, and scanners often need new drivers or firmware
- Encryption policies and endpoint protection rules may need small changes for Windows 11
- A few legacy apps may require compatibility mode or an interim upgrade from the vendor
Option three, refresh hardware and modernize the fleet
Where devices are not eligible or are aging out, a refresh removes risk and improves productivity. New laptops and desktops offer stronger security features, faster storage, and better battery life. Port standardization also helps with docking and conference room setups. The question for finance is whether to buy outright or to lease.
Buying outright
Buying hardware outright is simple. You pay once and own the device. Depreciation is predictable. You avoid financing charges. The tradeoff is lumpy cash outlay and the temptation to stretch device life beyond the support window. Running five year old machines often seems thrifty until the soft costs arrive. Lost minutes per day from slow boot, app lag, and flaky Wi-Fi add up. More help desk tickets add cost. Unplanned downtime can erase the savings from deferring a refresh.
Leasing and device as a service
Leasing spreads the cost across predictable monthly payments. Device as a service extends that model with bundle options such as warranty, accidental damage, loaner pools, asset tracking, and secure disposal. For many organizations, the big win is lifecycle discipline. Terms often align with a three year refresh and a structured return. That keeps fleets current without internal debates each budget cycle.
When leasing shines
- You want to align device spend with revenue through operating expense instead of capital expense
- You need consistent hardware standards across sites and teams
- You value guaranteed refresh timing and baked in logistics for provisioning and returns
When buying can be better
- You have a small number of devices and simple needs
- You run equipment in controlled environments with low risk and can maintain strong device hygiene
- Cash flow is strong and you prefer to avoid financing costs
Building a timeline and budget that work
From the MSP seat the most successful customers follow a structured plan that spreads change across quarters. Here is a simple playbook you can adapt.
Quarter one
- Inventory every device and map app dependencies
- Decide which devices will upgrade in place and which will refresh
- Identify minimum viable standards for new hardware such as CPU family, memory, storage, Wi-Fi, and camera quality
- Approve a pilot plan for both in place upgrades and new hardware imaging
Quarter two
- Execute the pilot and collect feedback from users and managers
- Lock standardized models with your procurement partners
- Decide on buy versus lease, and sign master agreements for either path
- Stand up a migration runbook that covers data backup, profile transfer, encryption, and endpoint security
Quarter three
- Roll out upgrades and replacements in waves by department or site
- Monitor incident volumes and adjust the pace to minimize disruption
- Retire or repurpose old devices in a controlled process with certified data wipe and a clear chain of custody
Quarter four
- Close out ESU coverage if used
- Update your asset system and warranties
- Review the year: what worked well and what needs to change for the next lifecycle
Security guardrails that keep risk down throughout the transition
Even with a good plan the period around a platform change can be noisy. Put these controls in place to keep your exposure low while you move.
- Enforce multi-factor authentication everywhere, including remote access and admin tools
- Keep endpoint protection current and monitor for tamper events
- Segment any machines that remain on Windows 10 behind restrictive rules and limit access to sensitive systems
- Use application allow lists for high risk roles or kiosks
- Back up user data to approved locations before any upgrade or replacement
- Track and patch third-party applications, browsers, and plugins, since these are common attack paths
Total cost of ownership, a simple way to compare options
When leadership asks for the numbers, compare the real cost over a three year horizon. Add the following pieces for each path.
For ESU
- Annual ESU fee per device, multiplied by the number of devices and number of years
- Extra monitoring and isolation time for older devices
- Likelihood of more incidents that consume support hours
- The cost of a later rush upgrade if you defer too long
For in place upgrade
- Labor to plan, pilot, and roll out the upgrade
- Minor hardware upgrades where needed, for example memory or SSD
- Lost time during upgrade windows
- Reduced risk and better productivity once on Windows 11
For refresh with purchase
- Purchase price, imaging, and deployment services
- Warranty and accidental damage coverage
- Productivity gains from faster machines, which you can estimate as minutes saved per day
For refresh with lease or device as a service
- Monthly fee times term length and number of devices
- Included services like swap, logistics, and disposal
- The value of predictable refresh and reduced internal handling
Often the blended path wins. Use ESU for a short time on machines that truly need delay, upgrade in place where it is safe and efficient, and refresh the rest through a mix of purchase and lease that fits your cash flow.
Communication matters as much as the tech
End users care about their work, not the operating system. You will get better results if you communicate early and keep it simple.
- Explain the reason: unsupported systems raise risk and cost for everyone
- Share the schedule by team, with clear expectations on timing and any short planned downtime
- Provide a quick start guide for Windows 11 so that users know where common settings moved
- Offer office hours or short training clips, which reduces tickets on day one
- Thank teams that participate in pilots and use their feedback to improve the rollout
Procurement and supply planning, avoid surprises
The market for business laptops and desktops can tighten when many companies refresh at once. Work with your MSP and vendors to lock in standard models and lead times. Ask for a spare pool for fast replacements. Confirm warranty terms and on site support coverage. Align shipping and imaging workflows so that devices arrive ready for sign in, with security controls and corporate branding already in place.
A note on special cases
Some roles will always need exceptions. Engineering rigs, lab devices with attached instruments, manufacturing workstations that control equipment, and thin clients tied to specific terminals are common examples. Document those cases and treat them as separate workstreams with their own risk and mitigation plans. You may combine ESU with network isolation and enhanced monitoring for those stations while you pursue vendor certifications or design a replacement.
How to decide in one meeting
If you only have time for one decision session, use this checklist.
- Confirm the end of support timeline and the goal to be off Windows 10 as soon as practical
- Approve a short ESU window for true exceptions only
- Approve in place upgrades for all eligible devices under a managed pilot and phased rollout
- Approve a refresh for remaining devices using either purchase or lease based on budget
- Approve communication and training materials for end users
- Assign owners and target dates for inventory, pilot, rollout, and wrap up
Your MSP will turn those approvals into a runbook and a calendar with clear owners.
Final thought
End of support is not just a security milestone. It is a chance to clean up hardware sprawl, retire legacy apps, improve user experience, and bring predictability to your device lifecycle. Pay for coverage only where it buys you time, move the bulk of your fleet forward, and use the transition to tighten your standards. The result is a safer, faster, and easier to manage environment that supports the business rather than getting in the way.