Microsoft officially ended support for most editions of Windows 10 on October 14, 2025. It will continue to offer Extended Security Updates (ESU) for a limited time for Windows 10 version 22H2, but that program expires as well, and it can be expensive to maintain.
This decision matters because roughly 40%-45% of Windows users worldwide still run Windows 10. From a cybersecurity perspective, the risk is clear: with support ended, Microsoft no longer ships patches for newly discovered Windows 10 vulnerabilities, so every flaw found after the cutoff stays exploitable on devices that are not covered by ESU. That makes Windows 10 an enticing target for threat actors, who are always on the lookout for the lowest-hanging fruit.
Next Steps and Challenges
Users of Windows 10 are encouraged to implement a migration plan to Windows 11 as soon as possible, but for many organizations, this poses challenges. A migration to a new operating system is costly and time-consuming, and may also create issues for legacy or niche software that only runs well on older versions of Windows.
This issue is especially glaring for businesses that operate industrial processes and run Operational Technology (OT) systems. Cyberattacks targeting OT systems increased by more than 87% from 2023 to 2024, according to data published by the industrial cybersecurity firm Dragos. The reason is simple: many OT systems run on legacy operating systems that accumulate unpatched vulnerabilities, making them irresistible targets for threat actors. That threat now extends to Windows 10 as it officially becomes a legacy operating system.
The Risks in Postponing Migration
Organizations that don’t migrate to Windows 11, whatever the reason, will run into several challenges. However daunting the task may seem, it is important to understand the risks of not upgrading:
- Regulatory and cyber-insurance requirements: Organizations that continue to run operating systems no longer supported by the vendor may be violating regulatory requirements. This can result in steep financial penalties and even loss of operating licenses. The organization may also find that it has voided its insurance policies: if an incident occurs, cyber-insurance may refuse to pay out because the organization failed to meet the policy's requirement to keep systems up to date.
- More headaches for IT staff: Maintaining both current and legacy systems is daunting for IT staff. When an operating system is no longer supported, key features often undergo significant changes, and older networking protocols are sometimes altered or discontinued. Managing these mixed environments creates unnecessary work. With the EOL of the operating system, vendor technical support also ends, leaving IT teams on their own when problems arise.
- Extended security update costs increase: The Windows 10 ESU program for organizations doubles in price each year, and ESU covers only security fixes rated critical or important, not new features or non-security bug fixes. Patches for critical vulnerabilities also tend to arrive later for legacy systems than for the current OS, leaving these devices exposed to exploits for longer. Considering these factors, the return on investment from running an outdated OS shrinks with time.
- Legacy systems expose the organization to cyber-threats: Even when a legacy system receives ESU, those updates cover only the operating system; they do nothing for vulnerabilities in third-party applications, which often cannot be updated because newer versions no longer support the old OS. The result is a growing number of vulnerabilities for threat actors to exploit. Once one of these systems is compromised, the attacker can use it as a foothold to move laterally across the organization.
Guidelines to Consider
Organizations faced with this dilemma should prioritize migration while following some simple guidelines:
- Start by taking inventory of all systems running Windows 10 or older, including laptops, OT, and kiosk devices.
- Prioritize migrating critical systems first. Systems holding sensitive data or supporting critical processes are the most attractive targets for threat actors and should move before the rest.
- Review application support for any legacy system. Many vendors will stop updating or supporting versions of applications designed to run on Windows 10. Take inventory of these applications and understand the possible impact on business if these applications no longer function.
- Evaluate ongoing costs for those systems that will remain on Windows 10. These costs can include not only ESU for the operating system itself, but also any legacy applications the organization plans to continue running on these systems, along with their associated extended support costs.
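The first two guidelines (inventory, then prioritize) can be scripted. The PowerShell below is an added example for this article, not Bitdefender code. It assumes the RSAT ActiveDirectory module is installed and the account can read computer objects, and it uses a hypothetical convention that critical hosts carry the word "Critical" in the AD Description attribute (substitute your CMDB tag). It classifies machines by build number rather than product name, because the registry ProductName value still reads "Windows 10 ..." on Windows 11, and it adds a local check for devices such as kiosks or OT workstations that are not domain-joined.

```powershell
# Added example: inventory domain-joined Windows 10 devices and rank critical ones first.
# Not Bitdefender code. Assumes RSAT ActiveDirectory and a hypothetical 'Critical' tag
# in the AD Description attribute.

Import-Module ActiveDirectory

# Build numbers are the reliable discriminator: 22000+ is Windows 11, 19045 is
# Windows 10 22H2 (the only ESU-eligible version), 10240-19044 are older Windows 10.
# LTSC editions (e.g. LTSC 2021 on build 19044) follow their own lifecycle, so they
# are labelled separately instead of being treated as out-of-support consumer builds.
function Get-WindowsBuildClass {
    param([int]$Build, [string]$OsName = '')
    if ($OsName -match 'LTSC')  { return 'Windows 10 LTSC (separate lifecycle)' }
    if ($Build -ge 22000)       { return 'Windows 11' }
    if ($Build -eq 19045)       { return 'Windows 10 22H2 (ESU-eligible)' }
    if ($Build -ge 10240)       { return 'Windows 10 pre-22H2 (no ESU)' }
    return 'Pre-Windows 10'
}

# Local check for a single endpoint that is not in AD (kiosk, OT workstation, lab box).
function Get-LocalWindowsBuildClass {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DisplayVersion = $cv.DisplayVersion              # e.g. 22H2
        Build          = [int]$cv.CurrentBuild
        Class          = Get-WindowsBuildClass -Build ([int]$cv.CurrentBuild) -OsName $cv.ProductName
    }
}

# Domain-wide inventory. 'Windows 1*' matches client SKUs (Windows 10/11) and skips
# "Windows Server ..." objects; OperatingSystemVersion looks like "10.0 (19045)".
$staleCutoff = (Get-Date).AddDays(-90)
$inventory = Get-ADComputer -Filter 'OperatingSystem -like "Windows 1*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Description |
  ForEach-Object {
    $build = if ($_.OperatingSystemVersion -match '\((\d+)\)') { [int]$Matches[1] } else { 0 }
    [pscustomobject]@{
        Name          = $_.Name
        OS            = $_.OperatingSystem
        Build         = $build
        Class         = Get-WindowsBuildClass -Build $build -OsName $_.OperatingSystem
        Critical      = ($_.Description -match 'Critical')
        LastLogonDate = $_.LastLogonDate
        # No logon in 90 days usually means a decommissioned object; verify before counting it.
        Stale         = ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $staleCutoff)
    }
  }

# Migration worklist: live Windows 10 hosts only, critical first, then oldest builds first.
$worklist = $inventory |
  Where-Object { $_.Class -like 'Windows 10*' -and -not $_.Stale } |
  Sort-Object @{Expression = 'Critical'; Descending = $true}, Build

$inventory | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
$worklist  | Export-Csv -Path .\win10-migration-worklist.csv -NoTypeInformation
```

Run it from a management host with the ActiveDirectory module; the summary table shows how many devices fall into each class, and the CSV is the ordered migration worklist. Reconcile the stale entries against your asset register rather than deleting them, since an OT device that rarely authenticates to the domain can look stale while still being in service.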
How Bitdefender Can Help
While many organizations gradually migrate their environments to Windows 11, Bitdefender understands that these migrations are complex and take time, and are not a viable option for a significant number of businesses.
Bitdefender is committed to protecting organizations running Windows 10 with our award-winning security solutions and services. Many of our features are decoupled from the operating system, which lets us keep delivering advanced protection regardless of the OS version your organization runs. The list of operating systems for which Bitdefender has ended support is published in our FAQ. Our solutions will continue to fully support all versions of Windows 10 with features that include:
- Advanced anti-virus with machine learning and AI. Our core anti-virus provides the most advanced protection against modern ransomware, spyware, and all manner of cyber-threats. It offers robust heuristics, file-less attack protection, anti-tampering, anti-exploit protection, tamper-proof ransomware mitigation, cloud and local sandboxing, and more.
- Extensive Risk Management included. GravityZone Risk Management is a key component of Bitdefender’s prevention-first strategy and part of the core endpoint protection feature set. It helps identify vulnerabilities in the operating system, in applications, and even in user behaviors that can lead to a damaging security incident. It also includes one-button remediation options and full integration with GravityZone Patch Management.
- Content, Application, and Device Control. GravityZone’s Content Control allows security teams to manage access to external sites and can help prevent users from compromising the organization's security. Application Control enables white-listing and black-listing of applications, giving security teams greater control over which apps are installed on systems. Device Control helps protect organizations from insider threats by giving security teams full control over external devices’ (such as USB drives) ability to connect to endpoints.
- Robust Cloud Security and Container Protection. GravityZone Cloud and Server Security offers powerful protection for cloud workloads and containers. It’s designed to prevent threats in cloud environments—including virtual machines running Windows 10—with unique optimizations to keep resource consumption low and thus reduce operating costs for organizations’ cloud security.
- Powerful Add-Ons. GravityZone add-ons provide additional layers of prevention, protection, detection, and response capabilities. GravityZone Patch Management allows for the patching of operating systems and applications across multi-OS environments, including Windows 10. System-Wide Integrity Monitoring aids organizations in achieving a zero-trust architecture by allowing security teams to define granular access to critical files and system resources while monitoring for unauthorized changes. GravityZone EDR/XDR delivers detection and response capabilities to organizations of all sizes covering a broad attack surface that includes systems, networks, cloud workloads, identity platforms, business and productivity applications. Mobile and Email security help keep organizations safe from common initial access attacks that compromise our most used communication methods.
- Award-Winning Cybersecurity Services. Bitdefender MDR is one of the top-rated MDR service providers by customers and will continue to support Windows 10 environments. Beyond 24x7 monitoring, Bitdefender MDR offers services often not found with other MDR providers such as Dark-Web monitoring, brand and IP protection, global intelligence analysis, Digital Forensics Incident Response (DFIR) and more. Other services, which will continue to include support for Windows 10, include Offensive Security Services and Cybersecurity Advisory Services.
EOS Doesn’t Have to Mean End to Protection
Organizations continuing to operate Windows 10 face mounting pressure from multiple directions—regulatory compliance, rising cyber-insurance premiums, and an expanding threat landscape that specifically targets unsupported systems.
While migration to Windows 11 remains the ideal path forward, Bitdefender recognizes that transitions happen on practical timelines dictated by operational constraints, budget cycles, and technical dependencies. Our commitment extends beyond acknowledging these challenges to providing comprehensive protection for Windows 10 environments through layered defenses that address the specific weaknesses of legacy systems.
Bitdefender ensures your organization can maintain its security posture during migration—or when transition isn't feasible. Windows 10 may now be legacy, but your protection strategy doesn't have to be.