Defra £312m IT Modernisation as Windows 10 Nears End of Support

The UK’s Department for Environment, Food & Rural Affairs (Defra) quietly disclosed that it has spent roughly £312 million modernising its IT estate — a programme that removed 31,500 Windows 7 laptops, patched tens of thousands of vulnerabilities and migrated dozens of legacy applications — even as Microsoft’s Windows 10 reached its official end‑of‑support milestone in October 2025.

Background / Overview

Defra’s figures were provided in a formal update from interim Permanent Secretary David Hill to the Public Accounts Committee (PAC), submitted in response to the committee’s earlier recommendation that the department strengthen its business case for IT investment and report back within a year. The department reports that, across the 2022–23 to 2024–25 spending review period, the £312m investment covered device refreshes, vulnerability remediation, legacy application migration and datacentre consolidation. The scale is unambiguous:
  • 31,500 laptops moved off Windows 7 to Windows 10.
  • 49,000+ critical vulnerabilities remediated.
  • 137 legacy applications migrated to modern platforms.
  • One datacentre closed with three more planned.
  • A residual backlog of 24,000 end‑of‑life devices and 26,000 smartphones scheduled for replacement over the next three years.
Taken together, Defra says these measures will strengthen the reliability of mission‑critical services — flood prevention, biosecurity at the border, farming payments and animal health systems — and reduce immediate cyber risk. But the timing and choice of target operating system create a new set of policy and procurement problems for the department.

Why the timing matters: Windows 10 end of support and ESU

Microsoft publicly set a firm lifecycle cutoff for mainstream Windows 10 servicing: October 14, 2025, after which routine security, quality and feature updates for most Windows 10 editions would stop unless a device was enrolled in the Extended Security Updates (ESU) programme. Microsoft documents that guidance on its lifecycle and ESU pages.
ESU exists as a time‑boxed bridge. For consumers Microsoft published a one‑year consumer ESU window (ending October 13, 2026) and provided online enrolment paths; for commercial customers ESU was offered through volume licensing with a multi‑year, escalating price schedule. Industry reporting and Microsoft’s own materials describe a Year‑One list price for commercial ESU around $61 per device, designed to double each subsequent year — a clear commercial incentive to migrate rather than pay indefinitely.
That programme design is crucial: buying ESU for large fleets can become materially expensive within a few years, while cloud activation routes and Windows 365/Cloud‑PC entitlements can absorb ESU in specific scenarios. But these options vary by workload, licensing and whether devices meet Windows 11 readiness criteria.

What Defra actually bought for £312m — the wins and the caveats

Tangible security and operational gains

Defra’s investment shows clear operational progress. The most concrete wins reported are:
  • Immediate risk reduction: Replacing 31,500 Windows 7 laptops eliminated an acute, high‑risk population of unsupported endpoints that were unpatchable and attractive to attackers.
  • Vulnerability remediation: Fixing over 49,000 critical vulnerabilities is a measurable security outcome that reduces attack surface and supports regulatory compliance.
  • Application rationalisation: Migrating 137 legacy apps and closing datacentre capacity reduces operational fragility and lowers infrastructure footprint.
  • Improved service resilience: The department frames these changes as defensive investments to keep essential services — from agricultural payments to animal health systems — running reliably.
These are real, material improvements compared with leaving thousands of devices on Windows 7, which had been unsupported for years.

The unavoidable caveat: bought obsolescence

Despite those gains, the choice to standardise the newly refreshed fleet on Windows 10 — in a programme that ran into 2024–25 — raises a difficult strategic mismatch. Windows 10’s vendor‑supported mainstream servicing ended on October 14, 2025, which means many of the department’s recently upgraded endpoints now sit on a platform that will soon be unsupported unless Defra pays for ESU or replatforms them to Windows 11 or cloud PCs.
Defra’s own update acknowledges this tension but did not, in the publicly available letter, unambiguously confirm whether commercial ESU licences had been purchased for the upgraded fleet at the time of reporting. That lack of clarity is politically and fiscally significant given the possible downstream costs.

The numbers in practice: ESU economics and procurement realities

Understanding the scale of the problem requires hard numbers and realistic procurement modelling.
  • ESU commercial list pricing has been widely reported at roughly $61 per device for Year One, with Year Two and Year Three projections escalating sharply. That doubling cadence is an explicit nudge to accelerate migration rather than subsidise indefinite legacy maintenance.
  • At even modest per‑device rates, ESU for tens of thousands of devices is non‑trivial. For example, a Year‑One ESU bill for 31,500 devices at $61 each is approximately $1.92 million — a manageable figure relative to £312m up front, but one that compounds if extended and if additional cohorts (like the outstanding 24,000 EOL devices) need coverage. And Year Two/Three pricing can multiply that figure dramatically.
Procurement realities complicate this arithmetic:
  • Many of the older machines in Defra’s backlog will not meet Windows 11 hardware requirements (TPM 2.0, UEFI Secure Boot, supported CPU families), making in‑place upgrades impossible and increasing the capital cost of replacing them with modern Windows 11‑capable devices.
  • Cloud PC and Windows 365 entitlements can absorb ESU for certain workloads, but migrating stateful, domain‑joined, or specialised application workloads to cloud desktops requires licence, network and operational changes that introduce both cost and transition risk.

Governance, procurement timing and public‑sector oversight

Defra’s response to the PAC arrived roughly 17 months after the committee’s original one‑year follow‑up deadline. Delays in governance reporting are not merely bureaucratic; they matter because vendor lifecycles are calendar events that cannot be negotiated at the last minute. The PAC requested follow‑up by May 2024; Defra’s later submission reduced transparency on whether it purchased ESU or exactly how it will fund the Windows 11 migration or cloud transition that comes next.
Key governance lessons from this episode:
  • Align procurement windows with vendor lifecycle events. Operating systems and major enterprise platforms announce EOL dates years in advance; public‑sector procurement cycles must be synced to avoid mid‑programme obsolescence.
  • Publish time‑boxed migration plans. If ESU is to be used, document which devices will be covered, for how long, and at what expected cost to prevent surprise budget shocks.
  • Tie transformation milestones to measurable KPIs: vulnerability counts, mean time to restore, uptime for critical services, and successful migration of the highest‑risk applications.

Practical risk management: what Defra (and similar organisations) should do next

There is a single practical imperative: avoid repeating the cycle. The following steps are pragmatic and sequenced.
  • Immediately publish a time‑boxed roadmap for the next 36 months that lists:
      • which cohorts will be migrated to Windows 11 and when;
      • which devices will be covered by commercial ESU, and for how long;
      • which services will move to Cloud PCs or be rehosted.
  • Prioritise business‑critical, border‑facing and externally exposed services for accelerated migration and testing.
  • Use ESU only as a targeted bridge, not a default. Reserve ESU for non‑replaceable, high‑risk endpoints and budget it explicitly.
  • Expand cloud activation and Windows 365 use where it reduces ESU cost exposure while maintaining acceptable security and performance SLAs.
  • Adopt circular procurement and refurbishment to reduce e‑waste and net capital costs; mandate secure data‑erasure and certified recycling in contracts.
  • Improve parliamentary reporting cadence: quarterly publicly available progress updates to restore oversight confidence.
These steps focus on reducing financial risk, operational fallout and environmental harm while preserving the short‑term security gains already achieved.

Technical realities: Windows 11 compatibility and the hidden costs of in‑place upgrades

Upgrading a device from Windows 10 to Windows 11 is not purely a software exercise; it is an inventory and hardware compatibility problem.
  • Minimum hardware requirements for Windows 11 (TPM 2.0, Secure Boot, supported CPU families and a baseline of memory and storage) mean not all existing devices are upgradeable. In many public‑sector estates that gap drives the need for new hardware procurement. Microsoft’s lifecycle materials and readiness tools make this explicit and link compatibility checks to upgrade eligibility.
  • For specialised, domain‑joined workstations that host legacy applications, migration needs application owners, supplier involvement and often re‑certification and retesting before the service can be declared modernised.
  • Where in‑place hardware changes (BIOS updates, firmware upgrades, TPM activation) are possible, the per‑device cost and the risk of service interruption must be accounted for. For devices that cannot be remedied, full replacement is the only safe route.
These technical realities make the “one‑click OS upgrade” narratives insufficient for large, mission‑critical estates.
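
The inventory problem described above, combined with the ESU price schedule from the economics section, can be worked as a fleet triage. This is an added example, not taken from the article or from Defra: the `Device` schema, the sample fleet and the years-on-ESU plan are hypothetical, and the 4 GB / 64 GB floors are Microsoft's published Windows 11 minimums.

```python
from collections import Counter
from dataclasses import dataclass

MIN_RAM_GB, MIN_DISK_GB = 4, 64   # Microsoft's published Windows 11 floors
ESU_YEAR1_USD = 61                # Year-One list price cited above; doubles yearly

@dataclass
class Device:                     # hypothetical inventory schema
    name: str
    tpm_version: str              # "" when no TPM is fitted
    tpm_enabled: bool
    secure_boot_capable: bool     # UEFI firmware that supports Secure Boot
    secure_boot_on: bool
    cpu_supported: bool
    ram_gb: int
    disk_gb: int

def triage(d: Device) -> str:
    """'upgrade' = ready now, 'remediate' = firmware setting only, 'replace' = hardware blocker."""
    hardware_ok = (d.cpu_supported and d.tpm_version.startswith("2.")
                   and d.secure_boot_capable
                   and d.ram_gb >= MIN_RAM_GB and d.disk_gb >= MIN_DISK_GB)
    if not hardware_ok:
        return "replace"
    if not (d.tpm_enabled and d.secure_boot_on):
        return "remediate"
    return "upgrade"

def esu_cost_per_device(years: int) -> int:
    """List-price ESU for consecutive years: 61 + 122 + 244 ... = 61 * (2**years - 1)."""
    return ESU_YEAR1_USD * (2 ** years - 1)

def esu_exposure(fleet, years_on_esu):
    """Total ESU bill if each triage cohort stays on Windows 10 for the given ESU years."""
    cohorts = Counter(triage(d) for d in fleet)
    total = sum(n * esu_cost_per_device(years_on_esu[c]) for c, n in cohorts.items())
    return cohorts, total

# Constructed sample inventory (not Defra data).
FLEET = [
    Device("LT-001", "2.0", True,  True,  True,  True,  16, 256),
    Device("LT-002", "2.0", False, True,  False, True,  8,  256),  # TPM off in firmware
    Device("LT-003", "1.2", True,  True,  True,  False, 8,  128),  # TPM 1.2, old CPU
    Device("LT-004", "",    False, False, False, False, 4,  500),  # legacy BIOS, no TPM
    Device("LT-005", "2.0", True,  True,  True,  True,  4,  32),   # disk below 64 GB
]
# Planning assumption: ready devices need 0 ESU years, remediable 1, replacements 2.
PLAN = {"upgrade": 0, "remediate": 1, "replace": 2}

if __name__ == "__main__":
    print(esu_exposure(FLEET, PLAN))
```

Under the doubling schedule a device held on ESU for all three years costs $427 at list price, seven times the Year-One figure, which is why the triage cohort a device lands in matters more than the headline per-device rate.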

Political optics and accountability

From a public‑policy perspective, the optics are awkward. The headline number — £312 million — reads as decisive action on legacy IT. In practice, it is a multi‑year programme with real security wins but lingering liabilities. Opponents and auditors will reasonably ask whether the department bought transient benefits by choosing an operating system that itself was due to be retired within months of the rollout completing.
The accountability question is not purely retrospective. It is forward‑looking: Defra must show that the initial investment maps to a funded, realistic plan to reach a supported baseline for all critical services without perpetual ESU dependency.

Broader lessons for public‑sector IT modernization

Defra’s case is emblematic of a wider problem that affects many governments and large organisations:
  • Modernisation is not a single purchase. Hardware, OS, application refactoring and organisational change must be budgeted and scheduled together.
  • Vendor lifecycles are fixed calendar constraints. Treat them as hard dates in procurement and budgeting processes.
  • ESU is a limited lifeline, not a long‑term strategy. Its pricing structure and commercial design are intended to accelerate migration, not subsidise legacy upkeep.
  • Transparency matters. Timely reporting to oversight bodies improves auditability and helps secure subsequent funding when needed.
These lessons apply beyond Defra and are a practical checklist for any public CIO managing a large legacy estate.

Strengths and weaknesses — an analyst’s assessment

Notable strengths

  • The programme addressed immediate and tangible security risks: the removal of a large Windows 7 estate and remediation of tens of thousands of critical vulnerabilities are not cosmetic wins; they materially reduce attack surface.
  • Application migration activity and datacentre consolidation signal an intent to modernise beyond the desktop layer.
  • Investment delivered demonstrable operational improvements for services that affect citizens directly.

Significant risks and weaknesses

  • The OS choice created a shortened support runway and potential recurring costs via ESU or rapid replatforming.
  • Lack of public clarity about ESU purchases and the funding pathway to Windows 11 or cloud desktops leaves a fiscal black hole in the near term.
  • Procurement and governance delays reduced parliamentary oversight and increased reputational risk.
  • Environmental and sustainability impacts from mass device replacement require active mitigation through circular procurement and refurbishment commitments.

What this means for citizens, taxpayers and IT practitioners

For citizens and taxpayers, the issue boils down to value for money and public accountability. The £312m investment produced meaningful security gains, but taxpayers can reasonably expect a clear plan showing how those gains will be preserved without recurring, avoidable additional expenditure.
For IT leaders and practitioners in the public sector, Defra’s experience is a cautionary tale:
  • Start lifecycle alignment planning early.
  • Use ESU deliberately and document its scope.
  • Prioritise high‑risk services for early migration.
  • Keep oversight bodies informed with quarterly, measurable reporting.

Conclusion

Defra’s £312 million modernisation programme delivered significant, measurable security and operational improvements — most importantly removing thousands of Windows 7 endpoints and cleaning up a large backlog of critical vulnerabilities. Those actions matter: they reduced immediate risk to services that protect public safety, food supply and border biosecurity.
Yet the decision to standardise the refreshed fleet on Windows 10, as Microsoft’s own lifecycle clock ran down to a fixed October 14, 2025 cutoff, created a strategic mismatch between short‑term remediation and medium‑term resilience. The choice increases the likelihood of further large‑scale expenditure — either via commercial ESU, rapid hardware refreshes, or migration to cloud PCs — unless Defra now pursues and funds a tightly time‑boxed migration to Windows 11 or cloud‑native desktops and publishes clear, quarterly progress reports for parliamentary oversight. The core lesson is straightforward: modernisation is an end‑to‑end programme, not a sequence of disjointed purchases. Vendor lifecycle events are immovable deadlines; procurement calendars, budgets and migration schedules must be anchored to them to avoid the costly repetition of buying yesterday’s solution tomorrow.

Source: Windows Central, "Good job: UK govt spent £312M upgrading to Windows 10 before support ended"