Korean Government Warns: Windows 10 End of Support Risk and Migration Gaps

Four in ten government desktops at the Ministry of Science and ICT and a large share across the Ministry of the Interior and Safety remained on Windows 10 as Microsoft’s official support deadline approached, exposing a material security gap at the heart of South Korea’s public‑sector IT estate.

Background / Overview​

Microsoft set a firm end‑of‑support date for Windows 10: routine security updates, cumulative quality fixes and standard technical support for mainstream Windows 10 editions stop on October 14, 2025. After that date, devices not enrolled in an Extended Security Updates (ESU) program no longer receive monthly OS‑level security patches, leaving any newly discovered kernel, driver or system vulnerability unpatched by Microsoft. To ease the immediate operational impact Microsoft published consumer and commercial ESU options. The consumer ESU provides a limited, one‑year, security‑only bridge through October 13, 2026 for eligible devices; enterprise ESU options exist with different pricing and multi‑year terms. Microsoft’s lifecycle FAQs and customer guidance make clear that ESU is a temporary option, not a long‑term substitute for migration to a supported OS. The practical effect is simple and consequential: after October 14, 2025, unenrolled Windows 10 machines still boot and run, but they no longer receive OS‑level security fixes. That elevates their risk profile for malware, ransomware, privilege escalation exploits and nation‑state campaigns that habitually weaponize unpatched platforms. Independent telemetry from security vendors and industry analysts has shown a sizable Windows 10 installed base heading into the deadline, increasing the operational urgency for large fleets—especially in government and critical infrastructure.

---

What Chosun Biz reported — the numbers and the gap​

A recent report in Chosun Biz highlighted the paradox: the very ministry charged with national ICT strategy still runs a significant number of Windows 10 endpoints. According to the report, as of the early October snapshot:

• The Ministry of Science and ICT had 1,233 PCs on its inventory and 437 of them were running Windows 10 — roughly 35.4% of its machines.
• The Ministry of the Interior and Safety’s desktop estate showed mixed readiness: 248 of 3,803 headquarters PCs were still on Windows 10 (about 6.5%), while across the ministry and its affiliates 4,623 out of 10,749 PCs (about 43%) remained on Windows 10. At affiliated agencies alone, 4,375 of 6,946 PCs (about 62.98%) were still on Windows 10.

The Chosun Biz story reports that the Science and ICT ministry is under contract with a Windows migration provider and aims to complete a Windows 11 transition by the end of the month, but stressed that practical constraints — holiday schedules, development work for specialised 5G laptops, and the recent National Information Resources Service (NIRS) data‑center fire — made an immediate, risk‑free cutover unrealistic. The ministry reportedly signalled caution to avoid creating further instability during recovery operations.
Important caveat: those agency figures were reported to the media as counts and plans from the ministries’ own briefings and are not the product of an independent audit published by a neutral agency. The numbers are directionally credible and consistent with the broader pattern of slow Windows 11 adoption in public‑sector inventories, but they should be treated as ministry disclosures rather than audited device‑by‑device verification.

---

Why this matters now: the security and policy context​

Elevated attack surface, not abstract risk​

Unsupported OSes become practical targets. When a vendor stops shipping security updates, any new zero‑day affecting that OS can be weaponised at scale because defenders lack vendor fixes to deploy. Past EOL events (Windows XP, Windows 7) show the operational reality: attackers pivot to older, unpatched platforms as they present easier, high‑yield attack surfaces. For national ministries that handle citizen data and critical services, that risk is amplified.

Recent Korean incidents sharpen the alarm​

South Korea experienced multiple high‑profile security incidents in 2025 that have focused public and regulatory attention on resilience:

• SK Telecom disclosed a large USIM/authentication key incident in April 2025 and launched a mass USIM replacement program for subscribers; the breach prompted a government investigation and enforcement measures. The scale and regulatory reaction underscored systemic information‑security shortcomings at large telecom operators.
• Financial and payments firms were hit in summer and autumn 2025: Lotte Card reported a significant data breach affecting millions of customers, triggering an FSS (Financial Supervisory Service) investigation and consumer compensation orders. Those incidents increased pressure on regulators and private firms to harden controls.
• A catastrophic fire at the National Information Resources Service (NIRS) datacenter in late September destroyed hundreds of terabytes of government files, including the G‑Drive repository used by civil servants; recovery is ongoing and a sizeable portion of data was irretrievably lost, which intensified operational strains across agencies. The fire also temporarily disrupted services and constrained IT teams who were simultaneously tasked with system restoration and patching initiatives.

Taken together, these events create a demanding environment for IT operations: teams are balancing disaster recovery, regulatory audits, incident responses and a deadline that amplifies the risk of leaving a large number of endpoints unpatched. The optics of ministries themselves running unsupported OSes compounds public concern and political scrutiny.

---

Technical constraints that slow upgrades​

Hardware baseline and Windows 11 eligibility​

Windows 11 enforces a non‑trivial hardware baseline: a compatible 64‑bit processor (1 GHz or faster, 2+ cores), 4 GB RAM, 64 GB storage, UEFI firmware with Secure Boot capability and TPM 2.0. Many older or low‑spec devices — particularly legacy workstations deployed in government offices — fail one or more of these checks, making an in‑place, supported upgrade to Windows 11 impossible without hardware modification or replacement. This hardware filter is both a security choice and a migration friction point. The security gains of TPM, Secure Boot and virtualization‑based protections are real, but they impose replacement or retrofitting costs that can be material at scale. Where ministries run thousands of PCs with sub‑2018 CPUs or without firmware TPM, the practical answer is often replacement — a budgetary and procurement exercise that takes months to execute.

Legacy application compatibility and custom systems​

Government agencies frequently run bespoke legacy applications, middleware and line‑of‑business systems that require testing and validation before an OS upgrade. Upgrading a fleet without thorough compatibility testing risks service outages for payroll, licensing, records, or specialized ICT systems — a real political and operational headache during recovery periods. That testing takes time and often requires vendor engagement, retesting and regression plans.

Budget and procurement cycles​

Large public procurements rarely move at consumer pace. Ministries cited budget constraints and procurement lead times as reasons why lower‑spec devices are being retained on Windows 10 longer and will be phased out over months rather than days. Where device replacement is the only viable path to Windows 11, agencies must weigh capital budgets, disposal and e‑waste plans, and vendor timelines. The Ministry of the Interior and Safety’s stated plan — to upgrade some fraction this month, more within the year, and the remainder next year — is consistent with staged refresh programs driven by funding cycles.

---

How the ministries plan to respond (and the practical gaps)​

• The Ministry of Science and ICT says it is under a migration contract and aiming to finish by month‑end, but operational constraints (holiday calendar and the NIRS fire recovery) limit how quickly mass upgrades can be performed without causing service interruptions.
• The Ministry of the Interior and Safety plans to upgrade headquarters PCs remaining on Windows 10 within the year, but affiliated agencies have a slower timetable: some upgrades this month, more during the year, and a large cohort scheduled for the following year due to budget and compatibility issues. This staged approach leaves many operational endpoints exposed through the ESU window or until devices are replaced.

These pragmatic plans are defensible when measured against the realities of compatibility testing and budgetary constraints, but they also create a prolonged period in which significant numbers of government endpoints are only partially defended — for example, relying on endpoint controls, network segmentation or third‑party protection instead of vendor OS patches. Those are stopgap mitigations rather than full replacements for OS‑level updates.

---

Strengths, weaknesses and governance implications​

Strengths​

• Staged rollouts minimize immediate operational disruption. Ministries are correctly prioritizing continuity for critical services while scheduling upgrades for lower‑risk workstations. This conservative approach protects essential workflows during recovery from recent incidents.
• The availability of ESU provides a defined short‑term safety valve for critical, non‑replaceable endpoints that cannot migrate immediately. When used judiciously — documented, time‑boxed and cost‑tracked — ESU reduces near‑term exposure while replacement and testing proceed. Microsoft’s consumer and enterprise ESU paths are explicit about their temporariness.

Weaknesses and risks​

• Running tens of thousands of endpoints on an unsupported OS creates regulatory and insurance risk: a breach on an unsupported platform may expose agencies to harsher regulatory penalties, legal liability and complications in incident investigations. Recent fines and enforcement actions in South Korea show regulators are prepared to act.
• The combination of recent telecom and financial breaches with a datacenter fire means government ICT teams are stretched thin; using that operational pressure as a reason to defer upgrades invites justified criticism that risk posture is being deprioritised. The perception — that ICT ministries themselves are not at full compliance — weakens public trust.
• Reliance on ad hoc mitigations (segmentation, third‑party AV, application whitelisting) is an imperfect substitute for vendor patches. Endpoint controls can raise the bar, but cannot eliminate kernel‑level vulnerabilities affecting drivers, the scheduler or system calls. Over time, the protective value of compensating controls erodes as vendors and threat actors evolve.

Governance and transparency shortfalls​

Public organisations should treat large OS EOL transitions as procurement and risk‑management programs, with documented inventories, upgradeability assessments, ESU enrollment rationales and time‑boxed replacement plans. The Chosun Biz numbers indicate ministries are tracking inventories, but independent auditors or publicly available dashboards would improve accountability and reduce political friction.

---

Practical remediation and a prioritized checklist for government fleets​

• Inventory and classify
• Run an authoritative discovery: MDM/CMDB + PC Health Check + firmware/driver readiness scans to label devices as: Upgradeable in place, Upgradeable with firmware/driver update, Replace (ineligible), or ESU candidate. This baseline is the single most important asset for planning.
• Prioritize by risk
• Immediately target internet‑facing, privileged, and high‑value endpoints for upgrade or ESU. Devices with privileged accounts or that touch citizen data should be first. Segregate legacy endpoints onto air‑gapped or tightly micro‑segmented networks where possible.
• Use ESU as a controlled bridge
• Where replacement or compatibility testing is impossible immediately, enroll only mission‑critical devices in ESU with an expiration and replacement date. Track ESU costs centrally and treat ESU as insurance, not a destination.
• Accelerate vendor and procurement paths
• Open and accelerate procurement frameworks for device refresh, including trade‑in / refurbishing channels to lower cost and manage e‑waste responsibly. Commit to vendor driver/firmware support SLAs in procurement to avoid getting stranded after refreshes.
• Public transparency and independent verification
• Publish an aggregated, auditable roadmap showing per‑agency upgrade status, ESU enrollments and replacement funding timelines. Independent spot audits by national audit or security agencies will build public trust and incentivise timely execution.
• Preserve backups and continuity
• The NIRS fire demonstrates that backups and geographic redundancy are indispensable. Reinforce 3‑2‑1 backup policies for critical services and conduct recovery drills prior to major changes so upgrades don’t compound service outages.

---

Alternatives and longer‑term options​

• Move workloads to managed cloud or virtual desktop environments (Windows 365 / Azure Virtual Desktop) where the provider can manage OS patching and reduce endpoint exposure. This avoids per‑device hardware constraints but requires network, identity and cost tradeoffs.
• Evaluate lightweight OS alternatives (ChromeOS Flex, Linux distributions) for low‑risk, web‑centric endpoints. These can extend useful life for older hardware in certain roles but require application compatibility assessment, staff retraining and helpdesk planning.
• Consolidate procurement to gain volume discounts for replacement devices and to secure vendor driver/firmware commitments that extend hardware lifecycles. Pooled procurement across ministries often shortens lead times and reduces unit costs.

---

Clear warnings and unverifiable points​

• The specific device counts and upgrade schedules reported in the press are ministry disclosures; while they provide an operational snapshot, independent verification (audited device inventories or centralised CMDB exports) would strengthen confidence in the figures. Treat ministry‑reported timelines as plans subject to budget, technical and recovery constraints.
• The precise number of government endpoints that will remain unprotected at any given moment is volatile. Threat exposure grows as time passes after end‑of‑support, and the actual exploitability of any uncovered vulnerability depends on the vulnerability’s severity and whether exploit code circulates. Nevertheless, the absence of vendor patches materially increases prospective risk.

---

Conclusion — a narrow window for disciplined action​

The confluence of Microsoft’s October 14, 2025 Windows 10 end‑of‑support deadline, recent breaches at large Korean telecoms and financial firms, and the NIRS datacenter fire creates a concentrated period of operational and political risk for South Korea’s public sector. The ministry figures reported in the Korean press show a material cohort of government PCs still on Windows 10 — a fact that is both technically consequential and politically sensitive.
This is not an argument for panic, but for disciplined program management: immediate inventory and risk prioritisation, controlled ESU enrolment for narrowly defined exceptions, accelerated procurement for replacements, and public transparency that shows measured progress. Governments facing similar migrations have successfully navigated them by treating the transition as a multi‑quarter modernization program with clear governance, funding and accountability — not an emergency that can be resolved by ad hoc fixes. If ministries deliver on the staged plans they reported — complete the highest‑risk upgrades first, document ESU use, and publish measurable progress — they will substantially reduce the exposure window. Failure to do so, however, will continue to make unsupported endpoints attractive targets for opportunistic and organised attackers at an already fraught moment for national ICT resilience.

---

---

Source: Chosun Biz Ministry of Science and ICT keeps 4 in 10 PCs on Windows 10 as support ends