NHS Windows 11 Upgrade Hurdle: 2% Blocked by Uncertified Software

Hospitals upgrading thousands of Windows endpoints have hit a stubborn final hurdle: a small number of clinical equipment suppliers have not certified their software for Windows 11, forcing trusts to quarantine expensive medical kit, pay retrofitting fees or run unsupported Windows 10 systems that no longer receive security patches.

Background / Overview

The technical migration from Windows 10 to Windows 11 has been framed by Microsoft as a security-first push: Windows 11 requires a higher baseline of platform protections — TPM 2.0, UEFI Secure Boot and a curated list of supported processors — and Microsoft stopped mainstream support for Windows 10 on 14 October 2025. These changes mean that endpoints left on Windows 10 will not receive routine security updates unless covered by paid Extended Security Updates (ESU) arrangements. For many NHS trusts the migration itself was successful at scale: some trusts report upgrading roughly 98% of their Windows estate to Windows 11 through a mixture of in‑place upgrades and targeted hardware refreshes. That near-complete rate, however, masks a concentrated risk — a remaining ~2% of devices that are functionally critical but technically or contractually blocked from upgrading because the supplier-provided clinical application or firmware has not been certified for the new OS. One well-documented example at Rotherham NHS Foundation Trust shows how even a small wedge of incompatible devices can create outsized operational and patient-safety pressure.

Why this matters: security, safety and patient risk

Healthcare IT is uniquely sensitive because downtime or degraded diagnostics can immediately affect patient care. Cybercriminals know this: hospitals and pathology providers are high-value targets for ransomware because encrypted systems can prevent critical tests or block the clinical workflows that enable operations. Past incidents prove the stakes — the 2017 WannaCry outbreak disrupted dozens of NHS trusts and forced tens of thousands of appointment cancellations; formal analyses put the NHS bill for the incident in the tens of millions of pounds. More recently, a June 2024 ransomware attack on a pathology services partner disrupted services across major London hospitals and has been linked, in later reporting and inquiries, to at least one patient death where delayed diagnostics were a contributing factor. These precedents turn a 2% incompleteness in migration into a real patient-safety problem rather than an IT‑only inconvenience. Key security implications:
  • Unsupported Windows 10 hosts will not receive OS-level security patches after Microsoft’s cut‑off date, expanding the attack surface for remote code execution and privilege-escalation exploits.
  • Medical devices often sit on the network and interact with other clinical systems, so a compromised device can be a lateral pivot into mission-critical infrastructure.
  • Quarantining devices is a defensive necessity, but segmentation can reduce functionality — effectively denying clinicians the equipment they rely on unless alternate workarounds are available.

The technical gate: why Windows 11 blocks some devices

Windows 11’s system requirements are strict by design. Minimums include:
  • TPM 2.0 (or firmware TPM/fTPM) enabled and functioning.
  • UEFI firmware with Secure Boot enabled.
  • A supported, relatively recent CPU family and modest RAM/storage minima (4 GB RAM / 64 GB storage).
  • DirectX 12 / WDDM 2.x support for graphics-related features.
Those platform-level expectations create a compatibility cliff for some classes of kit:
  • Embedded or OEM‑sealed systems shipped with a validated OS image often lack a firmware path to enable TPM, or have processors not on Microsoft’s supported list.
  • Clinical software vendors typically certify their application against a precise OS build and driver set; updating the host OS can trigger full re-validation cycles with regulators such as the MHRA (Medicines and Healthcare products Regulatory Agency) and internal clinical safety processes. That makes hurried updates risky and slow.
In short, Windows 11 is not just an “install and go” upgrade for many medical endpoints — it’s a platform re-baseline that can force hardware changes, firmware toggles or supplier-driven software rework.

The Rotherham example: a microcosm of wider failure modes

Rotherham NHS Foundation Trust is one of the better-documented case studies. Trust IT teams reportedly upgraded around 7,000 devices over a multi-year programme, landing roughly 98% on Windows 11. The remaining 2% are clinical endpoints whose supplier-provided software is not yet Windows 11 compatible. In at least one instance a vendor quoted five-figure retrofit charges (reported figures range from a £25,000 quote to anecdotal references to expensive replacement costs) to make a three‑year‑old device compatible. The trust has quarantined non‑upgraded systems to reduce cyber exposure while negotiating remediation. What this illustrates:
  • A modest percentage of devices, when concentrated in clinical pathways, can create disproportionate operational risk.
  • Suppliers can, intentionally or not, transfer lifecycle costs to the health system by charging for certification or by refusing to backport compatibility.
  • Regulatory obligations for device safety are real and legitimate — but without an accelerated pathway for compatibility-only patches, meeting those obligations in full may translate into clinical harm or dramatically increased procurement spend.

The hard choices: quarantine, ESU, retrofit, or replace

Faced with incompatible devices, trusts commonly consider four blunt options:
  • Quarantine or isolate the device on segmented VLANs and accept degraded clinical availability until certification is complete. This reduces exposure but threatens care continuity.
  • Purchase Extended Security Updates (ESU) for Windows 10 as a temporary bridge. ESU buys time but is deliberately priced and structured as a finite, escalating-cost solution. For large fleets it quickly becomes expensive.
  • Pay the vendor for a retrofit or re‑validation. Some vendors demand five-figure sums that can rival acquisition costs — an unpredictable and inequitable expense imposed on public providers.
  • Replace the hardware entirely, which ensures compatibility but is capital‑intensive and creates e‑waste and logistics overhead.
All four options carry trade-offs in cost, time and patient-safety impact. The correct mix is context-dependent, but the systemic problem is that the burden falls unevenly on overstretched NHS procurement and IT teams.

Procurement, contracts and supplier behaviour: the systemic failure

The crisis is not purely technical. Procurement contracts and lifecycle clauses are central to the failure modes:
  • Many device purchase agreements focus on initial acceptance testing and warranty windows rather than long-term OS portability or cost‑sharing for major platform upgrades. That leaves trusts negotiating ad‑hoc remediation years into a device’s service life.
  • Small specialist vendors may lack the engineering bandwidth or commercial incentive to retrofit older product lines, choosing new‑product development over legacy support. This misalignment is not merely vendor inertia — it’s market economics colliding with public procurement expectations.
  • Regulatory re‑validation is necessary in many cases, but regulators and procurement authorities currently lack a fast‑track pathway for compatibility-only updates that do not change clinical functionality. That regulatory friction adds months to the roadmap at a significant cost.
The result is a structural mismatch: vendors are not contractually required to absorb upgrade costs; regulators rightly demand safety assurance; and hospitals are left holding the risk and the bill.

Financial and environmental consequences

The immediate fiscal impact is real: anecdotal retrofit quotes in the tens of thousands for single devices and an aggregated need for selective hardware refresh across trusts imply large, unplanned capital pressure. ESU for large device populations is expensive and will erode operating budgets that were not planned for this contingency. Over the medium term, an accelerated refresh cycle also creates e‑waste and sustainability questions that procurement policies must account for.
Key financial considerations:
  • ESU is a time-limited cost with prices that can rise year-on-year; it is intended as a bridge, not a permanent fix.
  • Retrofit or revalidation fees charged by suppliers can be unpredictable and sometimes exceed what a trust would pay to replace a unit outright.
  • Centralised capital funding, or procurement frameworks that mandate lifecycle support, will likely be the most efficient means to avoid a fragmented, unequal patchwork of risk across trusts.

Operational mitigations and a practical playbook

Tech teams working under these constraints can take immediate, measurable steps to lower risk and buy time while longer-term solutions are negotiated.
Immediate (0–30 days)
  • Inventory and classify: create a device-level inventory capturing OS build, CPU model, TPM state, firmware version, vendor application, clinical function and network exposure. This dataset is essential for prioritisation.
  • Segment and quarantine: place unsupported endpoints into restricted VLANs, remove internet exposure, and strictly control which hosts can communicate with them. Segmentation is not perfect, but it materially reduces lateral attack risk.
Short term (1–3 months)
  • Vendor engagement and escalation: demand written remediation plans, timelines and firm costings. Use procurement contracts and NHS escalation channels where available.
  • Targeted ESU procurement: buy ESU selectively for truly irreplaceable endpoints as a last-resort bridge, and budget for its rising cost profile.
Medium term (3–12 months)
  • Rehost legacy apps where feasible: isolate legacy clinical applications into controlled VMs, Cloud PC environments or Azure Virtual Desktop sessions to decouple the certified application from an ineligible host. This avoids firmware rework and can deliver Windows 11 security posture to critical apps on legacy hardware.
  • Plan strategic hardware refreshes that prioritise ICU, pathology, imaging and other patient-critical device classes. Spread procurement across financial cycles to smooth capital impact.
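One way to carry out the inventory step above while also checking each endpoint against the Windows 11 platform gate listed earlier (TPM 2.0, UEFI Secure Boot, 4 GB RAM / 64 GB storage), as an added example that is not from the TechRadar article, the trust or Microsoft: a PowerShell collector run once per Windows 10 endpoint. The clinical-function, vendor-application and network-exposure tags are assumed to come from the operator or a CMDB, and the supported-CPU list is a placeholder you must populate from Microsoft's published list.

```powershell
# Added example (not from the article, the trust or Microsoft): collects the playbook's inventory
# fields and checks the Windows 11 platform gate (TPM 2.0, UEFI Secure Boot, 4 GB RAM, 64 GB disk).
# Run elevated on each Windows 10 endpoint; rows append to one CSV used for prioritisation.
param(
    [string]$ClinicalFunction  = 'UNKNOWN',  # assumed CMDB tag, e.g. 'pathology analyser'
    [string]$VendorApplication = 'UNKNOWN',  # assumed tag: supplier software awaiting certification
    [string]$NetworkExposure   = 'UNKNOWN',  # assumed tag, e.g. 'clinical VLAN' / 'internet-reachable'
    [string[]]$SupportedCpuPatterns = @()    # PLACEHOLDER: regexes built from Microsoft's supported-CPU list
)
$os   = Get-CimInstance Win32_OperatingSystem
$cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
$bios = Get-CimInstance Win32_BIOS
$sys  = Get-CimInstance Win32_ComputerSystem
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

# TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.59"; a missing instance means no usable TPM.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware, which counts as not enabled.
$secureBoot = $false
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

# CPU: stays 'unchecked' until a real pattern list is supplied, so it never silently passes the gate.
$cpuSupported = if ($SupportedCpuPatterns.Count -eq 0) { 'unchecked' } else { [bool]($SupportedCpuPatterns | Where-Object { $cpu.Name -match $_ }) }

$ramGB  = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
$diskGB = [math]::Round($disk.Size / 1GB, 1)
$gatePassed = ($tpmSpec -eq '2.0') -and $secureBoot -and ($env:firmware_type -eq 'UEFI') -and
              ($ramGB -ge 4) -and ($diskGB -ge 64) -and ($cpuSupported -ne $false)

[pscustomobject]@{
    Hostname          = $env:COMPUTERNAME
    OSCaption         = $os.Caption
    OSBuild           = $os.BuildNumber
    CPUModel          = $cpu.Name
    CPUSupported      = $cpuSupported
    FirmwareType      = $env:firmware_type       # 'UEFI' or 'Legacy'
    FirmwareVersion   = $bios.SMBIOSBIOSVersion
    TPMSpecVersion    = $tpmSpec
    SecureBootEnabled = $secureBoot
    RAM_GB            = $ramGB
    SystemDisk_GB     = $diskGB
    Win11GatePassed   = $gatePassed
    VendorApplication = $VendorApplication
    ClinicalFunction  = $ClinicalFunction
    NetworkExposure   = $NetworkExposure
} | Export-Csv -Path "$env:ProgramData\win11-inventory.csv" -Append -NoTypeInformation
```

Devices with Win11GatePassed false and a critical ClinicalFunction are the ones to segment first and to raise with the supplier; a TPM 1.2 or Legacy firmware result tells you whether a firmware toggle or a hardware change is the blocker.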

Policy solutions and procurement reform (what should happen next)

Fixing this problem at scale requires coordinated policy action, not piecemeal local fixes.
Recommendations:
  • Central retrofit fund: a targeted pot for trusts forced to replace or retrofit clinical devices due to supplier non‑support would reduce per-trust bargaining disadvantage and regional inequality.
  • Fast‑track regulatory pathway: regulators should define a limited, expedited conformity route for compatibility-only updates that do not alter clinical behaviour, shortening supplier timelines while preserving safety.
  • Contractual lifecycle clauses: NHS procurement frameworks must require vendors to guarantee OS compatibility for a defined portion of expected device life, or to provide reasonable retrofit paths at capped costs.
  • Supplier accountability and public procurement scoring: include responsiveness to platform evolution and cyber security maintenance as weighted criteria in supplier selection and renewals.
A central, coordinated approach would distribute cost, streamline vendor behaviour, and reduce the operational bargaining asymmetry trusts currently face.

Strengths, weaknesses and critical risks

What’s gone right
  • Many trusts ran disciplined migration programmes, clearing the vast majority of their estates to Windows 11 ahead of the 14 October 2025 support cut‑off. These programmes show that scale migration is achievable with planning, firmware enablement and vendor coordination.
What’s gone wrong
  • A small number of supplier‑locked devices remain a systemic failure point: concentrated risk in critical clinical paths that cannot be absorbed by local IT teams alone.
  • Procurement and contract design did not reliably account for future OS baselines and lifecycle support obligations; that omission is now creating ad‑hoc, expensive remediation negotiations.
High-consequence risks
  • Operational disruption: quarantining critical devices can reduce diagnostic throughput and postpone procedures. The Synnovis ransomware incident shows how lab disruptions can cascade into cancelled operations and, in extreme cases, contribute to patient deaths.
  • Insurance and compliance: running unsupported OSes can undermine compliance with data-protection and cyber-insurance requirements, potentially reducing coverage or increasing premiums.
Unverifiable or anecdotal claims (flagged)
  • Single-case retrofit quotes such as the specific figures reported by individual trusts are useful illustrations but not statistical measures of national cost. Extrapolating a national bill from one quote is speculative; the Rotherham figures should be read as indicative of the problem, not definitive proof of average supplier pricing.

What vendors, regulators and the NHS must do now — a prioritised checklist

  • Vendors: commit to reasonable retrofit pricing and publish compatibility roadmaps that include expected timelines for OS certification. Where changes are safety‑neutral, use a regulator‑approved fast‑track.
  • Regulators (MHRA): create a narrow, expedited route for compatibility-only updates that preserves clinical safety while drastically shortening vendor testing time.
  • NHS England / Central Government: establish a central funding mechanism and mandate lifecycle clauses in future framework agreements. Use procurement leverage to require vendor support windows that match expected device lifetime.
  • Trust IT teams: finish comprehensive inventories, implement segmentation, and plan hybrid mitigations (VM rehosting, Cloud PC) where retrofit or replacement is infeasible.

Conclusion

The NHS’s Windows 11 migration programme has succeeded in the large: most endpoints are now on a modern, more secure platform. But the last mile — the devices that cannot be upgraded because vendors haven’t certified their clinical software — reveals a brittle dependency in the healthcare supply chain. Left unaddressed, that brittleness will continue to force impossible choices: quarantine vs clinical availability, costly retrofits vs risky ESU, or rapid capital spends with environmental and budgetary consequences.
Fixing this requires more than local IT heroics. It needs supplier accountability baked into procurement, regulatory pragmatism to fast‑track compatibility-only updates, and central funding to avoid an unequal patchwork of risk across trusts. Without those changes, the healthcare sector will keep paying for an avoidable collision between platform security policy and the economics of medical device support — a collision whose real costs will be measured in diverted operations, lost clinician hours, and, in the worst cases, patient harm.
Source: TechRadar, "NHS devices diagnosed with compatibility issues - and Windows 11 is being prescribed as treatment"