The NHS has begun quarantining medical devices that cannot be upgraded to Windows 11, after a handful of clinical-supplier vendors refused or failed to certify their software for Microsoft’s current desktop OS — leaving hospitals with a stark choice between isolating essential kit, paying steep retrofit fees, or accepting the security risk of running unsupported Windows 10. Digital Health News reported that a supplier quoted Rotherham NHS Foundation Trust £25,000 to upgrade a three‑year‑old device to work with Windows 11, and trust staff say roughly 2 percent of their estate remains on Windows 10 for the same reason.
Background: why this matters now
Microsoft’s mainstream support for Windows 10 ended on 14 October 2025, meaning devices that remain on Windows 10 will no longer receive routine security and quality updates unless covered by paid Extended Security Updates (ESU) programs. The company describes ESU as a short‑term bridge while organisations migrate to Windows 11, but ESU options differ by market and come with prerequisites that make them unsuitable or burdensome for many hospital devices. For the NHS — a large, heterogeneous estate built over decades with a heavy mix of desktop workstations, laptops and specialized medical hardware — the timing of Windows 10’s end of support collides with three structural problems:
- Many medical devices run vendor‑locked software that was validated and certified for a particular OS version and cannot be re‑validated quickly.
- Hardware eligibility gaps for Windows 11 (TPM 2.0, UEFI Secure Boot and newer CPU baselines) force device replacement in some cases rather than an in‑place OS upgrade.
- The supply chain for clinical software and device firmware is fractured: original equipment manufacturers (OEMs) and third‑party ISVs may lack capacity, incentive or regulatory clearance to push timely Windows 11‑compatible updates.
What the Rotherham example reveals
The Rotherham NHS Foundation Trust’s experience is a useful microcosm. The trust reports moving roughly 98 percent of its Microsoft estate, around 7,000 devices, to Windows 11 over three years — but the remaining ~2 percent includes clinical endpoints whose supplier‑supplied software is not yet Windows 11 compatible. One vendor reportedly demanded £25,000 to make a three‑year‑old device compatible, forcing the trust to quarantine the equipment to reduce cyber risk while it negotiates. That anecdote highlights several overlapping issues:
- Vendor lifecycle choices: suppliers sometimes bundle software that only runs on a certified OS image, then decline to upgrade unsupported images or demand full hardware replacement rather than issuing a software-only patch. This transfers lifecycle cost to health providers.
- Regulatory friction: vendors cite the need for Medicines and Healthcare products Regulatory Agency (MHRA) checks or medical device conformity assessments before any change touching device‑firmware/software can be made, which elongates timelines and raises cost. Rotherham’s director of health informatics emphasised that those checks are rightful, but the commercial and operational consequences can be severe.
- Clinical continuity risk: quarantining devices reduces cyber risk but may degrade care — for example, preventing a cardiology system from reading pacemakers or stopping telemetry flows that clinicians rely on. Trusts are left balancing security against clinical availability.
Technical constraints and the ESU trade‑off
Windows 11 raised the bar for hardware security: TPM 2.0, UEFI Secure Boot and a modern processor baseline are central to Microsoft’s platform posture. Many older laptops issued during the pandemic or bundled into healthcare estates are marginally non‑compliant or have firmware features disabled by default, forcing either firmware reconfiguration, hardware replacement, or vendor intervention. Internal migration playbooks and IT audits repeatedly point to this “compatibility cliff” as the main practical blocker.

Microsoft’s ESU programs are explicitly intended as a bridge. Consumer ESU enrollment options and enterprise ESU licensing differ by region and by device management state; for enterprise and NHS‑scale environments the commercial ESU route can be costly and operationally complex. In some markets Microsoft has adapted the consumer ESU flow (for example, easing certain enrollment conditions in the European Economic Area), but ESU is a finite measure — typically a year for consumer programs and an enterprise product on a multi‑year, priced schedule — not a long‑term alternative to upgrading. That leaves hospitals with hard choices:
- Force the vendor to provide Windows 11‑compatible software and wait through certification and testing timelines.
- Pay for vendor retrofits (rare but sometimes quoted at five‑figure sums).
- Enroll vulnerable endpoints in ESU where technically possible (and accept that ESU is temporary).
- Quarantine or isolate the devices, accepting clinical impact risk and extra operational work to maintain continuity.
The safety and cyber‑risk history that makes this sensitive
The NHS has seen the stakes of unpatched systems before: the 2017 WannaCry outbreak severely disrupted services nationwide and later government analysis estimated the cost to the NHS at about £92 million due to lost output and remediation work. That episode forced national investment in cyber resilience and is the reason NHS England’s guidance now stresses moving to supported platforms. More recently, the Synnovis ransomware incident in June 2024 affected pathology services, forcing thousands of appointment postponements and extended disruption while systems were rebuilt. Those incidents are the real-world precedent that colours decision‑making today: trusts cannot treat unsupported OSes as mere administrative problems because patient care can be disrupted or delayed during cyber incidents.

Where vendors, regulators and procurement go wrong
A forensic look at the vendor-to‑trust lifecycle shows three persistent failure modes:
- Contract design that omits long‑term OS portability: purchase agreements often focus on initial acceptance testing and fail to require vendor commitment to maintain compatibility with future OS baselines or to offer affordable in‑place upgrades. That contractual gap leaves trusts exposed to expensive retrofit demands years after purchase.
- Regulatory caution that creates long lead times: changing software that interacts with physical medical devices legitimately triggers clinical safety cases and MHRA conformity procedures; these are necessary but add months to any remediation timeline. Vendors will point to that regulatory burden to justify delays or higher costs.
- Vendor resource and incentive misalignment: some device manufacturers are small, niche specialists without the engineering bandwidth or commercial incentive to support the broad set of OS permutations hospitals require. Combined with device certification costs, this makes Windows 11 compatibility lower on their product roadmap.
Practical mitigation: what trusts can do now
While supplier behaviour and regulation are addressed at different governance levels, hospital CIOs and clinical engineers can adopt mitigations now to reduce immediate exposure:
- Segment and quarantine: isolate legacy clinical devices onto tightly controlled VLANs with limited egress and strict firewalling. That reduces lateral risk if a device is compromised but requires careful routing and failover planning so clinical workflows continue where possible.
- Use compensating controls: deploy endpoint detection & response (EDR), application allow‑listing and strict device access controls. Treat ESU as a time‑boxed stopgap and pair it with defensive controls that reduce attack surface.
- Virtualise legacy workloads: where possible, run vendor software on a managed, supported platform such as a Windows 11 virtual desktop or a Windows 365 Cloud PC, keeping the physical device isolated. This can preserve clinical continuity while avoiding in‑place OS changes to certified hardware.
- Prioritise clinical impact: triage devices by clinical criticality and patient safety impact, and target replacement and vendor pressure at the highest‑risk endpoints first.
- Capture vendor commitments in contracts: require future OS compatibility clauses, change‑control SLAs and minimum maintenance windows in new procurements. For purchased kit, escalate contract negotiation to central procurement with legal leverage.
- Seek central funding or national negotiation: pooled buying power or centrally negotiated retrofit programs can bring vendor pressure and distribute costs fairly across the system.
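As an added example (not from the article, nor any trust’s or supplier’s tooling), the following Python triage applies the four options listed under the ESU trade‑off and the “prioritise clinical impact” mitigation above to a constructed device inventory; the inventory fields, the scoring weights and the £10,000 retrofit threshold are assumptions.

```python
"""Risk-scored triage of a clinical endpoint inventory against the Windows 10
end-of-support options. Constructed example; fields, weights and thresholds
are assumptions, and the sample inventory is not real trust data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Endpoint:
    asset_id: str
    os: str                   # "Windows 10" or "Windows 11"
    win11_eligible: bool      # TPM 2.0, UEFI Secure Boot and a supported CPU present
    vendor_win11_ready: bool  # supplier has certified its software for Windows 11
    esu_possible: bool        # endpoint meets the ESU enrollment prerequisites
    criticality: int          # 1 (admin) .. 5 (life-critical, e.g. cardiac telemetry)
    retrofit_quote_gbp: Optional[int] = None  # vendor quote to make it Win11-ready


def risk_score(e: Endpoint) -> int:
    """Higher means triage first: clinical impact dominates, then lack of a patch path."""
    if e.os == "Windows 11":
        return 0
    score = 10 * e.criticality
    if not e.vendor_win11_ready:
        score += 5  # no supported path without supplier action
    if not e.esu_possible:
        score += 5  # not even a time-boxed patch bridge is available
    return score


def triage(e: Endpoint, max_retrofit_gbp: int = 10_000) -> str:
    """Map one endpoint to one of the options the text lists (assumed threshold)."""
    if e.os == "Windows 11":
        return "supported"
    if e.vendor_win11_ready:
        # Software is fine; the only blocker, if any, is hardware eligibility.
        return "upgrade-in-place" if e.win11_eligible else "firmware-or-hardware-remediation"
    if e.retrofit_quote_gbp is not None and e.retrofit_quote_gbp <= max_retrofit_gbp:
        return "pay-retrofit"
    if e.esu_possible:
        return "esu-plus-compensating-controls"  # time-boxed; pair with EDR and allow-listing
    return "quarantine-isolated-vlan"            # last resort; plan for clinical impact


def plan(inventory: List[Endpoint]) -> List[Tuple[str, int, str]]:
    """Return (asset_id, risk, action) rows with the highest-risk endpoints first."""
    rows = [(e.asset_id, risk_score(e), triage(e)) for e in inventory]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory (not real trust data).
SAMPLE = [
    Endpoint("CARD-01", "Windows 10", True, False, False, 5, 25_000),
    Endpoint("LAB-07", "Windows 10", True, True, True, 4),
    Endpoint("WS-113", "Windows 10", False, True, True, 1),
    Endpoint("PACS-02", "Windows 10", True, False, True, 3),
    Endpoint("MON-09", "Windows 11", True, True, True, 5),
]

if __name__ == "__main__":
    for asset, risk, action in plan(SAMPLE):
        print(f"{asset:8} risk={risk:3} -> {action}")
```

The output lists the life‑critical cardiology endpoint with no vendor path, no affordable retrofit and no ESU option first, which is exactly the device a trust ends up quarantining.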
Policy levers and industry responsibilities
The Rotherham story and similar reports make clear that fixing this problem requires action beyond local IT teams.
- Procurement reform: national and regional procurement frameworks should require OS portability clauses, mandatory lifecycle support windows, and vendor liability for obsolescence caused by OS discontinuation. Central purchasing agreements could include retrofit obligations for critical devices.
- Regulatory streamlining: regulators and standards bodies should provide expedited pathways for non‑functional safety‑neutral software updates that merely adjust OS compatibility without changing clinical behaviours — a fast‑track re‑certification for compatibility patches could cut months from vendor timelines while preserving patient safety.
- Vendor accountability: clinical‑device OEMs must accept that platform evolution is a predictable part of the market; providing a reasonable, time‑bound path to keep deployed devices secure is part of being a responsible supplier. Public procurement scoring should factor lifecycle responsiveness.
- Central funding for migration: the scale of device refresh and re‑validation across NHS trusts suggests that central capital funding or matched finance is likely the most pragmatic way to avoid a patchwork of local risk decisions and to prevent avoidable clinical impact.
Costs, environmental impact and the unintended consequences
The Windows 11 compatibility requirement forces hard budgetary choices. Replacing an otherwise serviceable medical device because a supplier won’t issue a software update increases capital spend and produces e‑waste. Advocacy groups and industry observers warned that Windows 10’s end of support could prompt a large wave of hardware disposal if manufacturers do not provide reasonable retrofit paths — a problem with environmental and equity implications. Trusts must therefore weigh direct procurement costs against long‑term sustainability and social responsibility.

Critical analysis: strengths and risks in today’s response
Strengths
- The NHS and several trusts clearly prioritised early migration: examples show sizeable in‑place upgrade programs and aggressive refresh schedules that moved the majority of estates to Windows 11 before the cut‑off. That proactive stance reduced exposure for many organisations.
- Where trusts have engaged suppliers early and combined firmware enablement with rigorous testing, upgrades proceeded smoothly — demonstrating that the problem is not insoluble when procurement, clinical engineering and suppliers coordinate.
Risks
- A small set of suppliers holding the upgrade keys to critical clinical devices creates outsized operational risk. When those vendors demand large retrofit fees or insist on full hardware replacement, they effectively create a monopoly rent on safety — a perverse outcome in a public health system.
- Regulatory safety procedures are necessary but slow. Without targeted fast‑tracks for compatibility patches that do not alter clinical function, vendors will legitimately cite regulatory process as a reason for delay — leaving hospitals to quarantine kit or buy expensive workarounds.
- ESU as a fallback is imperfect. It is a time‑limited bridge (and in some cases commercially expensive) that can lull systems into delayed action rather than solving the structural supply‑chain problem. Relying on ESU beyond the short term increases cumulative cost and leaves the clinical estate exposed to future discontinuities.
- Individual vendor quotes (such as the £25,000 figure) are documented in reporting for specific trusts, but the wider prevalence and average retrofit cost across the NHS cannot be precisely measured from public reporting alone. That means extrapolating the national financial impact from single anecdotes would be speculative; the Rotherham quote is illustrative rather than statistically definitive.
Recommendations: what should happen next
A coordinated response combining procurement, regulatory and operational action would limit clinical risk and distribute cost fairly:
- Immediate national measures
  - Commission a central retrofit fund or matched financing for trust‑level device upgrades and re‑validation; prioritise high‑risk clinical endpoints and pathology/ICU/monitoring equipment.
  - Issue guidance and a temporary fast‑track MHRA pathway for OS‑compatibility patches that do not change device‑level clinical logic.
- Mid‑term supplier and contract reform
  - Update NHS procurement frameworks to require lifecycle guarantees and reasonable OS‑compatibility commitments for the full expected service life of devices. Include penalties or remediation obligations for vendors that fail to provide compatible updates.
- Operational best practice for trusts
  - Maintain an accurate, risk‑scored device inventory and triage replacements where clinical impact is highest. Use virtualisation and network segmentation where replacement is infeasible in the short term.
- Public transparency and oversight
  - Establish an audit mechanism that publicly reports the percentage of clinical endpoints still on unsupported OSes and tracks vendor remediation performance; publish aggregated metrics to inform national prioritisation.
Conclusion
The NHS’s decision to quarantine some medical devices rather than continue operating them on unsupported Windows 10 highlights a brittle dependency: when a small number of suppliers control software that interfaces with life‑critical hardware, the health system inherits both commercial and safety risk. Microsoft’s 14 October 2025 end of support for Windows 10 forced a hard deadline; the immediate task for NHS leaders is to combine tactical mitigations (segmentation, ESU where necessary, virtualisation) with strategic fixes (procurement reform, vendor accountability and regulatory fast‑tracks) so that clinical services remain both safe and secure.

The Rotherham example — where a vendor demanded a five‑figure sum to render a three‑year‑old device usable on Windows 11 — is a warning: without systemic change, the nation’s hospitals will repeatedly face sharp choices between paying for compatibility, isolating clinical equipment, or running unpatched, vulnerable systems. Those choices are not merely IT policy; they directly affect patient safety, staff workflows and the public purse. The practical remedy requires coordinated, funded action across procurement, regulation and supplier behaviour to ensure the next OS transition does not expose patients or clinicians to avoidable risk.
Source: theregister.com NHS quarantines devices as suppliers drag feet on Windows 11