More than a month before Microsoft stops issuing security patches for Windows 10, a fresh Kaspersky telemetry snapshot is sounding a loud alarm: a majority of devices in its dataset remain on Windows 10, with a non‑trivial tail still running unsupported releases such as Windows 7 — a situation that raises measurable security, compliance and operational risks for businesses of all sizes. (kaspersky.com)
In its formal lifecycle calendar Microsoft has set the end‑of‑support date for Windows 10 as October 14, 2025. After that date Microsoft will no longer provide routine security updates, feature updates, or technical support for Windows 10 editions — including Home, Pro, Enterprise, Education and IoT variants. This is a hard deadline for organisations to factor into their risk and upgrade planning. (support.microsoft.com)
Parallel to the lifecycle announcement, Microsoft published consumer and commercial Extended Security Updates (ESU) options and a consumer enrollment path that allows eligible consumer devices to receive one additional year of security patches through October 13, 2026 under certain conditions. Commercial ESU pricing and terms are different and can be renewed for up to three years. (blogs.windows.com)
Kaspersky’s recent public statement uses anonymized telemetry from the Kaspersky Security Network (KSN) to snapshot installed OS versions among consenting endpoints. Their top‑line figures — which have been widely syndicated — show roughly 53% of monitored devices still on Windows 10, 33% on Windows 11, and 8.5% on Windows 7, with corporate endpoints skewing older (around 59.5% Windows 10 in the corporate segment in Kaspersky’s sample). Kaspersky’s security analysts warn that running outdated OS releases in production environments elevates risk and may create compatibility problems with modern security tooling. (kaspersky.com)
For organisations, the calculus is straightforward in principle and challenging only in execution: identify what matters most, protect those assets immediately (ESU, cloud migration or accelerated refresh), and plan the remainder on an achievable timeline that prevents an unmanaged, heterogeneous estate from becoming a persistent security gap. The short window left before EOL makes immediate action the prudent choice. (support.microsoft.com)
Source: bangkokpost.com Firms warned about using outdated Windows systems
In its formal lifecycle calendar Microsoft has set the end‑of‑support date for Windows 10 as October 14, 2025. After that date Microsoft will no longer provide routine security updates, feature updates, or technical support for Windows 10 editions — including Home, Pro, Enterprise, Education and IoT variants. This is a hard deadline for organisations to factor into their risk and upgrade planning. (support.microsoft.com)Parallel to the lifecycle announcement, Microsoft published consumer and commercial Extended Security Updates (ESU) options and a consumer enrollment path that allows eligible consumer devices to receive one additional year of security patches through October 13, 2026 under certain conditions. Commercial ESU pricing and terms are different and can be renewed for up to three years. (blogs.windows.com)
Kaspersky’s recent public statement uses anonymized telemetry from the Kaspersky Security Network (KSN) to snapshot installed OS versions among consenting endpoints. Their top‑line figures — which have been widely syndicated — show roughly 53% of monitored devices still on Windows 10, 33% on Windows 11, and 8.5% on Windows 7, with corporate endpoints skewing older (around 59.5% Windows 10 in the corporate segment in Kaspersky’s sample). Kaspersky’s security analysts warn that running outdated OS releases in production environments elevates risk and may create compatibility problems with modern security tooling. (kaspersky.com)
What the numbers actually mean (and what they don’t)
Kaspersky telemetry: a valuable signal, not a global census
Kaspersky’s dataset is large and operationally relevant because it reflects devices protected by Kaspersky products that have opted into KSN telemetry. That makes the data useful for spotting trends and measuring risk within that installed base. However, it is not a probability‑sampled, device‑by‑device global census; measurement method matters. Different data sources that use other sampling methods — notably pageview‑weighted trackers such as StatCounter — produce materially different snapshots of “market share” for Windows versions. Treat Kaspersky’s percentages as a telemetry‑based warning signal rather than an absolute global headcount. (kaspersky.com)Comparison with other measurement sources
For example, StatCounter’s pageview dataset showed Windows 11 at roughly 49.0% and Windows 10 at 45.7% for recent monthly snapshots — a picture where Windows 11 is already ahead on browsing activity. Differences between telemetry (installed base) and pageview (web activity) are expected: browsing behaviour, device usage patterns and the composition of panels create divergence. Both views matter to IT decision‑makers: telemetry highlights installed risk, while pageview metrics indicate active user environments and ecosystem momentum. (gs.statcounter.com)Why businesses should treat this moment as urgent
1) Security exposure increases dramatically after EOL
When an OS reaches end of support it no longer receives patches for newly discovered vulnerabilities. That leaves any remaining installations exposed to exploitation, lateral movement and persistence techniques that threat actors routinely weaponize after vendor support stops. The pattern is well documented in previous EOL events: Windows 7 and XP once provided rich pickings for opportunistic and targeted attackers. For organisations with regulated data, unpatched OSes also become a compliance and audit liability. (support.microsoft.com)2) Compatibility erosion with modern software and security tools
As vendors evolve, new security agents, management tooling and application builds may assume modern platform primitives or APIs that exist in Windows 11 (or in patched Windows 10 builds) but not in older releases. Over time this increases operational friction: vendor‑supported integrations fail, telemetry gaps appear, and workarounds multiply. Kaspersky explicitly flags the compatibility risk as a core business continuity concern. (kaspersky.com)3) Escalating remediation cost and disruption
Delaying migration typically compounds cost. A well‑planned device refresh or phased Windows 11 migration executed ahead of EOL is usually less expensive and disruptive than emergency upgrades, emergency ESU purchases, or a crisis response to an incident on an unpatched estate. Hardware refresh cycles, software compatibility testing and user training all take calendar time and budget; the closer organisations get to the deadline, the less time for careful testing, and the higher the chance of mistakes. (learn.microsoft.com)Microsoft’s Extended Security Updates: what organisations and consumers need to know
Commercial ESU (enterprises, organisations)
- Pricing for commercial organisations begins at US$61 per device for Year One, and Microsoft has signaled that the price will increase in subsequent renewal years (commonly doubling each year for the three‑year window). Commercial enrolment is available through Volume Licensing and CSPs. This is a stop‑gap for organisations that legitimately need more migration time but still want to receive monthly security patches. (theverge.com)
- Cloud entitlements: Windows 10 VMs running in Microsoft cloud services such as Windows 365 and Azure Virtual Desktop are entitled to ESU patches with no additional charge, which can be a cost‑effective route for some organisations to extend protection for workloads that have already moved to cloud hosts. (blogs.windows.com)
Consumer ESU options (individuals and small businesses)
Microsoft created a consumer‑friendly enrollment wizard to simplify ESU for personal devices and small accounts. The consumer options include:- Free enrollment by enabling Windows Backup (syncing PC settings and data to a Microsoft account / OneDrive).
- Free enrollment by redeeming 1,000 Microsoft Rewards points.
- A paid option of US$30 (or local currency equivalent) per account — the paid consumer ESU covers up to 10 devices linked to the same Microsoft account.
Practical caveats and rollout issues
- The ESU enrolment wizard was initially rolled to Windows Insiders and began broader rollout afterward; some users have reported issues redeeming Rewards credits or seeing the enrolment option appear — a sign that not every device will experience a perfectly smooth self‑service path. Administrators should test the enrolment flow on representative devices. (learn.microsoft.com)
- The free consumer path requires a Microsoft account and the use of cloud sync — organisations that refuse cloud accounts for policy reasons or that use restricted local‑only accounts will need to consider the paid consumer ESU or enterprise alternatives. (support.microsoft.com)
Migration choices for organisations: practical playbook
Step 1 — Triage and inventory (immediate)
- Build a verified, authoritative inventory of Windows devices, their OS version, build number, and business criticality. This must include virtual machines and BYOD endpoints that access corporate resources.
- Identify devices that are eligible for in‑place upgrade to Windows 11 (hardware compliance with TPM, Secure Boot, CPU and driver requirements). Use automated compatibility tools where available.
- Flag devices that are incompatible and must be replaced, or which should be remediated via cloud migration (Windows 365 / AVD) or constrained work modes. (learn.microsoft.com)
Step 2 — Risk stratification (24–72 hours)
- Classify endpoints by data sensitivity and exposure (internet‑facing, VPN only, medical devices, POS, kiosks), then prioritise high‑risk systems for immediate remediation or ESU coverage.
- Map business‑critical applications and vendor support windows; negotiate vendor testing slots for mission‑critical apps that will need validation on Windows 11 or patched Windows 10 builds. (kaspersky.com)
Step 3 — Decide ESU vs. migration
- Short term: purchase ESU for devices that cannot be migrated before October 14, 2025 but still require protection. For large estates this may be necessary.
- Medium term: plan a phased migration to Windows 11 with pilot groups, imaging, driver validation, and user training. Where hardware replacement is needed, align procurement with refresh cycles to limit estate churn.
- Alternative: where full migration is infeasible, consider cloud hosting of legacy workloads (Windows 365 Cloud PCs or Azure VMs), which may carry built‑in ESU advantages. (blogs.windows.com)
Step 4 — Implement and validate
- Use modern management tooling (MDM + Intune, Autopatch, or established SCCM processes) to push upgrades, validate telemetry and enforce security baselines.
- Validate endpoint protection compatibility (AV, EDR, DLP) with Windows 11 and test that monitoring and logging remain intact post‑upgrade. (kaspersky.com)
Small business and consumer guidance
Small businesses often lack the budget and IT staff for mass migrations. Their pragmatic options are:- Use the consumer ESU route if eligible (enrol free via Windows Backup or use Rewards / $30 purchase) to buy time for a planned, lower‑stress migration window. (support.microsoft.com)
- For devices incompatible with Windows 11, evaluate device replacement against alternatives such as ChromeOS Flex, lightweight Linux distributions or managed cloud desktops — balancing TCO and application compatibility.
- Engage trusted service partners to bundle migration, imaging and onsite validation as part of device refresh programs to reduce internal effort and speed the transition. (windowscentral.com)
Key technical realities to verify before upgrading
- Drivers and firmware: confirm vendor support for Windows 11 drivers and patch firmware (UEFI/BIOS, storage, network). Legacy drivers can break critical peripherals and management tooling.
- Security stack compatibility: ensure endpoint detection and response (EDR), disk encryption and remote management tools are supported and tested on Windows 11.
- Application compatibility: validate business applications and legacy middleware under Windows 11 in a pilot, looking for service‑pack or vendor‑patched builds that explicitly support the newer OS.
- Backup and rollback plan: create validated rollback images and ensure backups exist before broad deployment in case of regression or unexpected failures. (learn.microsoft.com)
The risk of “partial” migration strategies
A common approach — migrating only a portion of the estate and leaving less critical systems on Windows 10 with ESU — reduces immediate cost but creates an operational burden:- Fragmentation increases helpdesk complexity and inconsistent security posture.
- Compatibility islands may force vendors to support multiple versions in parallel, increasing patch and QA costs.
- Attack surface asymmetry: attackers tend to probe the weakest links; a mixed estate yields pivot opportunities to reach critical assets.
The practical economics of ESU vs. migration
- For enterprises: ESU’s per‑device starting price of US$61 in Year One (commercial) is useful to buy time, especially for segmented and phased migrations; but the price escalates in subsequent years, making it expensive as a long‑term strategy. (theverge.com)
- For consumers and small businesses: Microsoft’s consumer ESU approach (free if you enable Windows Backup or by redeeming 1,000 Rewards points, or US$30 for up to 10 devices) is a time‑limited way to avoid emergency upgrades for one year. That can be attractive for households and very small setups, but it is a temporary bridge. (support.microsoft.com)
- Cost of migration includes hardware refresh, imaging, staff time, app validation and end‑user training. When amortised over the lifecycle, replacing non‑compatible hardware and moving to Windows 11 or cloud PCs often becomes the lower‑risk, longer‑term investment compared with repeated ESU renewals. (windowscentral.com)
What to watch for in the coming weeks
- Uptake of ESU enrolment: organizations should monitor successful enrollment rates and any reported glitches with Microsoft Rewards redemption or the backup‑based free path — community comments and Microsoft Q&A threads show some users encountering issues. Test and confirm the flow on representative devices. (learn.microsoft.com)
- Vendor lifecycle announcements: application and peripheral vendors will publish Windows 11 compatibility maps and driver updates; track those to prevent surprises during migration. (kaspersky.com)
- Shifts in public metrics: pageview trackers and telemetry providers will continue reporting market‑share swings as migration accelerates; use multiple data sources to triangulate your organisation’s likely posture rather than relying on a single headline figure. (gs.statcounter.com)
Strengths and weaknesses of the current landscape
Notable strengths
- Microsoft has offered multiple ESU pathways tailored to both consumers and organisations, including a consumer‑friendly free enrollment path — a pragmatic concession that recognises the practical difficulty of instant mass upgrades. (blogs.windows.com)
- The availability of cloud options (Windows 365, Azure VMs) provides a technically sound alternative for lifting sensitive workloads off legacy endpoints without immediate hardware replacement. (blogs.windows.com)
Risks and weaknesses
- A significant portion of the installed base — particularly in telemetry datasets such as Kaspersky’s — remains unpatched and vulnerable as the deadline approaches. That creates a window of elevated risk for opportunistic exploitation. (kaspersky.com)
- Measurement differences between data providers create uncertainty over the true global distribution of OS versions; organisations should not base migration strategy on a single public headline. Corroborate telemetry with on‑premise inventories. (gs.statcounter.com)
- Operational friction: many SMEs and regulated organisations face barriers (hardware cost, vendor testing) that will delay clean migrations and require careful budgeting and governance to avoid long‑term exposure. (windowscentral.com)
Action checklist for IT leaders (next 30 days)
- Produce a verified asset inventory and tag devices by upgrade readiness and business criticality.
- Pilot Windows 11 upgrade stream for a representative set of endpoints and vendors; validate EDR/AV, networking and print services.
- Decide ESU coverage for devices that cannot be migrated immediately and procure commercial ESU or plan consumer ESU enrolment where appropriate.
- Communicate with line‑of‑business stakeholders about schedules and potential application testing impacts.
- Ensure backups, rollback images and incident response playbooks are up to date before mass deployment. (learn.microsoft.com)
Final assessment
Kaspersky’s telemetry adds a clear, credible warning: a large slice of devices in its monitored population remain on Windows 10 as the October 14, 2025 cut‑off approaches. That telemetry is supported by other industry observations showing uneven migration progress and substantial numbers of incompatible or unrefreshed machines. Microsoft’s ESU program — with segmented commercial pricing and consumer concessions — buys time for careful migrations, but it is deliberately temporary and not a substitute for a deliberate upgrade strategy. (kaspersky.com)For organisations, the calculus is straightforward in principle and challenging only in execution: identify what matters most, protect those assets immediately (ESU, cloud migration or accelerated refresh), and plan the remainder on an achievable timeline that prevents an unmanaged, heterogeneous estate from becoming a persistent security gap. The short window left before EOL makes immediate action the prudent choice. (support.microsoft.com)
Conclusion
The impending end of Windows 10 support is no longer a distant policy milestone — it is a near‑term operational reality. Kaspersky’s telemetry provides a useful, sobering snapshot of where risk is concentrated today, while Microsoft’s ESU options and cloud pathways supply tactical breathing room for organisations that need additional time to migrate responsibly. The most critical next step for IT teams is to convert awareness into validated inventory, prioritised remediation and tested migration plans so that security, compliance and business continuity are preserved beyond October 14, 2025. (kaspersky.com)Source: bangkokpost.com Firms warned about using outdated Windows systems