On October 14, Microsoft will officially end support for Windows 10. After that date, the operating system will no longer receive security patches, feature updates, or technical assistance.
One new survey estimates that around 21 million people in the UK still own and use a laptop or desktop computer running Windows 10. And worryingly, a quarter of Windows 10 users said they plan to keep using the operating system after updates stop, leaving them exposed to potential security threats and scams if they don’t take action.

The public sector’s reliance on legacy systems, compliance obligations and high exposure to cyberattacks all mean that the end of Windows 10 support is not just an IT upgrade issue – it’s a cybersecurity imperative. But upgrading an underlying OS isn’t as simple as pushing a button; it often triggers cascade effects across dependencies, compatibility, certification and testing.
Moreover, sectors designated as Critical National Infrastructure (CNI), such as government services, utilities, transport, or energy often run “brownfield” systems with lower tolerance for disruption, long certification cycles, and tightly regulated environments.
“Several sectors defined by the UK as critical national infrastructure … are still dependent on legacy IT systems,” said Scott Walker, chief architect at Orange Cyberdefense, who warned that many devices may be incompatible with Windows 11. Some may miss the deadline entirely or have fragments of their network left running Windows 10. In large networks, “some [machines] could be missed” in the migration, he said.
Walker believes that compensating mitigations will be essential. “The cost of updating an OS and upgrading hardware will not be a small sum, but it will be dwarfed in comparison to the cost of a successful breach.”
The risk is real: in its 2025 survey of 600 UK CNI cybersecurity leaders, Bridewell found that 98 percent of CNI organisations admit to security challenges, with a notable proportion citing data protection issues and evolving threats as core concerns.
Attack Surface Expands Without Patches
Once Windows 10 is out of support, any new vulnerabilities discovered in its core will remain unpatched. The danger then is that the OS becomes a static target. Attackers will actively scan for unpatched systems, especially those in environments known to host sensitive data.
Lewis Barry, principal security architect at inforcer, noted that in September 2025 alone, Microsoft released 58 patches with “critical or important” CVE designations. If those vulnerabilities (and future ones) go unpatched, organisations remain exposed to Elevation of Privilege and Remote Code Execution attacks.
“Upgrading to Windows 11 is necessary to keep receiving security updates … but it also acts as the vehicle for all the new Windows features and AI enablement Microsoft brings to the platform,” said Barry.
“Zero days will be undefendable – it’s open season for attackers,” said Charaka Goonatilake, CTO at Panaseer, who stressed that organisations must map out exactly where Windows 10 is used, and apply compensating controls where it isn’t yet replaced.
“Once attackers get a foothold, they’ll move laterally across your network … Organisations need a comprehensive understanding of how and where Windows 10 is currently in use.”
Additionally, public sector organisations rarely operate in isolation. They rely on third-party services, supply chains and interconnected systems. Attackers may target weaker links – for example, contractors or legacy systems still running Windows 10 – as a stepping stone. Once inside, they can escalate privileges or pivot into critical systems.
Windows 10: Let it Go
Merritt Maxim, VP research director at Forrester, noted that the end of Windows 10 support forces organisations into a strategic decision.
“Customers will be required to either purchase Microsoft’s Extended Security Updates (ESU) for their Windows 10 assets; move to Windows 11 or another OS; take a different approach to providing application and data access to users – such as thin-client with virtual desktop infrastructure (VDI), bring your own device (BYOD), or browser-only access – or secure existing Windows 10 assets in a manner that will reduce the risk of compromise on these unsupported desktops.”
Maxim added that Microsoft has steadily enhanced the security baseline in Windows 11, making it a more secure platform than any previous version.
“If your organisation is staying with Windows as your default desktop operating system, you need to move to Windows 11. Staying on Windows 10 only increases the risk of compromise … it’s time to let it go. IT leaders should embrace the changes that improve user experience and security posture at the same time. Business leaders need to take all this into account when planning their migration or continued deployments of Windows desktops. Team leaders for endpoints, security, applications, and even patching need to collaborate on migrating to Windows 11 to ensure that all teams have the tools and plans necessary to support a successful migration.”
Resistance From Decision-Makers and Users
Nevertheless, in many public bodies, the purse strings are held by non-technical stakeholders. IT and security teams must justify the business case: why spend on devices and labour now, versus accepting residual risk.
“Internal IT teams and MSPs may still meet resistance … there will still be an associated time and financial investment … in terms of determining if any hardware upgrades are necessary … checking software requirements,” said Ben Lee, head nerd at N-able & Microsoft MVP.
Lee cautioned that in past OS transitions (Vista → 7, 8 → 10), the user-facing changes were more obvious. With Windows 11, most of the changes are under the hood – making the benefits less tangible to non-IT stakeholders.
Compounding that, scepticism around new features in Windows 11 may deter adoption. Lee mentions Microsoft’s Copilot and Recall features – considered controversial by some – as a potential sticking point for organisations dealing with sensitive data. Many users may fear these features from a privacy or security angle, unaware that business policy management can disable or restrict them.
Public Sector Priorities
- Rapid inventory and risk profiling: Catalogue all Windows 10 devices: who uses them, for what, and how critical they are. Assign a risk score to prioritise migration or compensating controls.
- Phased migration and pilot testing: Avoid “big bang” upgrades; test in small groups, validate app compatibility, and expand gradually using Intune or SCCM.
- Hardware and software compatibility assessment: Evaluate TPM 2.0 and Secure Boot compliance. Modernise or replace legacy applications that fail under Windows 11.
- Mitigating controls and compensations: Apply segmentation, Zero Trust, and EDR tools. Walker recommends CTEM and SASE to complement transitional defences.
- Stakeholder education and change management: Communicate the true cost of inaction – reputational damage, breach costs, and fines – while addressing concerns around AI and privacy features through clear policy.
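The first and third priorities above (inventory with a risk score, and TPM 2.0 / Secure Boot assessment) can be scripted. The following PowerShell is an added example, not code from the article or any vendor quoted in it; it assumes it runs elevated on each endpoint (Get-Tpm-style queries and Confirm-SecureBootUEFI need admin) and that the objects it emits are collected centrally, for instance via an Intune or SCCM script deployment. The risk weights are illustrative placeholders, not an official scoring scheme.

```powershell
# Added example: per-endpoint Windows 10 end-of-support readiness check.
# Assumes an elevated session; risk weights are illustrative, not a standard.

function Get-Win10MigrationReadiness {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Windows 11 builds start at 22000; Windows 10 builds sit below (19045 = 22H2).
    $isWindows10 = ($build -lt 22000)

    # TPM 2.0 is a Windows 11 requirement. Win32_Tpm.SpecVersion reads like "2.0, 0, 1.59".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = $false
    if ($tpm -and $tpm.SpecVersion) {
        $tpm20 = ($tpm.SpecVersion.Split(',')[0].Trim() -eq '2.0')
    }

    # Confirm-SecureBootUEFI returns $false when UEFI has Secure Boot off and
    # throws on legacy-BIOS machines; treat both as "not compliant".
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # Illustrative score: an unsupported OS dominates; upgrade blockers add to it.
    $score = 0
    if ($isWindows10)         { $score += 50 }
    if (-not $tpm20)          { $score += 25 }
    if (-not $secureBoot)     { $score += 25 }

    if (-not $isWindows10)                { $action = 'None' }
    elseif ($tpm20 -and $secureBoot)      { $action = 'Upgrade in place' }
    else { $action = 'Replace hardware or apply compensating controls' }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        OSCaption    = $os.Caption
        Build        = $build
        IsWindows10  = $isWindows10
        Tpm20        = $tpm20
        SecureBoot   = $secureBoot
        RiskScore    = $score
        Action       = $action
    }
}

Get-Win10MigrationReadiness | Format-List
```

Exporting the objects from many endpoints to CSV gives the catalogue the first priority asks for, with RiskScore as the field to sort the migration order by.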
Conclusion: Push the Migration Pedal
For the public sector, the end of Windows 10 support creates risk around unpatched vulnerabilities, lateral movement, supply chain attacks, regulatory exposure and reputational damage. Extended Security Updates and compensating controls can only delay the inevitable – they are not substitutes for modernisation.
While migration carries costs, complexity, and resistance, the alternative – standing still – is riskiest of all. A phased, data-driven migration, coupled with compensatory security controls, stakeholder education, and resilient backup strategies should be the non-negotiable baseline.