Where We Are After October 14, 2025
Microsoft ended mainstream support for most editions of Windows 10 on October 14, 2025. Since then, Windows 10 machines still work, but they no longer receive monthly security updates by default. Businesses can purchase Extended Security Updates (ESU) for one, two, or three additional years — but the price roughly doubles each year, and ESU was never intended as a long-term strategy. In 2026, the only defensible posture is a documented Windows 11 migration plan with ESU as a temporary bridge for genuine exceptions.
Start With an Honest Inventory
You cannot migrate what you cannot see. Export a device list from Microsoft Intune, your RMM, or domain controllers and pair it with hardware data: CPU generation, TPM 2.0 presence, RAM, and Secure Boot state. Microsoft's PC Health Check is fine for a handful of devices; for a fleet, use your RMM or Intune's Endpoint analytics to tag each machine as Ready, Upgrade Possible with BIOS/firmware, Hardware Replacement, or Retire.
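As an added example (not from the original post), here is a PowerShell readiness check that applies the four tags above on each endpoint so an RMM can collect one CSV row per device. The 4 GB RAM / 64 GB disk thresholds and the tagging rules are assumptions, not Microsoft's official criteria, and CPU generation still has to be matched against Microsoft's supported-processor list separately.

```powershell
# Added example: tag a Windows 10 endpoint as Ready / Upgrade Possible with
# BIOS/firmware / Hardware Replacement / Retire. Thresholds are assumptions.
function Get-Win11Readiness {
    [CmdletBinding()]
    param()

    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    # TPM: Win32_Tpm.SpecVersion starts with "2.0" for a TPM 2.0 part.
    # A TPM disabled in firmware may not enumerate at all, so verify
    # "Hardware Replacement" tags with a firmware check before ordering.
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20      = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')
    $tpmEnabled = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS, so a throw means "off".
    $uefi = $env:firmware_type -eq 'UEFI'
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $diskGB = [math]::Round($disk.Size / 1GB)

    # Assumed heuristic: below 4 GB RAM or 64 GB disk is not worth a firmware or part fix.
    $tag = if ($ramGB -lt 4 -or $diskGB -lt 64) { 'Retire' }
           elseif ($tpm20 -and $tpmEnabled -and $uefi -and $secureBoot) { 'Ready' }
           elseif ($uefi -and $tpm20) { 'Upgrade Possible with BIOS/firmware' }  # enable TPM/Secure Boot
           else { 'Hardware Replacement' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = "$($os.Caption) $($os.Version)"
        CPU          = $cpu.Name.Trim()   # compare with Microsoft's supported-CPU list separately
        RAM_GB       = $ramGB
        Disk_GB      = $diskGB
        UEFI         = $uefi
        SecureBoot   = $secureBoot
        TPM20        = $tpm20
        TPMEnabled   = $tpmEnabled
        Tag          = $tag
    }
}

# One row per device; point the path at a share or let the RMM upload the file.
Get-Win11Readiness | Export-Csv -Path "$env:TEMP\win11-readiness.csv" -NoTypeInformation -Append
```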
Why Windows 11 Raises Your Security Floor
Beyond a new UI, Windows 11 enforces hardware-backed baselines that materially improve endpoint security: TPM 2.0, UEFI Secure Boot, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Credential Guard on by default for supported hardware. For SMBs, that means reduced credential theft exposure and a stronger baseline for Zero Trust initiatives. Skipping this upgrade leaves you paying for ESU while missing the defensive upside.
The Staged Migration Plan
Phase 1: Pilot (Week 1–2)
Choose 5–10 volunteer users across departments, including one in finance and one in a line-of-business role. Pilot on already-compliant hardware. Validate your full application list, printer drivers, VPN, and EHR/ERP connectivity. Capture issues in a shared tracker.
Phase 2: Department Waves (Week 3–8)
Migrate in waves of 20–30 users, aligning to business calendars. For Orange County law firms, avoid filing deadlines; for retail, avoid weekends. Use Intune Autopilot or SCCM task sequences where possible to cut hands-on time.
Phase 3: Exceptions and ESU (Week 9–12)
Any device that cannot be upgraded goes into a documented exception register with a replacement date, and temporarily receives ESU. No machine stays in exception indefinitely without a signed variance.
BitLocker, Intune, and Configuration Baselines
Migration is the right time to raise the floor, not just swap the OS. Enforce BitLocker with keys escrowed in Azure AD or Active Directory; apply Intune security baselines or Microsoft Security Baselines; block local admin rights for standard users; deploy an EDR/MDR agent that supports Windows 11; and confirm your backup agent is on the compatibility list. See our cybersecurity basics for the control list.
What to Do With Legacy Apps
Most LOB apps run fine on Windows 11, but some require vendor validation. Build a compatibility matrix with application owner, vendor statement, test result, and cutover risk. For apps that cannot move, isolate the legacy host behind network segmentation and treat it as high-risk — do not leave an unsupported OS on your flat LAN.
Rollback and Support Guardrails
Full image backup of every device prior to upgrade; verified restore on 2–3 pilot machines
10-day rollback window within Windows Update where feasible
Helpdesk runbook with top 20 known issues and fixes before Phase 2 starts
Communications plan: what users see, what to ignore, how to report problems
Change-freeze the week of each wave for non-related changes
ESU Is a Bridge, Not a Destination
Extended Security Updates should cover only devices with legitimate blockers — specialty medical imaging, specific shop-floor controllers, or apps actively in vendor replacement. For every ESU device, budget replacement within 12 months. Cyber insurers are increasingly asking about unsupported OS counts on renewal; see our post on cyber insurance requirements for context.
Frequently Asked Questions
Can we skip Windows 11 and jump to Windows 12?
There is no public Microsoft release plan that makes this realistic in 2026. Move to Windows 11 now; future upgrades will be in-place from 11.
Does Windows 11 require a Microsoft account?
For business editions joined to Azure AD or Active Directory, local business accounts are still supported.
How much does ESU cost?
Pricing is per device, per year, and roughly doubles each year. Budget accordingly: two years of ESU often exceeds replacement cost.
What about Copilot+ PCs?
Copilot+ PCs are Windows 11 with NPU-accelerated features. They are optional, not required for migration.
Need Help Running the Program?
BitBlockIT runs managed Windows 11 migrations for Orange County SMBs, including Intune Autopilot, BitLocker, and EDR rollout. Start with a free IT assessment or contact us. More reading: IT budget planning and cybersecurity library.