As Windows 10 approaches its official end of support on October 14, 2025, UK businesses and individuals still relying on the operating system will need to make a critical decision: upgrade to Windows 11 or subscribe to Microsoft’s Extended Security Updates (ESU) program. The ESU program is designed to provide essential security patches for those who choose to remain on Windows 10, but it comes at a rising cost and with limited support.
For UK organisations, the ESU pricing is structured to double each year, making it a progressively more expensive option. The estimated per-device costs are as follows:
This means that a business with 50 devices could face a total ESU cost of £17,500 over three years, assuming they maintain all devices on Windows 10 throughout the period. These updates will only include critical and important security patches — no new features, no performance improvements, and no general support will be provided.
For businesses in regulated sectors such as finance, healthcare, or legal services, continuing with Windows 10 without ESU could lead to compliance violations under standards like GDPR, Cyber Essentials, or ISO 27001. This makes the ESU program a necessary, albeit temporary, bridge for organisations that need more time to transition to Windows 11 or cloud-based solutions like Windows 365 or Azure Virtual Desktop, which include ESU at no additional cost.
Without updates, your device will be at high risk. Cybercriminals, believe it or not, will know this and actively target outdated devices. They'll use ransomware and other malware to exploit security holes that aren't patched. When a zero-day alert is raised, you will not receive the patch that remediates it, and your data will be at high risk.
As mentioned above, if you are in a regulated industry sector, running without ESU would lead to your certificate being revoked and may open the business to fines and penalties.
Another reason to have ESU is related to your supply chain. You may have clients or suppliers who require your business to be compliant. If you aren't, they may have to take their business elsewhere.
If a cyber attack disrupts your business because security patches were missing, what will that do to your reputation?
Business applications may also stop working on devices that don't meet the required security standards, causing a loss of productivity.