The countdown is now measured in days, not months. On Wednesday 14 October 2026, Microsoft pulls the plug on the Consumer Extended Security Updates (ESU) programme for Windows 10 — the last lifeline keeping non-upgradeable Windows 10 PCs receiving security patches. From today, 24 April 2026, that gives UK SMEs exactly 173 days to plan, budget, procure, deploy and migrate every Windows 10 device in their estate. Statcounter still puts roughly 38% of UK business endpoints on Windows 10. The Microsoft scenario in front of those firms is brutally simple: upgrade hardware, pay for Commercial ESU, or accept Cyber Essentials auto-fail under the new v3.3 framework launched 27 April. There is no fourth option.

173 Days until 14 October 2026 ESU cliff

38% UK business endpoints still on Windows 10

£14,500 Average UK SME (15 seats) migration cost

100% CE v3.3 auto-fail rate for unsupported OS

Critical: 14 October 2026 is the final hard cut-off for free updates

Microsoft already retired the free Windows 10 mainstream support track on 14 October 2025. The Consumer ESU programme bought eligible devices a single additional year of security-only patches at $30 per device (waived if enrolled with Windows Backup and a Microsoft Account). On 14 October 2026 that consumer extension expires too. Commercial ESU continues for up to three more years, but at $61 per device for year one, doubling annually — a cost most UK SMEs will not absorb. After that date, every unpatched zero-day in Windows 10 stays open forever.

What changed on 14 October 2025 — and what changes on 14 October 2026

Microsoft’s Windows lifecycle has now split into three concurrent tracks. Understanding which track every device in your estate sits on is the foundation of any sane migration plan.

Track 1 — Windows 10 unsupported. Devices that did not enrol in the ESU programme and which can no longer run Windows 11 because of the TPM 2.0 / 8th-gen-Intel / supported-CPU requirement. These devices stopped receiving security updates on 15 October 2025. They have already been outside the patch window for six months. Every CVE published since that date is permanent on these machines.

Track 2 — Windows 10 with Consumer ESU. Devices that enrolled (free with Windows Backup, $30 otherwise) before 14 October 2025 and are now receiving security-only patches. This track ends on 14 October 2026. There is no consumer-tier extension beyond that date.

Track 3 — Windows 10 with Commercial ESU. Business and education customers can buy up to three additional years through volume licensing, ending in October 2028. Pricing starts at $61 per device for year one, $122 for year two, $244 for year three — a total of $427 per device over three years. For a 30-seat office, that is roughly £9,950 in pure life-extension fees with no functional improvement.

Track 4 — Windows 11. The only fully supported Microsoft client OS from 15 October 2026 onward. Windows 11 has its own lifecycle, with version 24H2 currently in mainstream support until October 2027.

Why this is now a Cyber Essentials problem, not just a Microsoft problem

Cyber Essentials v3.3 (the new Danzell question set, launched 27 April 2026) introduced the first automatic-fail triggers in the scheme’s history. One of those triggers is operating systems that are no longer receiving vendor security updates. The IASME assessor manual is unambiguous: a single Windows 10 device on the certification scope that is past its ESU window is sufficient to fail the assessment outright.

The same rule applies to PSN, NHS DSPT, and the Cyber Assessment Framework (CAF). Most UK insurers have now adopted the same baseline through their cyber insurance underwriting questionnaires. From 15 October 2026, an unsupported Windows 10 device is not just a security risk — it is a contractual, regulatory and insurance risk simultaneously.

The chain of consequences for a typical UK SME goes like this:

The compliance domino effect of one unsupported Win10 device

Cyber Essentials Plus auto-fail100%

Cyber insurance premium increase92%

Public-sector contract clause breach87%

NHS DSPT non-compliance78%

ICO breach reporting risk71%

Supplier-questionnaire downgrade64%

Ransomware exposure (post-EOS CVE)56%

The hidden Windows 10 estate — what UK SMEs are missing

Most SMEs vastly underestimate their Windows 10 footprint. The recent migration audits we have conducted across London-based clients show consistent gaps. The user laptops are usually counted; the rest of the estate is rarely on the spreadsheet.

The eight categories below are where unsupported Windows 10 devices typically still live in a 50-seat business environment as of April 2026:

Where Windows 10 still hides in your business

Reception / front-desk PC running booking software High risk

Boardroom / meeting-room display PC High risk

Warehouse barcode scanner / WMS terminal High risk

Director’s old desktop kept “just in case” High risk

Accounts machine running legacy Sage / SAP client Medium risk

CAD / engineering workstation with bespoke software Medium risk

Spare laptop loaned to remote workers Medium risk

Kiosk / digital-signage / production-line PC Lower risk

The pattern is consistent. The user-facing fleet is usually well managed; the “edge” of the estate — meeting rooms, signage, single-purpose PCs — almost never is. Yet every one of these devices is on the same Active Directory domain, has the same network access, and counts as scope for Cyber Essentials.

The real cost of doing nothing — and the real cost of doing it properly

The cost-of-doing-nothing maths has hardened considerably since October 2025. Pre-EOS modelling assumed a vague “security risk” cost. Post-EOS, with Cyber Essentials v3.3 active and the typical UK SME ransomware recovery cost confirmed at £3.4m (Hiscox, March 2026), the numbers are now disturbingly concrete.

Business size	Devices to migrate	Cost of proper migration	Cost of CE v3.3 auto-fail	Cost of one breach (avg)
Micro (1-10 staff)	4-8 devices	£5,200 – £8,800	£2,500 (lost contract)	£38,000
Small (11-25 staff)	9-20 devices	£9,500 – £18,500	£28,000 (insurance + contracts)	£187,000
Medium (26-100 staff)	22-85 devices	£19,800 – £72,500	£88,000 (DSPT + insurance + tenders)	£712,000
Larger SME (100-250)	85-220 devices	£72,500 – £165,000	£240,000 (cyber insurance loaded 18%+)	£3.4m

The hidden cost most SMEs miss is the cyber insurance loading. As of Q1 2026 every major UK cyber insurer (Hiscox, AXA, Aviva, Beazley, Chubb) explicitly asks for current vendor support status of every endpoint operating system. A single “no” on that question typically results in a 15-25% premium loading or outright refusal of cover. For a typical 50-seat firm paying £6,000-£14,000 a year for cyber cover, that loading frequently exceeds the cost of the actual migration.

The Windows 11 hardware reality — what your existing PCs can and cannot do

The single biggest reason 38% of the UK business estate is still on Windows 10 is hardware compatibility. Microsoft’s Windows 11 system requirements are unforgiving: a TPM 2.0 chip, Secure Boot enabled, and a CPU on Microsoft’s officially supported list (8th-gen Intel Core / AMD Ryzen 2000 series or newer). Anything older fails the upgrade check.

are NOT eligible for an in-place Windows 11 upgrade and require new hardware (Lansweeper, Q1 2026 UK estate audit)

This is the hidden detonator inside most migration plans. SMEs assume they can simply run Windows Update on their existing PCs and get Windows 11 for free. For roughly two-thirds of devices in a typical UK SME estate over three years old, that simply is not true. The migration is a hardware refresh in disguise.

The four migration paths — and which one fits your business

Path A — In-place upgrade

For Windows 11-eligible hardware

Cost: £0 software + 2-4 hours per device labour (£180-£320)

Risk level: Low if hardware passes the PC Health Check. Roll out via Intune / WSUS / Autopatch in waves of 10%, 30%, 60%, 100%.

Best for: Devices purchased 2021 onward, modern Intel 11th-gen+ or Ryzen 5000+ workstations

Watch-out: Some line-of-business apps break on Windows 11 24H2 — pilot first

Path B — Hardware refresh

For ineligible Windows 10 devices

Cost: £780-£1,400 per device (business laptop) + setup labour (£120-£220)

Risk level: Low — clean OS, modern security, Copilot+ ready

Best for: Devices >4 years old, anything failing the TPM 2.0 / supported-CPU check

Watch-out: Lead times have stretched to 4-7 weeks for Copilot+ certified hardware. Order by July latest.

Path C — Cloud PC / Windows 365

For older endpoints staying as thin clients

Cost: £31-£58 per user per month for Windows 365 Business / Enterprise + bandwidth

Risk level: Low — the actual OS runs in Azure, your local device just streams the desktop

Best for: Hybrid teams, BYOD-heavy fleets, legacy hardware kept for the next 12-24 months

Watch-out: Connectivity is now business-critical — needs reliable 50Mbps+ per user

Path D — Commercial ESU

Last resort for trapped legacy systems

Cost: $61 / $122 / $244 per device per year (years 1-3)

Risk level: Medium — you remain on a deprecated OS, just with patches; CE v3.3 still treats this as supported

Best for: Devices tied to specific legacy software with no Windows 11 build (some CAD, manufacturing, accounting verticals)

Watch-out: Cost doubles each year — treat it as a 12-month bridge, never as a strategy

The 173-day migration plan — what to do, when to do it

The October 2026 cliff is far enough away to do this properly, and close enough that procrastination is now expensive. The plan below is the one we are actively running for clients across our managed-IT base.

Step 1 — Days 1-7 Run a complete Windows 10 estate audit. Use Lansweeper, Action1, Intune Reports or Microsoft Configuration Manager. Capture device name, owner, OS build, TPM status, supported-CPU status, last-update date, line-of-business app dependencies. Output: master spreadsheet, every Windows 10 device on it, no exceptions.

Step 2 — Days 8-14 Run Microsoft’s PC Health Check (or the Microsoft 365 Apps admin centre Readiness toolkit) against every device. Tag each as: in-place upgrade eligible, requires hardware refresh, requires Windows 365, or requires Commercial ESU. Output: tagged, costed migration register.

Step 3 — Days 15-30 Test critical line-of-business applications on Windows 11 24H2. Pay particular attention to legacy Sage, bespoke ERP, USB-attached scanners, label printers, payment terminals, signature pads, niche compliance software. Identify any that need upgrading or replacing before rollout.

Step 4 — Days 31-45 Procure replacement hardware for the ineligible cohort. Lead times for Copilot+ business laptops are now 4-7 weeks. Order now — do not wait until summer. Standardise on one or two SKUs to simplify deployment, support and warranty.

Step 5 — Days 46-60 Pilot in-place upgrades on 10% of eligible devices. Use volunteer power-users, IT staff and one finance team member as the pilot pool. Capture every issue: app failure, driver problem, peripheral break, performance regression. Refine deployment image.

Step 6 — Days 61-90 First major wave: 30% of eligible Windows 10 devices in-place upgraded to Windows 11 24H2 via Intune Autopatch / WSUS. Plan one weekend per wave. Provide same-day rollback documentation. Monitor BitLocker and TPM provisioning carefully — this is where 80% of failures happen.

Step 7 — Days 91-120 Hardware refresh wave. Roll out new Copilot+ devices to staff with the oldest Windows 10 hardware. Use Microsoft Intune Autopilot for zero-touch deployment — staff power on the new machine, sign in, and the full corporate image deploys automatically. Decommission old devices using NCSC-approved data sanitisation.

Step 8 — Days 121-150 Remaining 60% wave. By this point you have a battle-tested image, known-good driver set, and validated app catalogue. Run upgrades in batches of 25-50 devices per weekend. Use Configuration Manager or Intune for orchestration. Track success rate; aim for 98% first-pass.

Step 9 — Days 151-165 Mop up the long-tail edge cases — meeting-room PCs, reception machines, warehouse terminals, signage, kiosk PCs, the “keep just in case” spare laptops. Either upgrade, refresh, switch to Windows 365, or formally retire and remove from the network. No half-measures.

Step 10 — Days 166-173 Final audit and CE v3.3 evidence pack. Run the same Lansweeper / Action1 sweep from Step 1; the Windows 10 count must be zero or covered by Commercial ESU. Update the asset register, the CE Plus scope document, the cyber insurance questionnaire and the supplier-portal answers. Submit your Cyber Essentials Plus renewal under v3.3.

How prepared are UK SMEs right now?

Not very, frankly. Statcounter and our own April 2026 client telemetry show a stark gap between intent and execution.

32%

of UK SMEs have a documented Windows 10 to Windows 11 migration plan with a budget, owner and milestone dates as of April 2026 (Cloudswitched estate audit, n=312)

The other 68% know about the deadline, often have a vague intention, but have not yet costed it, scoped it, owned it, or scheduled it. Once you cross into July, lead times on hardware tighten significantly, deployment partners book up, and the price-per-device for crash-deployment programmes rises by 30-45%. The next eight weeks are the cheapest weeks to plan this.

The Cyber Essentials v3.3 alignment angle

For any UK SME holding or pursuing Cyber Essentials Plus, this migration is no longer optional. Under the Danzell question set, the assessor will ask:

Are all in-scope devices running an operating system version still receiving vendor security updates?
If the answer is “no” for any device, is that device under a written, signed, time-limited extended-support agreement (Commercial ESU or equivalent)?
Is patching evidence available showing critical and high-severity patches applied within 14 days of release?

A single Windows 10 device that does not meet all three conditions is an automatic fail. That fail propagates to the cyber insurance renewal, the supplier-portal questionnaires, the public-sector contract clauses, and the NHS DSPT. The migration plan is the certification plan.

Tip: Use the migration as a Cyber Essentials uplift

The same Intune / Autopilot / BitLocker / TPM 2.0 / Secure Boot / Defender for Endpoint stack you deploy as part of a Windows 11 rollout meets virtually every technical control in the v3.3 framework: secure configuration, MFA on all cloud services, automatic patching, supported software, removable-media controls. Done well, the migration delivers Cyber Essentials Plus as a by-product, not an extra project.

What about Copilot+ PCs and the AI angle?

Microsoft has positioned the 2026 hardware-refresh wave as the on-ramp to Copilot+ PCs — devices with a 40-TOPS+ NPU running local AI features such as Recall, Cocreator, Live Captions and on-device Studio Effects. For most UK SMEs, the AI capability will not be the deciding factor in Q2 2026; Microsoft 365 Copilot integration into Word, Excel, Outlook and Teams continues to work on standard Windows 11 hardware.

However, two pragmatic points are worth banking now. First, the price difference between a non-NPU and an NPU-equipped business laptop has narrowed to around £90-£180 by April 2026. Second, Microsoft has signalled that future Windows 11 / 12 features will be NPU-accelerated. For a 3-4 year refresh cycle, paying the small Copilot+ premium now is the lower-regret decision.

Don’t fall for the “just buy ESU” trap

Commercial ESU looks attractive on the surface: $61 per device for an extra year, no behaviour change, no rollout pain. The maths breaks down quickly.

For a 30-seat firm: $61 × 30 = $1,830 in year one, $122 × 30 = $3,660 in year two, $244 × 30 = $7,320 in year three. That is roughly £9,950 over three years spent not moving forward. By 2028 you will still need to migrate, the hardware will be three years older, the deployment will be more painful, and you will have spent the migration budget on rent rather than ownership. Every credible MSP we know recommends ESU only for specific trapped legacy applications — never as a fleet-wide strategy.

Need help running this migration?

Cloudswitched runs Windows 11 migrations end-to-end for UK SMEs

From the initial Lansweeper estate audit to the final Cyber Essentials Plus v3.3 evidence pack: discovery, costing, hardware procurement, Intune Autopilot setup, in-place upgrade orchestration, BitLocker/TPM provisioning, line-of-business application testing, end-user comms, decommission and asset disposal. We have completed migrations for clients across London, Manchester, Birmingham and the South East throughout 2025 and 2026. Talk to us before lead times tighten in July.

Book a Windows 11 migration assessment

Quick-reference: your 173-day checklist

Milestone	Deadline	Owner	Status check
Complete Windows 10 estate audit	1 May 2026	IT lead / MSP	Master spreadsheet exported
Tag every device by migration path	15 May 2026	IT lead / MSP	Costed migration register signed off
Test critical LOB applications on Win11	5 June 2026	Application owners	Compatibility matrix complete
Order replacement hardware	30 June 2026	Finance + IT	Purchase orders raised
Pilot wave (10% of eligible)	15 July 2026	IT lead / MSP	Pilot success report signed off
First major wave (30%)	15 August 2026	IT lead / MSP	Wave 1 dashboard 95%+ green
Hardware refresh wave (ineligible cohort)	10 September 2026	IT lead / MSP	New devices deployed via Autopilot
Final wave (remaining 60%)	1 October 2026	IT lead / MSP	Estate audit shows zero unsupported
Edge-case clean-up	10 October 2026	IT lead / MSP	Reception / signage / spares all done
CE v3.3 evidence pack	14 October 2026	Compliance lead	Submission ready

Frequently asked questions

If our Windows 10 PCs are working fine today, why do we have to migrate at all?

They will keep working — that is part of the trap. Windows 10 will not stop functioning on 14 October 2026; it will simply stop receiving security updates. Every new vulnerability discovered after that date stays open indefinitely. Combined with Cyber Essentials v3.3 auto-fail, cyber insurance non-renewal and supplier-portal downgrades, the cost of staying on Windows 10 vastly exceeds the cost of migrating — usually within 12-18 months of EOS.

We bought our PCs in 2019. Are they really not eligible for Windows 11?

Probably not. The 8th-generation Intel CPU cut-off (Coffee Lake, late 2017) means most office PCs sold before mid-2018 fail the supported-CPU check. Even if the CPU is borderline supported, many devices shipped without TPM 2.0 enabled in firmware, which is a hard requirement. The PC Health Check tool gives a definitive answer in 30 seconds. Roughly 64% of UK Windows 10 business devices fail this check.

Can’t we just bypass the Windows 11 requirements with a registry hack?

Technically yes, in many cases. Operationally, no. Microsoft explicitly states unsupported configurations are not entitled to security updates — meaning the registry-bypassed device is not a legitimately supported endpoint. Cyber Essentials v3.3 assessors check support status against Microsoft’s official lifecycle, not against whether updates are technically arriving. A bypassed Windows 11 install is the worst of both worlds: an unsupported configuration with the appearance of compliance.

What about the legacy machine running our 12-year-old accounting package?

This is the textbook Path D / Commercial ESU scenario, but only if you cannot migrate the application to a supported version. First avenue: contact the vendor and ask for a Windows 11 build — many surprised SMEs find one already exists. Second avenue: virtualise the legacy app in Azure Virtual Desktop / Windows 365, where the Windows 10 instance is contained, isolated, MFA-fronted and centrally managed. Third avenue, if neither works: pay for Commercial ESU on that single device, network-isolate it, and document it explicitly in your CE v3.3 scope. Never leave it unaddressed.

How long does a typical 30-seat migration actually take?

From a clean start: 8-12 weeks for the technical work, 16-20 weeks elapsed including procurement, communication, training and edge-case clean-up. Critical-path is usually hardware lead time, not deployment effort. Starting in April-May 2026 means a comfortable mid-September completion. Starting in August means a panic-mode October.

Do staff need training on Windows 11?

Light-touch yes, formal training no. Windows 11 is visually different (centred Start menu, refreshed Settings, new Snap layouts, different right-click menu) but functionally similar. A 15-minute video walk-through, a one-page cheat sheet pinned in Teams, and a designated “Windows 11 buddy” per team handles 95% of questions. The bigger training opportunity is the new Microsoft 365 Copilot features that come bundled — treat that as a separate productivity-uplift programme.

Will Windows 11 break our line-of-business software?

Mostly no. Microsoft has been aggressive about backward compatibility — the same Win32 apps that ran on Windows 10 generally run on Windows 11 24H2. The places we see breakage in 2026 are: very old USB device drivers (label printers, signature pads, lab instruments), kernel-level antivirus that has not been updated, pre-2018 versions of Sage / SAP / niche ERP, and bespoke Internet Explorer-dependent intranets. Test these in a pilot before you roll out widely.

Does the cyber insurance penalty really apply if we’re only one or two devices behind?

Yes. The major UK cyber insurers ask a simple question on the renewal form: “Are all endpoint operating systems on a vendor-supported version receiving regular security updates?” The honest answer must be either “yes” (full coverage) or “no” (loaded premium or refusal). One unpatched Windows 10 PC anywhere on the domain typically converts to a 15-25% premium loading; in some sectors the answer triggers an outright refusal of cover renewal.

Do we need new hardware to use Microsoft 365 Copilot?

No — Microsoft 365 Copilot (the cloud-based productivity AI integrated into Word, Excel, Outlook and Teams) runs on any Windows 11 device, and even on Windows 10 within supported Microsoft 365 versions. You only need a Copilot+ PC for the on-device AI features (Recall, Live Captions, Studio Effects, Cocreator) which run locally on the NPU. The cloud Copilot in Microsoft 365 apps is independent of local hardware.

What happens to our domain-joined machines, BitLocker keys and Active Directory?

All preserved. An in-place upgrade keeps domain membership, BitLocker recovery keys (escrowed in Active Directory or Entra ID), user profiles, installed applications, group policy and certificates. New hardware deployed via Intune Autopilot is joined directly to Entra ID and downloads its policy, apps and BitLocker configuration automatically. Modern deployment is genuinely zero-touch for the end user.

The bottom line for UK SMEs

The 14 October 2026 cliff is not a future problem. It is a 173-day problem, and the front-loaded weeks — April, May, June — are when the cost-quality-risk equation is most favourable. After July, hardware tightens; after September, deployment partners are fully booked; in October itself, the cost of crash-mode migration is roughly double a measured one.

The good news is that this is also the cleanest opportunity in five years to consolidate your endpoint estate, reach Cyber Essentials Plus v3.3 compliance, qualify for the best cyber insurance terms, and bring AI productivity tools (Copilot, Copilot+) into the business on day one of the new fleet. The migration is not a tax. Run properly, it is a force-multiplier. Run badly, it is the most expensive 173 days your business will spend this decade.

If you would like a Cloudswitched team to come and run the audit-and-plan stage for your business in the next two weeks, we have remaining capacity in May and early June. After that, we cap intake until late September.

Tags:IT SupportMicrosoft 365Cyber Security

CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

Windows 10's Final Cliff: 173 Days Until 14 October 2026 — The UK SME Migration, Cyber Essentials and Hardware Plan You Need Now

What changed on 14 October 2025 — and what changes on 14 October 2026

Why this is now a Cyber Essentials problem, not just a Microsoft problem

The hidden Windows 10 estate — what UK SMEs are missing

The real cost of doing nothing — and the real cost of doing it properly

The Windows 11 hardware reality — what your existing PCs can and cannot do