Don’t let Windows 10 end‑of‑support put you at risk
The famous Microsoft operating system reached end of support on 14 October 2025. No more security patches, no more technical assistance. Here is what any organisation needs to know… and do.
Jean-Michel Gaudron
The context
Windows 10 officially reached end of support on 14 October 2025. Since that date, Microsoft no longer provides technical assistance, feature updates or security patches for the operating system outside its Extended Security Updates programme (see below). More than 400 million computers are affected worldwide.
Devices running Windows 10 continue to function, but they are now exposed to an expanding range of threats with no official fixes on the way: every vulnerability discovered from here on stays open. For organisations, this means each unpatched Windows 10 machine accumulates exploitable weaknesses month after month, raising both the likelihood and the impact of an incident. The risk is not a future one; it began with the first missed Patch Tuesday.
Cybercriminals actively target end-of-life systems, knowing that the vulnerabilities their exploits rely on will never be fixed. Because Windows 10 shares much of its code with Windows 11, each month's Windows 11 security bulletins also point attackers at bugs that remain open on unsupported Windows 10 machines. Running unsupported software may put organisations in breach of their regulatory obligations as well: the GDPR requires "appropriate" technical security measures for personal data, and sector-specific standards commonly require systems to be supported and patched.
Immediate options
The immediate options are clear; there are three paths:
- Upgrade to Windows 11, which offers a more modern and secure computing environment, provided the hardware meets Microsoft's requirements (a 64-bit processor on the supported list, UEFI firmware with Secure Boot, TPM 2.0, at least 4 GB of RAM and 64 GB of storage);
- Enrol in Microsoft's Extended Security Updates (ESU) programme. ESU delivers Critical and Important security fixes only, with no new features and no technical support. For consumer devices it runs for one year, until 13 October 2026; for organisations it is a paid per-device subscription that can be renewed annually for up to three years, with the price rising each year. Either way it is a time-limited bridge, not a long-term solution;
- Replace devices that cannot support Windows 11 with hardware that meets current requirements.
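Which of the three paths a device is on can be read off the device itself. The following PowerShell 5.1 script is an added example, not part of the original article: it checks a Windows 10 machine against Microsoft's published Windows 11 minimums and looks at the newest installed update to tell whether the box is still being patched after end of support. It does not consult the supported-CPU list or check graphics, so an "Upgrade" verdict means "upgrade candidate"; the 1 November 2025 cut-off used to separate the final free October 2025 patch from ESU deliveries is my assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: decide which of the three paths a device is on.
# Thresholds are Microsoft's published Windows 11 minimums (UEFI + Secure Boot, TPM 2.0,
# 64-bit CPU with 2+ cores, 4 GB RAM, 64 GB system disk). The supported-CPU list and DirectX 12
# graphics are NOT checked, so "Upgrade" means "upgrade candidate, confirm the CPU model".
$EndOfSupport  = Get-Date '2025-10-14'
# Assumption: 14 Oct 2025 was the last free Patch Tuesday, so anything installed from
# November 2025 onward must have arrived through ESU.
$PostEoSCutoff = Get-Date '2025-11-01'

function Get-Win10SupportState {
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # Firmware: $env:firmware_type is "UEFI" or "Legacy"; Confirm-SecureBootUEFI throws on BIOS boxes.
    $uefi = ($env:firmware_type -eq 'UEFI')
    $secureBoot = $false
    if ($uefi) { try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false } }

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.59"; only the first field matters here.
    $tpm  = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm2 = ($null -ne $tpm) -and (($tpm.SpecVersion -split ',')[0].Trim() -eq '2.0')

    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $diskGB = [math]::Round($disk.Size / 1GB, 1)

    # Newest installed update: shows whether the machine is still being patched at all.
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
               Select-Object -First 1 -ExpandProperty InstalledOn

    $meetsWin11 = $uefi -and $secureBoot -and $tpm2 -and
                  [Environment]::Is64BitOperatingSystem -and ($cpu.NumberOfCores -ge 2) -and
                  ($ramGB -ge 4) -and ($diskGB -ge 64)

    $path = if ($os.Caption -notmatch 'Windows 10') { 'Not Windows 10 - out of scope' }
            elseif ($meetsWin11) { 'Upgrade to Windows 11 (confirm the CPU is on the supported list)' }
            elseif ($lastFix -and $lastFix -ge $PostEoSCutoff) { 'Receiving ESU updates - bridge only, plan replacement' }
            else { 'Unpatched since end of support - enrol in ESU or replace; apply compensating controls now' }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        OS                  = $os.Caption
        Build               = $os.BuildNumber
        UEFI                = $uefi
        SecureBoot          = $secureBoot
        TPM2                = $tpm2
        Cores               = $cpu.NumberOfCores
        RAM_GB              = $ramGB
        SystemDisk_GB       = $diskGB
        LastUpdateInstalled = $lastFix
        DaysSinceEoS        = [int]((Get-Date) - $EndOfSupport).TotalDays
        Path                = $path
    }
}

Get-Win10SupportState | Format-List
```

Run it on each candidate (or wrap the function in `Invoke-Command` against a list of hosts) and the resulting objects give you the inventory the "priority by criticality and exposure" step needs: which machines can move now, which are on a paid bridge with a hard end date, and which have had no security fix since October 2025.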
Pragmatic action plan
Manufacturers face a heightened challenge. Many operational technology (OT) environments still include legacy Windows releases such as XP, 7 and, now, unsupported Windows 10.
These high-risk legacy systems receive no patches and usually cannot run modern antivirus (AV) or endpoint detection and response (EDR) agents, making them prime targets for ransomware and other attacks that disrupt production lines.
Because OT has long life cycles and strict availability requirements, compensating controls become essential when upgrades are not immediately possible.
Here is a pragmatic action plan to reduce risk now:
- Upgrade to supported versions wherever feasible; replace equipment if required to meet Windows 11 specifications.
- Apply compensating controls when it is not possible to upgrade, and document the risk acceptance period.
- Segment networks to isolate legacy assets from business IT and the internet.
- Enforce strict allow‑lists for devices, services and outbound connections.
- Use locked‑down, least‑privilege accounts with multi-factor authentication (MFA) where supported.
- Restrict and broker remote access through jump hosts, a virtual private network (VPN) protected by MFA, and time‑bound approvals.
- Enhance monitoring with OT‑aware detection, log aggregation and alerting on anomalous behaviour.
- Conduct targeted risk assessments, and test incident and crisis procedures with tabletop exercises.
Prioritise by criticality and exposure: internet‑facing or otherwise externally reachable systems first, then high‑impact production assets.
Combining patching (where still available), configuration hardening and visibility drives down attacker dwell time.
Finally, aligning these decisions with the asset lifecycle roadmap lets today's stopgaps evolve into sustainable, supported platforms rather than permanent exceptions.
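The action plan above is a list of controls; the script below is one way to apply the host-side part of it to a single legacy Windows 10 machine, added here as an example and not taken from the original article. The IP addresses, account name and rule group name are placeholders, ports 8530/8531 are the WSUS defaults, and the six-month review date is an assumed risk-acceptance period. Network segmentation, the jump host itself and MFA on it live outside the endpoint and are out of scope for this script.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: host-side compensating controls for a
# Windows 10 machine that cannot be upgraded yet. Every address and account name below is a
# placeholder for illustration; substitute your own and test on a spare unit first, because a
# default-deny firewall also cuts DNS, DHCP, AD and any protocol you forgot to list.
param(
    [string]   $JumpHost        = '10.10.20.10',    # placeholder: only host allowed to RDP in
    [string[]] $OtServers       = @('10.10.30.5'),  # placeholder: historian / SCADA server(s)
    [string]   $UpdateServer    = '10.10.20.20',    # placeholder: WSUS that relays ESU patches
    [string]   $OperatorAccount = 'OT-Operator',    # placeholder: day-to-day local account
    [string]   $RuleGroup       = 'Legacy-OT-Compensating-Controls'
)

# 1. Default-deny inbound AND outbound on every profile; log blocked traffic so the log
#    aggregation/alerting in the action plan has data. Built-in "Core Networking" rules
#    (DHCP, ICMPv6, ...) stay in force; add explicit rules for anything else the host needs.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed False -LogMaxSizeKilobytes 32767 `
    -LogFileName '%systemroot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Rebuild the allow-list under one group name so re-running the script is idempotent.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -Group $RuleGroup -DisplayName 'OT: RDP from jump host only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpHost | Out-Null
foreach ($srv in $OtServers) {
    New-NetFirewallRule -Group $RuleGroup -DisplayName "OT: outbound to $srv" `
        -Direction Outbound -Action Allow -RemoteAddress $srv | Out-Null
}
New-NetFirewallRule -Group $RuleGroup -DisplayName 'OT: outbound to WSUS' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 8530,8531 -RemoteAddress $UpdateServer | Out-Null

# 3. Remove legacy attack surface a fixed-function host does not need (SMBv1 first).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
foreach ($svc in 'RemoteRegistry', 'SSDPSRV', 'upnphost') {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc -StartupType Disabled -ErrorAction SilentlyContinue
}

# 4. Least privilege: the operator logs on as a standard user, never as a local admin.
if (Get-LocalGroupMember -Group 'Administrators' -Member $OperatorAccount -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $OperatorAccount
}

# 5. Visibility: audit logons and process creation (with command lines) so a forwarder
#    such as Windows Event Forwarding has something worth alerting on.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 6. Document the risk acceptance: what was applied, when, and when it must be reviewed.
$record = [pscustomobject]@{
    Host     = $env:COMPUTERNAME
    Applied  = (Get-Date).ToString('s')
    ReviewBy = (Get-Date).AddMonths(6).ToString('yyyy-MM-dd')   # assumption: 6-month acceptance window
    Rules    = @(Get-NetFirewallRule -Group $RuleGroup | Select-Object -ExpandProperty DisplayName)
}
$record | ConvertTo-Json | Set-Content -Path "$env:ProgramData\legacy-ot-controls.json"
$record
```

Two design choices matter more than any individual line. Blocking outbound by default, not just inbound, is what stops a compromised legacy host from reaching the internet or beaconing to a command-and-control server, and it is also what breaks things if the allow-list is incomplete, so build the list from observed traffic before enforcing it. Writing the JSON record is not decoration: the action plan asks you to document the risk acceptance period, and a file with an explicit review date is what turns "temporary" into something that actually gets revisited.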
Get support from Luxembourg Digital Innovation Hub
Assessing cybersecurity readiness and planning a secure migration path can be complex. The Luxembourg Digital Innovation Hub (L-DIH), powered by Luxinnovation and its partners including the Luxembourg House of Cybersecurity, supports manufacturing and industrial companies in Luxembourg in evaluating their cyber risks and identifying the right solutions.
L-DIH can help organisations assess their exposure, plan migration or compensating controls and connect them with trusted solution providers.