Field note
Windows 10 After End of Support: Microsoft 365 and Cyber Essentials Risk
Unsupported endpoints are not just a patching issue. They distort access policy, audit evidence, refresh plans, and every uncomfortable exception conversation.
Windows 10 end of support is not only a hardware refresh problem. It affects Microsoft 365 support posture, endpoint risk decisions, and how believable your control story sounds when someone asks hard questions.
The headline date is clear: Windows 10 support ended on October 14, 2025. That part is straightforward.
The nuance is where people get sloppy. Microsoft says Microsoft 365 Apps on Windows 10 continue to receive security updates for three years after that date, through October 10, 2028, to help customers transition. That does not make Windows 10 a supported long-term steady state. It means Microsoft gave customers a bridge, not a reason to stop planning.
That distinction matters. Teams sometimes hear "Apps still get updates" and translate it into "the estate is fine". It is not fine. It is in transition, and your controls should treat it that way.
The four routes for every remaining device
For every Windows 10 device, pick one route.
| Route | When it makes sense | Evidence |
|---|---|---|
| Upgrade to Windows 11 | Hardware supports it | Upgrade plan and completion date |
| Replace device | Hardware cannot support Windows 11 | Procurement tracker |
| Use Extended Security Updates | Short-term bridge only | ESU coverage and retirement date |
| Isolate or remove | Legacy device with limited use | Access restriction evidence |
The mistake is leaving devices in a fifth category called "we will come back to it later".
Why Microsoft 365 teams should care now
Windows 10 devices still hold tokens, sync OneDrive, open mail, join Teams meetings, and access SharePoint. That means they remain part of the tenant attack surface whether you like the desktop fleet or not.
The following Microsoft 365 controls reduce the blast radius, but they do not erase the lifecycle issue:
- Conditional Access requiring compliant devices.
- Intune compliance checking supported OS versions.
- Defender for Endpoint onboarded.
- Update rings and reporting.
- Clear exception list for unsupported devices.
- No admin portal access from unsupported endpoints.
The support nuance most teams miss
Microsoft 365 Apps feature updates on Windows 10 stop at Version 2608 on a channel-specific schedule, then security updates continue until October 10, 2028. So if you are still running Windows 10, you are already managing a diminishing path with extra conditions attached.
That means planning matters more, not less. You want to know:
- how many Windows 10 devices remain
- which of them are eligible for Windows 11
- which of them are hanging on because of a real business dependency
- when each exception ends
Cyber Essentials angle
The NCSC position is simpler than many internal debates. Supported software and timely patching still matter. If a device sits outside normal support, you need a defensible route such as upgrade, replacement, or a formally managed extended-support path with clear retirement dates.
What does not work is vague intent. "We are looking at it" is not an operating control.
Treat each remaining Windows 10 endpoint as an exception with an owner. Once you do that, the reporting gets sharper and the excuses get shorter.
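One way to turn the four routes and the "exception with an owner" rule into a repeatable check, as an added example that is not part of the original note. The CSV column names, route keywords, device names, and dates are assumptions constructed for illustration, not an Intune export format.

```python
import csv
import io
from datetime import date

# The four routes from the table above, each with the evidence the table asks for.
ROUTES = {
    "upgrade": "Upgrade plan and completion date",
    "replace": "Procurement tracker",
    "esu": "ESU coverage and retirement date",
    "isolate": "Access restriction evidence",
}

# Constructed sample register (hypothetical columns and rows).
SAMPLE_REGISTER = """device,os,route,owner,evidence,end_date
LT-001,Windows 10,upgrade,a.khan,UPG-PLAN-12,2026-09-30
LT-002,Windows 10,,,,
LT-003,Windows 10,esu,j.smith,,2026-03-31
KIOSK-7,Windows 10,isolate,,VLAN-RULE-4,2027-01-15
LT-004,Windows 10,later,p.jones,,2026-12-01
LT-005,Windows 11,,,,
"""

def audit_register(csv_text, today):
    """Return {device: [findings]} for Windows 10 rows that are not a defensible exception."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["os"].strip().lower() != "windows 10":
            continue  # only remaining Windows 10 devices need a route
        problems = []
        route = row["route"].strip().lower()
        if route not in ROUTES:
            problems.append("no valid route (the 'come back to it later' category)")
        elif not row["evidence"].strip():
            problems.append(f"missing evidence: {ROUTES[route]}")
        if not row["owner"].strip():
            problems.append("no owner")
        end = row["end_date"].strip()
        if not end:
            problems.append("no end date")
        elif date.fromisoformat(end) < today:
            problems.append(f"exception expired on {end}")
        if problems:
            findings[row["device"]] = problems
    return findings

if __name__ == "__main__":
    # The audit date is a constructed value so the sample output is stable.
    for device, problems in audit_register(SAMPLE_REGISTER, date(2026, 6, 1)).items():
        print(device, "->", "; ".join(problems))
```

Run against the constructed register, only LT-001 passes: it has a route, matching evidence, an owner, and an end date still in the future.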