Windows 10 migration stalls as enterprises face longer security tail
Lansweeper says Windows 10 still runs on 16.9% of monitored Windows devices, leaving companies with patching, hardware and vendor-certification problems.
By Renata Fuchs · Policy Reporter
· 3 min read
Windows 10 remains installed on 16.9% of Windows devices tracked by Lansweeper, or about one in six, after Microsoft ended standard support for the operating system. The persistence of that estate matters for enterprise IT budgets and risk planning because even paid Extended Security Updates have fixed end dates, and many of the remaining machines appear difficult to move.
Lansweeper’s asset data shows a steep drop from roughly half of monitored Windows machines a year ago to the low-to-mid 40% range around the end of standard support. Windows 10 then fell to 18.6% in June, but the company says the pace of migration has slowed sharply since then.
Microsoft’s Extended Security Updates program continues to provide critical and important security fixes for eligible Windows 10 systems. Consumer devices can receive those updates until Oct. 12, 2027, while commercial customers that pay can extend coverage until Oct. 10, 2028. Microsoft says ESU is intended to reduce malware and cyberattack risk by keeping access to important security updates available. The company has extended the program for consumers, reflecting the large installed base still on Windows 10.
SMBs and regulated hardware carry more exposure
Lansweeper’s figures point to greater concentration among smaller organizations. The company estimates that 21.4% of small and midsize business machines still run Windows 10, with cost usually the constraint. Sector exposure is also uneven: 23% of healthcare and pharmaceutical systems tracked by Lansweeper remain on Windows 10, while consumer and retail devices are at 22.7%.
The vulnerability gap is wide in Lansweeper’s dataset. The company says an average Windows 10 device carries 1,903 active CVEs, compared with 652 on Windows 11, a 2.9-times difference. Esben Dochy, principal technical evangelist at Lansweeper, told The Register that the Windows 10 average includes devices that have ESU patches installed.
Lansweeper also warned about patch diffing, where attackers compare Windows 11 fixes and use them to identify related weaknesses in Windows 10. The company said the supported operating system can effectively provide clues for attacking the unsupported one.
The remaining migrations are the expensive ones
Only 14% of Windows 10 assets tracked by Lansweeper have ESU patches applied, according to the company. Dochy told The Register that many of the remaining systems are likely stuck because of vendor dependence, certification gaps, cost or accepted risk, rather than neglect alone.
Medical and industrial equipment can have operating systems tied to vendor certification, and in some cases there is no Windows 11-certified version of the required device or software, Dochy said. Retail systems can face similar limits when compliance or warranty terms bind devices to specific OS versions. For hardware maintained under vendor contracts, a customer’s ESU enrollment may not solve the broader issue if the vendor has not completed Windows 11 certification or if the upgrade requires replacement hardware.
Some devices also remain in air-gapped or isolated environments, where organizations may accept the risk for now instead of enrolling in ESU, Dochy said.
Other market-share indicators, including Statcounter, have shown little recent movement in Windows 10 and Windows 11 share after a post-support migration bump. Rising PC hardware costs add another constraint, according to Lansweeper. For IT teams, the operational issue is less about the headline end-of-support date and more about inventory: which Windows 10 devices remain, whether they are patched, and whether each can be replaced, upgraded or isolated before Microsoft’s final ESU deadlines arrive.
This story draws on original reporting from The Register.