Windows 10: The Most Expensive Path Is Doing Nothing

4 min read

Guest CommentaryWolfgang Hahl, Chief Revenue Officer, enthus GmbH

For private users, the matter is settled. In Germany, Windows 11 now runs on roughly three out of four devices in general web use. In the business world, the picture looks different: a significant share of machines still run Windows 10 – and it is precisely where it costs the most that migration is stalling.

The Essentials in Brief

• Support has ended: Since October 14, 2025, Windows 10 no longer receives regular security and feature updates. The system keeps running; the protection does not.
• ESU is not a fleet strategy: Microsoft’s Extended Security Updates cost about €53 per device in the first year and double each year. Over three years, that adds up to roughly €372 per device – for standing still.
• Three paths instead of waiting: An orderly Windows 11 migration for the bulk of the fleet, targeted ESU bridging for genuine exceptions, and Device-as-a-Service where the hardware is at end of life anyway.

This is not an oversight born of complacency. It is the result of a trade-off that many midsize companies have kept deferring – and it grows more expensive the longer it remains unresolved.

Related:BYOD gap widening in German companies  /  VMware price shock: DACH companies face a tough choice

What Ended on October 14, 2025 – and What Didn’t

Since October 14, 2025, Microsoft no longer delivers regular security and feature updates for Windows 10. The operating system keeps running; support does not.

What did not end: the risk. An operating system without security updates is not a frozen state but an ever-growing attack surface. Every new vulnerability disclosed after the cutoff date remains open. For companies subject to NIS-2 or held to the “state of the art” standard, running an unsupported operating system in production is therefore also a governance issue – not just a technical one.

Microsoft has put a safety net in place for the transition period: the Extended Security Updates (ESU). But you should understand what they are – and what they are not.

The ESU Bridge Is a Stairway Up

ESU continues to deliver critical and important security updates for Windows 10 – no new features, no improvements. It is a painkiller, not a cure. And it is deliberately priced so that standing still eventually hurts.

For businesses, ESU costs per device:

• Year 1: about €53
• Year 2: about €106
• Year 3: about €213

The price doubles every year. Over the full three years until the program ends on October 14, 2028, that adds up to roughly €372 per device – purely to stand still. Those who join late must pay for the preceding years; individual years cannot be skipped.

Microsoft lists ESU prices in its home currency; the euro figures cited here are based on the ECB reference rate of June 19, 2026, and rounded.

In other words: ESU is the right choice for clearly defined exceptions. As a fleet strategy, it is the most expensive way to postpone a decision that is due anyway.

Why the Mittelstand Is Stuck

The reasons companies stay on Windows 10 are rarely inertia. Usually, it is a combination of three real obstacles:

• Hardware: Windows 11 requires TPM 2.0, Secure Boot, and a supported CPU generation. A noticeable share of devices procured before 2019 do not meet these requirements – and cannot simply be “brought up to spec.”
• Software: Specialized applications, industry software, or machine integrations that were never certified for Windows 11 block entire departments.
• Processes: Migration is project work – inventorying, compatibility testing, rollout, user support. Without capacity in the IT team, it keeps getting pushed back.

These obstacles do not go away by waiting. They get more expensive – through rising ESU fees on one side and aging hardware on the other.

Three Paths – and When Each Fits

There is no single right path. There are three that can be combined.

1. The orderly Windows 11 migration. For the bulk of the fleet, this is the direct path. With modern device management – deployment via Autopilot, management via Intune, identities via Entra ID – the rollout becomes predictable rather than manual. The first step is always the same: an honest inventory of which devices and applications are migration-ready and which are not.

2. Targeted ESU bridging. For demonstrably incompatible legacy systems – specialized hardware, legacy line-of-business applications, machine-adjacent workstations – ESU makes sense. But deliberately time-limited, clearly scoped, and with an exit date. ESU is the bridge for the last ten percent, not for the entire fleet.

3. Device-as-a-Service as a modernization lever. Where the hardware is at the end of its lifecycle anyway, a Device-as-a-Service model solves several problems at once: It replaces the investment backlog with predictable monthly costs, brings Windows 11-capable devices in-house, and takes procurement, provisioning, and lifecycle management off the IT team’s hands. A deferred CapEx burden becomes a predictable operating expense.

The Math You Should Do Now

An honest TCO analysis does not pit “migrate now” against “do nothing.” It pits “orderly modernization” against “rising ESU fees on aging hardware, plus the migration later anyway.”

In the vast majority of cases, modernization wins. Not because new technology is nice – but because the bridge gets more expensive every year and ultimately leads across the same river.

”

// Direct Quote

We are hearing this right now in many conversations with midsize businesses: The devices are still running, so the transition gets pushed back. What gets lost in the process: With ESU, you pay more year after year for nothing to improve. The smart decision is not to wait as long as possible – but to clarify now which devices will be migrated, which need to be bridged, and where a switch to a service model takes the issue off the table for years.

You don’t yet know how many of your devices are Windows 11-capable? That is the right first step. As a Microsoft partner, enthus builds a reliable device and application inventory, assigns each system to one of the three paths, and carries out the migration with modern endpoint management – including Device-as-a-Service where hardware renewal is due.

Frequently Asked Questions

What exactly are Extended Security Updates (ESU)?

ESU is a paid Microsoft offering that continues to provide critical and important security updates for Windows 10 after the official end of support on October 14, 2025. It delivers no new features and no improvements – only patches for known vulnerabilities.

How much does ESU cost per device?

About €53 per device in the first year, about €106 in the second, and about €213 in the third. The price doubles every year. Over the full three-year term until October 14, 2028, that adds up to roughly €372 per device. Those who join later must pay for the preceding years.

How long does the ESU program run?

The program ends on October 14, 2028. Until then, individual years cannot be skipped – anyone joining in the third year must pay for the first two years as well.

When does ESU make sense and when doesn’t it?

ESU makes sense for clearly defined exceptions: specialized hardware, legacy line-of-business applications, or machine-adjacent workstations that are demonstrably not Windows 11-capable and are being bridged for a deliberately limited time. As a fleet strategy for the entire device base, it is the most expensive way to defer a modernization that is due anyway.

What is the first step in a Windows 11 migration?

An honest inventory: Which devices and applications are migration-ready, and which are not. From this, you assign each to one of the three paths – orderly migration for the bulk, targeted ESU bridging for genuine exceptions, and Device-as-a-Service where the hardware needs to be replaced anyway.

Image source: AI-generated (June 2026).