What Does Windows 10 End of Support Mean for Your Cyber Essentials Certification?

Date Posted:

A simple graphic with an orange background on one side, black on the other reads 'Windows 10 End of Support'. The Intrasource logo is in the bottom left corner.

If your business needs to stay Cyber Essentials or Cyber Essentials Plus certified, then you may want to keep an eye on the Windows 10 end of support (EOS) situation.

After 14th October 2025, Windows 10 is unsupported unless you upgrade to Windows 11 or enrol the device into extended security updates (ESU).

Cyber Essentials (CE) requires in-scope software to be licensed, supported and patched within 14 days for critical and high-risk issues. For Windows, your pass/fail hinges on one of three choices per device: upgrade, buy ESU, or remove the device from scope and place it into strict isolation.

What Cyber Essentials actually asks for (the bits that matter here):

  • Licensed and supported software on all in-scope devices.
  • Patch within 14 days when the update fixes a high-risk or critical vulnerability (or when the vendor doesn’t disclose severity).
  • If software becomes unsupported, remove it from devices or remove it from scope by preventing all internet traffic (and document this).

CE applies to devices that connect to the internet or access services from it.

So, what changes on 14th October 2025?:

  • Windows 10 leaves mainstream security servicing. Without Extended Security Updates, it’s unsupported and cannot remain in scope for CE.
  • With ESU, Windows 10 continues to receive security updates; you must still meet the 14-day patch expectation and hold evidence.
  • Microsoft 365 Apps on Windows 10 are not supported after this date, even if they continue to run. Factor that into risk and user experience planning.

So, how should you approach the decision of whether to purchase ESU or upgrade to Windows 11?

  • Step 1: Is the device in CE scope? In other words, is it connected to the internet or accessing services online? If not, record your justification and keep it strictly isolated offline.
  • Step 2: What is the device’s support status? After 14th October 2025, is the operating system (OS) still supported, i.e. either Windows 11 or Windows 10 with ESU? If not, go to Step 4.
  • Step 3: If the OS is supported, show that you can patch critical and high risk updates within 14 days in your monitoring and policy documentation. You are then on the right track to pass and/or keep your Cyber Essentials certification.
  • Step 4: If your OS is unsupported and cannot be made supported in time, you have two choices. You can either:
    • Remove from scope: block all internet traffic and document this.
    • Remediate: Upgrade to Windows 11 or keep Windows 10 and enrol into ESU; then return to Step 3.

In short:

If a Windows 10 PC is on the internet after 14th October 2025, you must either:

  1. Upgrade to Windows 11, or
  2. Buy ESU and keep patching within 14 days, or
  3. Take it out of scope by blocking all internet access and documenting that control.

What to do over the next month or so:

  1. Export a list of your Windows 10 devices or ask your IT provider to do it.
  2. Decision for each device: Upgrade now, ESU (temporary bridge), or remove from scope.
  3. Agree a timeline & budget. ESU is often around £50 per device for Year 1 with significant rises in year two and three; ask your provider for a firm quote.
  4. Document and keep all proof: whether on ESU or Windows 11, keep the licence and update evidence, plus patch logs showing fixes applied within 14 days.
  5. If using ESU, set an exit date. Treat it as a temporary solution and not a long term arrangement.
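The four-step decision flow and the device-by-device plan above are the kind of thing worth scripting once the inventory has been exported, so that the per-device decision and the 14-day evidence check are repeatable rather than done by hand. The following is an added example and is not Intrasource's own tooling: it applies Steps 1 to 4 to a constructed inventory export. The column names, hostnames and dates in the sample are assumptions about what an AD, Intune or RMM export might contain; adapt the header row to match yours. The patch check measures the gap between a vendor update's release date and the date it was installed (or today, if it is still missing), which is the way the 14-day expectation is usually evidenced.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

WINDOWS10_EOS = date(2025, 10, 14)  # end-of-support date given in the article
PATCH_WINDOW_DAYS = 14              # CE: critical/high fixes applied within 14 days of release

# Constructed sample inventory export (hypothetical hostnames and dates).
# The column names are an assumption about your export; adjust them to match.
SAMPLE_INVENTORY = """\
hostname,os,internet_connected,esu_enrolled,latest_update_released,latest_update_installed
PC-FIN-01,Windows 10,yes,no,2025-10-14,2025-10-16
PC-FIN-02,Windows 10,yes,yes,2025-10-14,2025-10-16
PC-LAB-03,Windows 10,no,no,2025-06-10,
PC-OPS-04,Windows 11,yes,no,2025-10-14,2025-10-16
PC-OPS-05,Windows 11,yes,no,2025-09-09,
PC-OPS-06,Windows 10,yes,yes,2025-10-14,
"""


@dataclass
class Assessment:
    hostname: str
    status: str            # "pass", "fail" or "out-of-scope"
    reason: str
    action: str
    patch_lag_days: Optional[int] = None


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def _date(value: str) -> Optional[date]:
    value = value.strip()
    return date.fromisoformat(value) if value else None


def assess_device(row: dict, today: date) -> Assessment:
    """Walk one device through Steps 1-4 of the article's decision flow."""
    host = row["hostname"]

    # Step 1: a device that never touches the internet is outside CE scope.
    if not _yes(row["internet_connected"]):
        return Assessment(host, "out-of-scope", "no internet access",
                          "record the justification and keep the device isolated")

    # Step 2: supported means Windows 11, Windows 10 with ESU, or Windows 10
    # on or before the end-of-support date.
    os_name = row["os"].strip().lower()
    esu = _yes(row["esu_enrolled"])
    if os_name.startswith("windows 11"):
        supported = True
    elif os_name.startswith("windows 10"):
        supported = esu or today <= WINDOWS10_EOS
    else:
        supported = False

    # Step 4: in scope but unsupported is a fail until remediated or descoped.
    if not supported:
        return Assessment(host, "fail", f"{row['os']} unsupported without ESU",
                          "upgrade to Windows 11, enrol in ESU, or block all "
                          "internet access and document it")

    # Step 3: the latest vendor update must be installed within 14 days of release.
    released = _date(row["latest_update_released"])
    installed = _date(row["latest_update_installed"])
    if released is None:
        return Assessment(host, "fail", "no update data in inventory",
                          "fix the export; evidence is required to pass")
    lag = ((installed or today) - released).days
    if lag > PATCH_WINDOW_DAYS:
        state = "installed" if installed else "still missing"
        return Assessment(host, "fail", f"update {state} {lag} days after release",
                          "apply the update now and retain the patch log", lag)
    action = "retain update evidence" + (" and set an ESU exit date" if esu else "")
    return Assessment(host, "pass", "supported and patched within window", action, lag)


def assess_inventory(csv_text: str, today: date) -> list:
    return [assess_device(row, today) for row in csv.DictReader(io.StringIO(csv_text))]


def assess_sample(today_iso: str = "2025-10-20") -> list:
    """Run the constructed sample through the flow as of the given date."""
    return assess_inventory(SAMPLE_INVENTORY, date.fromisoformat(today_iso))


def summarise(results: list) -> dict:
    counts = {"pass": 0, "fail": 0, "out-of-scope": 0}
    for r in results:
        counts[r.status] += 1
    return counts


if __name__ == "__main__":
    results = assess_sample()
    for r in results:
        print(f"{r.hostname:10} {r.status:13} {r.reason}; {r.action}")
    print(summarise(results))
```

Run as of 20th October 2025, the sample produces one fail for a Windows 10 device that is online without ESU, one fail for a Windows 11 device whose September update is 41 days overdue, one out-of-scope lab machine, and three passes, with the ESU devices flagged to set an exit date. Keep the CSV output or a printed copy of this report alongside your patch logs as the evidence the assessor will ask for.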

Outside of Cyber Essentials, let’s look in general terms at where ESU fits and where it doesn’t.

Good use of ESU:

  • A temporary bridge (6–12 months). This could be because you have legacy solutions that will only run on older operating systems. It is advisable to work towards upgrading wherever possible and as soon as possible. The longer you leave it the more risk you have.
  • A small, shrinking subset of devices where it doesn’t make financial sense to upgrade.
  • Combined with robust patching, asset tracking and limited internet exposure, but it should still be temporary, with an exit plan.

Poor use of ESU:

  • A blanket purchase for the whole estate. You should be much more strategic about which devices you purchase ESU for. Plan and budget for upgrading in preference to wholesale ESU.
  • Running for multiple years without a retirement plan.
  • Treating ESU as a substitute for segmentation or patching discipline. This is a dangerous approach that could cause major issues if unpatched vulnerabilities are exploited.

Other important non-CE considerations:

  • If you want to take out cyber insurance, you should know that insurance underwriters expect software to be supported and patched (often within 7 to 14 days for critical risk). They also expect to see MFA and managed backups in place.
  • For ISO/IEC 27001 there needs to be evidence of a managed technical vulnerability process, asset inventory, risk evaluation and timely remediation.
  • NCSC device security guidance says you should keep devices and software up to date, and plan for obsolete products with risk-based mitigations and migration plans.

How can Intrasource help?

  • Quick free Cyber Essentials and Windows 10 review. We’ll chat through your options and plan next steps.
  • Windows 11 upgrade plan: A simple, low disruption rollout for the majority of PCs.
  • We can help with developing an ESU plan that makes sense for budgets and tech requirements.

Get in touch and book a short Cyber Essentials and/or Windows 10 readiness call today.
