A significant number of enterprises continue to grapple with the lingering presence of Windows 10 within their operations, as migration to Windows 11 has stagnated. Recent data from asset tracking service Lansweeper reveals that approximately 16.9 percent of monitored Windows devices are still running the older operating system—equating to roughly one in six machines. This figure marks a notable decline from a year ago when Windows 10 constituted about half of the monitored devices, a trend that has continued since Microsoft ceased standard support.
As the deadline for support looms, the implications for security are becoming increasingly concerning. Even those installations enrolled in the Extended Security Updates (ESU) program, which offers security fixes, will eventually face vulnerabilities. Consumer devices are slated to receive updates until October 12, 2027, while commercial customers can extend coverage until October 10, 2028. After these dates, support will cease entirely.
Small and medium-sized businesses (SMBs) are particularly vulnerable, with Lansweeper estimating that 21.4 percent of SMB machines still operate on Windows 10. Cost constraints often play a significant role in this continued reliance on legacy systems. Certain sectors exhibit even higher exposure; for instance, 23 percent of healthcare and pharmaceutical systems remain on Windows 10, while consumer and retail devices hover around 22.7 percent.
According to Lansweeper’s analysis, a Windows 10 device typically carries an average of 1,903 active Common Vulnerabilities and Exposures (CVEs), compared to just 652 on Windows 11, highlighting a concerning disparity. Esben Dochy, principal technical evangelist at Lansweeper, noted that this average includes devices that have received ESU patches, indicating that the security landscape is complex and multifaceted.
One of the challenges contributing to this situation is the phenomenon known as “patch diffing,” where vulnerabilities in Windows 10 can be inferred from fixes applied to Windows 11. Lansweeper pointed out that the supported operating system effectively provides attackers with a roadmap to exploit the unsupported one. Currently, only 14 percent of Windows 10 assets have ESU patches applied, suggesting that a significant portion of the remaining devices is not neglected but rather held in place due to various constraints such as vendor dependency, certification gaps, and cost considerations.
Many devices, particularly in specialized fields like healthcare and industrial sectors, are tied to vendor certifications that complicate the upgrade process. In some cases, a Windows 11-certified version of the device or software may not yet exist, leaving organizations in a precarious position. Additionally, devices operating in isolated environments may have accepted the risk associated with remaining on Windows 10, further complicating the urgency of migration.
The current landscape is challenging, and the stagnation of Windows 11 adoption exacerbates the situation. Market share data from sources like Statcounter indicates minimal change in the distribution of Windows 10 and its successor over recent months, following a brief surge after the end of support. Lansweeper aptly summarized the situation: “The easy migrations are done. What’s left is the hard core: devices that haven’t moved because they can’t or won’t.”
Compounding these challenges is the rising cost of new PC hardware, a trend that shows little sign of abating. Microsoft has acknowledged the importance of the ESU program in mitigating the risks of malware and cybersecurity threats by providing essential security updates. In light of the substantial number of Windows 10 machines still in operation, the extension of the ESU program for consumer devices underscores the need for organizations to assess their Windows 10 estates and ensure that each device is adequately patched. As time progresses, the proportion of vulnerable Windows 10 devices is likely to increase, particularly for those unable to transition to Windows 11.