Windows 10
What Happens If You Don’t Move from Windows 10?
(Updated for 2025 Quarantine Criteria)
Authors: ISO and the EPM Team
Background
https://learn.microsoft.com/en-us/lifecycle/products/windows-10-enterprise-and-education?branch=live will reach end of support on October 14, 2025.
After this date, unsupported Windows 10 systems will no longer receive free security updates unless enrolled in Extended Security Updates (ESU) program.
The ESU program offers paid security updates for up to three years (through October 2028) but comes with costs, limitations, and a limited time horizon.
https://learn.microsoft.com/en-us/windows/whats-new/extended-security-updates
Risks of Not Migrating
Devices without support will accumulate critical vulnerabilities over time, increasing the risk of compromise.
Incompatibility with enterprise applications, drivers, antivirus software.
Increased strain on IT support and higher disruption for end users.
Impacts
Automatic quarantine actions will apply once a device meets criteria (see below).
Even if not quarantined, unsupported systems with vulnerabilities will negatively impact departmental vulnerability scorecards.
Users may experience degraded performance, compatibility issues, and reduced support quality.
Security Considerations
Exceptions:
Windows 10 without an ESU: If a host becomes eligible for quarantine and cannot be isolated, departments must follow the standard ISO exception process.
Non-EPM-managed Windows 10 devices: Departments must follow the standard ISO exception process for MAKs.
Quarantines: Devices remaining on Windows 10 without an ESU will accumulate vulnerabilities over time. For devices that meet the ISO’s quarantine criteria, systems will be subject to network restrictions:
Host quarantine criteria:
One or more critical vulnerabilities older than 30 days with a known exploit, or
More than three CISA-listed vulnerabilities older than 14 days with a known exploit.
On the global VRF (i.e., legacy wired networks)
Device Prerequisites
To be eligible to install updates from the ESU program, devices must be running Windows 10, version 22H2 or above.
Purchasing Extended Security Updates (ESUs)
EPM-managed devices:
Department obtains a PO that states the ESU license quantity/device count. Notify your Dean/VP and security@utexas.edu for accountability.
Department submits a ticket to epm-requests@austin.utexas.edu that includes the PO and a list of hostnames.
EPM will install and activate the ESU key.
Non-EPM-managed device:
Departments will need to purchase, install, and activate the ESU key for their devices. Additionally, departments must submit an ISO exception for their MAKs.
Cost: The EDU price is set by Microsoft at $1. The price doubles every consecutive year for a maximum of three years (October 2028).
Where to Buy: Departments must purchase ESUs directly from Dell, Microsoft’s OEM reseller for higher education.
Scope: Licenses are per-device only. There is no bulk or enterprise-wide option.
ESU purchases are departmental; there is no campus-wide license.
ESU Multiple Activation Keys are not usable until the end of support date of Windows 10 (October 14, 2025), which is when the defined ESU coverage period begins.
Recommended Actions
Conduct an inventory review to identify systems still running Windows 10.
Create a migration plan to upgrade to Windows 11 or supported LTSC versions
Reimage or replace devices as needed, using applicable university IT tools and support.
Verify hardware and software compatibility with newer operating systems.
Ensure all supported systems are patched promptly to avoid quarantine.
How to Enable the ESU Key for a Non-EPM-managed device
Applies to: Systems not managed by EPM’s Configuration Manager.
Follow the Microsoft documentation to install and activate the ESU key.