
In One Month: Windows 10 Support Ends, Security Chaos Grows

Windows 10 logo fading

Today is September 14th. It’s a date that might not strike you as significant. (That date passed on Thursday.) But it is – especially if you’re in the information security field and have the responsibility of keeping sensitive IT environments safe from hackers, cyber criminals and nation-state actors.

It’s significant because, a month from today, on October 14th 2025, Microsoft Corporation has declared that it will end support for its Windows 10 operating system – software that accounts for roughly half (~45%) of the Windows install base: well over a billion systems globally. The end of support – long anticipated – will be a kind of Mardi Gras for hackers: a long and raucous celebration as Windows 10 systems cease to receive free security patches from Microsoft and, over time, become less and less secure, sprouting serious security flaws and vulnerable software dependencies that leave them ripe for compromise by malicious actors. That population of hundreds of millions of unsupported Windows systems will foster bigger and more severe cyber attacks, as malicious actors actively target Windows 10 systems to mount attacks on, and steal data from, private and public sector entities.

Ground rules, guard rails needed for “end of life”

What’s our take on this? Well, as you may know, SRFF is at the forefront of organizations demanding clearer requirements from manufacturers and vendors around “end of life” declarations. Back in March we teamed up with Consumer Reports, PIRG and the Center for Democracy and Technology to introduce model legislation requiring clear disclosure to consumers of software support lifespans _before_ they purchase a smart product. In the months ahead we hope to see this legislation introduced and passed by state legislatures – and maybe even on Capitol Hill.

#PayForFree: Microsoft’s “Extended Support” For Windows 10

As for Microsoft: practically speaking, the “end of life” declaration will end Microsoft’s provision of regular, free security updates for Windows 10 systems. Yes, Microsoft will still make security updates for Windows 10 available – for a price. For companies already deeply hooked into the Microsoft ecosystem, Windows 10 patches will continue. Customers that subscribe to Microsoft’s Windows 10/11 E3, E5 or Microsoft 365 Business Premium services – which range from $20 to more than $50 per user, per month – will receive security updates at no additional cost beyond the already high per-user fees they pay the company.

For businesses not already hooked into one of those subscription programs, Microsoft has promoted its Extended Security Updates (ESU) program for Windows 10: a paid annual subscription that provides critical and important security updates for up to three years after the October 14th end of support date. The cost? Again: not cheap. Microsoft will charge a $61 annual fee per device for the first year. That cost will double each year after that: $122 per device for year two and $244 per device for year three. Oh, and if your organization enrolls in the ESU program later – say, in 2027 or 2028 – you’ll start at the elevated rate and also have to purchase the licenses for the preceding years. The message here is clear: ‘upgrade…or else.’

For consumers, Microsoft offers three options for getting Extended Security Updates for one year after October 14, 2025, which continue the #payforfree model it uses with its enterprise customers. Namely, consumers can:

  • Pay a one-year subscription for a flat rate of $30 per device.
  • Get Windows 10 updates for free for a year if they subscribe to Microsoft Backup and enable Windows Backup to sync their PC settings to the cloud. As CNET points out: that’s a free subscription but with a 5GB storage limit that many Windows 10 backups may exceed, requiring a premium upgrade to 100GB that will cost $24 annually.
  • Redeem 1,000 Microsoft Rewards points to get a free one-year subscription.

400 Million Windows 10 Devices Aren’t Upgradeable

We get it: Microsoft is hoping to push its customers to upgrade to the newer Windows 11 operating system. But to do that, the company is imposing substantial costs on consumers and businesses that wish to continue receiving security updates after October 14th. And even those paywalled patches will cease in the next 1 to 3 years, despite the fact that much of the hardware running Windows 10 may last for another 10 years or longer.

Many of those Windows 10 users won’t make the jump to Windows 11. Why? Because – unlike previous Windows upgrade cycles – this one requires Windows users to buy new hardware as well. That’s because much of the hardware running Windows 10 does not contain the TPM 2.0 security chip needed to run Windows 11. Estimates put the number of Windows 10 devices incapable of upgrading to Windows 11 at around 400 million worldwide.

October 14th: A Mardi Gras for Hackers

Practically, of course, many small businesses and consumers facing steep new fees – to buy new hardware, or to keep existing hardware but pay for security updates – will take the path of least resistance (and expense): do nothing, and let their Windows 10 systems continue operating without regular patches and security updates.

Hackers celebrating Mardi Gras with Windows flags.

For ransomware gangs and other malicious actors, that will make Oct. 14 a kind of Mardi Gras: the launch of a global population of hundreds of millions of unpatched – and unpatchable – endpoints, including an estimated 180 million Windows 10 systems deployed on business networks. As we’ve pointed out before: attacks exploiting flaws in end-of-life devices have been linked to numerous cybercriminal and nation-state actors who target EOL devices to populate malicious botnets like “Faceless,” which is made up of 40,000 end-of-life small office/home office (SOHO) routers, or the KV-Botnet, which the China-backed actor Volt Typhoon has built out by aggressively targeting IoT devices like end-of-life broadband routers and IP cameras, creating attack platforms used against larger private firms, government agencies and critical infrastructure.

EOL Windows 10 systems will be even more attractive targets: far more endpoints run Windows 10 than run any one model of router or camera, and those endpoints sport more computing power, network connectivity and storage than IP cameras or routers, not to mention access to sensitive data and IT environments. Take away their security updates and support and it’s “Game On!”
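The two risks described above – Windows 10 endpoints that will sit unpatched past October 14th, and hardware without TPM 2.0 that cannot move to Windows 11 – are things a defender can inventory today. The script below is an added example written for this post; it is not SRFF’s or Microsoft’s code. It assumes it runs elevated (the TPM cmdlets require it) on Windows 10 or 11 with PowerShell 5.1 or later, and it treats build 22000 as the first Windows 11 build (an assumption; it checks only the TPM 2.0 requirement, not the CPU, UEFI or Secure Boot requirements).

```powershell
# Added example (not SRFF's or Microsoft's code). Reports, for one endpoint:
#   - whether it is still on Windows 10 past the October 14, 2025 end of support
#   - whether a TPM 2.0 is present (the Windows 11 requirement named in the post)
#   - how long since the last hotfix was installed (patch freshness)
# Assumes: elevated PowerShell 5.1+ on Windows 10/11.

$Win10EndOfSupport = Get-Date '2025-10-14'   # date stated in the post
$Win11MinBuild     = 22000                   # assumed: first Windows 11 (21H2) build number

function Get-EndpointSupportStatus {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $build   = [int]$os.BuildNumber
    $isWin11 = $build -ge $Win11MinBuild

    # TPM presence from Get-Tpm; spec version ("2.0, 0, 1.59" -> "2.0") from the WMI class.
    $tpm = $null
    $specVersion = 'none'
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                  -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        if ($wmiTpm -and $wmiTpm.SpecVersion) {
            $specVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
        }
    } catch {
        # No TPM driver / module: leave $tpm null and $specVersion 'none'
    }
    $hasTpm20 = [bool]($tpm -and $tpm.TpmPresent -and $specVersion -eq '2.0')

    # Patch freshness: most recently installed hotfix with a recorded date.
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $daysSincePatch = if ($lastFix) {
        (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
    } else { $null }

    $daysPastEol = (New-TimeSpan -Start $Win10EndOfSupport -End (Get-Date)).Days

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        OS              = $os.Caption
        Build           = $build
        IsWindows11     = $isWin11
        Win10PastEOL    = (-not $isWin11) -and ($daysPastEol -ge 0)
        DaysPastEOL     = $daysPastEol
        TpmPresent      = [bool]($tpm -and $tpm.TpmPresent)
        TpmSpecVersion  = $specVersion
        Win11Upgradable = $hasTpm20      # TPM 2.0 check only; other Win11 requirements not evaluated
        DaysSincePatch  = $daysSincePatch
        LastHotFix      = if ($lastFix) { $lastFix.HotFixID } else { 'unknown' }
    }
}

$status = Get-EndpointSupportStatus
$status | Format-List

# Triage: the combination the post warns about is "past EOL and cannot be upgraded".
if ($status.Win10PastEOL -and -not $status.Win11Upgradable) {
    Write-Warning "Windows 10 past end of support and no TPM 2.0: plan ESU enrollment or hardware replacement."
} elseif ($status.Win10PastEOL) {
    Write-Warning "Windows 10 past end of support: upgrade to Windows 11 or enroll in ESU."
}
```

Run it across a fleet by wrapping `Get-EndpointSupportStatus` in `Invoke-Command -ComputerName` and piping the objects to `Export-Csv`; the `DaysSincePatch` column is the one to watch after October 14th, since a rising value on a Windows 10 machine with no ESU is exactly the unpatched endpoint the post describes.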

Sign a letter…and join the fight

While Microsoft’s decision might seem like a fait accompli, it’s not. By calling out the severe public health and safety impacts of a nearly four-trillion-dollar corporation erecting paywalls in front of security updates, we can try to bend the company’s decision making in the direction of public health and safety.

What can you do? In the short term, you can join with SRFF by adding your name to a letter urging Microsoft to reverse its decision to end support for Windows 10. The more pushback the company receives from information security pros and others, the more likely it is to reconsider.

More broadly: join SRFF’s fight to erect common sense guardrails and business standards around decisions regarding the end of support and/or end of life for software and “smart” software-driven and Internet connected devices. SRFF launched a campaign to “abandon abandonware” and, in March, joined with Consumer Reports, PIRG and the Center for Democracy and Technology (CDT) to put forward the Connected Consumer Product End of Life Disclosure law, model legislation to promote new laws that protect consumers of smart, Internet-connected products from the financial and security impacts of vendors walking away from support of smart products.

To join the fight, click the button below or check out this form on our website.
