
Windows 10 is out – what Bavarian SMEs should do six months after end of support

Six months after Windows 10 EOL, many companies still operate on unpatched systems. ESU is expensive – migration is the better choice.

Christoph Helminger
29. April 2026

Six months have passed since Microsoft ended support for Windows 10 on 14 October 2025. In our existing-customer conversations since November, a clear pattern emerges: most mid-sized companies know about it — and still haven't acted. A metalwork company in Bischofswiesen in the Berchtesgadener Land with 34 workstations summed it up in March: "We kept putting it off because the business is running. Now we're not even sure it's still legal."

That's no isolated case. Based on what we see, 30 to 50 percent of all office workstations in Bavarian SMEs are still running on Windows 10 today. The reasons are familiar: tight IT budgets, fear of compatibility problems with older line-of-business applications, lack of internal resources. But the question of whether the business still runs doesn't answer the question of whether it's still secure.

What "no support" actually means

As long as Microsoft published security patches, known vulnerabilities in Windows 10 were closed within weeks. That safety net is gone. Every security gap discovered in Windows 10 from October 2025 onwards stays open — permanently. Attackers know this mechanism and historically launch intensified campaigns against systems shortly after EOL dates, because the effort pays off: a discovered zero-day remains exploitable on unpatched systems for years.

For companies covered by NIS2 or Article 32 of the GDPR, another problem arises. Both frameworks require systems to be kept in a current, supported state as part of the technical protection measures. A data protection incident on a Windows 10 machine without active support is likely to produce uncomfortable follow-up questions when the obligation to notify the BayLDA kicks in. The Federal Office for Information Security (BSI) has explicitly recommended for years that operating systems that are no longer supported be removed from production environments.

ESU: safety net or expensive band-aid?

With the Extended Security Updates (ESU) programme, Microsoft offers an extension of security patch support: paid, tiered, and time-limited. For companies, year 1 costs USD 61 per device via volume licensing or a CSP partner. Year 2 costs USD 122 and year 3 USD 244 per device. The programme runs until October 2028 at the latest.

We did the maths for the metalwork operation in Bischofswiesen: 34 devices, all three ESU years used. Cost for the extended patch support alone: around USD 14,700 — without migration and management effort, without new hardware. For the same amount, by our calculation, you could have completely replaced 12 to 15 devices and covered the rest via Windows 11 upgrades, since some of the hardware already meets the system requirements.

ESU makes sense for devices that, for technical reasons, cannot be migrated in the short term — for example, specialised measurement PCs at machines with proprietary software for which the manufacturer doesn't yet have a Windows 11 certificate. As a strategy for everyday office operations, it is the most expensive of all bad options. In our IT security consulting, we recommend ESU exclusively as a bridge for specifically named exception systems.

Windows 11: hardware hurdles in practice

Most Windows 11 discussions end quickly at the TPM 2.0 chip. That is justified: without it, the official installer refuses installation. In our work with existing customers using devices from 2018 to 2021, the picture is more nuanced. Many computers from that generation already have TPM 2.0 built in; it is simply disabled in the UEFI BIOS. A firmware update and a BIOS setting solve the problem in twenty minutes.

For older systems (built in 2016 or earlier) without TPM 2.0 and without an activatable alternative, there are two routes: replace the hardware or operate under a controlled exception policy. For companies with active Azure AD integration and Microsoft Intune, Microsoft has documented a managed exception route — we use it for individual specialised devices, but we would never recommend it for the breadth of the workstation fleet. It bypasses the requirement but does not create a secure environment.

The actual work in a migration at a company with 20 to 80 workstations is not the operating-system upgrade itself, but the preparation: which line-of-business application runs on which computer, is there a Windows 11 compatibility test from the manufacturer, and how do local printers, network drives and VPN clients behave under Windows 11? In our experience, this inventory typically takes one to two days for a company of this size — and saves significantly more time than it costs.

What makes more sense than waiting

A structured approach is still possible in spring 2026, but the window for a calm migration is closing. With every month, the statistical risk grows that a known Windows 10 vulnerability is actively exploited.

We recommend a three-part approach to our customers: first, an inventory of all Windows 10 devices with their age and hardware profile. Then a clear categorisation into migratable, migratable with hardware swap, or justified ESU exception. Finally, a migration roadmap with realistic time windows that does not endanger ongoing operations.
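The categorisation step and the ESU pricing described earlier can be run over an exported inventory, as in the following added example (not code from the article or its author). The CSV column names, host names and the `enable_tpm_first` list are assumptions, and the rules are reduced to the two criteria the article names: TPM 2.0 and the vendor's Windows 11 certificate.

```python
import csv
import io

# ESU price per device in USD for programme years 1-3, as quoted in the article.
ESU_PRICE_USD = {1: 61, 2: 122, 3: 244}

# Constructed sample inventory; hosts and column names are assumptions.
SAMPLE_INVENTORY = """\
host,tpm20_present,tpm20_enabled,lob_win11_certified
office-01,yes,yes,yes
office-02,yes,no,yes
office-03,no,no,yes
cad-01,yes,yes,no
"""


def categorise(device):
    """Map one inventory row to one of the article's three categories."""
    if device["lob_win11_certified"] != "yes":
        # Line-of-business vendor has no Windows 11 certificate yet.
        return "esu_exception"
    if device["tpm20_present"] != "yes":
        # No TPM 2.0 that could be switched on in firmware.
        return "hardware_swap"
    return "migratable"


def needs_firmware_change(device):
    """TPM 2.0 is built in but still disabled in UEFI."""
    return device["tpm20_present"] == "yes" and device["tpm20_enabled"] != "yes"


def esu_cost_usd(device_count, years):
    """Cumulative ESU cost when the first `years` programme years are bought."""
    if years not in (1, 2, 3):
        raise ValueError("ESU is offered for 1 to 3 years only")
    return device_count * sum(ESU_PRICE_USD[y] for y in range(1, years + 1))


def build_plan(inventory_csv, esu_years=1):
    """Group hosts by category and price the ESU bridge for the exceptions."""
    plan = {"migratable": [], "hardware_swap": [], "esu_exception": [],
            "enable_tpm_first": []}
    for device in csv.DictReader(io.StringIO(inventory_csv)):
        category = categorise(device)
        plan[category].append(device["host"])
        if category == "migratable" and needs_firmware_change(device):
            plan["enable_tpm_first"].append(device["host"])
    plan["esu_cost_usd"] = esu_cost_usd(len(plan["esu_exception"]), esu_years)
    return plan


if __name__ == "__main__":
    for key, value in build_plan(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

Every host in `esu_exception` should carry a named reason and an end date, since the article treats ESU only as a bridge for specific systems.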

For the IT infrastructure of many companies, a Windows 11 migration is also the right moment to switch to modern management concepts such as Microsoft Intune or Entra ID. Anyone still working today with local group policies and manual Windows updates has the chance, after migration, to permanently reduce that effort.

The metalwork entrepreneur in Bischofswiesen decided at the end of March on a hybrid path: 28 devices will be migrated to Windows 11, 4 machines on the production floor receive ESU for a maximum of twelve months until the CAD vendor delivers the Windows 11 certificate, 2 devices will be replaced. The migration is in progress — without operational interruption, department by department.


