Windows 10 Security Updates Extended to 2027 - Read the Fine Print

The Extra Year Is Real. The Word "Free" Has Fine Print.

In late June 2026, Microsoft quietly extended the Windows 10 Extended Security Updates (ESU) program through October 12, 2027. That is a full year past the original plan. No press release, just an edit to a support page. If you still run machines on Windows 10, you have a bit more runway before they stop getting security patches.

Before you file this under "handled," there is a catch most headlines skipped. The free extension is the consumer program. For most managed business fleets, it does not apply.

Free vs Paid: The Distinction That Matters

There are two separate ESU tracks, and they are not interchangeable.

Consumer ESU, the "free to 2027" one:

• For personal Windows 10 devices
• Free if you sync settings to a Microsoft account, or about $30 per device for a year
• Does NOT cover PCs joined to a domain, Microsoft Entra, or managed through Intune or MDM

Commercial ESU, the business one:

• For organization-managed devices
• Paid and escalating: roughly $61 per device in year one, then $122, then $244
• Cumulative: skip year one and buy in later, you still pay for year one
• Runs a maximum of three years, through October 2028

Here is the irony. If your machines are centrally managed the way business machines should be, you are excluded from the free path. A handful of unmanaged Pro machines might qualify for the $30 route. A domain or Intune-managed fleet does not.

What ESU Actually Gives You

Either track is security patches only: critical and important vulnerabilities. No feature updates, no bug fixes, no performance improvements, no guaranteed compatibility with newer software, no technical support. It keeps the OS from being an open door for ransomware. That is the whole value. Patched is not the same as supported.

Can Your Hardware Run Windows 11?

This is what actually decides your timeline. Windows 11 requires TPM 2.0, and machines built before roughly 2018 often do not meet it. That is the real reason so many small businesses are still on Windows 10. Upgrading the OS means buying hardware, and that is real money.

Start with a hardware audit. With Intune, or even a simple PowerShell script, you can pull every device in your environment and flag which are Windows 11 ready and which are not. If you are not on Intune yet, this is a good reason to start. It gives you fleet-wide visibility without touching each machine.

Once you know the split, you have a plan. Maybe 70% qualify for a free in-place upgrade and 30% need to be budgeted for replacement over the next 12 to 18 months. That is a manageable conversation. "Replace everything now" is not.

Don't Let 2027 Sneak Up

October 2027 is not far. Hardware procurement for small businesses takes longer than people expect: lead times, budget cycles, vendor availability. Treat this extension as a planning window, not a delay.

• Rest of 2026: audit and prioritize
• Late 2026 into early 2027: replace what cannot run Windows 11
• By early 2027: clean environment, transition done, deadline irrelevant

And if you manage updates through Windows Update for Business or Microsoft 365, check that your policies reflect current deadlines. I have walked into environments where machines were deferring updates 60 days on a policy nobody had revisited in years.

One Thing to Do This Week

Pull a list of every Windows 10 device in your organization. Note the processor and check it against Microsoft's Windows 11 supported CPU list. Under 50 machines, that is about an hour. More than that, Intune makes it fast. That list is your upgrade roadmap. Budgeting, scheduling, and vendor conversations all follow from it.

If you do not have the internal bandwidth to run this, Exine does exactly this kind of planning for small and mid-size businesses across NJ and NYC.