Windows 10 End of Support 2025: Remediation Plan

TL;DR (for busy IT & security leads)

  • Date: Windows 10 support ends October 14, 2025.
  • Paths: Upgrade to Windows 11, enroll Windows 10 ESU, or isolate/segment until migration.
  • Plan: Treat Windows 10 end of support 2025 remediation like a mini-program: inventory → score risk → choose a path per asset → execute and collect audit-ready evidence.

What EOS means, who’s in scope, and ESU timeline

When Windows 10 hits End of Support (EOS), it stops receiving security updates. That creates measurable cyber and compliance risk for any device still on Windows 10.

Who’s in scope:

  • On-prem devices (desktops, laptops, kiosks)
  • Remote devices (field, WFH)
  • VDI/Cloud-hosted Windows 10 sessions and jump boxes
  • Lab/OT/legacy systems that can’t be upgraded quickly

ESU (Extended Security Updates): available for up to 3 years post-EOS for commercial/education customers. Year 1 pricing is typically ~$61/device; it doubles each year (Y2 ~$122, Y3 ~$244). Azure-hosted Windows 10 VMs and Windows 365 Cloud PCs may receive ESU entitlement with the right licensing/config, reducing cost on those footprints.

Use ESU only as a bridge, not a permanent state. Bake in deadlines and compensating controls.


Discovery & scoring: build the Windows 10 exposure map

  1. Enumerate Windows 10 assets (on-prem, remote, VDI):
  • Intune / Configuration Manager / RMM
  • Active Directory (OU, group membership)
  • CMDB + VPN/MDM enrollments
  • Public exposure (VPN gateways, RDP, SMB, management ports)
  2. Business criticality: tag systems that support revenue, regulated data (ePHI/PCI/PII), operations, or exec workflows.
  3. Internet exposure & blast radius: devices with public services, unmanaged admin tools, lateral movement pathways.
  4. Exceptions: list hard-to-upgrade devices (drivers, vendor apps, lab instruments); propose isolation and deadlines.

Quick scripts you can run today

Intune (Microsoft Graph PowerShell) — list Windows 10 devices

# Requires the Microsoft.Graph PowerShell SDK
Connect-MgGraph -Scopes "Device.Read.All","DeviceManagementManagedDevices.Read.All"
# Select-MgProfile only exists in SDK v1.x; on v2+ the beta cmdlets live in Microsoft.Graph.Beta.*
if (Get-Command Select-MgProfile -ErrorAction SilentlyContinue) { Select-MgProfile -Name "beta" }

# Windows 11 also reports OsVersion as 10.0.x (build 22000 and later), so a "10.*" prefix match
# would return Windows 11 devices too; filter on the build number instead.
$win10 = Get-MgDeviceManagementManagedDevice -All |
  Where-Object { $_.OperatingSystem -eq "Windows" -and $_.OsVersion -and ([version]$_.OsVersion).Build -lt 22000 }

$win10 | Select-Object deviceName, userDisplayName, osVersion, complianceState, azureADDeviceId |
  Sort-Object deviceName | Format-Table -AutoSize

Active Directory — find Windows 10 computers

Import-Module ActiveDirectory
# The operatingSystem attribute is "Windows 11 ..." on upgraded machines, so this prefix filter stays Windows 10 only
Get-ADComputer -LDAPFilter '(operatingSystem=Windows 10*)' -Properties operatingSystem,operatingSystemVersion,lastLogonDate |
  Select-Object Name,operatingSystem,operatingSystemVersion,lastLogonDate | Sort-Object Name

Remote WMI check (CIM) — verify OS & build

$targets = Get-Content .\win10_hosts.txt
$cred = Get-Credential
$report = foreach ($h in $targets) {
  try {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -Credential $cred -ErrorAction Stop
    # Windows 11 still reports Version 10.0.x; build 22000+ is the reliable discriminator
    [pscustomobject]@{ Host=$h; Version=$os.Version; Build=$os.BuildNumber; Caption=$os.Caption; IsWin11=([int]$os.BuildNumber -ge 22000) }
  } catch {
    [pscustomobject]@{ Host=$h; Version=$null; Build=$null; Caption="UNREACHABLE"; IsWin11=$null }
  }
}
$report | Export-Csv .\win10_inventory.csv -NoTypeInformation

SCCM/ConfigMgr SQL (reporting view) — report Windows 10 clients

-- Windows 11 reports the same "Workstation 10.0" OS name; Build01 separates it (22000 and later)
SELECT Name, Operating_System_Name_and0, Build01
FROM v_R_System
WHERE Operating_System_Name_and0 LIKE '%Workstation 10.0%'
  AND Build01 < '10.0.22000'
ORDER BY Name

Outside-in reality check (headers/TLS/exposure):
Run a quick scan and attach results as evidence:

  • 👉 Use our Free Website Vulnerability Scanner: free.pentesttesting.com
  • Save before/after PDFs in your EOS evidence folder.


Here, you can view the interface of our free tools webpage, which offers multiple security checks. Visit Pentest Testing’s Free Tools to perform quick security tests.

Decision tree: Upgrade, ESU, or Isolate

                         ┌───────────────┐
                         │  Windows 10?  │
                         └───────┬───────┘
                                 │Yes
                  ┌──────────────┴──────────────┐
                  │                              │
          HW meets Win11?                 HW won't meet Win11 (now)
                  │                              │
             ┌────┴────┐                   ┌─────┴───────────┐
             │ Upgrade │                   │   ESU (Y1)      │
             └────┬────┘                   └─────┬───────────┘
                  │                                │
     Enforce deadlines & evidence        Add compensating controls
                  │                                │
         If blockers exist                 Plan isolation or VDI
                  │                                │
             Isolate until migrated     Migrate by date, re-score risk

When to Upgrade to Windows 11: device is compatible, business-critical, or Internet-exposed.
When to use ESU: temporary bridge for critical apps/hardware; include sunset dates.
When to Isolate: lab/legacy/OT or blocked upgrades. Enforce network segmentation, use jump boxes, and prohibit direct Internet access.
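The scoring steps from the discovery section and the decision tree above, combined into one script as an added example (not code from the original post). The input columns (Host, Criticality, InternetExposed, Win11Capable, UpgradeBlocker), the score weights and the deadline windows are assumptions to adapt to your own policy; the sample rows are constructed.

```powershell
# Added example: score each Windows 10 asset and assign Upgrade / ESU / Isolate plus a deadline.
# Constructed sample inventory; in practice feed the CSV from your Intune/AD/SCCM pull.
$sample = @"
Host,Criticality,InternetExposed,Win11Capable,UpgradeBlocker
FIN-LT-014,High,False,True,
KIOSK-07,Low,True,False,
LAB-HPLC-02,Medium,False,False,Vendor driver unsigned
RDP-JUMP-01,High,True,True,
HR-DT-031,Medium,False,False,
"@
$assets = $sample | ConvertFrom-Csv

function Get-EosRiskScore {
    param([pscustomobject]$Asset)
    # Assumed weights: criticality 1-3, plus 3 for anything reachable from the Internet.
    $score = switch ($Asset.Criticality) { 'High' { 3 } 'Medium' { 2 } default { 1 } }
    if ([bool]::Parse($Asset.InternetExposed)) { $score += 3 }
    return $score
}

function Get-EosPath {
    param([pscustomobject]$Asset)
    # Mirrors the decision tree: capable hardware without blockers upgrades; exposed or
    # blocked devices are isolated until migrated; everything else takes ESU as a bridge.
    if ([bool]::Parse($Asset.Win11Capable) -and -not $Asset.UpgradeBlocker) { return 'Upgrade' }
    if ([bool]::Parse($Asset.InternetExposed) -or $Asset.UpgradeBlocker) { return 'Isolate' }
    return 'ESU'
}

$decisionLog = foreach ($a in $assets) {
    $score = Get-EosRiskScore -Asset $a
    # Assumed deadline policy: higher score, shorter window.
    $days = if ($score -ge 5) { 14 } elseif ($score -ge 3) { 30 } else { 60 }
    [pscustomobject]@{
        Host     = $a.Host
        Score    = $score
        Path     = Get-EosPath -Asset $a
        Deadline = (Get-Date).AddDays($days).ToString('yyyy-MM-dd')
        Blocker  = $a.UpgradeBlocker
    }
}

$decisionLog | Sort-Object Score -Descending | Format-Table -AutoSize
# The CSV is the per-device decision log the evidence section asks for.
$decisionLog | Export-Csv .\eos_decision_log.csv -NoTypeInformation
```

With the constructed rows, the Internet-exposed jump box scores highest and gets the 14-day upgrade deadline, the kiosk is isolated because it is exposed and cannot run Windows 11, the lab instrument is isolated because of its driver blocker, and only the unexposed, non-critical desktop lands on ESU.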


ESU cost modeling (compare to refresh)

Assumptions: Y1 $61/device, doubling annually; ESU up to 3 years.

param(
  [int]$Devices = 500,
  [int]$Years = 2,   # 1..3
  [int]$NewPC = 800, # avg refresh unit cost
  [double]$CapexDiscount = 0.0 # simple model
)

$rates = 1..$Years | ForEach-Object { [math]::Pow(2, $_-1) * 61 }
$esuTotal = ($rates | Measure-Object -Sum).Sum * $Devices
$refreshTotal = $NewPC * $Devices * (1 - $CapexDiscount)

[pscustomobject]@{
  Devices=$Devices
  ESU_Years=$Years
  ESU_Rate_Y1=$rates[0]
  ESU_Rate_YN=$rates[-1]
  ESU_Total=$esuTotal
  Refresh_Total=$refreshTotal
  Recommendation = if ($esuTotal -lt $refreshTotal) { "ESU bridge (short term), plan phased refresh" } else { "Refresh > ESU: upgrade/replace now" }
} | Format-List

Tip: Run multiple scenarios by cost center; attach outputs to your EOS Decision Log.


Isolation (when upgrades lag)

Windows Defender Firewall (local or via GPO) — allow only RDP from a jump box, block everything else inbound:

# Allow RDP from jump box only
New-NetFirewallRule -DisplayName "Allow RDP from JumpBox" -Direction Inbound -Protocol TCP -LocalPort 3389 `
  -RemoteAddress 10.10.10.5 -Action Allow

# Block all other inbound by setting the profile default. Do not add a blanket Block rule:
# in Windows Defender Firewall an explicit Block rule overrides Allow rules, so it would
# cut off the jump box as well.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
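To prove the lockdown actually holds on each isolated device, the following is an added example (not code from the original post) that audits the profile defaults and lists every enabled inbound Allow rule not pinned to the jump box, then exports the result as evidence. The jump box address 10.10.10.5 is taken from the rule above; the output file name is an assumption.

```powershell
# Added example: audit the EOS isolation posture of the local host and write evidence.
$JumpBox = '10.10.10.5'   # assumed jump box, same as in the Allow rule above

# Every enabled profile must default to Block inbound, otherwise the isolation is incomplete.
$profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
$allBlocked = -not ($profiles | Where-Object { $_.Enabled -eq 'True' -and $_.DefaultInboundAction -ne 'Block' })

# Enabled inbound Allow rules whose remote scope is anything other than the jump box are findings.
$inboundAllows = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
    $port   = ($_ | Get-NetFirewallPortFilter)
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Group         = $_.DisplayGroup
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($remote -join ',')
        Finding       = if ($remote.Count -eq 1 -and $remote[0] -eq $JumpBox) { 'OK' } else { 'REVIEW: not scoped to jump box' }
    }
}

$summary = [pscustomobject]@{
    Host             = $env:COMPUTERNAME
    Timestamp        = (Get-Date).ToString('o')
    AllProfilesBlock = $allBlocked
    RulesToReview    = @($inboundAllows | Where-Object Finding -ne 'OK').Count
}
$summary | Format-List
$inboundAllows | Sort-Object Finding, Rule | Format-Table -AutoSize
$inboundAllows | Export-Csv ".\isolation_evidence_$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Expect a long REVIEW list on a stock build: Windows ships many enabled inbound Allow rules (Core Networking, Remote Assistance, discovery protocols). That is the point of the check; decide per rule group whether to disable it by GPO on isolated devices, and keep the CSV alongside the firewall screenshots in the evidence folder.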

Entra ID dynamic device group — tag Windows 10 for conditional access/quarantine

(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0.1")

Windows 11 reports deviceOSVersion 10.0.22000 and later, so a rule on the "10." prefix would sweep in upgraded devices too; Windows 10 builds (10240 through 19045) all start with "10.0.1", which keeps the group clean.

Intune device filter (sample) — “Windows10-EOS” group

# Assign restricted app policies/compliance to this filter (Windows device filter rule syntax)
# Windows 10 builds are 10.0.1xxxx; Windows 11 is 10.0.22000+, so the prefix "10.0.1" excludes it
(device.osVersion -startsWith "10.0.1")

Nmap sanity-check (Linux/Mac admin host) — find exposed RDP/SMB

nmap -p 3389,445 --open -oG rdp_smb.grep 10.20.0.0/16
grep "/open/" rdp_smb.grep | awk '{print $2}' | sort -u > exposed_hosts.txt

Attach the exposed_hosts.txt to your Isolation Evidence folder.


Remediation runbook (copy-paste)

Days −3 to 0: pre-work & backups

# WBAdmin bare-metal style (example; validate targets/retention!)
wbadmin start backup -backupTarget:\\backup\win10$ -include:C: -allCritical -quiet

  • Confirm restore points or image backups on a test cohort.
  • Draft Change Tickets with rollback criteria and owners.

Day 0–1: ESU activation (if chosen)

:: Install ESU MAK key (elevated prompt; cscript keeps slmgr output in the console instead of a dialog box)
cscript //nologo %windir%\system32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

:: Activate ESU (use the proper Activation ID for Year 1/2/3)
:: Year1 f520e45e-7413-4a34-a497-d2765967d094
:: Year2 1043add5-23b1-4afb-9a0f-64343c8f3f8d
:: Year3 83d49986-add3-41d7-ba33-87c7bfb5c0fb
cscript //nologo %windir%\system32\slmgr.vbs /ato f520e45e-7413-4a34-a497-d2765967d094

:: Verify license state for evidence. Plain "slmgr.vbs /dlv" runs under wscript and shows a
:: dialog box, so the redirect would capture an empty file; cscript writes to stdout.
cscript //nologo %windir%\system32\slmgr.vbs /dlv > C:\ProgramData\ESU_proof.txt

Day 1–7: deploy controls & verification

  • Windows Update rings or WSUS approvals for ESU updates.
  • Restricted Firewall/GPO for isolated devices.
  • Conditional Access: block legacy auth, require compliant device.
  • Evidence pack: WSUS/Intune compliance exports, ESU_proof.txt, screenshots of Update History.

Day 7–30: upgrade waves

  • In-place upgrade to Windows 11 where supported (retain app/data).
  • Post-upgrade verification: Secure Boot/TPM 2.0, BitLocker, Defender, policies, and baseline benchmarks.

Rollback plan

  • If post-change health checks fail → backout to backup image, re-enter isolation, open a problem ticket, and reschedule.

Evidence collection (auditor-ready)

Create a dedicated “Windows10-EOS” folder in your evidence vault:

  • Inventory CSVs (Intune/AD/SCCM) + data-pull timestamps.
  • Decision log per device (Upgrade / ESU / Isolate) + owner + deadline.
  • Screenshots: Windows Update history, Intune compliance, GPO settings, firewall rules.
  • ESU proof: license activation (slmgr /dlv), WSUS/Intune deployment results.
  • Change tickets: implementation and rollback records.
  • Retest artifacts: rescans, patch baselines, outside-in checks.
  • Exceptions: reason, compensating controls, expiry dates.
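One way to make that folder auditor-ready rather than just a pile of files, as an added example (not code from the original post): copy each artifact into the vault and record a SHA-256 manifest, so a later re-hash proves nothing was edited after collection. The vault path and the artifact list are assumptions; point them at the CSVs, ESU_proof.txt and screenshots you actually produced.

```powershell
# Added example: build the "Windows10-EOS" evidence folder with a SHA-256 manifest.
$EvidenceRoot = Join-Path $env:USERPROFILE 'Evidence\Windows10-EOS'    # assumed vault location
$Artifacts    = @('.\win10_inventory.csv', '.\eos_decision_log.csv',
                  'C:\ProgramData\ESU_proof.txt')                        # assumed artifact paths

function New-EvidenceManifest {
    param([string]$Root, [string[]]$Files)
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    $entries = foreach ($f in $Files) {
        if (-not (Test-Path $f)) { Write-Warning "Missing artifact: $f"; continue }
        $dest = Join-Path $Root (Split-Path $f -Leaf)
        Copy-Item -Path $f -Destination $dest -Force
        # Hash the stored copy, not the source, so the manifest describes what the auditor will open.
        $hash = Get-FileHash -Path $dest -Algorithm SHA256
        [pscustomobject]@{
            File      = Split-Path $dest -Leaf
            SHA256    = $hash.Hash
            Collected = (Get-Date).ToString('o')
            Collector = "$env:USERDOMAIN\$env:USERNAME"
        }
    }
    # Append so repeated collection runs (rescans, retests) extend the same manifest.
    $entries | Export-Csv (Join-Path $Root 'manifest.csv') -NoTypeInformation -Append
    return $entries
}

function Test-EvidenceManifest {
    param([string]$Root)
    # Re-hash every listed file; a mismatch means the evidence changed after collection.
    Import-Csv (Join-Path $Root 'manifest.csv') | ForEach-Object {
        $path    = Join-Path $Root $_.File
        $current = if (Test-Path $path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { 'MISSING' }
        [pscustomobject]@{ File = $_.File; Intact = ($current -eq $_.SHA256); Collected = $_.Collected }
    }
}

New-EvidenceManifest -Root $EvidenceRoot -Files $Artifacts | Format-Table -AutoSize
Test-EvidenceManifest -Root $EvidenceRoot | Format-Table -AutoSize
```

Run Test-EvidenceManifest again at audit time; any row with Intact = False is a file to explain or re-collect.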

Implementation code gallery (more useful snippets)

Detect TPM & Secure Boot (upgrade readiness)

# Win32_Tpm lives in its own namespace; without -Namespace the query fails with "Invalid class"
Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm |
  Select-Object SpecVersion, IsEnabled_InitialValue, IsActivated_InitialValue
Confirm-SecureBootUEFI   # throws on legacy BIOS / CSM boot, which itself means "not ready"
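The readiness check above and the post-upgrade verification list in the runbook (Secure Boot, TPM 2.0, BitLocker, Defender) share the same checks, so here is one script for both, as an added example (not code from the original post). It uses the built-in TrustedPlatformModule, SecureBoot, BitLocker and Defender modules; run it elevated. The output file name is an assumption.

```powershell
# Added example: readiness / post-upgrade health check as a single evidence object.
function Get-Win11HealthCheck {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Each probe is wrapped so one missing module or a legacy-BIOS host yields a failed field, not a crash.
    $tpm     = try { Get-Tpm } catch { $null }
    $tpmSpec = try { (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion } catch { '' }
    $secure  = try { Confirm-SecureBootUEFI } catch { $false }
    $blv     = try { (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus } catch { 'Unavailable' }
    $mp      = try { Get-MpComputerStatus } catch { $null }

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        Caption          = $os.Caption
        Build            = [int]$os.BuildNumber
        IsWindows11      = ([int]$os.BuildNumber -ge 22000)            # Windows 11 starts at build 22000
        TpmPresent       = [bool]$tpm.TpmPresent
        TpmReady         = [bool]$tpm.TpmReady
        Tpm20            = (($tpmSpec -split ',')[0].Trim() -eq '2.0')  # SpecVersion looks like "2.0, 0, 1.59"
        SecureBoot       = [bool]$secure
        BitLockerOn      = ("$blv" -eq 'On')
        DefenderRealTime = [bool]$mp.RealTimeProtectionEnabled
        Timestamp        = (Get-Date).ToString('o')
    }
}

$check  = Get-Win11HealthCheck
$check | Format-List

# Fields that must all be true after an upgrade wave; any failure feeds the rollback decision.
$failed = @('IsWindows11','Tpm20','TpmReady','SecureBoot','BitLockerOn','DefenderRealTime') |
    Where-Object { -not $check.$_ }
if ($failed) { Write-Warning "Post-upgrade checks failed on $($check.Host): $($failed -join ', ')" }

$check | Export-Csv ".\win11_healthcheck_$($check.Host).csv" -NoTypeInformation -Append
```

Before the upgrade the same object doubles as the readiness record (Tpm20 and SecureBoot true, IsWindows11 false); after it, a row with every flag true is the verification artifact the runbook asks for.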

Create a “Quarantine” local firewall profile

Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Allow

Export Intune compliance for evidence

# $devices is the Graph inventory pull from the discovery section (Microsoft.Graph SDK, connected as above)
$devices = Get-MgDeviceManagementManagedDevice -All
$devices | Select-Object deviceName, complianceState, lastSyncDateTime |
  Export-Csv .\intune_compliance_snapshot.csv -NoTypeInformation

Label & track exceptions (PowerShell)

$exceptions = Import-Csv .\exceptions.csv  # Host,Reason,Owner,Expiry (Expiry as yyyy-MM-dd)
$exceptions | ForEach-Object {
  # Flag expired exceptions so they are re-approved or the device is isolated/migrated
  $daysLeft = ([datetime]$_.Expiry - (Get-Date)).Days
  $state = if ($daysLeft -lt 0) { "EXPIRED" } else { "$daysLeft days left" }
  Write-Host ("[{0}] {1} (owner: {2}) until {3} - {4}" -f $_.Host,$_.Reason,$_.Owner,$_.Expiry,$state)
}

Minimal change-ticket template (Markdown)

# Change: Windows 10 EOS – {Upgrade|ESU|Isolation} for {HOST/GROUP}
Owner: {Name}   Date: {YYYY-MM-DD}   Change ID: {ID}

## Scope
Devices: {...}
Business Impact: {...}

## Steps
1) Backup evidence
2) Apply {upgrade/ESU key/firewall policy}
3) Verify {update history/ESU slmgr /dlv output/compliance}

## Rollback
Restore from image; reapply isolation rules.

## Validation
Attach: inventory export, screenshots, logs, ticket links.

Sample report (redacted) from the tool to check Website Vulnerability

A sample vulnerability report provides detailed insights into various vulnerability issues, which you can use to enhance your application’s security.

Final Note

Need a hands-on team to execute this Windows 10 end of support 2025 remediation plan with evidence your auditors will love?


Free Consultation

If you have any questions or need expert assistance, feel free to schedule a free consultation with one of our security engineers.
