And what are the challenges of migrating to a newer system, such as Windows 11?
Windows 10 reaches the end of its lifecycle on 14 October 2025. But what does this mean? What are the challenges of migrating to new systems? What are the security implications? And what are the risks of delaying migration?
We put these questions – and others – to our head of security testing, James Pickard.
In this interview
- What it means when systems or software reach the end of their lifecycle
- Extended support programmes
- Why you might not migrate to a new system
- Why you shouldn’t use unsupported systems or software
- How using end-of-life services affects compliance
- Challenges associated with migrating to new systems
- How common it is for organisations to continue using unsupported systems
Hi James. So, what does it mean when systems or software reach the end of their lifecycle?
End of life is basically when software or hardware products stop being actively supported by their suppliers or vendors. In other words, there are no more security updates, so any newly discovered vulnerabilities remain unpatched, and there’s no more technical support, so users can’t seek help from the vendor when things inevitably start to go wrong.
This means users are increasingly exposed to cyber threats and face higher support costs. Plus, of course, relying on unsupported software and systems can breach your legal or regulatory obligations, potentially leaving you open to enforcement action from the regulators.
In short, end-of-life systems are an increasing liability, introducing more and more operational, security and compliance risks for the user.
In other words, you have to migrate to a new system?
Well, you can sometimes enrol your devices on an ESU (extended support programme), but this comes at a premium (the price doubles every year) and doesn’t include things like new features or general support – it’s just a security package. Extended support programmes aren’t available to everybody and provide security support for a limited time, so you’re just buying yourself a bit more time to migrate – it’s not a viable long-term solution.
[Note: you can find out more about the ESU programme for Windows 10 here.]
So, why would you do that rather than migrate to a newer version?
The big issue in this case is that Windows 11 requires TPM 2.0, Secure Boot and newer CPUs, so older devices physically can’t run it. Many organisations will therefore have to buy new PCs, so there’s a hardware as well as a software cost involved in this upgrade.
For some organisations, upgrading hardware is simply too expensive or too complex. For instance, industrial and medical systems tend to rely on bespoke software that’s incompatible with modern systems, so it’s often very difficult – sometimes impossible – to upgrade without replacing your entire infrastructure or losing access to important machinery for an extended period. This is a particular problem in the public sector, where budgets are tighter.
It’s hugely impractical to upgrade an MRI machine, for example – the system needs to be revalidated, you need approval from the relevant regulatory body [the Medicines and Healthcare products Regulatory Agency in the UK] and support from the machine’s manufacturer. All of this takes time, while the machine is out of action – which hospitals obviously want to avoid.
Running unsupported or outdated software or hardware is rarely a choice, but it can be easier to isolate the machine from the wider network and implement compensating security controls instead.
Why is it important that organisations migrate to the latest versions, and not use unsupported systems or software?
When a new threat is discovered, a patch wouldn’t necessarily be released for outdated systems. So that vulnerability would remain open and exploitable. The older a system gets, the more vulnerabilities tend to emerge.
Take the example of the WannaCry ransomware infection a few years ago. Microsoft patched the vulnerability it exploited, but only for supported systems. Older, unsupported systems – such as Windows XP, which was still widely used, including in the NHS – remained vulnerable. The ransomware spread easily through these machines, affecting hundreds of thousands of victims around the world until the scale of the problem forced Microsoft to take the unprecedented step of issuing patches for unsupported versions of its products to stop it spreading further.
As well as the operational issues associated with leaving yourself vulnerable to attack, you mentioned compliance earlier.
Absolutely. Being out of support will definitely affect your compliance with things like the Cyber Essentials scheme, ISO 27001, and the GDPR [General Data Protection Regulation] and DPA [Data Protection Act] – the PCI DSS [Payment Card Industry Data Security Standard] too. Compensating controls such as segregating the machines running unsupported systems and software from the wider network can help mitigate the risk.
So, what are the main challenges associated with migrating from Windows 10?
We’re seeing a lot of companies moving towards Office 365. This isn’t necessarily as familiar as some setups, so settings that would give them greater hardening might be missed or not applied. We do a build review and an Office 365 review, which would both cover this.
Sounds like the major challenge is cost rather than anything else.
Yes, you can roll the updates out reasonably easily, including remote rollouts for hybrid or homeworkers. It’s more about whether your machines are capable of running it.
Based on your experience in the field, how common is it for organisations to continue using legacy systems?
For externally facing systems, this is still quite a rarity. We probably see 1 in 40 or 50 organisations running externally facing systems that are unsupported. Internally, it’s another story – we see a lot of internal systems that are unsupported. I’d say about half of our penetration tests come across unsupported servers or workstations.
What’s the main reason for that?
Lack of proper decommissioning, essentially: systems don’t get decommissioned properly after migration but are left running. And because they’re no longer on the asset management list, people forget about them. That’s why it’s so important to undertake penetration tests during your build cycle. Before you go live, get it tested and make sure you’re happy with the build before it is deployed. Then test again to make sure. An internal vulnerability scan on your network or internal pen test to identify any machines that haven’t been switched over will also be beneficial if you haven’t got a reliable asset management list.
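The answer above points to two gaps that leave unsupported machines running after a migration: hosts that drop off the asset register and are forgotten, and the lack of a scan that would show which machines were never switched over. The script below is an added example, not code from the interview or from the firm; it reconciles a constructed internal scan export against a constructed asset register and flags any host whose operating system is past its end-of-support date, or which the scan found but the register does not know about. The hostnames and the "hostname, OS, last seen" export format are constructed for the example; the Windows 10 end-of-support date is the one stated on this page, and the Windows XP and Windows 7 dates are Microsoft's published end-of-support dates.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates. Windows 10's date (14 October 2025) is stated on
# this page; the Windows XP and Windows 7 dates are Microsoft's published
# end-of-support dates and are included as reference values.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Constructed sample data: what an internal scan export might look like once
# reduced to hostname, detected operating system and the date the host was seen.
SCAN_EXPORT = """
# hostname, operating system, last seen (constructed sample data)
ws-finance-01, Windows 11, 2025-11-03
ws-finance-07, Windows 10, 2025-11-03
srv-legacy-02, Windows 7, 2025-11-02
mri-console, Windows XP, 2025-11-01
"""

# Constructed asset register: srv-legacy-02 was "decommissioned" on paper
# but is still answering on the network.
ASSET_REGISTER = {"ws-finance-01", "ws-finance-07", "mri-console"}


@dataclass
class Host:
    hostname: str
    os_name: str
    last_seen: date


def parse_scan(lines):
    """Parse 'hostname, os, last_seen' lines; blank lines and '#' comments are skipped."""
    hosts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostname, os_name, last_seen = (field.strip() for field in line.split(","))
        hosts.append(Host(hostname, os_name, date.fromisoformat(last_seen)))
    return hosts


def support_status(os_name, today):
    """'unsupported' once the vendor's end-of-support date has passed, else 'supported'."""
    eol = END_OF_SUPPORT.get(os_name)
    if eol is None:
        return "supported"  # not in the table: treated as still supported
    return "unsupported" if today > eol else "supported"


def reconcile(scan_hosts, asset_register, today):
    """Map each hostname with a problem to the list of findings against it."""
    findings = {}
    for host in scan_hosts:
        issues = []
        if support_status(host.os_name, today) == "unsupported":
            eol = END_OF_SUPPORT[host.os_name].isoformat()
            issues.append(f"unsupported OS: {host.os_name} (end of support {eol})")
        if host.hostname not in asset_register:
            issues.append("not in asset register (possible machine left running after migration)")
        if issues:
            findings[host.hostname] = issues
    return findings


def report(scan_text, asset_register, today_iso):
    """Convenience wrapper: run the reconciliation for a given 'YYYY-MM-DD' reference date."""
    return reconcile(parse_scan(scan_text.splitlines()), asset_register, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for hostname, issues in report(SCAN_EXPORT, ASSET_REGISTER, "2025-11-03").items():
        print(hostname)
        for issue in issues:
            print(f"  - {issue}")
```

Run against the sample data with a reference date after 14 October 2025, the report lists ws-finance-07 (still on Windows 10), mri-console (Windows XP, but known to the register, so a candidate for the network segregation mentioned earlier) and srv-legacy-02, which is both unsupported and missing from the register, the case the answer above describes. Swapping the constructed export for a real scan's output and the set for your own asset list is the only change needed.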
Gold Build Penetration Test

Our Gold Build Penetration Test employs a mix of advanced manual testing techniques and automated scans to simulate real-world attacks and identify risks within your internal infrastructure, including those affecting:
- Secure configurations
- Network traffic
- Secure passwords
- Patching
- Secure authentication
- Encryption
- Information leakage
About James Pickard

James is an expert penetration tester – and our head of security testing – with more than a decade in the field.
He’s led and executed penetration tests across diverse industries on a global scale. He specialises in two key areas: infrastructure testing and authorisation bypass techniques.
James excels in leadership and technical expertise. He’s managed the penetration testing team since 2018, directing them through tasks, improving testing procedures and cultivating collaborative relationships with clients.
We’ve previously talked to James about security trends for 2024 and beyond.
We hope you enjoyed this edition of our ‘Expert Insight’ series. Explore our full index of interviews here.

Photo by Clint Patterson on Unsplash