Free Extended Security Updates with AVD and Windows 365

End of life for Windows 10 is coming pretty fast. It’s set for the 14th of October 2025. After this date, security updates will stop unless you opt for Extended Security Updates (ESU). While ESU is a paid program, Windows 365 (and AVD) users can get them for free!

Extended Security Updates

Running Windows 10 after the 14th of October is of course not ideal. You are exposing yourself and your company to a whole range of possible vulnerabilities. To mitigate this as fast as possible you can just upgrade to Windows 11, which was already released in October 2021 and is a very stable OS.

If you are moving away from Windows 10, but still have some legacy applications which prevent you from going all in on Windows 11 OR you do not meet the hardware requirements, you can opt for the ESU program, which allows you to continue receiving security updates for Windows 10 after the official end-of-support date. It’s a paid service that costs 61 dollars/device/year, and that price will double each year.

Migrate to Windows 11

I get that you’re not ready to retire your hardware just yet. It still runs well for daily tasks, and there are plenty of reasons you might still be using Windows 10. The ones that I encounter the most are:

  • Old, unsupported hardware
  • Old, legacy applications that do not run on Windows 11
  • Your migration path towards Cloud Native management has not yet started.

Let’s do a short deep dive into these three topics:

Unsupported hardware

You might not have hit your hardware refresh cycle, or you state that the hardware is still fine for your regular Outlook access and sending mails. Keep in mind that without security updates you are becoming an easy target for bad actors.

The hardware requirements discussion comes up a lot as well. Many feel that Microsoft is forcing an upgrade even though their hardware still works fine. But here’s the real question: do you want to rely on a device that lacks hardware support for essential/basic cryptographic functions (because it’s too old)? Would you use your day-to-day smartphone if it couldn’t natively encrypt your data due to missing hardware? I know I wouldn’t. New security features come out every so often, and you certainly want to incorporate them into your environment. FYI, TPM 2.0 was introduced in 2017, which is over 7 years ago!

The general advice here is to just plan a hardware refresh and do so every couple of years.
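As an added example (not from the original post), the PowerShell function below sorts a device into "upgrade in place" or "needs ESU or a hardware refresh" based on the TPM point made above. The function name `Get-Win10EosReadiness` and the `Plan` labels are hypothetical, and it checks only the TPM version and Secure Boot state, not the full Windows 11 requirement list (CPU, RAM, storage).

```powershell
# Added example: classify this device for Windows 10 end-of-support planning.
# Run from an elevated session; the TPM WMI class and Secure Boot query need admin rights.
function Get-Win10EosReadiness {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Client builds below 22000 are Windows 10; 22000 and up are Windows 11.
    $isWin10 = ($os.ProductType -eq 1) -and ($build -lt 22000)

    # Win32_Tpm returns nothing when no TPM is present or it is disabled in firmware.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $tpmSpec  = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $hasTpm20 = $tpmSpec -eq '2.0'

    # Confirm-SecureBootUEFI throws on legacy BIOS or without elevation;
    # both cases are reported as "not confirmed".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }

    # Hypothetical planning labels, not Microsoft terminology.
    $plan = if (-not $isWin10) {
        'No action: not a Windows 10 client'
    } elseif ($hasTpm20 -and $secureBoot) {
        'Candidate for in-place upgrade to Windows 11'
    } elseif ($hasTpm20) {
        'TPM 2.0 present: review Secure Boot/UEFI settings before upgrade'
    } else {
        'Needs ESU coverage or hardware refresh'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $os.Caption
        Build        = $build
        TpmSpec      = $tpmSpec
        SecureBoot   = $secureBoot
        Plan         = $plan
    }
}

Get-Win10EosReadiness | Format-List
```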

Legacy applications

Another common concern is legacy applications that supposedly only run on Windows 10. In reality, many of these may work just fine on Windows 11 using compatibility settings. It often comes down to an old application that no one fully understands, installed years ago by someone who left the company, with no documentation to be found. Scary!

The general advice here is: start looking for new, more modern applications (or upgrade paths) with support for modern authentication. You are using an old application, probably without a support contract, which is not ideal. Who’s going to fix your stuff if the application stops working tomorrow? Have you considered the impact on your company?

Lack of a migration path towards Modern Management

Many companies are planning a move towards Modern Management because it has many advantages. It allows you to manage devices from anywhere without network dependencies or the need for Active Directory, all from a single pane of glass that manages every device efficiently regardless of its operating system. Features like Windows Autopilot streamline deployments, making it easier to set up and hand over new devices to employees, which is just the icing on the cake.

None of this is new; you are probably aware of these advantages. But moving towards a new platform seems challenging and hard, and you’ll need to invest time in it.

The advice here is: start with small steps. Set up a greenfield Intune environment and use baselines provided by your partner. You’ll be up and running in no time.

Don’t spend time migrating every single GPO towards the Intune settings catalog. You probably don’t even know what 80% of your current policies do. Now is your time to start fresh and to onboard new devices straight into Intune.

Let internal IT and some key people validate the new Intune setup and start handing out new, Intune-provisioned devices to users upon their device refresh. Simply phase out the old MDM.

If you are looking for an easy test environment for all those Intune policies, you could leverage the power of Windows 365 as well. You can easily reset the Cloud PC or use its built-in restore points to quickly move back and forth between various testing scenarios, all without impacting your own production machine. You can read more on this in one of my previous posts.

Windows 365 is often an easy way to start with Intune, from which you can easily expand toward physical machines. The management is identical.

How to get Extended Security Updates for free

After considering all the points above, you know the next steps and how to proceed. However, if you’re just starting with your migration to Windows 11, there’s a high chance you may not meet the deadline. You’ll want to opt for the Extended Security Updates to give you more time to migrate while still providing all those old PCs with the necessary security updates.

Good news, Microsoft has you covered! Windows 365 includes free ESUs, so you can easily provision Cloud PCs for your remaining users. They can continue their daily tasks on a Windows 11 or even Windows 10 Cloud PC (if you still need that old application), and as a bonus, any Windows 10 PC that connects to a Cloud PC automatically qualifies for free ESUs. This free ESU commitment is for a maximum of three years starting from the EOS date of Windows 10.

Migrate from Windows 10 easily to Windows 11 by using Windows 365

Activate the Extended Security Updates for your machine

When you purchase the ESUs separately (through Volume Licensing), you’ll download an activation key and need to apply it to individual PCs in your environment. There is support for Volume Activation Management Tool (VAMT) or Windows Server Update Services (WSUS) to get the updates on your Windows 10 devices.

If you are using Windows 365, however, the whole process is automatic. Every Windows 10 device that connects to a Windows 10 or Windows 11 Cloud PC will automatically be configured to receive the Extended Security Updates.

Free ESU on Azure Virtual Desktop

Azure Virtual Desktop (AVD) provides support for free ESUs as well. This, however, only applies to your workloads running on Azure. Your Windows 10 session hosts will therefore be eligible to receive free ESUs for up to three years. If you want your physical clients to receive the free ESUs, you’ll need a Windows 365 Cloud PC, as mentioned in the Microsoft documentation.

Let’s recap

Get Free ESU on AVD and Windows 365. Get free ESUs on your physical clients with Windows 365

Now is the time to transition to Windows 11, even on older devices. With Windows 365, you can easily deploy Windows 11 or Windows 10 Cloud PCs while still keeping physical Windows 10 devices updated. Best of all, this is a fully supported solution that eliminates the need to purchase individual ESU licenses.
