Windows 10, Eight Months On: ESU Costs, Secure Boot Expiry, and What Australian Businesses Should Do Now

Author: Dan Briggs  |  Published: 22 June 2026  |  Reading time: 17 minutes

Executive summary

Windows 10 reached the end of Microsoft support on 14 October 2025. Eight months on, a large share of Australian business PCs are still running it, and the cost of staying put is about to climb. Two things are converging this winter that should put a Windows decision back on the agenda for owners and managers.

First, the price of buying yourself more time is rising. Microsoft’s paid Extended Security Updates (ESU) for businesses start at US$61 per device for the first year and double every year after that, to US$122 and then US$244. The first year of cover runs out in October 2026, so the cheap window is closing.

Second, a quieter technical change lands this month. The digital certificates that underpin Secure Boot, the feature that protects your computers as they start up, begin expiring in June 2026. Devices that are still supported or enrolled in ESU receive replacement certificates automatically. Machines that have dropped off support, which includes most Windows 10 PCs not covered by ESU, will not, and they slowly lose the ability to receive boot-level security fixes.

The practical message is simple. If your business still has Windows 10 machines, the second half of 2026 is when you decide their future: upgrade them to Windows 11, replace the hardware, pay for extended updates as a bridge, or move users to a cloud PC. This guide walks through each option with real costs and dates, the risks of doing nothing, what the changes mean for professional services, hospitality and not-for-profit organisations specifically, and a checklist you can work through before the spring quarter.

Where things stand in mid-2026

Support for Windows 10 ended on 14 October 2025. Since that date, Microsoft no longer ships free security patches, quality fixes, feature updates or technical support for the operating system, as set out on its end of support page. The machines keep working. They start up, run your line-of-business software, open email and print invoices exactly as they did the day before. That is precisely what makes this risk easy to ignore.

The version mix has shifted hard towards Windows 11 since the deadline. Statcounter’s worldwide figures had Windows 11 at around 73 per cent of desktop Windows and Windows 10 at roughly 26 per cent in early 2026. Put plainly, about one in four Windows PCs was still running an unsupported operating system months after the cut-off. We see the same pattern across the businesses we talk to: a fleet that is mostly on Windows 11, with a stubborn tail of older machines that could not be upgraded in time, or that nobody got around to.

That tail is where the exposure sits. An unsupported operating system does not fail loudly. It accumulates unpatched vulnerabilities quietly while everything appears normal, and that gap widens every month. When researchers find a new flaw in Windows 10 now, there is no fix coming unless the device is covered by ESU. Attackers know this, and unsupported systems are a well-understood soft target.

What “end of support” actually costs a business

The risk is not only the headline one of a breach. Three slower problems tend to bite first.

Software vendors follow Microsoft. Accounting packages, practice management systems, point-of-sale software and security tools progressively drop support for Windows 10, which means new versions may not install and vendors can decline to help when something breaks on an unsupported platform. Microsoft 365 Apps (the desktop Word, Excel and Outlook) are a clear example: running them on an out-of-support version of Windows is no longer a supported configuration, and reliability issues that follow are your problem to absorb.

Cyber insurance is the second pressure. Insurers increasingly ask whether your systems are vendor-supported and patched. Running an unsupported operating system can complicate a claim or push up premiums, and some policies now treat it as a basic hygiene failure. If you make a claim after an incident on a Windows 10 machine that was out of support, expect questions.

Compliance is the third. Under the Privacy Act, organisations covered by the Australian Privacy Principles must take reasonable steps to protect personal information they hold (APP 11). The regulator has been more active and better resourced recently, and “we were running software the vendor stopped supporting” is a difficult position to defend if client or customer data is exposed. The Australian Signals Directorate’s Essential Eight also assumes operating systems and applications are kept current and patched, which is hard to claim on an unsupported platform.

The new pressure: Secure Boot certificates start expiring this month

The development that makes June 2026 a genuine deadline rather than a vague “sometime soon” is the expiry of Microsoft’s Secure Boot certificates.

Secure Boot is a security feature built into modern PCs. When a computer powers on, Secure Boot checks that the startup software has a valid digital signature before it loads, which stops malicious code from hijacking the machine before Windows is even running. Those signatures rely on certificates issued back in 2011, and certificates have expiry dates.

According to Microsoft’s guidance, the Microsoft Corporation KEK CA 2011 and the Microsoft UEFI CA 2011 certificates expire in June 2026. The Windows Production PCA 2011 certificate, which signs the Windows boot loader itself, expires in October 2026. Replacement certificates issued in 2023 need to be in place on each device before the old ones lapse.

What happens if a device misses the new certificates

This is where it pays to be precise, because the change has been widely misreported as “your PC will stop booting in June”. It will not. Microsoft is clear that a device which reaches the expiry date without the new certificates will still start and run normally, and ordinary Windows updates keep installing.

What the device loses is the ability to receive new protections for the early startup process: updates to the Windows Boot Manager, refreshes to the Secure Boot databases and revocation lists, and fixes for newly discovered weaknesses in the boot chain. In other words, that layer of security quietly freezes in time and becomes a growing blind spot. For a business, the consequence is not a dead machine tomorrow; it is a fleet that is slowly losing one of its security foundations while looking perfectly healthy.

Who needs to act, and who is already covered

Most PCs manufactured from 2024 onwards shipped with the updated 2023 certificates already in place, so they are fine. Devices made before 2024 generally need the update applied. The good news is that Microsoft is rolling the new certificates out automatically through monthly Windows updates for eligible, supported devices, and the process is on by default for machines that are ready for it.

The catch is the one that matters for this whole topic: a device only receives those monthly updates if it is still getting updates at all. A Windows 11 machine, or a Windows 10 machine enrolled in ESU, will collect the new certificates in the normal course of patching. An out-of-support Windows 10 machine that is no longer receiving updates will not, and it is exactly the population of devices most likely to be sitting on pre-2024 hardware. The Secure Boot change therefore reinforces the central decision rather than standing apart from it. Keeping a Windows 10 device genuinely secure now depends on keeping it supported.

Your four real options

For each Windows 10 machine still in service, there are four sensible paths. Most businesses end up using a mix across their fleet rather than one answer for everything.

Option 1: Upgrade the device to Windows 11

If a machine meets the Windows 11 hardware requirements, an in-place upgrade is usually the cheapest and least disruptive route. The requirements that trip people up are TPM 2.0, Secure Boot capability, a supported processor and a minimum of 4 GB of memory (8 GB or more is far more comfortable for real work). The upgrade keeps the user’s files and most applications, and there is no licence fee to move from Windows 10 to Windows 11 on eligible hardware.

In practice, the work is in the checking and the testing, not the upgrade button. You want to confirm each device is genuinely capable, verify that your critical software is supported on Windows 11, and schedule the rollout so staff are not knocked offline mid-task. For a small office this can often be done over a week or two of evenings; for larger fleets it is a staged project.

Option 2: Replace the hardware

Machines roughly five years and older frequently fail the Windows 11 requirements, most often on TPM or processor generation. Rather than spend money extending the life of equipment that is already slow and out of warranty, this is often the moment to replace it. A new business-grade PC arrives on Windows 11, comes with the 2023 Secure Boot certificates already in place, and resets the clock on warranty and performance.

Replacement is the largest line item of the four options, so it benefits most from planning. Spreading purchases across two or three quarters smooths the cash impact, avoids the scramble if supply tightens closer to the next deadline, and lets you standardise on a small number of models that are easier to support. If budget is the constraint, prioritise the machines that hold or touch sensitive data and the staff who cannot afford downtime.

Option 3: Pay for Extended Security Updates as a bridge

If you cannot move every device in time, Microsoft’s commercial ESU program buys you supported, patched Windows 10 for up to three years past the deadline. The pricing, confirmed on Microsoft Learn, is structured to encourage you to move sooner rather than later:

  • Year one: US$61 per device (cover began in November 2025).
  • Year two: US$122 per device (the price doubles).
  • Year three: US$244 per device (it doubles again).

Two details catch businesses out. The cost is cumulative: if you skip year one and decide to enrol in year two, you still have to pay for year one as well, because the updates build on each other. And ESU is security updates only. It does not include new features, non-security fixes or general technical support, and devices must be on Windows 10 version 22H2 to qualify. The minimum purchase is a single licence, so ESU works for one stubborn machine as readily as for fifty.

Used well, ESU is a bridge, not a destination. It is the right call for the device running a piece of equipment whose vendor has not yet certified Windows 11, or the handful of machines you simply cannot replace before spring. It is a poor call as a way to avoid the decision entirely, because the doubling price makes year three more expensive than a decent replacement PC.

Option 4: Move the user to a cloud PC

There is a fourth option that often gets overlooked. If a Windows 10 device connects to a Windows 365 Cloud PC, that endpoint is entitled to Extended Security Updates at no additional cost for up to three years while the Windows 365 subscription is active, as Microsoft notes in the same ESU documentation. The same no-extra-cost ESU entitlement applies to Windows 10 virtual machines running in Azure and Azure Virtual Desktop.

This suits businesses that are heading towards cloud desktops anyway, or that have older hardware they would rather keep as a simple terminal than replace outright. It is more of a strategic shift than a quick fix, so it is worth weighing as part of a broader plan rather than a same-week patch.

A note on consumer ESU for very small operators

Sole traders and very small offices may come across the consumer version of ESU, which is separate from the business program. Per Microsoft’s consumer ESU page, individuals can enrol a personal Windows 10 PC for one year of updates through to 13 October 2026, at no cost by syncing PC settings with a Microsoft account, by redeeming 1,000 Microsoft Rewards points, or by paying a one-off US$30 (or the local-currency equivalent plus tax). It requires signing in with a Microsoft account, and it only buys a single year. For anything resembling a managed business fleet, the commercial program is the appropriate route; the consumer path is a stopgap for a lone machine, not a business strategy.

How this lands by sector

The right mix of options depends a great deal on what your business does and what those Windows 10 machines are actually running.

Professional services

Accounting, legal, advisory and financial firms hold concentrated, sensitive client data and live inside a handful of applications: practice management, document management, accounting and the Microsoft 365 suite. The exposure here is twofold. An unsupported operating system weakens the APP 11 “reasonable steps” position if client data is ever compromised, and software vendors in this space move quickly to require current platforms. For most professional services firms the answer is to get every fee-earner and support staff machine onto Windows 11, using short-term ESU only for the rare device tied to a specialist application that has not yet been certified.

Hospitality

Hospitality runs on devices that are easy to forget because no one sits in front of them all day: point-of-sale terminals, kitchen displays, booking kiosks and back-office PCs, many of them on older Windows builds. These are exactly the pre-2024 machines most likely to miss the Secure Boot certificate update, and a POS terminal that handles card payments is not somewhere to carry unnecessary security risk. The practical step is to inventory every Windows device in each venue, including the ones bolted under a counter, confirm whether each is on a supported, patched platform, and plan replacements or ESU for any that are not.

Not-for-profits

Not-for-profits feel this most acutely because budgets are tight and hardware is often older and donated. The temptation is to keep machines running as long as possible, but charities hold donor and beneficiary data that is just as sensitive as any commercial firm’s, and a breach is disproportionately damaging to an organisation that runs on trust. The encouraging news is that the options scale down well: ESU starts at a single licence, Microsoft offers non-profit pricing and grants on much of its software, and a staged hardware refresh can be planned around grant and funding cycles. Doing nothing is the only genuinely expensive choice.

Action checklist

Whatever your sector, the same groundwork applies. Work through this before the spring quarter so any hardware purchases land with time to spare.

  1. Build a device inventory. List every Windows machine in the business, where it is, who uses it and what version of Windows it runs. You cannot plan around devices you have forgotten about.
  2. Flag the Windows 10 machines. Separate them into “can upgrade to Windows 11”, “cannot upgrade, needs replacing” and “must stay on Windows 10 for now because of a specific application”.
  3. Check Windows 11 eligibility properly. Confirm TPM 2.0, Secure Boot capability, processor and memory for each machine rather than guessing from its age.
  4. Confirm Secure Boot certificate status. Make sure supported machines are receiving monthly updates and have collected the 2023 certificates, and identify any out-of-support devices that will miss them.
  5. Map your critical software. Verify that your accounting, practice management, POS and other key applications are supported on Windows 11 before you move the machines that run them.
  6. Decide ESU only where it earns its place. Reserve extended updates for devices you genuinely cannot move yet, and note that year one cover lapses in October 2026.
  7. Budget across quarters. Spread replacements over two or three quarters to soften the cash impact and avoid a last-minute rush.
  8. Set a completion date and own it. Pick the date by which the last Windows 10 machine will be retired or bridged, and hold the plan to it.
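
A per-device check for checklist steps 3 and 4, as an added example (not a script from Microsoft or from this article's author). It assumes an elevated PowerShell session; the function name and CSV path are hypothetical, and the two subject names are those of Microsoft's 2023 replacement certificates, which the article does not spell out.

```powershell
# Added example: per-device readiness check for checklist steps 3 and 4.
# Run from an elevated PowerShell session on the machine being assessed.
function Get-Win10ExitReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $isWin10 = $os.Caption -like '*Windows 10*'

    # TPM: SpecVersion reads like "2.0, 0, 1.38"; the first field is the version.
    $tpmVersion = $null
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
            -ClassName Win32_Tpm -ErrorAction Stop
        if ($tpm) { $tpmVersion = ($tpm.SpecVersion -split ',')[0].Trim() }
    } catch { }  # no TPM exposed to Windows, or the session is not elevated

    # Secure Boot state: the cmdlet throws on legacy-BIOS machines.
    $secureBoot = 'Unknown'
    try { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch [System.PlatformNotSupportedException] { $secureBoot = 'NotUEFI' }
    catch { }    # typically an access-denied error when not elevated

    # Text match for a certificate subject name inside a Secure Boot variable.
    # Returns $true/$false, or $null when the variable cannot be read.
    function Test-SecureBootVarHasCert([string]$Name, [string]$Subject) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
            [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Subject)
        } catch { $null }
    }

    # TotalPhysicalMemory is usable RAM, slightly under the installed figure,
    # so round to the nearest GB before comparing with the 4 GB floor.
    $memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption
        DisplayVersion = $cv.DisplayVersion
        IsWindows10    = $isWin10
        On22H2ForEsu   = ($isWin10 -and $cv.DisplayVersion -eq '22H2')
        TpmVersion     = $tpmVersion
        Tpm20          = ($tpmVersion -eq '2.0')
        SecureBoot     = $secureBoot
        MemoryGB       = $memGB
        MemoryOk       = ($memGB -ge 4)
        # Processor support needs a manual check against Microsoft's CPU list.
        Processor      = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
        Db2023Cert     = Test-SecureBootVarHasCert 'db'  'Windows UEFI CA 2023'
        Kek2023Cert    = Test-SecureBootVarHasCert 'KEK' 'Microsoft Corporation KEK 2K CA 2023'
    }
}

# One row per machine; append to a shared CSV to build the fleet inventory.
Get-Win10ExitReadiness |
    Export-Csv -Path .\win10-inventory.csv -Append -NoTypeInformation
```

A `False` in `Db2023Cert` or `Kek2023Cert` on a machine that is also off support marks one of the devices the article says will miss the new certificates; an empty value means the variable could not be read (not elevated, or not a UEFI system).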

Comparing the options at a glance

| Option | Best for | Indicative cost | Key dates and limits |
| --- | --- | --- | --- |
| Upgrade to Windows 11 | Machines that meet the hardware requirements | No OS licence fee; cost is labour and testing | Do it before the device falls further behind on patches |
| Replace the hardware | Devices roughly five years and older that fail Windows 11 checks | Highest cost; new business PC per device | Plan across quarters; new machines include 2023 Secure Boot certificates |
| Commercial ESU | A short bridge for devices that cannot move yet | US$61 year one, US$122 year two, US$244 year three, cumulative | Requires Windows 10 22H2; security updates only; max three years |
| Cloud PC (Windows 365) | Older endpoints and businesses moving to cloud desktops | Windows 365 subscription; ESU included at no extra cost | ESU entitlement lasts up to three years while subscription is active |
| Consumer ESU | A single personal or sole-trader PC, not a managed fleet | Free with settings sync, 1,000 Rewards points, or about US$30 | One year only, through 13 October 2026 |

A practical 90-day plan

If this has been sitting on the “we should sort that out” list, here is a realistic way to close it out over a quarter without disrupting the business.

Weeks 1 to 3: see what you have. Pull together the device inventory, identify every Windows 10 machine, and run the Windows 11 eligibility checks. By the end of this stage you know exactly how many devices can upgrade, how many need replacing, and how many are tied to a specific application.

Weeks 4 to 8: decide and order. Confirm which critical applications are cleared for Windows 11, choose the path for each device, and place hardware orders for the machines that need replacing. Enrol any genuine bridge devices in ESU so they are covered while the rest of the plan plays out. Schedule upgrades around your busy periods rather than through them.

Weeks 9 to 13: execute and verify. Run the in-place upgrades, deploy the new machines, and migrate users with their data and settings intact. Confirm that every remaining device is supported and patched, including the Secure Boot certificate status, and retire or repurpose the old hardware securely. Finish with a short written record of what is now running where, which makes the next refresh far easier.

The bottom line

Windows 10 has not stopped working, and that is exactly why it is easy to leave alone. But the economics and the security picture both point the same way this winter. Extended update prices double in October, the cheapest bridge year is running out, and the Secure Boot certificates that protect your machines as they start up begin lapsing this month, with the devices most likely to miss the fix being the very Windows 10 PCs that have already dropped off support. Every month of delay narrows your options and raises the cost of the eventual move.

The businesses that handle this well are not the ones with the biggest budgets. They are the ones that did the inventory early, made a clear decision for each machine, and spread the work and the spend across a couple of quarters instead of scrambling at the next deadline. That is an afternoon of planning now in exchange for avoiding a rushed, expensive project later.

Frequently asked questions

My Windows 10 computers still work fine. Why should I do anything now?

They will keep working, which is the trap. The problem is invisible: without support, newly discovered Windows 10 vulnerabilities go unpatched, and from this month out-of-support machines also stop receiving Secure Boot certificate updates. The risk, the insurance complications and the compliance exposure all build quietly while the device looks healthy. Acting now is far cheaper than reacting after an incident.

Is it really worth paying for ESU, or should I just replace the machines?

ESU makes sense as a short bridge for the specific devices you cannot move yet, such as a PC tied to equipment whose vendor has not certified Windows 11. Because the price doubles each year and is cumulative, it is poor value as a long-term substitute for upgrading. By year three you are paying more than a capable replacement PC would cost. Use it deliberately, not as a way to defer the decision indefinitely.

How do I know if a computer can run Windows 11?

The common blockers are TPM 2.0, Secure Boot capability and processor generation, alongside a memory floor of 4 GB. Age is a rough guide, but the only reliable answer comes from checking each machine against the requirements. Most devices bought new in the last four or five years upgrade without issue; older ones often do not.

Will my PC stop booting when the Secure Boot certificates expire in June 2026?

No. Microsoft is clear that devices will still start and run, and ordinary Windows updates keep installing. What an affected device loses is the ability to receive new boot-level security protections. The fix arrives automatically through Windows Update on supported and ESU-enrolled machines, which is why keeping a device supported is the practical way to stay protected.

Can All IT Services handle the whole move for us?

Yes. We audit your devices, confirm Windows 11 eligibility and software compatibility, plan the budget across quarters, and run the upgrades, replacements and any ESU enrolment with minimal disruption to your team. You get a clear plan and a single point of contact rather than a pile of decisions to make alone.

Talk to All IT Services

We help businesses across Sydney, Brisbane, the Central West of New South Wales and Melbourne plan and run exactly this kind of transition, from the first device audit through to retiring the last Windows 10 machine, without lock-in contracts and without the jargon. If you want a clear picture of where your fleet stands and a costed plan for the rest of 2026, we can help.

Call us on 1300 425 548 or get in touch through allitservices.com.au/contact-us for a straight assessment of your options.
