Windows 10 hits end of support on October 14, 2025. That means no security fixes for most editions unless you pay for ESU. Now’s the time to move with a crisp, low-stress plan.
The 30-day plan at a glance
Week 1: Inventory
Week 2: Prioritize risk & readiness
Week 3: Secure what must stay (temporarily)
Week 4: Migrate & validate
Week 1 — Inventory (fast + accurate)
PowerShell (AD environments): export Windows 10 fleet with build info.
Import-Module ActiveDirectory $pcs = Get-ADComputer -Filter "OperatingSystem -like 'Windows 10*'" -Properties OperatingSystem,LastLogonDate | Select-Object Name,OperatingSystem,LastLogonDate $report = foreach ($pc in $pcs) { try { $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $pc.Name [pscustomobject]@{ Name=$pc.Name; LastLogon=$pc.LastLogonDate Version=$os.Version; Build=$os.BuildNumber UptimeDays=([int]((Get-Date)-$os.LastBootUpTime).TotalDays) } } catch { } } $report | Export-Csv .\win10_inventory.csv -NoTypeInformation Standalone/SMB: quick local facts.
Get-ComputerInfo | Select-Object OsName,OsVersion,OsBuildNumber,WindowsProductName Week 2 — Prioritize (who moves first?)
Tag machines by risk: old builds, long uptime, or business-critical apps.
$inv = Import-Csv .\win10_inventory.csv $tiers = $inv | ForEach-Object { $risk = "Low" if ([int]$_.Build -lt 19045) { $risk = "High" } # ancient builds elseif ($_.UptimeDays -gt 14) { $risk = "Medium" } # patch lag [pscustomobject]@{ Name=$_.Name; Build=$_.Build; Risk=$risk } } $tiers | Group-Object Risk | Select-Object Name,Count Readiness checks (Windows 11):
$tp = Get-Tpm; $sb = Confirm-SecureBootUEFI [pscustomobject]@{ TPM=$tp.TpmPresent; TPM_Ready=$tp.TpmReady; SecureBoot=$sb } Screenshot: free Website Vulnerability Scanner homepage
Screenshot of the free tools webpage where you can access security assessment tools.
Week 3 — Secure the holdouts (ESU/temporary)
If some Windows 10 devices must linger, tighten controls and consider Extended Security Updates (ESU) while you phase them out.
BitLocker + Firewall sanity:
(Get-BitLockerVolume -MountPoint C:).ProtectionStatus (Get-NetFirewallProfile | Select-Object Name,Enabled) Defender quick posture:
Get-MpComputerStatus | Select AMServiceEnabled,AntispywareEnabled,RealTimeProtectionEnabled Update-MpSignature; Start-MpScan -ScanType QuickScan Sample report from our free tool to check Website Vulnerability
Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.
Week 4 — Migrate & validate
USMT (keep user data/settings):
# On source scanstate \\fileserver\usmt\store /i:migapp.xml /i:migdocs.xml /o /c /v:5 /l:scan.log # On target (Windows 11) loadstate \\fileserver\usmt\store /i:migapp.xml /i:migdocs.xml /c /v:5 /l:load.log In-place upgrade (example):
Start-Process setup.exe -ArgumentList "/auto upgrade /quiet /noreboot" -Wait Post-cutover smoke tests: device control, EDR online, disk encryption, app launch list, and patch baseline.
Where we can help
Managed IT Services: lifecycle planning, hands-on migrations, and endpoint hardening.
https://www.pentesttesting.com/managed-it-services/AI Application Cybersecurity: secure LLM/AI workflows tied to Windows endpoints and SaaS.
https://www.pentesttesting.com/ai-application-cybersecurity/Offer Cybersecurity to Your Clients (Partner/White-label):
https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/Compliance & Risk (HIPAA, PCI DSS, SOC 2, ISO 27001, GDPR): risk assessments and remediation programs.
https://www.pentesttesting.com/risk-assessment-services/
https://www.pentesttesting.com/remediation-services/
Explore more on our blog: https://www.pentesttesting.com/blog/
Subscribe on LinkedIn: https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=7327563980778995713
Note: Windows 10 support ends on Oct 14, 2025; 22H2 is the final release. Plan for ESU only as a temporary bridge.
Top comments (0)