Windows 10 Is Dead. Your Computer Isn't.
The calls started a few weeks before the date and they all sounded the same. "Microsoft says my computer isn't safe anymore. Do I have to buy a new one?" No. Probably not. End of support means Microsoft stopped shipping security patches for the operating system on October 14, 2025. It does not mean the hardware turns into a paperweight. The machine boots the same on the 15th as it did on the 13th. What changed is invisible, and from a security standpoint it's the only thing that counts: the supply of fixes dried up.
That gap between "still works fine" and "no longer getting patched" is exactly where people make bad decisions. Some panic and throw money at hardware they don't need. Others shrug and keep the box online for three more years on the same network as their tax returns and their work email. Both are mistakes. The right move depends entirely on what the machine is for, who touches it, and what it can reach. I've spent a long time cleaning up after the second kind of person, so let me walk through how I actually think about this when the question lands on my desk.
What "end of life" actually means
Strip away the marketing and an OS end-of-life is a simple thing. The vendor stops producing security updates. No more monthly patches. No fixes for newly discovered holes in the kernel, the networking stack, the print spooler, the font parser, the dozen other components that attackers love. Bugs found tomorrow stay open forever on that platform.
A few things follow from that, and the order matters.
First, nothing breaks on day one. This is the part people get wrong. An unpatched OS is not a broken OS. It runs your programs, prints your documents, joins your Wi-Fi. The danger is cumulative, not instant. Every month that passes, the pile of known-but-unfixed vulnerabilities grows, and every one of those is a published roadmap for anyone who wants in. The risk curve doesn't spike. It creeps. That slow creep is what lulls people into thinking they got away with it.
Second, the rot spreads outward over time. The OS is just the first thing to lose support. Application vendors start dropping the platform too. Your browser keeps getting updates for a while past the OS cutoff, then one day it doesn't, and a browser is the single most exposed piece of software on most machines. Drivers stop getting refreshed. New hardware shows up that has no driver for the old system. Anti-malware tooling eventually follows. So the practical security of an end-of-life box gets worse on two fronts at once: the OS itself, and the increasingly stale software stack sitting on top of it.
Third, and this is the one businesses forget until an auditor reminds them, running an unsupported OS can quietly break your compliance posture. If you handle card data, health records, or anything covered by a framework that requires supported and patched systems, an end-of-life machine on an in-scope network is a finding waiting to happen. I've watched a clean audit go sideways because of one forgotten Windows box in a back room running a label printer.
So the question is never "will it still work." It will. The question is "what is it allowed to touch, and how long can I live with the holes."
Calibrate the risk before you do anything
Here's the part most advice skips. Not every end-of-life machine carries the same risk, and treating them all the same is how you either overspend or underprotect. Before you pick a fix, figure out what the box actually is.
A laptop someone uses every day to browse the web, check Gmail, do online banking, and join video calls is about as high-risk as a personal computer gets. It touches money, it touches credentials, it talks to the whole internet, and a human clicks things on it all day. That machine cannot stay on an unsupported OS for long. Full stop.
Now compare that to a desktop in a workshop whose entire job is driving one piece of equipment over a serial cable, that has never been on the internet and never will be, that lives behind a locked door. The OS being unpatched on that machine is a much smaller deal, because the thing that makes an unpatched OS dangerous is exposure, and that box has almost none. I'm not going to lose sleep over it, and neither should you, as long as it stays isolated.
Most machines fall somewhere between those two. A kid's homework laptop. A spare desktop the family shares. A point-of-sale terminal. A machine running one piece of expensive line-of-business software that the vendor never ported forward. Each one gets a different answer, and the answer comes from three questions: What does it connect to? What sensitive data does it hold or reach? Who uses it, and how careless are they? Answer those honestly and the right path usually picks itself.
Move it to Windows 11
The obvious option is to upgrade the OS. If the hardware qualifies for Windows 11, this is the cleanest outcome, because you stay in the same ecosystem and the user barely has to relearn anything. The catch is the hardware bar, which Microsoft set higher than any Windows release before it, and which is the whole reason so many perfectly good machines got stranded.
Windows 11 wants a 64-bit processor on Microsoft's supported list, which in rough terms means Intel's 8th-generation Core chips and newer, and AMD's Ryzen 2000-series and newer. It wants UEFI firmware with Secure Boot available. It wants TPM 2.0, a small security chip (or firmware equivalent) that handles keys and measured boot. And it wants a modest floor of memory and storage that almost anything from the last decade clears. The two that strand machines are the CPU list and the TPM requirement. A six- or seven-year-old business desktop with a great processor for everyday work can be ruled out purely because its chip is one generation too old for the list, which is genuinely annoying and which Microsoft has taken a lot of justified heat for.
Check eligibility before you do anything else. Windows has a built-in health check, and the system information will tell you your firmware mode and whether TPM is present and what version. If the machine passes, upgrade it and move on with your life. That's the easy case.
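The firmware, Secure Boot and TPM checks described above, gathered into one PowerShell function. This is an added example, not Microsoft's health check or the author's script; the function name `Get-Win11Readiness` and its output fields are made up here, and the CPU model still has to be compared against Microsoft's supported list by hand.

```powershell
# Added example. Run in an elevated Windows PowerShell 5.1 session:
# the TPM WMI class and Confirm-SecureBootUEFI both need administrator rights.
function Get-Win11Readiness {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run elevated; otherwise the TPM and Secure Boot queries fail and look like "absent".'
    }

    # Firmware mode: 'Uefi' or 'Bios' (legacy).
    $firmware = "$((Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType)"

    # Secure Boot: $true = on, $false = available but switched off.
    # The cmdlet throws on legacy-BIOS machines, which is reported as not available.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' }
                      else { 'Available, currently off' }
    } catch {
        $secureBoot = "Not available: $($_.Exception.Message)"
    }

    # TPM: SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the
    # TPM version. A TPM switched off in firmware setup also shows up as 'none'.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    $cpu = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Name.Trim()

    # Collect the requirements this machine visibly misses.
    $blockers = @()
    if ($firmware -ne 'Uefi')     { $blockers += 'Firmware is not in UEFI mode' }
    if ($secureBoot -like 'Not*') { $blockers += 'Secure Boot not available' }
    if ($tpmVersion -ne '2.0')    { $blockers += "TPM 2.0 not found (reported: $tpmVersion)" }

    [pscustomobject]@{
        FirmwareMode = $firmware
        SecureBoot   = $secureBoot
        TpmVersion   = $tpmVersion
        Cpu          = $cpu   # compare by hand against Microsoft's supported-processor list
        Blockers     = $blockers
    }
}

Get-Win11Readiness | Format-List
```

An empty `Blockers` list means only the CPU comparison is left to do.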
The harder case is the machine that fails the check but is otherwise fine, and here you have to make a real decision, because Windows 11 can be installed on unsupported hardware. The community has had ways around the checks since the beginning. The most reliable is a tool called Rufus, which builds a Windows installation USB and can strip out the hardware checks while it does, so the installer simply doesn't ask about TPM or your CPU. Microsoft also published a narrow registry workaround of its own for one specific situation, a machine that has TPM 1.2 and an unsupported CPU, which tells you the company knows full well people are doing this.
I'll be straight about the tradeoff, because it's real and people gloss over it. When you install Windows 11 on unsupported hardware, you're in a state Microsoft explicitly calls unsupported. The practical meaning has been fuzzy. These installs generally keep getting updates, but Microsoft reserves the right to withhold them, and they've made noise about not guaranteeing updates on these machines, including the bigger feature updates. So you're trusting that the workaround keeps working. In my experience it usually does, but "usually" is doing some work in that sentence.
I'll bypass the checks on a homelab box I can rebuild without crying. I will not bypass them on someone's primary work computer.
The whole point of a daily driver is that it doesn't surprise you. An unsupported install that might one day refuse an update is a surprise generator, and I'd rather put that user on a fully supported path than save the cost of newer hardware. Match the risk tolerance to the role. A lab can be flaky. A work machine can't.
One more thing on this path. If you do upgrade in place, take a full image backup first. Always. In-place OS upgrades go smoothly almost every time, and the one time they don't, you'll be very glad you can roll the whole disk back to exactly how it was instead of reconstructing someone's setup from memory.
Pay for time with Extended Security Updates
Microsoft offered a way to keep getting security patches past the cutoff, called Extended Security Updates, and it's worth understanding even though I treat it as a last resort. ESU is a paid program that delivers critical and important security fixes for the old OS after general support ends. It comes in a consumer flavor and a business flavor, and they behave differently.
For consumers, Microsoft made enrollment relatively painless and offered more than one way in, including no-cost routes tied to a Microsoft account, alongside a paid option. It buys one additional year of security patches. That's the shape of it: a short bridge, not a new lease.
For organizations, ESU is the familiar enterprise pattern, sold per device, available for multiple years, with the price climbing each year you stay enrolled. That escalation is deliberate. Microsoft is not trying to make staying comfortable. They're trying to make migration the cheaper option over time, and they price it so that year three hurts enough to focus the mind. I've seen this movie before with the previous Windows transition, and the plot is the same: ESU is the thing you buy when you have a specific dependency you genuinely cannot move yet and a real plan with a real date for moving it.
ESU is fine as a bridge and a disaster as a destination.
That last bit is the whole point. The failure mode I see constantly is a team that buys a year of extended updates, breathes a sigh of relief, and then does nothing for eleven months because the pressure came off. Then they're back in the same spot, except the price went up. If you buy time, you have to actually use the time. Put the migration on the calendar the same week you enroll. Assign an owner. Pick the target. Otherwise you're just renting the same problem at a rising rate.
When does ESU earn its keep? When you have a piece of software or a machine that drives expensive equipment, where the vendor hasn't shipped a version for the new OS, where ripping it out tomorrow isn't possible, and where you have a concrete project underway to replace or re-platform it. In that situation, paying for a clean supported bridge while the real fix lands is good engineering. Paying for it because you'd rather not think about the problem is just procrastination with a receipt.
Put Linux on it
This is the one I actually get excited about, because it's where "reviving old computers" stops being a figure of speech. The machines Windows 11 rejects for being too old are, by any sane measure, still fast. A desktop with a decent processor and an SSD will fly through everything a normal person does. The only reason it feels stranded is that one vendor decided its chip didn't make a list. Linux does not care about that list. A modern Linux desktop runs beautifully on hardware Microsoft wrote off, and it keeps getting security updates for free, indefinitely, with no end-of-life cliff hanging over it.
I'll temper the enthusiasm with honesty, because Linux is the right answer for a lot of people and the wrong answer for some, and pretending otherwise helps nobody.
For the right user, the transition is smaller than they fear. If someone spends their day in a web browser, email, video calls, and a document now and then, the underlying OS is almost irrelevant to them. Their whole world is in the browser, and the browser is the same on Linux. For that person, a friendly Linux distribution is a non-event after the first week. The desktop I steer Windows refugees toward is Linux Mint, specifically because it doesn't try to reinvent the experience. It has a taskbar, a start-style menu, a system tray, windows that behave the way windows have behaved since the nineties. People sit down and they're just using a computer. There are plenty of other good choices, and for genuinely ancient or low-memory hardware the lighter desktops, the Xfce and LXQt families, sip resources and bring a creaky old machine back to feeling responsive. But for the "make this old laptop usable again for a normal human" job, Mint is my default and has been for years.
Now the honest part, the friction. Linux is not Windows wearing a costume, and three things trip people up.
The first is specific Windows applications. If someone's life depends on a particular Windows-only program, the full Adobe suite, certain industry tools, a tax package, some line-of-business application with no web version, Linux makes that hard. Compatibility layers exist and have gotten genuinely good, and many things run, but I do not promise a smooth ride for someone whose livelihood hinges on one stubborn Windows app. For that person, Linux might mean keeping one Windows machine around for that one task, or it might mean Linux is the wrong call. Find out before you wipe the disk, not after.
The second is gaming, and specifically multiplayer games with aggressive anti-cheat. Linux gaming has come a remarkably long way and a huge library of games runs well now. But certain competitive titles use anti-cheat systems that refuse to run outside Windows, by design, and no amount of cleverness changes that. If the machine's owner is a serious player of one of those games, that's a hard dependency you have to respect.
The third is peripherals and weird hardware. The common stuff just works. The oddball stuff, a specific scanner, an old all-in-one printer with proprietary drivers, some niche USB widget, can be a fight. Usually there's a solution. Sometimes there isn't.
So here's how I decide. Browser-and-email people, students, the relative who keeps getting their Windows machine infected, anyone whose computing happens mostly inside a web page, those are perfect Linux candidates and they almost always end up happier. People chained to specific Windows-only professional software or anti-cheat games are not, unless they're willing to keep a Windows machine on the side for that one thing. Be honest with them up front about which camp they're in. The worst outcome is converting someone who needed to stay, watching them hit the wall on day three, and souring them on the whole idea. A switch that sticks starts with a clear-eyed look at what they actually need the computer to do.
Practical tip: you don't have to commit blind. Almost every Linux distribution can boot from a USB stick into a fully working desktop without touching the hard drive at all. Make the stick, boot the old machine off it, and spend half an hour seeing whether the Wi-Fi connects, the trackpad works, the screen looks right, the printer shows up. Thirty minutes of live testing tells you more than any forum thread. If it all works from the stick, it'll work installed.
ChromeOS Flex for the truly browser-bound
There's a narrower option that's perfect for exactly one kind of user. Google offers ChromeOS Flex, a free version of the Chromebook operating system you can install on ordinary PCs and old Macs. It turns the machine into something that boots fast, stays out of the way, and is essentially a browser with a login. For the right person it's wonderful, and that person is usually a relative who only ever browses the web, checks email, watches video, and does a little online shopping.
I reach for it when the user's needs are genuinely that simple and they'd be overwhelmed by anything that asks them to manage software. ChromeOS Flex keeps itself updated and has a small attack surface precisely because it doesn't do much. There's not a lot to misconfigure or infect.
The limits are the flip side of the simplicity, and you have to be clear about them. ChromeOS Flex is not the same as a real Chromebook. It does not run Android apps and there's no Play Store. So if someone wants to install apps the way they do on a phone, this isn't it. If their world truly lives in a browser, it's a clean, low-maintenance, secure answer that gives an old laptop years of easy life. If they need real applications, send them to Linux or a supported Windows path instead. Same advice as always: match the tool to what the person actually does, not to what sounds neat.
Give the machine a different job
Sometimes the best revival isn't keeping the box as someone's everyday computer at all. It's handing it a new role where being a few years old doesn't matter and where it can live somewhere safe. This is my favorite outcome for a desktop that's too slow to delight a daily user but far too capable to throw away, and it happens to be the most security-friendly option on this whole list, because a repurposed machine can sit on an isolated network segment doing one job, instead of roaming the internet in someone's hands.
A few jobs old hardware does happily:
- A home server or small file store. An old desktop with a couple of drives becomes a place to keep backups, share files around the house, or run a handful of small services. Operating systems built for this exist and are free, and an old machine with enough drive bays makes a perfectly good network storage box.
- A network-wide ad and tracker blocker. A lightweight DNS-based blocker can run on hardware so modest it's almost insulting to give it a full desktop, but if you've got the desktop sitting there, it'll do the job and then some, cleaning ads out of every device on your network from one quiet corner.
- A media server. Park your movies and music on the old box, run media server software, and stream to the TVs and phones in the house. This is a genuinely satisfying use for a machine with a big disk and a wired connection.
- A virtualization host or homelab. If you're the type who wants to learn, an old desktop running a hypervisor lets you spin up virtual machines to break and rebuild and experiment with, which is the single best way I know to actually learn this stuff. A flaky lab is fine; that's what it's for.
- A dedicated backup target. Even with no fancy software, an old machine with a large drive, sitting somewhere out of the way, makes a solid place to copy important data so it isn't only in one location.
The cheapest performance upgrade you will ever buy, by the way, applies to all of these and to the daily-driver paths too: if the machine still has a spinning hard drive, put in an SSD. It is night and day. An old computer that felt hopeless on a mechanical drive often feels genuinely quick on a solid-state one, because for everyday use disk speed is the bottleneck far more often than the processor. Pair that with topping off the memory and you've transformed the thing for the price of a nice dinner. I've rescued more "this computer is too slow to live" machines with an SSD and a RAM stick than with anything else.
If you're going to keep Windows 10 anyway
⚠ Harm reduction — not a blessing
Maybe none of the above fits. The software won't move, the budget's gone, the user won't change, and the machine has to keep being a Windows 10 machine for now. Fine. I'd rather tell you how to reduce the danger than pretend you won't do it. An unsupported OS on a network is a liability, and these steps shrink it. They don't erase it. Treat it as a countdown, not a resting state.
Isolate it on the network
This is the big one and it's the thing almost nobody does until after they've been burned. The reason a single unpatched box turns into a company-wide incident is the flat network, where every device can talk to every other device, so the moment one machine is compromised the attacker walks sideways to everything else. Put the end-of-life machine on its own segment, a separate VLAN or at minimum a guest network, and tightly limit what it can reach. The classic worm scenario, where one infected machine spreads to the entire network on its own, lives and dies on whether the network let it move. Years back a piece of ransomware tore through organizations worldwide by abusing a Windows file-sharing flaw and spreading machine to machine without anyone clicking anything, and the places that got hammered were overwhelmingly the ones with flat internal networks and unpatched systems all able to see each other.
Lock down what it can reach outward
If the machine doesn't need broad internet access, don't give it broad internet access. Let it talk to the specific things it needs and block the rest. A box that drives a label printer has no business reaching arbitrary sites, and a firewall rule that says so costs nothing and closes a lot of doors.
Keep everything above the OS current
The OS is frozen, but the browser, the email client, the document software, and the anti-malware tooling may still get updates for a while. Update them religiously while their vendors still ship fixes, because the browser especially is your most exposed surface and a current browser on a stale OS is meaningfully safer than a stale browser on a stale OS. When the browser vendor finally drops support, treat that as a real escalation in risk, not a footnote.
Run as a standard user, not an admin
So many infections need administrative rights to dig in, and a huge amount of damage simply doesn't happen if the account that clicked the bad thing couldn't make system-level changes. Make the daily account a standard one and keep an administrator account separate for when you actually need it. This is good practice on any OS and it matters more on one that's no longer getting patched.
Turn off what you don't use
Old file-sharing protocols, services running for no reason, features nobody touches, all of it is attack surface. The less the machine is running, the less there is to exploit. Old, insecure file-sharing protocols in particular should be switched off if anything still has them enabled.
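A read-only audit of three of the steps above (outbound lockdown, standard user, unused file-sharing protocol), written as an added example rather than the author's own tooling. It assumes the old file-sharing protocol in question is SMBv1; the function name, the `-DailyAccount` parameter, the account name and the printer address are all constructed for illustration.

```powershell
# Added example; the function only reads state. Run elevated in Windows PowerShell 5.1.
function Get-EolHardeningFindings {
    param(
        # Account used day to day, as printed by `whoami` (constructed sample: 'SHOP-PC\alice').
        [Parameter(Mandatory)] [string] $DailyAccount
    )
    $findings = @()

    # "Lock down what it can reach outward": every firewall profile should be on and
    # block outbound traffic unless a rule allows it. NotConfigured behaves as Allow.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ("$($fwProfile.Enabled)" -ne 'True') {
            $findings += "Firewall profile $($fwProfile.Name) is disabled"
        } elseif ("$($fwProfile.DefaultOutboundAction)" -ne 'Block') {
            $findings += "Firewall profile $($fwProfile.Name) allows outbound by default"
        }
    }

    # "Run as a standard user": the daily account must not be in the local
    # Administrators group (well-known SID S-1-5-32-544).
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    if ($admins.Name -contains $DailyAccount) {
        $findings += "$DailyAccount is a local administrator"
    }

    # "Turn off what you don't use": SMBv1 server setting and the optional feature.
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is enabled'
    }
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($smb1 -and "$($smb1.State)" -eq 'Enabled') {
        $findings += 'SMB1Protocol optional feature is installed'
    }

    $findings
}

Get-EolHardeningFindings -DailyAccount "$env:COMPUTERNAME\alice"   # constructed account name

# Fixes for the findings above. 192.0.2.10 and TCP 9100 are constructed placeholders
# for the one device this machine must reach (for example, a label printer).
# Set-NetFirewallProfile -All -Enabled True -DefaultOutboundAction Block
# New-NetFirewallRule -DisplayName 'EOL box: label printer' -Direction Outbound `
#     -Action Allow -Protocol TCP -RemoteAddress 192.0.2.10 -RemotePort 9100
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Windows ships with outbound allow rules of its own that stay active after the default flips to Block; list them with `Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow` and disable the ones this machine has no use for.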
Get the sensitive data off it
If the machine doesn't need to hold or reach your important files, make sure it doesn't. The less there is to steal on an exposed box, the smaller the loss if it's breached.
Keep real, offline backups
If the worst happens, especially ransomware, your recovery is only as good as your backups, and backups the infected machine could encrypt are worthless. Keep a copy offline or otherwise out of reach.
Mind the USB ports
The "it's safe because it's offline" plan dies the instant someone plugs in a flash drive they found or charges their phone on it. An isolated machine is only isolated if it's actually isolated, sneakernet included. Make that part of the rules, not an afterthought.
None of this makes an end-of-life machine safe. It makes it less dangerous and buys you room while you arrange a real fix.
Failure modes
The mistakes I see over and over
Some patterns repeat so often I can almost set my watch by them.
The panic hardware buy
Someone reads a scary headline and replaces a fleet of fine machines that had years left in them, when an SSD, a memory bump, and a Linux install would have done the job for a fraction of the cost and the e-waste. Slow down. Triage first. Buy what you actually need.
The flat network
Already covered, but it's worth repeating because it's the difference between "we had a contained incident on one old machine" and "we lost the whole environment." If you do exactly one thing from this entire piece, segment your network.
The "it's offline" machine that isn't
Someone declares a box air-gapped and then quietly connects it to Wi-Fi for one update, or plugs in a USB stick, or shares a folder from it. Air-gapped means air-gapped. The moment there's a path in, the protection that path was providing is gone, and the machine is now an unpatched box on a live network wearing a sign that says it's safe.
Treating ESU as permanent
Buying a security extension and then doing nothing with the time it bought. The pressure comes off, the project stalls, and a year later you're paying more for the same problem. If you buy time, schedule the fix the same day.
Bypassing Windows 11 on the wrong machine
Stripping the checks to put the new OS on someone's critical daily driver, then being shocked when an update behaves strangely or refuses to install. Keep the bypass tricks for machines that are allowed to be flaky.
Forgetting the firmware and drivers
People migrate the OS and never look at the firmware underneath, or limp along on a graphics driver from years ago. The OS isn't the only software on the machine, and stale firmware and drivers carry their own holes.
Disposing of machines without wiping them
This one is squarely my world and it makes me wince every time. A retired computer is a hard drive full of your data being handed to a stranger. Deleting files and emptying the recycle bin does not erase the data; it just removes the signposts pointing to it, and the data sits there waiting to be recovered by anyone who knows how. Before any machine leaves your hands, properly wipe the drive, or pull it and physically destroy it if it held anything sensitive. I've recovered startling things from "wiped" drives bought secondhand. Don't be the source of someone else's data-recovery story.
What I'd actually do
If you handed me an old Windows 10 machine right now and asked what to do with it, the conversation would be short. What's it for? Who uses it? What does it touch? From those three answers, the path is usually obvious.
A normal person's everyday laptop that browses, emails, and joins calls: check if it qualifies for Windows 11, and if it does, upgrade it. If it doesn't, put Linux Mint on it and don't look back, unless they have a hard dependency on Windows-only software or anti-cheat games, in which case find that out first and plan around it. A relative who only ever opens a browser: ChromeOS Flex, and enjoy never getting another "my computer has a virus" call from them. A desktop that's too slow to love but too good to bin: drop in an SSD, give it a new job on an isolated segment, and let it serve files or block ads for the next five years. A machine running one stubborn piece of software that genuinely can't move yet: ESU as a bridge, segmentation around it, and a migration date on the calendar before you spend a cent. And anything you're retiring for good: wipe the drive before it leaves the building.
The headline you read was right that Windows 10 reached the end of its supported life. It was wrong, or at least lazy, in implying that your hardware did too. The operating system has a shelf life. The computer underneath it usually has years left, and most of these machines deserve a second act rather than a landfill. Figure out what each one is for, give it the right path, and put the unpatched ones somewhere they can't hurt you. Then go enjoy the quiet satisfaction of a machine everyone had written off doing useful work again, costing you nothing, and not waking you up at 3 a.m.