Windows 10 End of Life & Windows Server 2016 Extended Support Expiry — ESU, Upgrade, and Lifecycle Compliance
Windows 10 reached end of support on 14 October 2025 and receives no further security patches unless Extended Security Updates (ESU) are purchased and activated. Windows Server 2016 is in its final extended support window, which ends 12 January 2027, so upgrade or migration planning must be active now. Affected systems without ESU entitlement or an approved upgrade path accumulate unpatched CVEs and trigger compliance failures in vulnerability scanners, Defender for Endpoint, and audit frameworks (including PCI-DSS, ISO 27001, HIPAA, and Cyber Essentials). The remediation options are: activate ESU as a bridge; upgrade Windows 10 endpoints to Windows 11 in place; upgrade Server 2016 in place to Server 2019/2022; migrate Server 2016 workloads to Azure (which provides free ESU for hosted VMs); or onboard on-premises Server 2016 to Azure Arc for free ESU.
Indicators
- Windows 10 devices no longer receiving Patch Tuesday security updates after 14 October 2025
- Windows Update reports no available updates on Windows 10 without ESU enrolment
- Compliance dashboards or vulnerability scanners (e.g. Qualys, Nessus, Defender Vulnerability Management) flag Windows 10 or Server 2016 as end-of-life / unsupported OS
- Defender for Endpoint or SCCM/Intune compliance policies report non-compliant OS version
- Audit findings citing Windows Server 2016 as approaching end of extended support (12 January 2027 deadline)
- `slmgr /dli` on a Windows 10 machine post-EOL shows no ESU licence description in its output
- No Microsoft technical support available for Windows 10 incidents raised after end-of-support date without active ESU entitlement
Likely causes
- Windows 10 support lifecycle ended 14 October 2025 — no further security patches issued outside the ESU programme
- Windows Server 2016 extended support end date of 12 January 2027 creates a finite compliance window requiring immediate upgrade planning
- Delayed hardware refresh or application compatibility constraints preventing migration to Windows 11 or Server 2019/2022
- No ESU licence procured or activated, leaving end-of-life systems fully unpatched post-EOL
- Lack of visibility into the full estate of affected endpoints and servers running impacted OS versions
Diagnostic steps
- Identify all Windows 10 and Server 2016 systems in the environment. In SCCM/ConfigMgr, query device collections filtered on OperatingSystemNameandVersion. In Intune, navigate to Devices > All Devices and filter by OS version. Against Active Directory: `Get-ADComputer -Filter * -Properties OperatingSystem | Where-Object { $_.OperatingSystem -like '*Windows 10*' -or $_.OperatingSystem -like '*Server 2016*' } | Select Name, OperatingSystem | Export-Csv C:\eol_audit.csv`. Purpose: establish the full scope of affected systems requiring ESU enrolment, upgrade, or migration before the compliance deadline.
- For each Windows 10 machine, confirm whether ESU has been activated. Run `slmgr /dli` and examine the 'License Description' field in the output. A valid ESU entitlement explicitly references Extended Security Update in the description. For detailed entitlement information, also run `slmgr.vbs /dlv`. If ESU is not present, the device is completely unpatched post-EOL. Purpose: determine which end-of-life Windows 10 devices are covered by ESU and which are wholly unpatched, to prioritise remediation urgency.
- For Windows 10 devices targeted for Windows 11 upgrade: run the Microsoft PC Health Check tool on a representative sample, or use WhyNotWin11 for bulk scripted fleet assessment. Verify TPM 2.0 readiness programmatically: `Get-Tpm | Select-Object TpmPresent,TpmReady,TpmEnabled,TpmActivated`. Also check via WMI: `Get-WmiObject -Namespace 'root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm | Select SpecVersion` (must be 2.0). Confirm Secure Boot capability in BIOS/UEFI and cross-reference the CPU against Microsoft's Windows 11 supported processor list. Purpose: identify which Windows 10 endpoints can be upgraded in place to Windows 11 versus those requiring hardware replacement, and quantify the hardware refresh cost.
- For Server 2016 systems: document each server's role, installed applications, and current patch level. Calculate days remaining until 12 January 2027. For Azure-hosted Server 2016 VMs, confirm whether free Extended Security Updates are being applied automatically (Azure provides ESU at no charge for VMs in Azure). For on-premises Server 2016: assess whether in-place upgrade to Server 2019 or 2022 is feasible, or whether workload migration to a new build is required. Also assess Azure Arc onboarding eligibility for on-premises instances requiring an ESU bridge. Purpose: prioritise Server 2016 remediation workstreams and ensure upgrade or migration completes before 12 January 2027 to maintain continuous support coverage and regulatory compliance.
- Export vulnerability scanner output (Defender Vulnerability Management, Qualys, Nessus) filtered for CVEs affecting Windows 10 and Windows Server 2016 with no available patch (i.e. CVEs published post-EOL with no fix for EOL platforms). Compile a risk exposure report quantifying open CVEs, CVSS scores, and EPSS/exploitability ratings for stakeholder escalation. Purpose: communicate the tangible security risk of remaining on unsupported platforms to drive upgrade prioritisation and budget approval for hardware refresh or ESU procurement.
- Retrieve the last installed hotfix/update date on target Windows 10 or Server 2016 systems: `Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10`. Look for the absence of updates dated after 14 October 2025 on Windows 10 machines without ESU. Purpose: provides direct evidence of a patching gap, confirming whether security updates stopped arriving post end-of-support and quantifying the unpatched exposure duration.
- Assess installed roles and features on Server 2016 systems: `Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Installed'} | Select-Object Name,DisplayName`. Cross-reference against supported configurations on Server 2022/2025. Purpose: identifies role or feature dependencies that may block or complicate in-place upgrade or workload migration before the 12 January 2027 deadline.
- Verify TPM 2.0 readiness on Windows 10 devices for Windows 11 eligibility via `Get-Tpm | Select-Object TpmPresent,TpmReady,TpmEnabled,TpmActivated`. Use WhyNotWin11 for bulk scripted compatibility assessment across the fleet. Purpose: provides a scriptable, fleet-scale alternative to PC Health Check for identifying Windows 11-ineligible devices requiring hardware refresh or ESU.
Resolution path
- Option A — ESU bridge (Windows 10, short-term): Procure Extended Security Updates for Windows 10 via Microsoft Volume Licensing or Microsoft 365 subscription (where eligible). Activate ESU by running: `slmgr /ipk <ESU product key>` on each device, then verify with `slmgr /dli` or `slmgr.vbs /dlv`. ESU provides up to three years of continued security patches post-EOL but does not restore full product support or feature development.
- Option B — In-place upgrade Windows 10 to Windows 11: For compatible hardware (TPM 2.0, Secure Boot, supported CPU), deploy Windows 11 via Windows Update (feature update policy), SCCM/ConfigMgr Task Sequence, or Intune feature update ring policy. For incompatible hardware, schedule hardware replacement and image new devices with Windows 11 from the outset.
- Option C — In-place upgrade Server 2016 to Server 2019 or 2022: Mount Server 2019 or 2022 installation media on the target Server 2016 system. Run upgrade in a controlled, non-interactive manner: `setup.exe /auto upgrade /dynamicupdate disable`. Test application compatibility in a staging environment first. Take a VM snapshot or full backup immediately before initiating. Allow 2–4 hours per server including validation.
- Option D — Migrate Server 2016 workloads to new builds or Azure: Deploy new Windows Server 2022 VMs or physical servers, migrate workloads (applications, roles, data), decommission Server 2016 instances. For Azure migrations: Azure-hosted Server 2016 VMs receive free Extended Security Updates automatically — no additional licence action required.
- Option E — Azure Arc ESU bridge (Server 2016, on-premises): For on-premises Server 2016 workloads that cannot be migrated before the 12 January 2027 deadline, onboard servers to Azure Arc. Azure Arc-enabled Server 2016 instances qualify for free Extended Security Updates, providing a compliance bridge without requiring Azure VM migration.
- Option F — Hardware refresh with Windows 11 new deployment: For Windows 10 devices ineligible for in-place upgrade and where ESU is not cost-effective, accelerate hardware procurement and deploy Windows 11 on replacement hardware. Migrate user profiles and data via USMT or Windows Autopilot.
- Rollback — Windows 11 in-place upgrade failure: Roll back using Settings > System > Recovery > Go back within 10 days of upgrade (Windows retains the previous installation for this window).
- Rollback — Server 2016 in-place upgrade failure: Restore from a pre-upgrade VM snapshot (VMware/Hyper-V) or backup taken immediately before upgrade initiation.
- Rollback — ESU patch issue: ESU patches are additive (security only); remove a specific patch via `wusa.exe /uninstall /kb:<KBID>` following standard Windows Update rollback procedure. ESU activation itself does not alter OS functionality.
- Verification: Run `winver` on upgraded Windows 11 devices and confirm build is 10.0.22631 or later (23H2+). Run `slmgr.vbs /dlv` on ESU-covered Windows 10 devices and confirm licence description includes Extended Security Update. Re-run compliance/vulnerability scan and confirm EOL findings are resolved or mitigated.
- Update CMDB/asset register and compliance dashboard for all systems transitioned to a supported OS or confirmed ESU-covered, and re-run compliance scans to clear EOL findings.
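For Option C and the verification and rollback steps, the following script is an added example, not the page's or Microsoft's own tooling. It runs a pre-flight on the Server 2016 host (correct OS, media present, free space, no pending reboot, baseline of installed features), takes the rollback checkpoint through Hyper-V, launches Windows Setup with the switches given above, and afterwards checks that the build meets the minimum for Server 2019, Server 2022 or Windows 11 23H2 and that no installed feature went missing. It assumes the media is mounted at `D:\`, that the guest runs on a Hyper-V host you can name, and the paths `C:\UpgradeLogs` and `%ProgramData%\eol\features-before.json`; the function names and the 32 GB free-space threshold are this example's own choices.

```powershell
# Added example (not the page's own tooling): pre-flight, checkpoint, launch and verification
# for the Server 2016 in-place upgrade, plus the post-upgrade build check.
# Assumptions: media at D:\, a Hyper-V guest, log and baseline paths below (all assumed).

# Minimum builds that satisfy the verification step.
$MinimumBuild = @{
    'Windows Server 2019' = 17763
    'Windows Server 2022' = 20348
    'Windows 11'          = 22631   # 23H2 and later, as the verification step requires
}

function Test-PendingReboot {
    # A pending reboot (CBS or Windows Update) is a common reason setup.exe aborts early.
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
}

function Test-UpgradePreflight {
    param(
        [string] $MediaRoot       = 'D:\',                                     # assumed mount point
        [string] $FeatureBaseline = "$env:ProgramData\eol\features-before.json", # assumed path
        [int]    $MinFreeGB       = 32                                          # example threshold
    )
    $issues = @()
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Caption -notlike '*Server 2016*') { $issues += "Not a Server 2016 host: $($os.Caption)" }
    if (-not (Test-Path (Join-Path $MediaRoot 'setup.exe'))) { $issues += "No setup.exe under $MediaRoot" }
    $freeGB = [math]::Round((Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free / 1GB, 1)
    if ($freeGB -lt $MinFreeGB) { $issues += "Only $freeGB GB free on $env:SystemDrive (need $MinFreeGB)" }
    if (Test-PendingReboot) { $issues += 'Reboot pending; restart before upgrading' }

    # Record installed roles and features so the post-upgrade check can diff them.
    New-Item -ItemType Directory -Force -Path (Split-Path $FeatureBaseline) | Out-Null
    Get-WindowsFeature | Where-Object InstallState -eq 'Installed' |
        Select-Object -ExpandProperty Name | ConvertTo-Json | Set-Content -Path $FeatureBaseline

    [pscustomobject]@{ Ready = ($issues.Count -eq 0); Issues = $issues; FreeGB = $freeGB }
}

function New-PreUpgradeCheckpoint {
    # Rollback point for the upgrade; runs against the Hyper-V host, not inside the guest.
    param([Parameter(Mandatory)][string] $VMName, [Parameter(Mandatory)][string] $HyperVHost)
    Checkpoint-VM -Name $VMName -ComputerName $HyperVHost -SnapshotName "pre-upgrade-$(Get-Date -Format 'yyyyMMdd-HHmm')"
}

function Start-ServerUpgrade {
    param([string] $MediaRoot = 'D:\', [string] $LogDir = 'C:\UpgradeLogs')   # assumed paths
    $pre = Test-UpgradePreflight -MediaRoot $MediaRoot
    if (-not $pre.Ready) { throw "Pre-flight failed:`n - $($pre.Issues -join "`n - ")" }
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    # Same switches as the resolution path; /copylogs saves setup logs to $LogDir for troubleshooting.
    Start-Process -FilePath (Join-Path $MediaRoot 'setup.exe') -Wait -PassThru `
        -ArgumentList '/auto', 'upgrade', '/dynamicupdate', 'disable', '/copylogs', $LogDir
}

function Test-UpgradeResult {
    # Post-upgrade check: supported product and build, then a diff against the feature baseline.
    # Win32_OperatingSystem.Caption is used for the product name because it reports
    # "Windows 11" reliably, which makes the same check usable on upgraded clients.
    param([string] $FeatureBaseline = "$env:ProgramData\eol\features-before.json")
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $product = $MinimumBuild.Keys | Where-Object { $os.Caption -like "*$_*" } | Select-Object -First 1
    $buildOk = [bool]($product -and ([int]$os.BuildNumber -ge $MinimumBuild[$product]))

    $missing = @()
    if (Test-Path $FeatureBaseline) {
        $before  = Get-Content $FeatureBaseline -Raw | ConvertFrom-Json
        $after   = Get-WindowsFeature | Where-Object InstallState -eq 'Installed' | Select-Object -ExpandProperty Name
        $missing = @($before | Where-Object { $_ -notin $after })
    }
    [pscustomobject]@{
        Product        = $os.Caption
        Build          = $os.BuildNumber
        SupportedBuild = $buildOk
        FeaturesLost   = $missing
        Verified       = ($buildOk -and $missing.Count -eq 0)
    }
}
```

Order of use: `New-PreUpgradeCheckpoint` from the management host, then `Start-ServerUpgrade` on the target (it refuses to launch setup when pre-flight reports issues), and `Test-UpgradeResult` after the final reboot; a `Verified` value of `$false` with entries in `FeaturesLost` is the signal to restore the checkpoint and revisit the role dependencies identified in the diagnostic steps.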
Prevention
- Establish and enforce an OS lifecycle policy mandating that migration planning begins no later than 24 months before a product's end-of-support date — Server 2016 planning should already be fully scoped and funded given the 12 January 2027 deadline.
- Integrate OS lifecycle end dates into the organisation's vulnerability management and compliance dashboards so approaching EOL dates automatically trigger risk escalation tickets and budget requests at the 24-month and 12-month marks.
- Enrol eligible Windows 10 devices in Extended Security Updates immediately post-EOL to maintain patch coverage during the hardware refresh cycle rather than leaving devices unprotected during procurement lead times.
- Default all new server deployments to the current Long-Term Servicing Channel (LTSC) release — Windows Server 2022 or later — to maximise supported lifespan and reduce the frequency of major upgrade cycles across the fleet.
- Adopt a hardware refresh cycle aligned to OS lifecycle — target a 3–4 year client device refresh cadence to ensure hardware is Windows 11-capable before the next client OS end-of-support date.
- Enforce a policy that no new workloads are deployed to Windows Server 2016; all new server deployments must target Windows Server 2022 or later.
- Subscribe to Microsoft Lifecycle Policy announcement notifications and review annually as part of IT governance and risk management — reference https://learn.microsoft.com/en-us/lifecycle/
- Note compliance framework applicability: running unsupported OS versions constitutes a finding under PCI-DSS, ISO 27001, HIPAA, and Cyber Essentials — factor this into risk escalation and audit reporting.
Tools
- slmgr.vbs — Windows licence management; used to verify ESU activation status (`slmgr /dli`, `slmgr /dlv`, `slmgr /ipk`)
- PC Health Check tool — Microsoft tool for Windows 11 hardware compatibility assessment per device
- WhyNotWin11 (open source) — bulk scriptable Windows 11 hardware compatibility assessment across the fleet
- Get-Tpm (PowerShell) — verify TPM 2.0 presence and readiness for Windows 11 upgrade eligibility
- Windows Setup (setup.exe) — initiates in-place OS upgrade from Server 2016 to Server 2019/2022
- Microsoft Endpoint Configuration Manager / SCCM — fleet OS version inventory and upgrade task sequence deployment
- Microsoft Intune — compliance policy reporting and feature update deployment for Windows 11
- Microsoft Deployment Toolkit (MDT) / Windows Autopilot — orchestrate Windows 11 deployment at scale
- USMT (User State Migration Tool) — migrate user profiles and data during hardware refresh to Windows 11
- Azure Arc — onboard on-premises Server 2016 to Azure Arc for access to free Extended Security Updates as a migration bridge
- winver — confirm OS version post-upgrade (run from Run dialog or PowerShell)
- Get-ComputerInfo (PowerShell) — OS version verification on servers post-upgrade
- Get-ADComputer (PowerShell / AD module) — enumerate OS versions across domain-joined fleet