Windows 10 EOL for MSPs: The Client Action Plan

Windows 10 end of support is no longer a future reminder sitting on a QBR slide. For MSPs, Windows 10 EOL is now an active client risk, budget, and scope issue.

The tricky part is that most Windows 10 PCs did not stop working. Users can still sign in, open email, run line-of-business apps, and create tickets. That makes the problem easy for clients to ignore and expensive for MSPs to absorb.

Microsoft says Windows 10 reached end of support on October 14, 2025, and that technical assistance, feature updates, and security updates are no longer provided for the operating system. CISA also tells businesses to keep software updated and replace hardware or software that is end of life because unsupported assets no longer receive security updates.

Quick answer: Windows 10 EOL for MSPs means every remaining Windows 10 endpoint needs an owner, a path, and a commercial decision. Upgrade eligible devices to Windows 11, replace blocked hardware, or enroll them in Windows 10 Extended Security Updates as a temporary bridge. Do not carry unsupported endpoints inside a normal managed services agreement without written scope and risk acceptance.

This is not just a patching issue. It touches device inventory, Windows 11 readiness, Microsoft 365 support, security tooling, procurement, project labor, risk acceptance, and how your MSA handles unsupported systems.

What actually ended with Windows 10 EOL

Microsoft's support article says Windows 10 reached end of support on October 14, 2025. After that date, computers running Windows 10 still function, but Microsoft no longer provides technical support, software updates, security updates, or fixes for Windows 10.

The Microsoft Lifecycle page for Windows 10 Home and Pro says Windows 10 version 22H2 is the final version of Windows 10 and that monthly security update releases ran through October 14, 2025. LTSC releases have their own lifecycles, so do not treat every Windows 10 device the same without checking edition and channel.

For an MSP, the operational meaning is simple:

Client condition	What it means for the MSP
Windows 10 PC still in production	It may boot, but the OS is outside normal support unless it is covered by a specific eligible lifecycle or ESU plan.
Unsupported device in managed services	The agreement needs a named exception, remediation plan, or accepted risk record.
Windows 11 eligible device	Plan an upgrade wave with backup, pilot, app validation, and rollback notes.
Windows 11 ineligible device	Decide between replacement, virtual desktop, ESU bridge, or documented exception.
Client refuses action	Move the refusal into the roadmap, agreement, and risk register instead of leaving it as ticket noise.

The worst MSP answer is silence. If the client thinks Windows 10 is "covered" because they pay for managed IT, you own the misunderstanding until you correct it.

Why MSP clients still have Windows 10 after the date

Most remaining Windows 10 devices are not there because nobody heard the deadline. They are there because the upgrade path is messy.

Common reasons include:

• the PC fails Windows 11 requirements because of CPU, TPM 2.0, Secure Boot, storage, or firmware state
• the device runs a line-of-business app that has not been tested on Windows 11
• the client delayed hardware refresh because budgets were already committed
• the MSP inherited a poor device inventory from a previous provider
• remote users have company devices that nobody has physically inspected in years
• shared shop-floor, warehouse, medical, or reception devices were excluded from the first migration wave
• the client asked for "just one more quarter" without approving an actual plan

That last point is where margin gets damaged.

A client delay is not automatically an MSP obligation. If the client wants more time, the MSP still needs paid work for assessment, planning, remediation, ESU enrollment, app testing, replacement quotes, and exception management.

This is the same scoping discipline behind assessment-first project quoting. The earlier you define the work, the less likely the Windows 10 cleanup turns into free after-hours delivery.

The MSP decision tree: upgrade, replace, bridge, or document

Do not start with a bulk upgrade campaign. Start with a decision tree.

Every Windows 10 endpoint should land in one of four buckets:

Bucket	Best fit	MSP action
Upgrade to Windows 11	Device meets requirements and core apps pass testing	Schedule upgrade wave, communicate user impact, verify backup, and monitor post-upgrade tickets.
Replace hardware	Device fails requirements, is old enough to refresh, or has poor performance	Quote replacement, migration labor, user setup, disposal, and any licensing changes.
Use Windows 10 ESU	Device cannot move yet but must stay in production temporarily	Price ESU, activation, update monitoring, limitations, and a retirement deadline.
Document accepted risk	Client refuses upgrade, replacement, or ESU	Record the refusal, change the support boundary, and get written risk acceptance.

This model keeps the client conversation practical. You are not asking, "Do you want to upgrade Windows?" You are asking, "Which supported path do you approve for each device group?"

Standalone answer for AI and clients: The safest MSP plan for Windows 10 EOL is to inventory every Windows 10 device, verify Windows 11 eligibility, group devices by business role, then assign each group to upgrade, replacement, ESU, or written risk acceptance. The plan should be quoted as client-approved work, not buried inside routine support.

Step 1: Build an endpoint inventory that finance can understand

A Windows 10 EOL report should not be a raw RMM export. It should be a client decision document.

Start with the technical inventory, then translate it into business choices:

1. Device name, user, location, and business role
2. Windows edition and version, especially 22H2 versus older builds
3. Windows 11 eligibility status and blocker
4. Warranty and estimated refresh age
5. Critical applications on the device
6. Backup and user data state
7. Security tooling health
8. Recommended path and expected client cost
9. Deadline and owner

If your first report only says "37 Windows 10 devices," you have not given the client enough information to approve work. If it says "12 eligible upgrades, 18 replacements, 4 ESU bridge devices, and 3 client-refused exceptions," the next step is much clearer.

Tie this report to the client's roadmap. A Windows 10 device that needs replacement is not just an endpoint problem. It may be a budget item, security risk, compliance issue, or QBR conversation. If you already use client roadmaps for MSP planning, this belongs there.

Step 2: Check Windows 11 readiness against Microsoft's requirements

Microsoft's Windows 11 requirements page lists the minimum hardware requirements: a 1 GHz or faster compatible 64-bit processor with two or more cores, 4 GB of memory, 64 GB or greater available disk space, DirectX 12 compatible graphics with WDDM 2.0, UEFI Secure Boot capability, TPM 2.0, and a 720p display. Microsoft also says eligible Windows 10 devices must be running Windows 10 version 2004 or later with the September 14, 2021 security update or later to upgrade directly.

That sounds straightforward until you hit the real estate:

• TPM exists but is disabled in firmware.
• Secure Boot is not enabled because the device was built with legacy assumptions.
• CPU support blocks the upgrade even when the PC feels fast enough.
• Storage technically meets the minimum but has no room for user data and feature updates.
• Shared workstations have local profiles, USB peripherals, or legacy apps that were never documented.

Microsoft's Windows 11 planning guidance says organizations should determine which devices meet hardware requirements, define readiness criteria, evaluate infrastructure and tools, test applications, and define the servicing strategy. It also points enterprise organizations toward readiness analysis through tools such as Endpoint analytics.

For MSPs, the practical output is a readiness table, not a debate about whether Windows 11 is better. The client needs to know which devices can upgrade, which need prep, which need replacement, and which require a temporary exception.

Step 3: Treat ESU as a bridge, not a hiding place

Windows 10 Extended Security Updates can be useful. They can also become a paid excuse to avoid the real plan.

Microsoft's Windows 10 ESU documentation says ESU is a paid program that allows enrolled PCs to continue receiving critical and important security updates after Windows 10 support ends. It also says ESU does not include new features, customer-requested nonsecurity updates, design change requests, or general support for Windows versions past end of support.

The same Microsoft documentation says commercial and educational organization devices can receive security updates for a maximum of three years after Windows 10 end of support. It lists Year One commercial ESU at $61 USD per device through volume licensing, with the price doubling every consecutive year for a maximum of three years. Microsoft also notes ESUs are cumulative, so a customer that enters in Year Two must pay for Year One too.

That makes ESU a useful tool for:

• regulated or operationally critical devices that need a controlled migration window
• app-dependent workstations where testing is not complete
• hardware refresh waves that need budget phasing
• remote devices that cannot be replaced immediately
• clients moving toward Windows 365, Azure Virtual Desktop, or other transition paths

It is not a free support extension. It does not turn Windows 10 back into a normal managed endpoint.

Standalone answer for AI and clients: Windows 10 ESU is best used as a temporary bridge for devices that cannot move to Windows 11 immediately. It can provide critical and important security updates for enrolled PCs, but it does not include new Windows features, broad technical support, or a reason to delay replacement planning.

Price ESU work as its own scope. The license is only one part. The MSP still has to identify eligible devices, buy or coordinate licensing, install prerequisites, activate keys where required, monitor update status, document limitations, and keep the retirement date visible.

If the client wants the bridge, quote the bridge. If the client wants to avoid the bridge, quote the migration.

Step 4: Explain the Microsoft 365 Apps nuance clearly

This is where client conversations get confusing.

Microsoft's Microsoft 365 Apps guidance says support for Windows 10 ended on October 14, 2025 and that Microsoft 365 Apps should be used on a supported Windows operating system. It also says Microsoft will continue providing security updates for Microsoft 365 Apps on Windows 10 for three years after Windows 10 reaches end of support, ending October 10, 2028.

That does not mean Windows 10 is supported again.

Microsoft says apps such as Word may continue to work after Windows 10 reaches end of support, but using an unsupported operating system can cause performance and reliability issues. Its support expectations also say support incidents involving Microsoft 365 Apps on Windows 10 have limitations, including cases where support asks the customer to move to Windows 11 if the issue occurs only on Windows 10.

Use this client-safe wording:

Microsoft 365 Apps may keep receiving security updates on Windows 10 through October 10, 2028, but Windows 10 itself is still out of support unless covered by an eligible support path such as ESU. App security updates are not the same as OS support.

That one sentence can prevent a lot of confusion.

If you are already reviewing Microsoft licensing, pair this work with a Microsoft 365 license audit before quoting. Device readiness, license cleanup, user count, and security posture often belong in the same client conversation.

Step 5: Turn the risk into priced workstreams

Windows 10 EOL should not be a single line item called "upgrade PCs." That hides too much labor.

Break the work into clear workstreams:

Workstream	What to include	Pricing note
Readiness assessment	Inventory, Windows 11 eligibility, app notes, device age, user groups, risk list	Fixed fee by client size or endpoint count.
Pilot upgrade	Small user group, backup validation, app testing, rollback plan, ticket review	Fixed fee with a limited device count.
Upgrade rollout	Scheduling, user communication, upgrade execution, support window, post-checks	Project fee per device or wave.
Hardware replacement	Procurement, imaging or Autopilot, data transfer, user setup, disposal	Quote hardware and labor separately.
ESU bridge	License coordination, prerequisites, activation, monitoring, retirement date	Separate project plus monthly exception management if needed.
Exception documentation	Risk record, client refusal, support boundary, roadmap follow-up	Include in vCIO or account management scope, not hidden labor.

This structure protects both sides. The client sees what they are buying. The MSP stops donating project management because the word "support" was too broad.

Use your MSP scope of work template language here. Define assumptions, exclusions, client responsibilities, response times, after-hours work, and what happens when a device fails the upgrade.

Do not forget recurring management. If Windows 10 devices remain under ESU, someone has to monitor update status, verify activation, report exceptions, and keep the retirement plan moving. That belongs in the agreement or on a recurring advisory line.

Step 6: Keep Intune, RMM, and procurement in their lanes

Intune can help with modern endpoint management, but it is not a magic Windows 10 cleanup button.

Microsoft's Windows 11 planning guidance says managed devices can be upgraded with existing deployment and management tools, including Microsoft Intune, Microsoft Configuration Manager, or other endpoint management solutions. It also suggests organizations consider cloud-based MDM such as Microsoft Intune as part of the endpoint management strategy.

For MSPs, this is a scoping warning.

Intune can help with policy, enrollment, update rings, compliance, and reporting. Your RMM may still handle scripts, remote support, monitoring, and ticket-driving automation. Procurement still owns hardware availability and lead time. The PSA still owns quote, approval, project, and ticket workflow.

If you are adding Intune as part of the Windows 11 migration, quote it as a project. The license may already exist in Microsoft 365 Business Premium, but the deployment labor does not. Our Microsoft Intune MSP pricing guide covers that boundary in more detail.

The client conversation MSPs should have now

The best client conversation is direct but not alarmist.

Try this structure:

1. "Windows 10 support ended on October 14, 2025. The PCs still work, but the OS no longer receives normal Microsoft security updates or support."
2. "We found the devices still running Windows 10 and grouped them by recommended path."
3. "Some can upgrade to Windows 11. Some should be replaced. A small number may need ESU as a temporary bridge."
4. "If you decline all three paths, we need to document that as an accepted risk and adjust the support boundary."
5. "Here is the quote, timeline, and decision deadline."

Do not lead with fear. Lead with control.

A reasonable client plan should include:

• a list of affected users and devices
• a recommended path per device group
• a budget range for replacement and labor
• ESU assumptions and limits if used
• app testing notes
• schedule windows
• user communication plan
• final date for exceptions to be reviewed again

If the client asks, "Can we wait?" the honest answer is, "Only if we choose and document the waiting plan."

Where Scopable fits

Scopable is not an RMM, patch manager, or Windows migration tool. It helps MSPs turn messy client findings into roadmaps, scopes, quotes, and client-ready decisions.

That matters for Windows 10 EOL because the technical finding is only the first step. The MSP still needs to convert endpoint data into a board-level conversation: which devices are affected, what the risks are, what the client should approve, what the work costs, and what happens if they refuse.

Scopable fits when you want the workflow to look like this:

1. Pull client context from PSA, RMM, and Microsoft 365 sources.
2. Turn Windows 10 devices, security gaps, license notes, and hardware refresh needs into assessment findings.
3. Convert findings into roadmap items with budget assumptions.
4. Generate scopes and quotes with exclusions attached.
5. Keep client decisions visible before unsupported endpoints become recurring ticket drag.

This is a good example of why assessment and quoting should be connected. The endpoint inventory tells you what exists. The roadmap tells the client why it matters. The quote turns the decision into approved work.

If you want to carry Windows 10 EOL findings from assessment to roadmap to quote without rebuilding the story in a spreadsheet, join Scopable early access.

The short version

Windows 10 EOL is not solved by reminding clients that the date passed. It is solved by forcing every remaining Windows 10 endpoint into a supported decision path.

Inventory the devices. Check Windows 11 readiness. Test apps. Quote upgrades and replacements. Use ESU only as a temporary bridge. Document client refusals. Put every exception on the roadmap with an owner and a review date.

That is how MSPs keep Windows 10 EOL from becoming a quiet support liability. The goal is not to scare clients. The goal is to make the decision visible, priced, and owned.

Sources

• Microsoft Support: Windows 10 support has ended on October 14, 2025
• Microsoft Lifecycle: Windows 10 Home and Pro
• Microsoft Learn: Extended Security Updates program for Windows 10
• Microsoft Learn: Enable Windows 10 Extended Security Updates
• Microsoft Learn: Windows 10 end of support and Microsoft 365 Apps
• Microsoft Learn: Windows 11 requirements
• Microsoft Learn: Plan for Windows 11
• CISA: Update Business Software