Windows 10 Holdouts Carry Three Times the Risk of Windows 11 Lansweeper

Eight months ago, Microsoft ended support for Windows 10. Today, one in six Windows devices still runs it. Those machines now carry nearly three times as many active vulnerabilities as their Windows 11 counterparts.

When Microsoft ended support for Windows 10 on 14 October 2025, the deadline did what deadlines do: it pushed most of the fleet to migrate to Windows 11. Lansweeper’s HVMND Collective Intelligence data, drawn from a subset of millions of assets across tens of thousands of active customer sites, shows that Windows 11 now accounts for 78.8% of Windows devices.

Windows 10 still runs on 16.9% of Windows clients. That’s roughly one machine in six, and the longer they remain, the more dangerous they become. Every one of those devices is accumulating unpatched vulnerabilities that will never see an official fix.

Windows OS distributionWindows OS distribution

The Estate That Won’t Migrate

Windows 10’s share of fell from roughly 50% of the all Windows machines in mid-2025 to the low-to-mid 40s when support was cut off. It kept dropping through the first half of 2026 to about 18.6% by June.

But now migration has slowed to a crawl. Windows 10 still runs on 16.9% of Windows clients and they are proving stubborn. The easy migrations are done. What’s left is the hard core: devices that haven’t moved because they can’t, or won’t. Independent trackers see the same pattern from the other side. StatCounter put Windows 11 above 70% of desktop share by February 2026.

Windows 10 share evolutionWindows 10 share evolution

There’s a temporary bridge that we need to consider when looking at these numbers. Microsoft’s consumer Extended Security Updates program keeps eligible Windows 10 devices patched for one extra year, until October 12, 2027. But this is a paid extension, a temporary solution, not a destination, and it excludes most enterprise, LTSC, and domain-joined configurations.

Who Is Still on Windows 10 and Why?

Windows 10 holdouts by company sizeWindows 10 holdouts by company size

The remaining estate isn’t evenly spread. By company size, smaller businesses lag furthest behind: 21.4% of SMB Windows machines still run Windows 10, compared to 16.6% at enterprise scale.

That tracks with what analysts expected. Omdia found that roughly two-thirds of enterprises had completed their Windows 11 migration by the deadline, since large organizations tend to treat an unsupported OS as an unacceptable security risk. For smaller firms, cost is usually the constraint, and it could keep some systems on Windows 10 well into 2027.

By industry, the pattern is even sharper.

Windows 10 holdouts by industryWindows 10 holdouts by industry

The highest concentrations of Windows 10 devices can be found in those industries that are built on long-lived, certified, and physically embedded hardware where an operating system is welded to a machine that cannot simply be reimaged on a Tuesday.

  • Healthcare and pharmaceuticals (23.0%)
  • Consumer and retail (22.7%)
  • Manufacturing (18.0%)

Technology, telecom and logistics predictably sit at the bottom near 11–12%.

The explanation lies in operational technology. In TXOne’s 2026 survey of European industrial operators, six in ten organizations said legacy Windows builds make up at least half their OT environment. 43% had suffered a security incident on those systems in the past year.

As Lansweeper’s own analysis has noted via The Register, legacy operating systems cluster in special-purpose, kiosk and retail deployments where upgrades get blocked by vendor certification and hardware constraints, not just IT preference.

The Risk Gap in Numbers

For years, “you should upgrade off an end-of-life OS” was accepted as an obvious best-practice, without much data behind it. That data now exists thanks to Lansweeper’s HVMND. It shows that a Windows 10 device carries an average of 1,903 active CVEs, against 652 on Windows 11. That’s a 2.9x gap, and it widens with every Patch Tuesday that fixes Windows 11 and leaves Windows 10 untouched.

number of CVEs per device Windows 10 vs Windows 11number of CVEs per device Windows 10 vs Windows 11

And the problem isn’t just volume. There is also exploitability. Of the active CVEs on Windows 10 devices, 66.6% are rated high or critical, and 2.4% are known to be exploited in the wild. This is, again, roughly 1.7× the rate of exploitable vulnerabilities on Windows 11.

Part of the reason for this difference is patch-diffing, where attackers reverse-engineer Windows 11 fixes to locate the same unpatched flaw in Windows 10, then weaponize it. The supported OS effectively hands attackers a map into the unsupported one.

There is one caveat worth mentioning when interpreting this data: not every Windows 10 install is unsupported. LTSC editions still retain support on their own lifecycles, which is precisely why knowing which Windows 10 build you are running matters.

When “Unsupported” Becomes an Insurance and Compliance Headache

The exposure doesn’t stop at technical risk. For IT and security leaders it is now a compliance, liability, and insurability problem. Compliance frameworks are very clear in their requirements.

  • PCI DSS 4.0 requires every system in a card-data environment to be actively vendor-supported.
  • ISO 27001:2022 treats unsupported systems as a failure of its technical vulnerability management control.
  • NIS2 requires documented vulnerability-handling measures and backs them with fines and personal accountability for senior management.

These are just a few examples, but the list goes on. “We have hardware we can’t upgrade” is not a defense. Regulators expect the risk to be identified, documented, and mitigated with compensating controls.

Cyber insurers have moved the same way. “Do you run any unsupported operating systems in production?” is now a standard question, and a yes can disqualify a policy outright. Self-attestation is no longer enough. Carriers verify, and a false answer voids coverage. A growing share of policies carry an explicit exclusion for end-of-life systems, meaning a claim tied to a Windows 10 CVE can be denied on those grounds alone. Coalition’s 2025 claims data shows roughly a quarter of claims are declined in whole or part on exclusions, with unsupported systems among the leading reasons. You can’t truthfully attest to controls on machines you can’t see.

When the OS Just Can’t Be Upgraded

Not every Windows 10 holdout can be fixed with a free upgrade. Across the estate, 2.8% of Windows 10 devices sit on hardware that doesn’t meet Windows 11’s requirements at all. For these machines, the only path is physical replacement. In other words: new hardware, budget, and lead time. Until that happens, they’re not just unpatched. They’re unpatchable.

These unpatchable machines are largely concentrated in the same sectors built on special-purpose hardware:

  • Consumer and retail (7.8% of their Windows 10 fleet can’t move)
  • Transport and logistics (6.1%)
  • Manufacturing (3.0%)
Share windows 10 devices that cannot be migrated due to hardware constraints, by industryShare windows 10 devices that cannot be migrated due to hardware constraints, by industry

Point-of-sale terminals, rugged handhelds, and embedded controllers welded to a function – all these systems have specific requirements that prevent easy upgrades.

The healthcare industry stands out here: while it carries one of the highest Windows 10 shares, only 1.1% of that base is immovable. Its problem is migration that hasn’t happened, not hardware that can’t.

Healthcare is the exception worth flagging. Despite carrying one of the highest Windows 10 shares overall, only 1.1% of its base is genuinely immovable. Its problem is a migration that hasn’t happened yet, not hardware that physically can’t move.

By organization size, enterprises show the highest can’t-move rate at 3.8%. A side effect of having migrated the easy machines first is that what remains is disproportionately hard-wired.

The distinction matters for planning. A movable Windows 10 device is a project; an immovable one is a purchase.

What Permanently Unpatched Looks Like at Scale

Windows 10 is the largest piece of this problem, but not the whole of it. Counting every Windows device on an end-of-life OS, including Windows 7, 8.1, and XP, 18.7% of the estate is unsupported today. Add the devices whose OS will lose support within the next six months, and that figure reaches 40.9%.

There’s a date attached to that jump. The consumer Extended Security Updates that are holding much of the remaining Windows 10 base together expire on 12 October 2027. When it lapses, the devices that it is holding up do not migrate on their own. They will roll straight into the unsupported count. This means two in five Windows machines are either already out of support or about to be.

percentage windows devices running unsupported operating systems.percentage windows devices running unsupported operating systems.

Find Your Windows 10 Devices Before They Becomes a Breach

The migration deadline has passed and the extended security updates, while recently extended by another year, won’t last forever. It’s time to face the hard question: Do you know which of your devices sit in that risky 16.9%, and how exposed is each one?

Lansweeper can show you the answer today. It gives IT and Security one continuously validated view of every asset across IT, OT, cloud, and IoT, managed and unmanaged alike.

  • See: Discover and identify every Windows device that exists, including the unmanaged and transient ones that hide in the gap between migrations.
  • Know: Enrich each one with lifecycle and risk context, what’s still on Windows 10, what’s already past end-of-support, what carries CVEs known to be exploited in the wild, and benchmark it against the patterns above.
  • Act: Turn that into prioritized remediation, focused on the small share of devices carrying the lion’s share of risk.

The deadline moved the easy machines. The risky ones are the ones you can’t see.

Report

Find your Windows 10 Holdouts

Similar Posts

Leave a Reply