Why Windows 10’s End of Life Matters for Cyber Essentials Plus

Microsoft officially ended support for Windows 10 on 14 October 2025, marking a major shift for organisations working toward Cyber Essentials Plus (CE+) certification. Without free security updates or patches, Windows 10 devices now pose a compliance risk – unless covered by Microsoft’s Extended Security Updates (ESU) programme.

For CE+ applicants, this change is more than a technical footnote. It directly affects your certification status. Devices running Windows 10 are no longer considered secure by default. To remain compliant, organisations must upgrade to Windows 11 version 23H2 or newer (ideally 24H2 or 25H2).

If your CE+ audit is scheduled within the 90-day window following your Cyber Essentials certification, any Windows 10 devices must be upgraded or removed from scope before submitting your asset list to the auditor.

Auditors will now perform technical verification during CE+ assessments.

If Windows 10 devices are detected:

• They must be excluded from scope.
• Failure to do so could result in audit failure or the need to restart both Cyber Essentials and CE+ assessments.

To stay secure and compliant, here are your next steps:

• Audit your device inventory: Identify any machines still running Windows 10.
• Upgrade to Windows 11: Preferably version 24H2 or 25H2. Note that 23H2 reaches end of life on 11 November 2025, so plan accordingly.
• Consider ESU: If upgrading isn’t feasible, explore Microsoft’s Extended Security Updates programme.
• Communicate with your auditor: Be transparent about your upgrade plans and ensure your asset list reflects only compliant devices.

This transition is a critical moment for organisations aiming to maintain Cyber Essentials Plus certification. By acting now, you’ll avoid last-minute surprises and ensure your systems meet the latest security standards.

Need help navigating the upgrade or preparing for your CE+ audit? CyberLab’s team is here to support you.