Still on Windows 10 in May 2026? The ESU Year One plan for Hawaii businesses

Published May 25, 2026 · HI Tech Hui · ~6 min read

Where the Windows 10 lifecycle actually stands today

Per the Microsoft lifecycle page, Windows 10 Home, Pro, Pro Education, and Pro for Workstations all reached retirement on October 14, 2025. Version 22H2 is the final feature update; nothing newer was ever shipped. After October 14, Microsoft stopped delivering technical support, feature updates, and quality updates — including security fixes — for devices that are not enrolled in ESU.

The Windows 10 Extended Security Updates program is the only Microsoft-supported path to keep getting critical and important security updates after that date. Per Microsoft Learn, commercial ESU pricing is $61 USD per device for Year One, doubles every consecutive year, and is capped at three years for commercial and educational customers. Consumer ESU is a separate program with a shorter window: it covers individuals and Windows 10 Home customers for roughly one year after October 14, 2025, ending in October 2026.

The implication for Hawaii businesses with mixed personal and company devices — a common pattern at small clinics, law firms, and family-owned operators — is that consumer ESU is a five-month bridge from here, not a long-term plan. Commercial ESU buys time, but the meter is running and the bill is back-dated to Year One.

The 90-day decision matrix

For every Windows 10 endpoint still in production, there are four defensible outcomes by the end of summer 2026. Pick one per device and write it down.

• Upgrade in place to Windows 11. The device passes the Windows 11 hardware check (TPM 2.0, supported CPU, Secure Boot capable) and is on Windows 10 version 22H2. This is the right answer for the largest share of the fleet and the cheapest long-term.
• Replace the hardware. The device fails the Windows 11 hardware check. Plan a refresh cycle aligned with the existing depreciation schedule, not an emergency buy at retail prices. For most Hawaii SMBs, the lead time on business-class laptops shipped to the islands is the real constraint — order earlier than feels necessary.
• Enroll in commercial ESU as a bridge. The device cannot upgrade and cannot be replaced within the window. Confirm it is on Windows 10 version 22H2, purchase ESU through Volume Licensing, and assign a hard exit date before Year Two pricing kicks in.
• Move the workload to a Windows 11 Cloud PC. Some sticky legacy applications run fine when the user is delivered a Windows 365 Cloud PC or Azure Virtual Desktop session. Per Microsoft, Windows 10 endpoints connecting to Windows 365 Cloud PCs are entitled to ESU for up to three years at no additional cost while the Windows 365 subscription is active.

What is not on the list: leaving a Windows 10 endpoint on the network with no ESU and no exit plan. That device is now a known-vulnerable asset and should be treated the same way you would treat an unpatched server — segmented, monitored, and tracked in the exception register, the same way we described in last week’s patch verification playbook.

What ESU does and does not cover

This is where most of the avoidable mistakes happen. Per the Microsoft Learn page on ESU, the program does deliver:

• Critical and important security updates as defined by the Microsoft Security Response Center severity rating system, for up to three years for commercial subscribers.
• Support for the ESU enrollment itself — license activation, installation of the updates, and regressions caused by ESU.

What ESU explicitly does not include:

• New features.
• Customer-requested non-security updates.
• Design change requests.
• General technical support for Windows 10 itself — you need an active Microsoft Unified support plan for that.

Practically: ESU keeps the OS patched against critical and important CVEs, and that is all. Driver issues, application compatibility failures, OEM firmware quirks, and end-user support are out of scope. Plan for those separately, either through your MSP or through an in-house workstation engineering function.

The enrollment prerequisites people miss

Before purchasing licenses or activating multiple activation keys (MAKs), confirm three things on every candidate device:

• OS version is Windows 10, version 22H2. Run winver or Get-ComputerInfo | Select-Object WindowsVersion, OsBuildNumber, OsVersion. Anything older than 22H2 cannot enroll in ESU and must be upgraded to 22H2 first or removed from the fleet.
• The May 2026 cumulative update is installed. Use the verification approach we covered in the day 3–7 patch verification post: pull the installed update history with Get-HotFix, reconcile against the published KB numbers in the Microsoft Update Catalog, and confirm a post-install reboot.
• The device has a usable management path. ESU is operationally easier when Windows Update for Business and Intune are already in place. If the endpoint has never seen a managed update policy, ESU is the time to put one on, not after.

For commercial purchases, the ESU MAK appears in the Microsoft 365 admin center Volume Licensing Product Details panel, but it does not activate until the Windows 10 end of support date — which has now passed, so the keys are usable. The Microsoft Learn enrollment guidance walks through the activation flow.

Migration sequencing for a Hawaii SMB

For most Hawaii businesses on HI Tech Hui managed IT services, the realistic sequencing through the rest of 2026 looks like this:

• Now through June. Finish the inventory. Every endpoint tagged as Windows 11 eligible, Windows 11 ineligible, or ESU bridge. Confirm 22H2 and current cumulative updates on every Windows 10 device. Submit ESU purchase orders for the bridge group.
• July–August. Upgrade the eligible Windows 10 devices to Windows 11 in rings: pilot, broad, then late ring for executives and sensitive workflows. Lean on Windows Autopatch or Intune where possible. Track upgrade success with the same out-of-band verification approach used for monthly patching.
• September–October. Land the hardware refresh orders for Windows 11 ineligible devices. Plan around inter-island shipping and the typical end-of-quarter procurement freeze. Confirm Windows 10 ESU coverage for any device that will still be running Windows 10 on October 14, 2026.
• Before October 14, 2026. Decide and document: which devices renew ESU into Year Two at double the Year One price, which retire, and which move to a Cloud PC. Year Two purchases are cumulative — if a device skipped Year One, Year One must still be paid for to enroll in Year Two.

Compliance and insurance angles

Cyber insurance applications increasingly ask, by name, whether any production endpoint is running an unsupported operating system. The honest answer for an unenrolled Windows 10 device is now “yes,” and insurers are using that answer to adjust premiums, sub-limits, and ransomware exclusions. ESU enrollment is what flips that question back to a defensible “no,” provided the enrollment is documented and the device is patched.

For regulated environments — healthcare under HIPAA, finance and professional services, government contractors, and law firms — running an unsupported, unpatched OS in production typically violates the underlying security rule or framework directly. ESU is the bridge that keeps you compliant during migration, not a permanent state.

The Hawaii-specific reality

Three constraints make this harder for businesses in Hawaii than for mainland peers, and worth planning around explicitly:

• Hardware lead time. Business-class laptops and small-form-factor desktops shipped to Honolulu, Kapolei, Hilo, Kona, Maui, and Kauai regularly take longer than vendor estimates. Order against the migration plan, not against the runout date.
• On-site labor density. Many neighbor-island sites are unstaffed by their MSP between scheduled trips. Sequence the upgrade ring so on-site work clusters around existing visits or remote-first methods like Autopilot reset and Intune Autopilot enrollment.
• Mixed personal-business devices. Family-run operators and small clinics often have personal Windows 10 Home machines doing real work. Consumer ESU ends in October 2026 — that is the realistic decision date for moving those workflows to a managed Windows 11 device or a Cloud PC.

What this looks like for HI Tech Hui clients

For organizations on HI Tech Hui managed IT services, the Windows 10 endgame is part of the standard lifecycle program: a current inventory of every endpoint with OS version and Windows 11 eligibility, an ESU enrollment plan for the bridge devices, a ring-based Windows 11 upgrade schedule executed through Intune and Microsoft 365, and 24/7 monitoring through the Cyberuptive SOC for the remaining Windows 10 assets while they are in flight. If you are not sure where you stand, the right next step is the inventory pass, not another month of drift.

Sources

• Microsoft Learn — Windows 10 Home and Pro lifecycle (end of support: October 14, 2025)
• Microsoft Learn — Extended Security Updates (ESU) program for Windows 10
• Microsoft Support — Windows 10 support ends on October 14, 2025
• Microsoft — Windows 10 Consumer Extended Security Updates program
• Microsoft Security Response Center — security update severity rating system
• Microsoft Update Catalog

Need a Windows 10 exit plan for a Hawaii business before Year Two ESU pricing hits? HI Tech Hui’s managed IT services team handles inventory, ESU enrollment, Windows 11 migration, and hardware refresh planning, with 24/7 coverage through our SOC. Get in touch.