"Windows 10 still runs on 16.9 percent of the Windows devices [Lansweeper] monitors, or 'roughly one in six.'"
Lansweeper's dataset: a slow tail of Windows 10
Asset-tracking firm Lansweeper reports that Windows 10 persists on 16.9 percent of the Windows devices it monitors. A year ago the OS made up about half of the machines in its dataset; that share dropped into the low-to-mid 40 percent range by the time Microsoft ended standard support, and slid to 18.6 percent in June before stalling. According to Lansweeper, "the easy migrations are done. What's left is the hard core: devices that haven't moved because they can't or won't."
Patch coverage, ESU timelines, and what Microsoft says
Microsoft continues to offer an Extended Security Updates (ESU) program with finite windows. Consumer devices can receive ESU security updates until October 12, 2027; commercial customers who pay can extend coverage until October 10, 2028. Microsoft describes the program as helping "reduce the risk of malware and cybersecurity attacks by providing access to critical and important security updates."
Lansweeper finds that only 14 percent of Windows 10 assets in its dataset have ESU patches applied. The company cautions that even ESU enrollment is temporary: "installations enrolled in the Extended Security Updates (ESU) program ... will eventually become vulnerable" once Microsoft stops issuing fixes.
Measured exposure: CVEs, sectors, and SMBs
Lansweeper quantifies the gap in vulnerability exposure: "a Windows 10 device carries an average of 1,903 active CVEs against 652 on Windows 11. That's a 2.9x gap." The dataset shows elevated Windows 10 presence in particular sectors and organization sizes. Lansweeper reckons that 21.4 percent of small and medium-sized business (SMB) machines still run Windows 10, with cost usually cited as the constraint. Sector breakdowns include 23 percent in healthcare and pharmaceutical systems, and 22.7 percent in consumer and retail devices.
Patch diffing and the attack surface
Lansweeper highlights "patch diffing" as a practical risk multiplier. In this process, fixes issued for Windows 11 can be reverse-engineered to identify unpatched flaws in Windows 10. As Lansweeper puts it, "The supported OS effectively hands attackers a map into the unsupported one." Lansweeper's principal technical evangelist, Esben Dochy, noted that "the Windows 10 average also includes devices that have ESU patches applied," underlining that the raw CVE gap counts even some patched systems.
What Lansweeper's data means for technologists, SMBs, and vendors
- Technologists and security teams: The dataset stresses the importance of inventory and triage. Lansweeper underlines administrators' need to "know which Windows 10 devices remain in their estates and whether each is fully patched," because the proportion of vulnerable devices will grow over time where migration to Windows 11 is not an option.
- SMBs and procurement leaders: Lansweeper points to cost as a frequent constraint; for many SMBs, budget limits are a major reason Windows 10 persists. The firm suggests that simply enrolling in ESU may not resolve the underlying problem when vendor contracts and certification timelines drive upgrade decisions.
- Vendors and operators of certified equipment: Esben Dochy explained that "many medical devices or industrial systems have their OS tied directly to vendor certification," and in some cases a Windows 11–certified version "doesn't exist yet." Where vendors remain contractually responsible for device maintenance, customer-level ESU enrollment may not be sufficient.
The result is a patchwork risk landscape: some Windows 10 machines are actively maintained with ESU patches, others are deliberately isolated or air-gapped and accepted as an operational risk, and still others are held in place by certification gaps, vendor dependency, or cost. Lansweeper's comparison with other market measures such as Statcounter also shows little recent movement in share between Windows 10 and Windows 11 after the initial surge following the end of standard support.
For organizations that cannot migrate, the options named in the data are limited: pursue vendor-certified upgrade paths, fund hardware or software replacements, enroll eligible systems in ESU while it remains available, or accept and mitigate risk through isolation and compensating controls. Each path carries trade-offs in cost, coverage, and operational disruption.
The widening CVE gap and the finite ESU windows make the coming months consequential for the "hard core" of Windows 10 devices Lansweeper describes. Administrators who do not already have a clear inventory of which endpoints remain on Windows 10—and which of those have ESU coverage—are the ones most likely to see their exposure rise as the calendar advances toward 2027 and 2028.




