With Windows 10 officially reaching end of life, organizations face a new visibility challenge: identifying which endpoints are still running Windows 10 and confirming whether they are enrolled in Extended Security Updates (ESU). Even if you are in one of the European countries where ESU is free, you still need to confirm that it is active and that any remaining Windows 10 systems are fully eligible for critical updates.
Failing to do so leaves the door open to unpatched vulnerabilities that can quietly persist across your environment. These systems become silent attack vectors, machines that appear operational but no longer receive critical security fixes.
The good news is that Action1 is here to give you the clarity you need to take action.
Note: ESU is licensed per endpoint. Once an ESU license is acquired and applied, and for as long as it remains active, Action1 continues to function as it did before the Windows 10 EOL. ESU licensing is an entitlement to updates; it does not change the availability of updates or the mechanism by which they install.
Compliance is not optional
End of life means that Microsoft no longer provides free security updates for Windows 10. Only systems with valid ESU activation will continue to receive monthly patches.
Any system without ESU coverage is now vulnerable to new exploits, even if it appears stable or managed. These machines represent a hidden layer of risk within your network, often running in labs, forgotten virtual machines, or kiosks where endpoint visibility is weakest and detection will be more difficult.
Understanding which systems still run Windows 10, and whether they are receiving updates, is the first step in maintaining a secure baseline, and may well be the most important security audit you do this year.
Step 1: Inventory All Windows 10 Systems
Start by identifying every Windows device in your network. Fortunately, if you are using Action1, this step is already complete. If you are reading this and not using Action1, now is the perfect time to check it out: Action1's patch management solution is completely free for the first 200 endpoints, with no catch, no monetization of clients, and no data scraping. It is the exact same product as a paid subscription, perpetually free for 200 or fewer endpoints. If you are not using Action1, use whatever endpoint management system you have on hand, query AD, etc.
Step 2: Check for ESU Activation
Once you know which systems are on Windows 10, the next task is confirming whether they have ESU enabled.
For that we provide this simple data source:
The script, Detect_W10_ESU.ps1, can be downloaded from our Git repo and loaded into Action1 to get a site-wide analysis of the ESU state of all systems in Action1. Follow the Custom Reports guide in our documentation to load it into the system.
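For readers who want to see what a per-endpoint ESU check can look like, here is an added example; it is not Action1's Detect_W10_ESU.ps1, and the function name Get-Win10EsuState is hypothetical. It assumes an ESU key installed on the endpoint shows up in the SoftwareLicensingProduct WMI class with "ESU" in its Name, so it does not cover entitlements delivered any other way.

```powershell
# Added example: report the Windows 10 ESU licensing state of the local endpoint.
# Assumption: an installed ESU key is listed in SoftwareLicensingProduct with "ESU" in its Name.
function Get-Win10EsuState {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Windows 10 and 11 both report version 10.0; client builds below 22000 are Windows 10.
    $isWin10 = ($os.ProductType -eq 1) -and ($os.Version -like '10.0.*') -and ($build -lt 22000)

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Caption      = $os.Caption
        Build        = $build
        IsWindows10  = $isWin10
        Is22H2       = ($build -eq 19045)   # ESU is offered for version 22H2 (build 19045)
        EsuState     = 'NotApplicable'
        EsuProducts  = ''
    }

    if ($isWin10) {
        # Only products with a key installed; LicenseStatus 1 means "Licensed".
        $esu = @(Get-CimInstance -ClassName SoftwareLicensingProduct `
                    -Filter "PartialProductKey IS NOT NULL AND Name LIKE '%ESU%'")
        $active = @($esu | Where-Object { $_.LicenseStatus -eq 1 })

        $result.EsuState = if ($active.Count -gt 0) { 'Licensed' }
                           elseif ($esu.Count -gt 0) { 'KeyInstalledNotActivated' }
                           else { 'NoEsuKey' }

        # Keep the matched product names so the report shows which ESU add-on was found.
        $result.EsuProducts = ($esu | ForEach-Object {
            "$($_.Name) [status=$($_.LicenseStatus)]"
        }) -join '; '
    }

    [pscustomobject]$result
}

Get-Win10EsuState
```

A Windows 10 endpoint that reports NoEsuKey or KeyInstalledNotActivated, or that is not on build 19045, is one to follow up on.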
Conclusion
As Windows 10 fades from Microsoft’s support lifecycle, unmanaged legacy devices represent a quiet but serious risk. By proactively discovering which systems remain, checking their ESU status, and remediating accordingly, you reduce attack surface and maintain compliance.
Knowing where Windows 10 still lives in your environment is the first step in keeping your network secure, and avoiding the silent threat of unpatched endpoints.