cr0x.net — Hard Problems. Clean Solutions.
English

Windows 10 End-of-Life Prep: What to Do Before You Panic

February 13, 2026 • February 13, 2026 • Read: 20 min • Views: 0

Was this helpful?

The day Windows 10 hits end-of-life, nothing magical happens to your PCs. They don’t burst into flames. They just quietly stop getting security updates. Which is worse, because now every unpatched hole becomes a standing invitation—especially for endpoints that touch email, VPN, file shares, and your line-of-business apps.

If you’re reading this with a calendar open and a sinking feeling, good. That feeling is useful. We’re going to turn it into an inventory, a plan, a test matrix, and a clean cutover—without treating “upgrade” like a weekend hobby project.

What Windows 10 end-of-life actually means (and what it doesn’t)

End-of-life (EOL) for Windows 10 means Microsoft stops shipping security updates, bug fixes, and general support for that OS release. Your existing machines keep booting. Your apps keep launching. Your printer still prints… until it doesn’t. But from an operational and risk standpoint, EOL flips your security posture from “managed risk” to “compounding debt.”

What changes on day one

  • Security patch cadence ends. Vulnerabilities discovered after EOL remain unpatched on Windows 10.
  • Compliance posture shifts. Many frameworks and audits treat unsupported OS as a policy violation.
  • Vendor support gets slippery. Third-party software vendors start saying “reproduce on a supported OS.”
  • Incident response gets harder. You’ll spend more time compensating (controls, isolation) and less time fixing (patching).

What does not magically change

  • Your endpoints don’t stop working. The OS doesn’t set a self-destruct timer.
  • Your network doesn’t become instantly unsafe. But your margin for error collapses.
  • You don’t have to jump to Windows 11 everywhere. Some machines will be replaced, some reimaged, some moved to VDI, some retired.

Treat this as a production migration, not a desktop refresh. The technical work is straightforward. The failure modes are human: assumptions, incomplete inventories, and “we’ll test after we deploy.”

One paraphrased idea from Gene Kim (reliability/DevOps author): Small, controlled changes reduce risk; big-bang releases create drama.

Quick facts and historical context (so you don’t repeat history)

A little history helps because endpoint migrations are where organizations rediscover the same sharp edges every decade.

  1. Windows 10 launched in 2015 with “Windows as a service” messaging, normalizing frequent updates rather than multi-year gaps.
  2. Windows 7 EOL (2020) triggered a long tail of paid extended security updates (ESU) in many enterprises—because inventories were wrong and app owners were optimistic.
  3. Windows XP’s long afterlife taught attackers a simple lesson: unsupported OS makes a great target because patch gaps are permanent.
  4. UEFI and Secure Boot became mainstream during Windows 8/10 era; older hardware and legacy boot modes still haunt in-place upgrades.
  5. TPM 2.0 adoption accelerated as disk encryption and credential protection became default expectations, not “nice-to-have.”
  6. BitLocker shifted from niche to normal in enterprises, which is great until you discover half your recovery keys aren’t escrowed.
  7. Driver models evolved (think: graphics, storage, Wi‑Fi). A “works on 10” driver stack can behave differently under 11’s security defaults.
  8. Browser and Office support schedules often pressure OS upgrades indirectly; you can be “fine” on Windows 10 until a core app drops support.

Joke #1: Endpoint upgrades are like dieting—you can do it gradually, or you can do it “starting Monday” for three straight months.

The decisions you must make early (or your project will make them for you)

1) Upgrade, replace, or isolate?

Every Windows 10 device ends up in one of three buckets:

  • Upgrade to Windows 11 (if hardware and apps allow).
  • Replace hardware (common for devices missing TPM 2.0, with poor performance, or nearing warranty end).
  • Isolate and contain (for specialty gear, lab systems, kiosk devices, or “it runs the factory” boxes where replacement isn’t immediate).

The third bucket is the danger zone. If you must keep an unsupported OS, you compensate with network segmentation, application allowlisting, no email/web browsing, restricted admin rights, and aggressive monitoring. You don’t “leave it on the corporate LAN and hope.”

2) In-place upgrade vs wipe-and-load

In-place upgrades are faster and less disruptive—until they aren’t. Wipe-and-load (reimage) is more predictable and easier to support long-term, especially if you already have modern management (Intune, Configuration Manager, autopilot-style flows).

My bias: if the device has years of accumulated “creative” software installs, do wipe-and-load. If it’s a clean managed endpoint with standardized apps, in-place is fine.

3) Ownership: who signs off on app compatibility?

Make one uncomfortable rule: every business-critical app has an owner who signs a test result. If nobody owns it, it’s not critical; it’s folklore with a license key.

4) What’s your rollback story?

“Rollback” means one of:

  • restore from full-disk image (rare but sometimes necessary),
  • reimage to the old OS (usually not worth it near EOL),
  • swap device (best),
  • VDI or remote app as a bridge.

If your rollback is “we’ll troubleshoot live on the CEO’s laptop,” you don’t have rollback. You have theater.

Fast diagnosis playbook: find the bottleneck in 30 minutes

When Windows 10 EOL prep goes sideways, it’s usually because one constraint dominates and everything else is noise. Here’s how to find it quickly.

First: hardware eligibility and encryption recovery

  • Can the device run Windows 11? TPM 2.0, Secure Boot, supported CPU, enough RAM/storage.
  • Do you have BitLocker recovery keys? If you don’t, upgrades and firmware changes become a roulette wheel.

Second: application and driver compatibility

  • Which apps are non-negotiable? List them. Test them. Don’t argue with them.
  • Any kernel drivers? VPN clients, security agents, storage encryption, USB redirection—these are where upgrades die.

Third: management and update plumbing

  • Can devices receive policies and updates? If your MDM/WSUS/SCCM plumbing is flaky, migrations will amplify it.
  • Do you have enough bandwidth and cache? Feature updates are large. Your WAN is not a bottomless pit.

Fourth: identity and access controls

  • Local admin sprawl? It will bite you during app reinstalls and troubleshooting.
  • Device compliance conditional access? If you enforce compliance, your cutover can lock users out if policies aren’t staged carefully.

The trick is sequencing: you don’t start with “let’s push Windows 11.” You start with “do we know what we have, can it upgrade, and can we recover it if it bricks?”

Hands-on tasks with commands: evidence, outputs, and decisions

These are practical checks you can run from a Linux admin box that has network access to your Windows fleet (WinRM enabled where needed), your management servers, and your directory services. The commands are intentionally boring. Boring is good. Boring is how you sleep.

Task 1: Count Windows 10 endpoints you can actually see (AD query)

cr0x@server:~$ ldapsearch -x -LLL -H ldap://ad01.corp.local -b "DC=corp,DC=local" "(operatingSystem=Windows 10*)" dn operatingSystem | grep -c "^dn:"
342

What it means: You have 342 computer objects reporting Windows 10 in AD attributes.

Decision: Treat this as a lower bound. Compare it with endpoint management counts; discrepancies mean stale AD objects, unmanaged devices, or both.

Task 2: Find stale Windows computer objects (they still “exist,” but they’re not real)

cr0x@server:~$ ldapsearch -x -LLL -H ldap://ad01.corp.local -b "DC=corp,DC=local" "(&(objectClass=computer)(lastLogonTimestamp<=20240101000000.0Z))" dn lastLogonTimestamp | grep -c "^dn:"
58

What it means: 58 computer accounts haven’t logged on since the timestamp cutoff (depends on your chosen date).

Decision: Don’t waste migration effort on ghosts. Validate with owners; then disable or clean up accounts to reduce noise and risk.

Task 3: Pull a device list from your management source of truth (example: SCCM/ConfigMgr SQL)

cr0x@server:~$ sqlcmd -S sccm-sql01.corp.local -d CM_PRI -Q "select count(*) as win10 from v_R_System where Operating_System_Name_and0 like '%Workstation 10%';"
win10
-----------
401

What it means: SCCM thinks you have 401 Windows 10 workstations.

Decision: AD says 342, SCCM says 401. You have an inventory mismatch. Fix that first: it will wreck your rollout metrics otherwise.

Task 4: Check WinRM reachability to a sample set (remote readiness)

cr0x@server:~$ for h in pc-001 pc-002 pc-003; do echo "== $h =="; timeout 3 bash -c "echo | nc -vz $h 5985"; done
== pc-001 ==
Connection to pc-001 5985 port [tcp/*] succeeded!
== pc-002 ==
nc: connect to pc-002 port 5985 (tcp) timed out: Operation now in progress
== pc-003 ==
Connection to pc-003 5985 port [tcp/*] succeeded!

What it means: pc-002 is not reachable on WinRM HTTP (5985). Could be offline, blocked, or not configured.

Decision: If your plan depends on remote queries or remote upgrades, you need a reachability baseline. For unreachable machines, schedule hands-on or fix network/policy.

Task 5: Query Windows version/build remotely (WinRM + PowerShell)

cr0x@server:~$ evil-winrm -i pc-001.corp.local -u CORP\\svc_audit -p 'REDACTED' -s . -c "powershell -NoProfile -Command \"(Get-ComputerInfo).WindowsVersion; (Get-ComputerInfo).OsBuildNumber\""
10.0.19045
19045

What it means: Windows 10 22H2 build 19045 (typical late Windows 10).

Decision: Devices not on the latest Windows 10 feature update should be treated as higher-risk and harder to upgrade; get them current before major moves.

Task 6: Check TPM presence and version (Windows 11 gating item)

cr0x@server:~$ evil-winrm -i pc-001.corp.local -u CORP\\svc_audit -p 'REDACTED' -c "powershell -NoProfile -Command \"Get-Tpm | Select TpmPresent,TpmReady,ManagedAuthLevel\""
TpmPresent TpmReady ManagedAuthLevel
---------- -------- ---------------
      True     True            Full

What it means: TPM is present and ready.

Decision: This machine likely clears one of the biggest Windows 11 requirements. If you see False, plan for replacement or exception handling (not “we’ll see later”).

Task 7: Check Secure Boot state (another Windows 11 prerequisite)

cr0x@server:~$ evil-winrm -i pc-001.corp.local -u CORP\\svc_audit -p 'REDACTED' -c "powershell -NoProfile -Command \"Confirm-SecureBootUEFI\""
True

What it means: Secure Boot is enabled.

Decision: If False (or the cmdlet errors due to legacy BIOS), you may need a firmware/boot-mode remediation plan. That’s not a one-click fix at scale.

Task 8: Check system disk free space (feature upgrades fail quietly when storage is tight)

cr0x@server:~$ evil-winrm -i pc-001.corp.local -u CORP\\svc_audit -p 'REDACTED' -c "powershell -NoProfile -Command \"Get-PSDrive -Name C | Select Used,Free\""
Used         Free
----         ----
178234961920 21464350720

What it means: ~20 GB free on C:. That’s borderline depending on upgrade method and staging.

Decision: Set a minimum free space policy (I like 30–40 GB for safety). Below that: cleanup, move caches, or plan wipe-and-load.

Task 9: Verify BitLocker status and key protector types (recovery planning)

cr0x@server:~$ evil-winrm -i pc-001.corp.local -u CORP\\svc_audit -p 'REDACTED' -c "powershell -NoProfile -Command \"manage-bde -status C:\""
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Volume C: [OSDisk]
    Size:                 237.87 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

What it means: The disk is encrypted and protected. Key protectors include TPM and a numerical recovery password.

Decision: Confirm the recovery password is escrowed in AD/Azure AD. If not, stop and fix escrow before firmware/OS changes.

Task 10: Check for pending reboot flags (they sabotage upgrades and agent installs)

cr0x@server:~$ evil-winrm -i pc-001.corp.local -u CORP\\svc_audit -p 'REDACTED' -c "powershell -NoProfile -Command \"Test-Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\RebootRequired'\""
False

What it means: No Windows Update pending reboot flag detected via this key (not exhaustive, but useful).

Decision: If True, schedule reboot before attempting feature upgrades or major agent changes.

Task 11: Identify installed security/EDR agents (driver-level conflicts are common)

cr0x@server:~$ evil-winrm -i pc-001.corp.local -u CORP\\svc_audit -p 'REDACTED' -c "powershell -NoProfile -Command \"Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*' | Select DisplayName,DisplayVersion | Sort DisplayName | Select -First 10\""
DisplayName                         DisplayVersion
-----------                         --------------
7-Zip 22.01 (x64 edition)           22.01
Contoso Endpoint Protection Agent    5.4.1
Microsoft OneDrive                   24.005.0113.0002
Microsoft Teams                      1.7.00.3653
Microsoft Visual C++ 2015-2022 ...   14.38.33135

What it means: You can see an endpoint protection agent installed, plus common software.

Decision: Build a compatibility matrix for security agents and VPN clients. If your agent vendor requires a newer build, upgrade the agent before the OS change.

Task 12: Check Windows Update source (WSUS vs Microsoft Update vs policy mismatch)

cr0x@server:~$ evil-winrm -i pc-001.corp.local -u CORP\\svc_audit -p 'REDACTED' -c "powershell -NoProfile -Command \"reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate /v WUServer\""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus01.corp.local:8530

What it means: This endpoint is pinned to WSUS.

Decision: Ensure WSUS (or your update platform) can serve the upgrade content you’re planning. If not, your rollout will stall with “checking for updates” theater.

Task 13: Measure LAN/WAN bottleneck risk (feature updates are bandwidth hogs)

cr0x@server:~$ iperf3 -c branch-fw01.corp.local -p 5201 -t 5
Connecting to host branch-fw01.corp.local, port 5201
[  5] local 10.10.10.50 port 55762 connected to 10.20.30.1 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-5.00   sec  34.8 MBytes  58.4 Mbits/sec                  sender
[  5]   0.00-5.00   sec  34.1 MBytes  57.2 Mbits/sec                  receiver

What it means: Roughly 57 Mbps between test host and branch firewall endpoint.

Decision: If you have dozens of devices pulling multi-GB updates over that link, you need caching (Delivery Optimization, local distribution points) or staged scheduling.

Task 14: Check file share capacity for user profile/data migration staging

cr0x@server:~$ df -h /srv/migration-staging
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/vg0-staging    3.0T  2.5T  420G  86% /srv/migration-staging

What it means: Your staging volume is at 86% usage, with ~420 GB free.

Decision: If you’re about to stage profiles or offline data, you’re flirting with “disk full” corruption and failed transfers. Expand storage or prune before rollout.

Task 15: Validate backups are not imaginary (sample restore test)

cr0x@server:~$ restic -r /backups/endpoints snapshots --last
repository 2b1c2b55 opened (version 2, compression level auto)
ID        Time                 Host     Tags        Paths
9f1a8e3c  2026-02-03 23:10:12  pc-001   win10        C:\Users

What it means: You have at least one recent snapshot for pc-001 user data.

Decision: Now do a restore drill for a small subset. If you can’t restore quickly, your backup is a museum exhibit, not a safety system.

Task 16: Check certificate expiration for Wi‑Fi/VPN auth (breaks look like “Windows 11 is broken”)

cr0x@server:~$ openssl s_client -connect vpn01.corp.local:443 -servername vpn01.corp.local /dev/null | openssl x509 -noout -dates -subject
notBefore=Jan 10 00:00:00 2026 GMT
notAfter=Apr 10 23:59:59 2026 GMT
subject=CN=vpn01.corp.local

What it means: The VPN cert expires in April 2026.

Decision: If the cert is near expiry, renew before your migration wave hits. Otherwise you’ll “debug Windows 11” when the real culprit is PKI neglect.

That’s more than a dozen tasks. Use them as probes. The results tell you where the real work is: hardware replacement, policy plumbing, bandwidth, or app owners.

Three corporate mini-stories from the upgrade trenches

Mini-story #1: The incident caused by a wrong assumption

A mid-sized company ran a pilot Windows 11 upgrade with a dozen IT laptops. Clean. Smooth. They called it “validated,” because the laptops all had TPM 2.0, modern CPUs, and the same baseline image. They then scheduled a department-wide in-place upgrade for finance, because “they’re mostly laptops too.”

Finance had a mix: newer laptops, older desktops, and a few “temporary” machines that had been temporary since the last three reorganizations. Several desktops were running in legacy BIOS mode, with Secure Boot off, and one model had a TPM chip that existed physically but was disabled in firmware. Nobody had looked because the pilot machines were shiny.

The upgrade tool refused some devices outright. Others failed mid-upgrade and rolled back. The real incident came later: a subset of machines rebooted into BitLocker recovery mode after firmware changes attempted during remediation. The helpdesk had no recovery keys for a chunk of them because key escrow had never been enforced consistently.

The outage wasn’t “Windows 11.” It was a process failure: a pilot that didn’t represent the fleet, and an assumption that encryption recovery was “handled somewhere.” It took two days to physically touch machines, prove ownership, and reimage the worst cases. Finance missed a closing deadline. The migration paused for a month.

The fix was boring: hardware readiness reporting by model, enforced BitLocker key escrow checks, and a rule that pilots must include the worst hardware you still depend on—not the best.

Mini-story #2: The optimization that backfired

Another organization wanted to “save WAN” during a remote-site rollout. Their idea: preload the Windows 11 feature update onto a central file share in the datacenter, then have endpoints pull it over SMB overnight. One copy on the server, many clients—what could go wrong?

It worked in the lab. In production, hundreds of endpoints in multiple branches began copying multi-GB files from the same share. SMB traffic spiked. The WAN links saturated. Interactive apps lagged. VoIP became a stuttering mess. Then, because users got angry and rebooted or closed laptops, many of the transfers were interrupted and restarted, amplifying the bandwidth burn.

The storage side took damage too. The file server’s cache churned under a read storm. Latency rose. Other workloads on the same VM datastore saw increased I/O wait. Nobody likes learning that “read-only load” can still be destructive when it’s not shaped.

They backed out and did what they should have done first: use proper content distribution (local distribution points, Delivery Optimization peer caching, or staged cloud delivery) and throttle schedules by site. The “optimization” was really just moving the bottleneck to a place that was harder to see.

Mini-story #3: The boring but correct practice that saved the day

A large enterprise had a reputation for slow change. People mocked them for it. Their endpoint team insisted on a “readiness gate” before any OS migration: every device had to report (a) hardware eligibility, (b) encryption key escrow, (c) last check-in time, and (d) critical app set membership. If a device didn’t pass, it didn’t get the upgrade policy.

That gate was enforced automatically through their device management platform. Exceptions were possible, but required an app owner and a security sign-off. People complained it was bureaucracy. But the gate produced something rare: predictable rollouts. Their metrics looked less exciting, which in operations is often a compliment.

During the main rollout wave, a vendor shipped an updated VPN client that broke split tunneling on the new OS build. Because the enterprise had staged rings—IT first, then a few departments, then the rest—they saw the issue early, paused the next ring, and pushed a fixed client version. No company-wide outage, no “everyone can’t connect Monday morning” disaster.

The best part: they didn’t have to be heroes. Their process made it hard to do the wrong thing quickly. That’s the kind of controls you want in production.

Joke #2: The only thing scarier than an unsupported OS is discovering it runs the one machine that makes the labels for your supported OS.

Common mistakes: symptoms → root cause → fix

1) “Upgrade policy applied, but nothing happens”

Symptoms: Devices show targeted; users see no prompt; logs show repeated “checking for updates.”

Root cause: Update source misconfiguration (WSUS missing products/classifications, dual scan blocked, or policy conflicts).

Fix: Verify update source registry keys and management policies; ensure your update platform is configured for feature updates; test on one device with known-good connectivity.

2) “Upgrade fails at 30–70% then rolls back”

Symptoms: In-place upgrade reboots, progresses, then returns to Windows 10.

Root cause: Driver or security agent incompatibility; sometimes disk space or corrupted component store.

Fix: Identify and update/remove problematic drivers/agents; ensure free disk space; run component health checks before retrying. Consider wipe-and-load for chronic offenders.

3) “BitLocker recovery screen after BIOS/UEFI changes”

Symptoms: Users reboot and see recovery key prompt; helpdesk can’t find key.

Root cause: Recovery keys not escrowed; firmware change triggers TPM measurement change.

Fix: Enforce escrow policy, audit key presence, and educate techs: suspend BitLocker before firmware updates and resume after.

4) “VPN works on Windows 10, fails on upgraded devices”

Symptoms: Auth loops, no routes, split tunnel issues, or client won’t start.

Root cause: VPN driver incompatibility, certificate chain issues, or hardened security defaults.

Fix: Validate vendor support for Windows 11 builds; update client; verify certificates and device compliance policies.

5) “Printing is suddenly a political issue”

Symptoms: Printers disappear, prompts for admin, driver installs fail.

Root cause: Print driver policies, point-and-print restrictions, legacy drivers.

Fix: Standardize print drivers via approved packages; use modern print deployment; test with your exact models.

6) “Post-upgrade performance is worse”

Symptoms: Fans screaming, slow logon, disk pegged at 100%.

Root cause: Old HDDs, low RAM, heavy security tooling, or runaway telemetry/indexing after migration.

Fix: Replace HDD with SSD, increase RAM, tune security agent settings, and let devices settle after first boot while monitoring CPU/disk.

7) “Users can’t sign in after the move”

Symptoms: Cached credentials fail, domain trust errors, conditional access blocks.

Root cause: Device identity changes, stale machine accounts, or compliance policy applied too early.

Fix: Stage conditional access changes; validate time sync; ensure device registration and trust are healthy before enforcement.

Checklists / step-by-step plan (the boring part that prevents outages)

Phase 0: Stop guessing

  • Build a real inventory. Reconcile AD, SCCM/Intune, EDR console, and procurement lists. Pick one source of truth for “count.”
  • Classify endpoints. Workstations, laptops, kiosks, lab machines, shared devices, remote-only devices.
  • Tag criticality. Devices tied to revenue operations, manufacturing, exec staff, and call centers get extra care.

Phase 1: Eligibility and risk gates

  • Hardware readiness report. TPM/Secure Boot/CPU/RAM/storage.
  • Encryption readiness. Confirm BitLocker status and that recovery keys are escrowed and retrievable.
  • Network readiness. Branch bandwidth and caching strategy. Don’t DDOS your own WAN.
  • Management readiness. Devices must check in reliably and receive policies.

Phase 2: Application reality

  • Create the “must work” list. VPN, EDR, Office suite, browser, identity tools, printing, and 5–20 line-of-business apps.
  • Assign app owners. Owners sign off on test results and compatibility statements.
  • Build a test matrix. By device model + OS build + key app set. Focus on driver-heavy apps and security tooling.

Phase 3: Pilot with representative pain

  • Ring 0 (IT sacrificial lambs). Include the oldest supported hardware you still depend on.
  • Ring 1 (friendly department). Choose a group with patient users and normal workflows.
  • Ring 2 (broad rollout). Only after you’ve burned down the known issues.

Phase 4: Rollout mechanics that don’t melt production

  • Schedule by site and by time. Stagger updates; throttle; use local caches/distribution.
  • Communicate in operational terms. Expected downtime, what users must leave powered on, what to do if it fails.
  • Have a swap pool. A small inventory of pre-imaged replacement devices is the fastest rollback.

Phase 5: Post-migration hardening

  • Verify security baselines. Credential Guard where appropriate, LSASS protections, firewall rules, and EDR health.
  • Retire exceptions. The “temporary” Windows 10 holdouts need deadlines and isolation controls.
  • Measure outcomes. Upgrade success rate, helpdesk tickets per 100 devices, VPN failure rates, boot time regressions.

A pragmatic weekly cadence

  • Week 1: inventory reconciliation + readiness reporting + key escrow audit.
  • Week 2: app owner assignment + test matrix + pilot ring 0.
  • Week 3–4: ring 1 + fix loop (drivers, agents, policies).
  • Week 5+: staged rollout + exception handling + decommission/segmentation for holdouts.

FAQ

1) Do we have to upgrade everything to Windows 11 immediately?

No. You have to stop running unsupported OS for general-purpose endpoints. That can mean Windows 11, new hardware, VDI, or isolated specialty systems with compensating controls.

2) What’s the single most common blocker for Windows 11 readiness?

Hardware eligibility (TPM/Secure Boot/CPU) and the messy reality of old device models still in service. The technical check is easy; the asset reality is not.

3) In-place upgrade or reimage—what’s safer?

Reimage is more predictable long-term. In-place is faster short-term. If your endpoints are already standardized and healthy, in-place is fine. If they’re “unique snowflakes,” wipe-and-load will save you time overall.

4) Can we keep Windows 10 for a few special machines?

Sometimes. But you must treat them like legacy systems: isolate network access, remove browsing/email, enforce least privilege, and monitor aggressively. Also: have a retirement plan with dates, not vibes.

5) How much free disk space do we need for an upgrade?

It depends on method and staging, but if you’re under ~30 GB free on C:, expect failures and weirdness. Storage is cheap; downtime is not.

6) Why do upgrades trigger BitLocker recovery?

Firmware/boot configuration changes can alter TPM measurements. If BitLocker sees an unexpected change, it asks for recovery. This is normal behavior; the abnormal part is not having the recovery key.

7) How do we avoid saturating WAN links during rollout?

Use content caching and distribution (Delivery Optimization peer caching, local distribution points), throttle schedules by site, and avoid “everyone downloads at 2 AM” if 2 AM is when backups run.

8) What should we test first for application compatibility?

VPN client, EDR/security agent, disk encryption tools, and anything that installs kernel drivers. Then your top 10 line-of-business apps. Printers and smart card middleware deserve early attention too.

9) What does “success” look like operationally?

A measurable upgrade success rate per ring, declining ticket volume, stable VPN/auth performance, and a shrinking exception list. Bonus points: hardware refresh aligns with warranty cycles instead of panic buys.

Conclusion: next steps you can do this week

The clean way through Windows 10 end-of-life is not heroics. It’s evidence. Inventory reconciliation, readiness gates, app owner sign-off, staged rings, and real rollback plans. If that sounds like SRE talk applied to desktops: good. Endpoints are production too; they just run in backpacks.

Do these next, in order

  1. Reconcile your counts across AD, management platform, and EDR until you trust the number.
  2. Run readiness checks (TPM, Secure Boot, disk space, BitLocker escrow) and create replacement lists by model.
  3. Assign app owners and build the “must work” list with a test matrix.
  4. Fix your update plumbing (WSUS/Intune/SCCM policies, reachability, caching) before you push anything big.
  5. Start Ring 0 with representative hardware, not the nicest laptops in IT.
  6. Write the exception policy for unavoidable Windows 10 holdouts: segmentation, restricted use, monitoring, and a retirement date.

Panic is a lousy project manager. Replace it with a checklist, some command outputs, and a plan that assumes reality will be messy. It will. You can still win.

← Previous
Windows Hotspot Not Working: The Service That’s Usually Dead
Next →
Ethernet Stuck at 100 Mbps: The Cable Myth vs the Real Fix

Related articles

Reinstall Windows and Keep Apps? What Actually Works (and What’s Marketing) February 28, 2026 Bypass ‘This PC Can’t Run Windows 11’ Safely (What Still Matters) February 28, 2026 Windows Install: Activation Nightmares — The Clean Fix Without Reinstalling February 27, 2026 Install Windows on NVMe: Why Setup Can’t See the Drive (and the Fix) February 26, 2026 ‘Windows Can’t Be Installed to This Disk’: The Real Reasons (Not the Message) February 26, 2026 OOBE Loop / “Something went wrong”: Quick Fixes for Setup Disasters February 25, 2026 Windows Server 2025 Install Like a Pro: Roles, Updates, and Hardening in 60 Minutes February 24, 2026 Slipstream Drivers into a Windows ISO: Make Setup “Just Work” February 23, 2026 Windows Server 2022 Fresh Install Checklist: The No-BS Setup That Prevents Pain Later February 22, 2026 The Only Correct Way to Make a Windows 11 USB Installer (UEFI + Secure Boot) February 22, 2026

Leave a comment