Mastering the Final Weeks of Windows 10 Support with HCL BigFix

With the October 14, 2025, end of Support for Windows 10 now less than 90 days away, the final countdown for IT leaders has begun. After this critical date, Microsoft will no longer provide free security updates, exposing devices to significant risk. To provide a secure pathway for legacy systems, Microsoft is initiating its paid Extended Security Update (ESU) program, offering a critical lifeline for organizations across the globe. 

This marks a pivotal moment where the focus shifts from planning to execution. The primary challenge is no longer the deadline itself, but how to effectively deploy, manage, and verify these crucial ESU patches at scale to ensure continuous security.

The Three Questions That Matter Right Now

1. Do I have absolute certainty of my ESU exposure? In the final countdown, "mostly accurate" inventory is not good enough. You need to know with 100% certainty which devices cannot be upgraded and must be enrolled in the Extended Security Update (ESU) program. Any missed device becomes a critical vulnerability after October 14th.

2. Can I trust my deployment plan to work under pressure? A plan to deploy Microsoft's ESU patches is one thing; ensuring those patches are successfully applied to every single enrolled device every month is another. How do you de-risk the deployment process for these often-critical legacy systems and prove to auditors that the security you're paying for is the security you actually have?

3. How do I automate the recurring burden of ESU management? The ESU program isn't a one-time fix; it's a multi-year commitment. This introduces a new, high-stakes operational burden on already strained IT teams. The challenge is to manage this process without dedicating significant manual effort each month—effort that should be focused on modernization and future projects.

HCL BigFix: Your Platform for Execution and Certainty, now offers full support for Windows 10 ESU content through the BigFix Windows ESU Patch Add-On.

While some tools focus on visibility, HCL BigFix has always been the platform for action. In this critical moment, BigFix provides the proven, policy-driven automation required to move from a state of uncertainty to one of absolute control. Our platform is designed to answer the three critical questions above not with data points, but with decisive, automated outcomes.

While the ESU program extends coverage, the real challenge lies in effectively managing activation, patch deployment, and compliance at scale—especially in environments with mixed versions, remote users, and strict security requirements.

HCL BigFix bridges the gap with a proven, automated approach that helps IT operations teams move from “awareness” to “execution” with full confidence.

1. Windows 10 ESU Program Eligibility Analysis:

For systems that cannot transition to Windows 11, HCL BigFix identifies which machines qualify for Microsoft’s Extended Security Updates (ESU) program. It ensures all necessary prerequisites—like Windows 10 version 22H2—are in place so IT teams can confidently plan for continued support and security without guesswork or manual auditing.

2. Scalable MAK Key Deployment for ESU:

Deploying Microsoft’s ESU Multiple Activation Keys (MAKs) across thousands of machines can be daunting. HCL BigFix simplifies this with automated, policy-driven activation at scale. Whether you have a handful of devices or a global fleet, BigFix ensures all eligible endpoints are activated quickly and consistently with minimal manual effort.

3. Windows 11 Upgrade Eligibility Assessment:

HCL BigFix provides detailed analysis to identify which endpoints are eligible for a Windows 11 upgrade. This includes checks for key hardware and software prerequisites such as TPM version, memory, disk space, and OS version. The tool also explains why specific machines fail eligibility, empowering IT teams to resolve issues or make informed hardware decisions.

4. In-Place Windows 11 Upgrade Support:

HCL BigFix supports seamless Windows 11 upgrades via two methods: a direct in-place upgrade using fixlets that deploy ISO files, and a full Operating System Deployment (OSD) model for more controlled rollouts. These options allow organizations to modernize endpoints straight from the BigFix console without external tools or scripting.

5. Executive-Ready Reporting:

To support IT leadership and stakeholders, HCL BigFix delivers visual, customizable reports that break down ESU exposure and upgrade readiness across the organization. These reports are designed for CIOs, CISOs, and operational teams, enabling swift decision-making and smooth communication during compliance audits or board-level reviews.

6. Execution-Focused Automation:

Where many tools stop at visibility, HCL  BigFix empowers action. From ESU key deployment to monthly patch enforcement and upgrade orchestration, the platform automates complex workflows end-to-end. This ensures that security and compliance goals are met proactively—with fewer manual processes and lower operational overhead.

Who Should Use This?

• Current BigFix Customers: Simply enable the Windows ESU Patch Add-On to begin ESU deployments seamlessly through your existing infrastructure.
• New to BigFix or Evaluating: HCL BigFix combines patch management with ESU readiness—offering a single platform solution that scales from Windows 10 ESU to long-term endpoint security across your IT estate.

Beyond the 2025 Deadline

The capabilities you use to master the Windows 10 EOL transition are the same ones that will form the foundation of your long-term endpoint management strategy. The investment you make today in gaining control over ESU patching will pay dividends for years in simplified vulnerability remediation, software deployment, and continuous compliance across your entire IT estate.

The Clock is Ticking. Act With Confidence.

There is no more time for ambiguity. The coming weeks demand a solution that offers certainty, automation, and control. HCL BigFix provides the proven platform to not just meet the deadline, but to master it with operational confidence.

Don't leave your security to chance in the final stretch. Contact a BigFix expert today to build your rapid ESU execution plan.

Learn More

• Windows ESU Patch Add-On documentation on HCL BigFix (help.hcl-software.com)
• Microsoft’s Windows 10 ESU program details (learn.microsoft.com)

Secure continuity with BigFix—your partner in endpoint defense and compliance through every lifecycle stage.

Contact us today to activate your Windows ESU Patch Add-On or learn how HCL BigFix can help you stay secure beyond 2025.