On October 14, 2025, Microsoft stopped supporting Windows 10, forcing many companies to switch to Windows 11. Windows 11 offers not only new features but also higher security standards, provided that the new environment is configured correctly. You should therefore plan the migration holistically and consider not only the technical setup but also the security of your IT landscape.
In this article, we explain what the end of support entails, what steps are necessary now, and why a pentest of your new Windows 11 environment is a key component for a successful and secure transition.
The impact of end-of-support on your IT infrastructure
Devices that have Windows 10 installed will no longer receive security updates or bug fixes. New vulnerabilities will no longer be patched, and vendors will no longer test their software and hardware for compatibility. This makes unpatched vulnerabilities increasingly dangerous for Windows 10 systems, putting not only individual devices at risk but potentially the entire corporate network. The result is not only increased security risks and decreased stability but also potential compliance issues, especially in regulated industries such as finance, healthcare, and critical infrastructure.
Extended Security Updates for Windows 10 (ESU): A Band-Aid, but not a Solution
Microsoft offers a paid ESU program that allows systems to continue receiving critical security updates until October 13, 2026. However, caution is advised: from our experts' point of view, ESUs are not a permanent solution but merely a temporary one.
System requirements for Windows 11 at a glance
Windows 11 requires modern security features. These include UEFI with Secure Boot, a TPM 2.0, and compatible processors. Check your hardware for compatibility and replace it in time.
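A per-device check for the TPM 2.0 and Secure Boot requirements named above, as an added example that is not part of the original article. The function name `Get-Win11ReadinessRecord` is hypothetical, the script assumes an elevated PowerShell session, and CPU support still has to be compared manually against Microsoft's supported-processor list.

```powershell
# Added example: one readiness record per device for the TPM 2.0 / Secure Boot checks.
# Assumption: run elevated; Win32_Tpm and Confirm-SecureBootUEFI need administrator rights.
function Get-Win11ReadinessRecord {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # TPM: SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the spec level.
    $tpmVersion = 'none'
    try {
        $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        if ($tpm) { $tpmVersion = ($tpm.SpecVersion -split ',')[0].Trim() }
    } catch {
        $tpmVersion = 'query failed'
    }

    # Secure Boot: the cmdlet returns $true/$false on UEFI systems and throws on legacy BIOS.
    $secureBoot = 'unknown'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'enabled' } else { 'disabled' }
    } catch [System.PlatformNotSupportedException] {
        $secureBoot = 'legacy BIOS (no UEFI)'
    } catch {
        $secureBoot = 'query failed'
    }

    $tpmOk = ($tpmVersion -eq '2.0')
    $sbOk  = ($secureBoot -eq 'enabled')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OS                = $os.Caption
        Build             = [int]$os.BuildNumber
        PreWindows11Build = ([int]$os.BuildNumber -lt 22000)  # Windows 11 builds start at 22000
        Cpu               = $cpu.Name                         # recorded for manual CPU-list check
        TpmSpecVersion    = $tpmVersion
        SecureBoot        = $secureBoot
        NeedsHardwareWork = -not ($tpmOk -and $sbOk)
    }
}

Get-Win11ReadinessRecord | Format-List
```

A Secure Boot result of `disabled` usually means a firmware setting rather than a hardware replacement, so treat it separately from `legacy BIOS (no UEFI)` and `none` for TPM when planning upgrades.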
Your roadmap for secure migration
- Take inventory of your Windows 10 devices.
- Identify particularly critical systems, such as those used at central interfaces or security-relevant locations.
- Check hardware compatibility with Windows 11. TPM 2.0, Secure Boot, and supported CPUs are mandatory. You can find the requirements here.
- Plan hardware upgrades if necessary.
- Identify business-critical applications and check whether they are compatible with Windows 11. Involve the respective manufacturer if necessary.
- Create a prioritized plan for migrating from Windows 10 to Windows 11 that takes into account the criticality of the systems and the effort required for migration.
- Perform the migration on a series of test systems and test the compatibility of the applications and hardware yourself. During migration, take special care to configure the new Windows 11 installations securely and harden them against attacks.
- Only use ESU where immediate migration is not possible. Create a plan for how the migration of these systems can be completed by October 2026.
- If the migration of the test systems has been successful and no problems arise within a reasonable period of time, perform the migration on your remaining Windows 10 systems.
- Conduct a pentest of your new Windows 11 environment.
Security as value added: Why a pentest after migration pays off
After migrating to Windows 11, we recommend checking the security of your new environment with a targeted pentest. New default configurations, inherited policies, or unnoticed configuration errors can create vulnerabilities that are easily overlooked in everyday use. Our experts test your environment under realistic conditions and with a focus on typical attack vectors in Windows 11 infrastructures.
We check the following areas for you:
- Endpoint hardening: Can WDAC/AppLocker be bypassed? Are ASR rules effective?
- Credential protection: Are login credentials sufficiently protected, e.g., against extraction from LSASS or reuse of local admin credentials?
- Lateral movement: Are there vulnerabilities in Intune, GPO, Active Directory, or the Entra ID configuration?
- Identity & access: Does conditional access work? Are there MFA gaps?
- Detection & response: Does your SOC reliably detect attacks on Windows 11?
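Before a pentest looks for bypasses, you can record what is actually configured for the first two areas. The following read-only snapshot is an added example, not part of the original article; the function name `Get-EndpointHardeningSnapshot` is hypothetical, and it assumes an elevated session on a Windows 11 system with Microsoft Defender active. It reports configuration only and does not show whether a control can be bypassed.

```powershell
# Added example: read-only snapshot of ASR, LSA protection, Credential Guard and WDAC state.
# Assumption: elevated PowerShell on a migrated Windows 11 test system, Defender active.
function Get-EndpointHardeningSnapshot {
    [CmdletBinding()]
    param()

    # ASR: rule GUIDs and their actions are parallel arrays in the Defender preferences.
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $mp  = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $act = @($mp.AttackSurfaceReductionRules_Actions)
    $asr = @(for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $actionNames[[int]$act[$i]] }
    })

    # LSA protection (LSASS as protected process): RunAsPPL = 1 or 2 means it is configured.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name RunAsPPL -ErrorAction SilentlyContinue
    $lsaProtection = if ($lsa -and $lsa.RunAsPPL -in 1, 2) { 'configured' } else { 'not enabled' }

    # Device Guard class: Credential Guard is service 1; WDAC status is 0/1/2.
    $dg = Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $ciNames = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $credGuard = $false
    $wdac = 'unknown'
    if ($dg) {
        $credGuard = ($dg.SecurityServicesRunning -contains 1)
        $wdac = $ciNames[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        AsrRulesConfigured     = $asr.Count
        AsrRulesNotBlocking    = @($asr | Where-Object { $_.Action -ne 'Block' }).Count
        AsrRules               = $asr
        LsaProtection          = $lsaProtection
        CredentialGuardRunning = $credGuard
        WdacPolicyStatus       = $wdac
    }
}

Get-EndpointHardeningSnapshot | Format-List
```

An `AsrRulesConfigured` value of 0, or rules left in `Audit` after the test phase, is the kind of inherited or default configuration the paragraph above warns about.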
Frequently asked questions from our customers
Can we continue to use Windows 10?
This is possible temporarily, but the risk increases rapidly after support ends. In the short term, you can continue to use Windows 10, especially with ESU. In the medium and long term, however, only migration to Windows 11 will allow secure operation.
Do we need new hardware for Windows 11?
In many cases, yes. Windows 11 requires TPM 2.0, Secure Boot, and supported CPUs. Running Windows 11 on unsupported hardware is not recommended and may compromise security and supportability.
Will our applications operate on Windows 11?
Most modern apps do, but business-critical software must be tested. Older applications or those developed specifically for your own use case are particularly at risk of no longer running on Windows 11. Check with the vendors at an early stage to clarify this.
Ready for the next step?
We support you from planning to securing your new Windows 11 environment. Get in touch with us.



