14th October 2025 is a date everyone running Windows 10 must remember. On that date, your machines will stop receiving any Microsoft security updates, leaving you open to attacks and malware. Get ready for Windows 11.
If your organisation is running Windows 10, now’s the time to start looking at Windows 11 to give yourself plenty of time to review, test and update your machines. First, let’s address the elephant in the room: the hardware requirements. Windows 11 requires a TPM 2.0 security chip and a CPU from, ideally, the last five years (8th Generation).
If in doubt, grab the PC Health Check app from Microsoft and run it on your machines.
This is absolutely the first step. You can have everything else in perfect order and ready to go, but if your hardware doesn’t support Windows 11, you can’t upgrade, and we all know procuring new hardware isn’t an overnight task.
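For checking more than a handful of machines, the same facts can be collected with a script. The PowerShell below is an added example, not part of the original article or of PC Health Check; it covers only the TPM 2.0 and 64-bit requirements mentioned here and reports the CPU name for manual review. The function name and CSV path are assumptions.

```powershell
# Added example, not from the original article. Run elevated: Win32_Tpm is admin-only.
function Get-Win11HardwareReadiness {
    [CmdletBinding()]
    param()

    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    $cpu    = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $system = Get-CimInstance -ClassName Win32_ComputerSystem

    $blockers = @()
    if (-not $tpm) {
        $blockers += 'No TPM visible to Windows (absent, or switched off in firmware)'
    } elseif ($tpmVersion -ne '2.0') {
        $blockers += "TPM spec version is $tpmVersion, Windows 11 needs 2.0"
    } elseif (-not $tpm.IsEnabled_InitialValue) {
        $blockers += 'TPM 2.0 present but not enabled'
    }
    # DataWidth describes the CPU itself; Is64BitOperatingSystem describes the installed Windows.
    if ($cpu.DataWidth -ne 64) {
        $blockers += 'CPU is not 64-bit capable'
    } elseif (-not [Environment]::Is64BitOperatingSystem) {
        $blockers += '32-bit Windows installed; Windows 11 is 64-bit only'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Model           = $system.Model
        CpuName         = $cpu.Name.Trim()   # compare by hand with the 8th-generation guideline
        TpmSpecVersion  = $tpmVersion
        NoBlockersFound = ($blockers.Count -eq 0)
        Blockers        = $blockers -join '; '
    }
}

# Append one row per machine to an inventory file (path is a placeholder).
Get-Win11HardwareReadiness | Export-Csv -Path '.\win11-readiness.csv' -Append -NoTypeInformation
```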
The good news is that once done, that’s the most difficult part dealt with. Don’t think of Windows 10 to Windows 11 as an upgrade in the sense of XP to 7 or 7 to 10. Those “destroy and rebuild” days are a thing of the past. Windows 11 is an update, not an upgrade, and it builds on top of Windows 10.
With that in mind, you could technically point the machines at Windows Update and download/install Windows 11 onto them – it’s that easy.
View this Windows 11 upgrade as an opportunity to modernise and automate your device infrastructure. Think about it: when was the last time you reviewed your Group Policies and cleaned them up?
Modernising your environment
In the modern, hybrid world, imagine not needing a VPN to access your files stored on a creaky old file server and instead embracing OneDrive and SharePoint. Save yourself the costs and maintenance of looking after a server and let cloud storage do the work for you. Your users can even restore deleted documents themselves!
You could even take things one step further and move entirely to Azure AD-joined, cloud-managed devices using Microsoft Intune and Autopilot.
Using these technologies, you can move your policies, settings and applications into the cloud so your end-users can access whatever they need from anywhere in the world. If you need to rebuild a device, as long as it’s connected to the internet, simply click a button within the portal and tell them to return to it in less than an hour!
Do you have a new starter joining tomorrow who HR forgot to tell you about? Traditionally you’d be building on-prem user accounts, file shares, finding an old computer and putting a new build on, then praying they don’t notice it’s used. What if the new starter isn’t even in your country? You now have to ship that machine out to them and somehow give them their login details – not even considering that they need VPN access before logging in.
In your new modern world, you log in to the Microsoft portal, create your new account and assign a license. Call your hardware supplier, who you’ve previously given your Autopilot details, and ask them to enrol and ship a device directly to your new user wherever they are.
You then supply them a Temporary Admin Pass (TAP) to enrol the machine, and they log in and set up Windows Hello for Business. You’ll notice a password hasn’t even been talked about at this point, as this is fully passwordless!
What about my apps?
The good news here is that the vast majority of your apps which work on Windows 10 will work on Windows 11, as long as you’re not switching architecture.
If you’re among the few people running 32-bit x86 for legacy software, you’re out of luck, as Windows 11 is 64-bit only. You do have some options available to you.
The first one is to test it on an x64 machine. First, test on the same OS version but with the 64-bit variant to reduce the number of variables between test machines. Otherwise, you could find an app failing due to something other than the architecture.
If it fails on 64-bit and the vendor doesn’t have a newer version, your best bet is to run the app in a virtualised environment. Some available options you have are:
DOSBox: great for your really old applications, though it does have a learning curve
VirtualBox: this will run pretty much anything, but it’s a full hypervisor, so you’ll need to build the Windows image
WinBox for 86Box: similar to VirtualBox, but designed for your old operating systems
Or use a packaging company, like Algiz Technology, to identify what’s blocking the application and resolve it for you.
With the legacy apps out of the way, we can now look at the modern ones. If you manually install apps from a file share/USB and click-click-next, this isn’t a good use of your time. Look at packaging these applications and then deploy them centrally. If you aren’t ready or licensed for Intune, there are alternatives such as PDQ Deploy, or even deploying during an MDT task sequence.
If and when you decide to move to a cloud-managed configuration, having your applications pre-packaged with silent installation parameters will reduce the work required when configuring your new environment.
Now you have your apps packaged, what happens if one of your key line-of-business apps stops working with a future Windows update or release?
Fortunately for that, you can use Microsoft TestBase.
By packaging your applications appropriately, or getting a packager to do them for you, you can upload your essential apps into this service, check for compatibility against all current OS versions, and tick a box for it to automatically test against future releases! No more worrying when an update comes out. Let TestBase do the hard work for you!
I’m still using App-V, what would you suggest?
App-V has been around in the latest V5 version since 2012 (with older versions going back even further) and was a simple, reliable way to stream applications to devices. I used it regularly, but sadly, it’s now scheduled for end-of-life in April 2026, so if you’re using App-V currently, as with Windows 10, start planning to migrate to a different format.
The natural replacement is MSIX which can directly convert App-V packages without re-packaging them. It’s worth noting that MSIX does require a code-signing certificate to secure the packages. This can be a commercial one, which comes at a cost, or a self-signed certificate. Obviously, if you go down the self-signed route, you’ll need to distribute your certificate and ensure you keep on top of renewals. You won’t be able to package an application with an expired certificate.
During packaging, you can also specify a Timestamp Server URL. With a timestamp in place, MSIX checks whether the certificate was valid at the time of packaging, so your already packaged applications continue working after the original certificate expires and you don’t have to update them every time it does.
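To see which packages are actually protected by a timestamp, you can sign with one and then audit your package store. The PowerShell below is an added example, not from the original article or Microsoft’s tooling; it assumes signtool.exe from the Windows SDK is on PATH and that Get-AuthenticodeSignature can read MSIX signatures on your Windows build. The function names, the 90-day warning window and the paths are hypothetical, and the timestamp URL is whatever your certificate provider documents.

```powershell
# Added example. Sign a package and have the signature countersigned by a timestamp server.
function Add-MsixTimestampedSignature {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $CertThumbprint,   # code-signing cert in your certificate store
        [Parameter(Mandatory)] [string] $TimestampUrl      # RFC 3161 timestamp server URL
    )
    & signtool.exe sign /fd SHA256 /sha1 $CertThumbprint /tr $TimestampUrl /td SHA256 $PackagePath
    if ($LASTEXITCODE -ne 0) { throw "signtool failed for $PackagePath" }
}

# Report every package under a folder, flagging signatures that have no timestamp.
function Get-MsixSignatureReport {
    param(
        [Parameter(Mandatory)] [string] $PackageRoot,
        [int] $WarnDays = 90   # assumed renewal lead time
    )
    Get-ChildItem -Path $PackageRoot -Filter *.msix -Recurse -File | ForEach-Object {
        $sig      = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer   = $sig.SignerCertificate
        $stamped  = $null -ne $sig.TimeStamperCertificate
        $daysLeft = if ($signer) { [math]::Floor(($signer.NotAfter - (Get-Date)).TotalDays) } else { $null }

        $finding = if (-not $signer)                { 'Unsigned' }
                   elseif ($stamped)                { 'OK: timestamped' }
                   elseif ($daysLeft -lt 0)         { 'Certificate expired and no timestamp' }
                   elseif ($daysLeft -le $WarnDays) { 'Re-sign with a timestamp before the certificate expires' }
                   else                             { 'No timestamp' }

        [pscustomobject]@{
            Package     = $_.Name
            Signer      = if ($signer) { $signer.Subject } else { $null }
            CertExpires = if ($signer) { $signer.NotAfter } else { $null }
            Timestamped = $stamped
            Finding     = $finding
        }
    }
}

# Usage (folder is a placeholder):
# Get-MsixSignatureReport -PackageRoot 'D:\Packages' | Sort-Object CertExpires | Format-Table -AutoSize
```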
Of course, MSIX isn’t your only option here. App-V was often used as a basic application distribution tool, so for your more standard applications, you could simply package into a friendly format and deploy with an off-the-shelf application deployment tool.
What if I’m not ready for fully cloud-managed?
This is absolutely not a problem and certainly not a blocker to moving to Windows 11. Moving to the cloud can be a long journey for some, and this may not be the best time. As mentioned earlier, you could do nothing and just in-place update, or you could make your first steps on your cloud journey and use this as a chance to start cleaning your environment and learning exactly what’s being applied to your devices.
If you’re replacing devices, you could always keep some of the older ones to one side to dip your toe into Intune/Autopilot so you can test everything in a sandbox environment without impacting any of your production users.
Can I test Windows 11 without updating my machine?
This one comes up quite often. You’ve done all of your checks across your policies and are reasonably confident your applications will work, but you don’t want to upgrade your machine in case of issues. Also, you may not be in a position to have spares.
If you have Intune configured, look at using Windows 365, even if it’s just for a month. It’ll give you the full Windows 11 experience but running from your production machine. Pricing is reasonable and cheaper than purchasing a new machine – it doesn’t take up any desk space either.
If you don’t have an Intune presence, using a Virtual Machine would be the other option. Windows 10 supports Hyper-V on any non-Home version, and as long as you aren’t running on 4GB of RAM, adding a single Windows VM shouldn’t tax your machine too much.
To make things even easier, if you’re running Windows 10 on your machine, you can use the Hyper-V Quick Create virtual machine option and select Windows 11 dev environment, which will save you from having to download and configure a new Windows build. You can add your apps to that and check everything is working as expected.
Upgrade schedule
Now that you’re happy you have everything arranged and tested, you need to look at the order in which to update your machines.
First, NEVER upgrade a department at a time. If you come across an issue, that department is entirely offline. This especially includes your IT department. Not only are they offline, but so is your IT support for everyone else.
For the first batch, try and get a variety of hardware and software. Until now, your tests will have been on restricted device types, so to ensure there aren’t any driver issues, the more different hardware models, the better. Again, these are your ‘test’ users, so don’t pick anyone who doesn’t have a spare machine or can’t do something else whilst issues are fixed.
Next, once you’re happy there aren’t any show-stopping issues, test on some key users across the company. Try and pick the power users of your core applications so they can fully stress test them. As much as IT are expected to be experts in every application ever made, we all know that’s impossible. Also, pick some more vocal users. If they have a great experience, having them on your side is always good.
Now you’ve stress tested your hardware and apps, you can work on everyone else. Split departments into smaller chunks, do a sub-section of each and then keep expanding.
Finally, once you’re happy you can dedicate the time they need, schedule in your VIP users who’ll need the red carpet treatment.
Windows 11 update workflows
Working on the assumption that you’re not just going to click Update on your machines in whatever current state they are in, this is the suggested route I would take when embarking upon your journey:
Check your hardware compatibility and order any required replacement hardware
Review your current Group Policies, clean them up and document what you have
Review your applications and look to re-package them to silent installations for deployment via any of a number of tools (including Group Policy)
Run your newly packaged key applications through Test Base
Build a Windows 11 machine and check everything is working as expected
Plan an upgrade schedule for your users
If you’re using this as a chance to move to Intune:
Review your group policies and re-create them in Intune using best practices
Package and upload your applications
Configure your Autopilot enrolment
Review and configure your user personas
Deploy a cloud-managed machine and test it fully
Plan a migration schedule. Moving from AD to AAD is a full wipe and load, so you can upgrade to Windows 11 at the same time
That’s it. Hopefully, this has been useful and puts your mind at ease when it comes to the upcoming Windows 10 deadline.