You are still running Windows 10. Maybe the hardware cannot handle Windows 11. Maybe you are waiting for the right moment to switch. Maybe you just prefer it. Whatever the reason, millions of machines are in the same position in 2026, and the security landscape has changed since Microsoft stopped issuing free patches in October 2025.
This guide is a practical, no-filler security checklist. It does not lecture you about upgrading - you already know that is an option. Instead, it focuses on concrete steps you can take right now to reduce your attack surface and keep an unpatched (or ESU-patched) Windows 10 installation as safe as reasonably possible. If you want to understand the ESU programme itself, our Windows 10 ESU guide covers eligibility, pricing, and when it makes sense. For broader guidance on older machines, visit our Guides hub.
The Real Risk Landscape in 2026
Let's be specific about what "end of support" actually means in practice. When Microsoft stops patching Windows 10, it does not mean the OS immediately becomes dangerous. What changes is the trajectory: every new vulnerability discovered in Windows 10 from this point forward will remain unpatched for non-ESU users permanently.
The most dangerous vulnerabilities are the ones that require no user interaction - so-called "zero-click" exploits that can be triggered over the network. These are rare but not theoretical; several have been disclosed for Windows in recent years, including vulnerabilities in the SMB file sharing protocol and the print spooler service. On a patched system, these are fixed within weeks. On an unpatched system, they remain open indefinitely.
The practical risk depends on how the machine is used. A laptop that connects to coffee-shop Wi-Fi and browses the open web has a very different exposure profile than a desktop behind a home router that is used primarily for document editing. The checklist below addresses both scenarios by hardening the layers you can still control.
Step 1 - Harden Your Browser
Your browser is the single largest attack surface on any internet-connected PC. On an unpatched OS, keeping the browser fully updated and properly configured is the most impactful thing you can do.
Use a browser that still supports Windows 10
As of early 2026, Google Chrome, Microsoft Edge, Mozilla Firefox, and Brave all still issue updates for Windows 10. Verify this periodically - once a browser drops Windows 10 support, you must switch to one that still provides patches. An outdated browser on an outdated OS is a compounding vulnerability.
Enable automatic updates
Open your browser's settings and confirm that automatic updates are enabled. Chrome and Edge update silently in the background by default, but enterprise policies or third-party tools can disable this. Check chrome://settings/help or edge://settings/help to verify you are on the latest version.
Install uBlock Origin
A content blocker removes malicious ads and tracking scripts before they execute. uBlock Origin is open-source, lightweight, and widely trusted. It does not replace antivirus, but it prevents a large category of web-based attacks from reaching the browser engine in the first place.
Disable unnecessary browser features
Turn off automatic file downloads, disable JavaScript on sites you do not trust (the NoScript extension helps with this on Firefox), and review your installed extensions - every extension is a potential attack vector. Remove anything you do not actively use.
Step 2 - Lock Down the Firewall and Network
The Windows Firewall is still functional on Windows 10, and it is your first line of defence against network-based attacks. On an unpatched system, this layer matters even more than usual.
Verify Windows Firewall is enabled
Open Control Panel > System and Security > Windows Defender Firewall and confirm it is on for both private and public networks. If a third-party firewall is installed instead, ensure it is active and up to date.
Disable SMBv1
SMBv1 is an old file-sharing protocol that has been the vector for major attacks including WannaCry. Open Control Panel > Programs > Turn Windows features on or off, find "SMB 1.0/CIFS File Sharing Support," and uncheck it. Modern file sharing uses SMBv2 and SMBv3, which remain enabled by default.
Disable Remote Desktop if not in use
Open Settings > System > Remote Desktop and turn it off unless you specifically need it. Remote Desktop listening on the network is a common target for brute-force attacks, especially on machines with weak passwords.
Set public Wi-Fi profiles correctly
When connecting to any Wi-Fi network outside your home, ensure Windows treats it as a "Public" network. This disables network discovery and file sharing, reducing your exposure on untrusted networks. Check under Settings > Network & Internet > Wi-Fi > [network name] > Properties.
Step 3 - Choose and Configure Antivirus
Windows Defender (built-in) continues to receive definition updates on Windows 10 for now, and it is a solid baseline. However, you should not rely on it alone when the underlying OS is unpatched.
Keep Windows Defender active and updated
Even on an end-of-life OS, Microsoft continues pushing Defender signature updates. Open Windows Security > Virus & Threat Protection > Protection Updates and verify definitions are current. Enable cloud-delivered protection for faster response to new threats.
Consider a complementary scanner
Malwarebytes Free can run alongside Defender as a second-opinion scanner. Schedule a weekly or bi-weekly manual scan to catch anything Defender might miss. Do not run two real-time antivirus products simultaneously - they will conflict and degrade performance.
Enable Controlled Folder Access
This Windows 10 feature prevents unauthorised applications from modifying files in your Documents, Pictures, and Desktop folders. It is effective against ransomware. Enable it under Windows Security > Virus & Threat Protection > Ransomware Protection. You may need to whitelist specific trusted applications that it blocks.
Step 4 - Sandbox Risky Applications
Sandboxing isolates an application so that even if it is compromised, the damage cannot spread to the rest of the system. On an unpatched OS, this is one of the most effective strategies available.
Use Windows Sandbox for untrusted files
Windows 10 Pro and Enterprise include Windows Sandbox - a disposable virtual environment that resets when closed. Use it to open suspicious email attachments, downloaded installers, or files from USB drives. Enable it under Turn Windows features on or off > Windows Sandbox.
Run daily browsing in a standard user account
Create a non-administrator account for everyday use. This limits the damage any exploit can do - even if malware runs under your user session, it cannot modify system files or install drivers without the administrator password. Reserve the admin account for software installation and system configuration only.
Keep applications updated independently
Every application on the machine - not just the browser - is a potential entry point. Enable automatic updates for PDF readers, media players, office suites, and communication tools. Uninstall applications you no longer use; each one is unnecessary attack surface.
What ESU Does and Does Not Cover
If you have purchased Extended Security Updates, you are in a better position than those running completely unpatched. But ESU is not a complete safety net.
ESU delivers critical and important security patches for the Windows kernel and core components. It does not patch third-party applications, does not update drivers, and does not cover Microsoft applications like Office unless they are separately licensed for extended support. The checklist above still applies even with ESU - browser hardening, firewall configuration, antivirus, and sandboxing are complementary layers that ESU does not replace.
Think of it this way: ESU patches the foundation walls. The checklist in this guide locks the doors and windows. You need both for a defensible position.
When It Is Time to Move On
There is a point where staying on Windows 10 stops being a pragmatic choice and becomes an unnecessary risk. Here are the clear signals.
Your browser drops Windows 10 support
The day your primary browser stops updating on Windows 10, your most important defence layer is gone. At that point, every website you visit is a potential vector. This is the single hardest line in the sand.
A critical unpatched vulnerability is actively exploited
If a zero-day kernel exploit targeting Windows 10 appears in the wild with no patch available (even through ESU), the risk equation changes overnight. Monitor security news feeds or the CISA Known Exploited Vulnerabilities catalogue for Windows 10 entries.
Your essential software requires a newer OS
When the applications you depend on - whether that is Zoom, QuickBooks, or Adobe Creative Cloud - require Windows 11 or later, continuing on Windows 10 means falling behind on both OS security and application security simultaneously.
The hardware is struggling anyway
If the machine is slow, the drive is failing, or RAM is insufficient for your workload, the security discussion is secondary. Address the hardware first, and choose an OS that matches what the hardware can actually deliver. Our secure wipe guide covers preparing the machine for its next chapter.
Quick Security Checklist
- Browser is up to date and still receiving Windows 10 patches
- uBlock Origin or equivalent content blocker installed
- Windows Firewall enabled on all network profiles
- SMBv1 disabled
- Remote Desktop disabled (if not needed)
- Windows Defender active with current definitions
- Controlled Folder Access enabled for ransomware protection
- Daily use on a standard (non-admin) account
- All installed applications up to date
- Unused applications uninstalled
- Public Wi-Fi networks set to "Public" profile
- ESU purchased or migration plan in place
Frequently Asked Questions
The Bottom Line
Running Windows 10 in 2026 is not inherently reckless, but it does require active effort. The checklist above addresses the layers you can still control - browser, firewall, antivirus, user accounts, and application hygiene. None of these measures substitute for OS-level patches, but together they meaningfully reduce the attack surface available to an adversary.
The honest assessment: this is a holding pattern, not a long-term strategy. Each month that passes without OS patches widens the gap between what your system can defend against and what attackers can throw at it. Use the checklist, buy ESU if the cost makes sense, and start planning your transition to either Windows 11 or a Linux distribution that keeps receiving updates. The goal is not to stay on Windows 10 forever - it is to stay safe while you work out your next move.