The UK's Department for Environment, Food and Rural Affairs (Defra) expended £312 million from 2020 to 2024 to upgrade its systems to Windows 10, only for Microsoft to end support shortly thereafter on 2025-10-14. Despite this substantial investment, Defra still reports that approximately 24,000 of its devices remain outdated or incapable of upgrading to Windows 11, elevating cybersecurity risks.
Challenges in Migration
Defra’s chief digital information officer, Sarah Wilmshurst, labeled the upgrade as a tactical measure. The attempt to switch to Windows 11 was thwarted by procurement delays, budget constraints, and technical limitations, such as many devices lacking TPM 2.0. These factors reflect a broader issue across the public sector where aging IT infrastructure increases vulnerability as Windows 10 becomes obsolete.
To manage risks after support ends, Microsoft's Extended Security Updates (ESU) program offers temporary relief, but at a rising cost. First-year ESU fees are approximately $61 for businesses. For Defra, the additional expenses, including hardware updates and hidden costs such as downtime, further burden the public purse.
Implications and Solutions
The National Cyber Security Centre (NCSC) advised an early transition to Windows 11 to mitigate potential threats like malware and ransomware. Alternatives considered include phased hardware updates, use of Windows 10 IoT Enterprise LTSC, cloud integration, and zero-trust models. However, Defra’s precise migration timeline and budget remain uncertain.
The situation emphasizes the crucial link between policy, procurement, and IT planning within government agencies. It highlights the necessity for proactive measures in procurement, forward compatibility checks, and robust investment to safeguard essential services, such as those provided by Defra.