Navigating the NHS Windows 11 Migration

Oscar Whitmarsh

A Strategic Roadmap

Introduction

With support for Windows 10 ending on October 14, 2025, NHS organisations face a race against time to migrate to Windows 11. Yet many NHS trusts and healthcare facilities still rely on the ageing OS. That delay, set against a fixed end-of-support date, leaves NHS IT teams little room to manoeuvre and a strong reason to act swiftly.

As a Solutions Engineer at ThreatAware, I have witnessed firsthand how NHS IT departments are racing to upgrade thousands of devices before the deadline. Microsoft has been clear that after the end-of-life date Windows 10 will receive no further free security updates; the only supported route for stragglers is paid Extended Security Updates. Running an unsupported OS exposes clinical systems to every vulnerability disclosed after that date, and it puts the organisation in breach of the Data Security and Protection Toolkit (DSPT): assertion 3.3.1 requires that all infrastructure runs operating systems within vendor support, so an organisation still on Windows 10 cannot truthfully make that assertion. That in turn weakens the protection of patient data and can lead to regulatory action under UK GDPR. NHS organisations cannot afford those risks, nor the steep cost of extended support.

The Windows 11 migration is not just a routine upgrade: it's a time-bound imperative for security, patient safety, and operational continuity within the NHS.

Providing Context

Migrating an entire device fleet to a new OS is one of the most complex projects NHS IT teams face. With the Windows 10 end-of-life date fast approaching, the pressure is mounting for NHS organisations to act now or risk running an obsolete platform.

The 2017 WannaCry ransomware attack demonstrated how critical operating system updates are to NHS security. The worm spread through an SMBv1 vulnerability for which Microsoft had published the MS17-010 patch two months earlier; the NHS devices that were hit were those that had not applied it, or that ran out-of-support versions of Windows for which no patch was available at the time. The result was significant disruption to patient care and substantial financial impact. The incident underscores why keeping operating systems current and patched is essential for both operational and clinical safety in healthcare environments.

Key challenges include:

Legacy Application Compatibility: Many NHS organisations rely on legacy clinical applications that have only ever been validated on Windows 10 or earlier. Upgrading raises the question of whether these essential systems will function properly, and some trusts delay migration until they are certain critical clinical systems will operate without interruption.

Hardware Requirements: Windows 11 has more stringent hardware prerequisites than Windows 10: a supported 64-bit processor, UEFI firmware with Secure Boot capability, a TPM 2.0, and at least 4 GB of RAM and 64 GB of storage. Some gaps can be closed in firmware (enabling a firmware TPM that is present but switched off, or turning on Secure Boot), others only by replacing the device. For NHS trusts, telling the two apart requires accurate hardware data and careful planning within NHS funding constraints.

Distributed Workforce & Device Visibility: NHS organisations have highly distributed IT estates spanning hospitals, GP practices, and remote workers. Knowing the state of all devices across these settings is challenging, with incomplete inventory data creating blind spots that complicate compliance efforts.

For an NHS migration involving thousands of users, a structured approach is essential:

1. Asset Discovery & Inventory: Gather a comprehensive inventory of all devices across the NHS trust. Consolidate data from Active Directory, endpoint management systems, and other records. An accurate inventory is crucial—overlooked devices create security risks in healthcare settings.

2. Device Assessment: Check hardware and software compatibility for Windows 11. Verify each machine meets the new requirements and review installed software for compatibility issues, focusing on clinical applications. Categorise devices as ready, needing adjustments, or requiring replacement.

3. Upgrade Planning: Plan the rollout considering clinical priorities and care continuity. Decide on deployment methods and schedule phases, starting with pilot groups in non-critical areas before expanding while minimising disruption to patient care.

4. Deployment & Tracking: Execute deployments using enterprise-grade tools. Monitor upgrade status with dashboards and track which devices have transitioned, with special attention to devices in critical care areas.
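The hardware-requirements challenge above and steps 1, 2 and 4 of this procedure all come down to the same question per device: does it meet the Windows 11 minimums, and if not, is that fixable in firmware or does the device need replacing? The script below is an added example written for this page, not ThreatAware's code or a Microsoft tool. It probes each device over WinRM for the checks named in the text (64-bit CPU, UEFI with Secure Boot, TPM 2.0, RAM and system-disk size) and files it as Ready, NeedsAdjustment, Replace or Unreachable, with the reasons. It assumes it is run as a domain admin from a management host with WinRM open to the targets; the device names are a constructed sample to be swapped for an Active Directory or inventory export. Microsoft's supported-processor model lists are not encoded, so a device that passes the 64-bit check still needs its CPU model confirmed against those lists.

```powershell
# Added example (not ThreatAware's code): Windows 11 readiness triage over WinRM.
# Assumes: domain-admin session, WinRM reachable on targets, PowerShell 5.1+ on targets.
# $Computers is a constructed sample list; replace with Get-ADComputer or an inventory export.

$Computers = @('WARD-PC-01', 'THEATRE-WS-03', 'GP-RECEPTION-7')   # constructed sample names

# Runs on each target and returns the raw facts the categorisation needs.
$ProbeScript = {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # Win32_Tpm lives in the security namespace and is absent when no TPM is exposed to the OS.
    # SpecVersion reads like "2.0, 0, 1.38" for a TPM 2.0 or "1.2, 2, 3" for a TPM 1.2.
    $tpm = $null
    try { $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction Stop } catch {}
    $tpmEnabled = $false
    if ($tpm) { $tpmEnabled = (Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled }

    # Confirm-SecureBootUEFI throws on a legacy-BIOS boot; $env:firmware_type reports UEFI or Legacy.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch {}

    [pscustomobject]@{
        OS         = $os.Caption
        Build      = [int]$os.BuildNumber            # 22000 and above is already Windows 11
        Cpu64      = ($cpu.AddressWidth -eq 64)
        Os64       = ($os.OSArchitecture -like '64*')
        Firmware   = $env:firmware_type
        SecureBoot = [bool]$secureBoot
        TpmSpec    = if ($tpm) { $tpm.SpecVersion } else { 'none' }
        TpmPresent = [bool]$tpm
        Tpm20      = [bool]$tpm -and ($tpm.SpecVersion -like '2.0*')
        TpmEnabled = [bool]$tpmEnabled
        RamGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        SysDiskGB  = [math]::Round($sys.Size / 1GB, 1)
    }
}

# Worst finding wins: a device with one Replace reason is Replace regardless of other findings.
$Rank = @{ Ready = 0; NeedsAdjustment = 1; Replace = 2 }

function Resolve-Category {
    param($Device)
    if ($Device.Build -ge 22000) { return [pscustomobject]@{ Category = 'AlreadyWindows11'; Reasons = '' } }
    $findings = @()   # each entry is @(category, reason)
    if (-not $Device.Cpu64)                            { $findings += ,@('Replace', 'CPU is not 64-bit') }
    if ($Device.TpmPresent -and -not $Device.Tpm20)    { $findings += ,@('Replace', "TPM spec $($Device.TpmSpec) is below 2.0") }
    if (-not $Device.TpmPresent)                       { $findings += ,@('NeedsAdjustment', 'no TPM exposed; check firmware for a disabled fTPM/PTT before writing the device off') }
    if ($Device.TpmPresent -and -not $Device.TpmEnabled) { $findings += ,@('NeedsAdjustment', 'TPM present but disabled in firmware') }
    if ($Device.Firmware -ne 'UEFI')                   { $findings += ,@('NeedsAdjustment', 'legacy BIOS boot; convert with MBR2GPT if the firmware supports UEFI, otherwise replace') }
    elseif (-not $Device.SecureBoot)                   { $findings += ,@('NeedsAdjustment', 'UEFI boot but Secure Boot is off') }
    if ($Device.RamGB -lt 4)                           { $findings += ,@('NeedsAdjustment', "only $($Device.RamGB) GB RAM (minimum 4)") }
    if ($Device.SysDiskGB -lt 64)                      { $findings += ,@('NeedsAdjustment', "system disk $($Device.SysDiskGB) GB (minimum 64)") }
    if ($Device.Cpu64 -and -not $Device.Os64)          { $findings += ,@('NeedsAdjustment', '32-bit Windows on a 64-bit CPU: needs a clean install, not an in-place upgrade') }

    $category = 'Ready'
    foreach ($f in $findings) { if ($Rank[$f[0]] -gt $Rank[$category]) { $category = $f[0] } }
    [pscustomobject]@{ Category = $category; Reasons = ($findings | ForEach-Object { $_[1] }) -join '; ' }
}

$report = foreach ($c in $Computers) {
    try {
        $p   = Invoke-Command -ComputerName $c -ScriptBlock $ProbeScript -ErrorAction Stop
        $cat = Resolve-Category $p
        [pscustomobject]@{ Computer = $c; Category = $cat.Category; Reasons = $cat.Reasons
                           OS = $p.OS; TPM = $p.TpmSpec; SecureBoot = $p.SecureBoot; RamGB = $p.RamGB }
    } catch {
        # A device that does not answer is a finding in its own right: it is an inventory blind spot.
        [pscustomobject]@{ Computer = $c; Category = 'Unreachable'; Reasons = $_.Exception.Message
                           OS = $null; TPM = $null; SecureBoot = $null; RamGB = $null }
    }
}

$report | Sort-Object Category, Computer | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\win11-readiness.csv
```

The probe deliberately reports a missing TPM as NeedsAdjustment rather than Replace: on many business desktops the firmware TPM (Intel PTT or AMD fTPM) is present but switched off, and it only appears to the OS once enabled, so a "no TPM" result is a firmware check before it is a procurement decision. Re-running the script after each firmware change gives the per-device tracking that step 4 asks for.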

Challenges and Hurdles

NHS migrations present specific challenges:

Tracking Upgrade Status: In complex healthcare environments, keeping accurate records of upgraded devices is difficult when they're in constant clinical use.

Inconsistent Reporting: Different tools may show conflicting upgrade statuses, making it hard for NHS IT teams to gauge progress, potentially leaving critical systems at risk.

Hardware Limitations: Some devices have hidden issues preventing upgrades. Accurate hardware data is essential to identify these early, especially for specialised clinical equipment.

Lack of Centralised Visibility: In large NHS environments, asset data often exists in silos across different facilities, making it challenging to get an accurate picture of the entire device fleet.

Why Agentless Visibility Tools Matter

For NHS organisations, robust visibility into IT assets is crucial. An agentless cyber asset management platform like ThreatAware provides:

Consolidated Data Collection: These tools pull data from multiple sources to compile a unified inventory, eliminating manual audits and ensuring no devices are missed across distributed healthcare settings.

Real-Time Device State: Continuous data collection provides current snapshots of asset status, allowing NHS IT teams to detect discrepancies early and address issues before they impact clinical operations.

Deep Asset Intelligence: Beyond basic details, these platforms provide granular information on hardware, software, and online status, helping prioritise critical clinical systems.

Smooth Migration Workflow: A consolidated dashboard supports every stage of the migration process, reducing uncertainty in multi-department healthcare environments where service continuity is paramount.

Best Practices

Start Early: Begin well ahead of the end-of-support date, breaking the project into phases with timelines that account for clinical priorities.

Conduct a Thorough Inventory Audit: Use automated discovery tools to compile an accurate inventory of all endpoints across all NHS facilities. This approach aligns directly with DSPT assertion 3.3.2, which requires organisations to maintain a comprehensive and accurate register of all IT assets. Ensure that every device is accounted for and reconcile the data across all systems to prevent any gaps. The costly impact of the 2017 WannaCry attack on the NHS might have been mitigated with better asset visibility, as the National Audit Office report on the incident specifically identified poor asset management as a contributing factor.
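Reconciling inventory data across systems, as this practice, step 1 of the procedure above and the "Lack of Centralised Visibility" challenge all call for, is a set comparison once the hostnames have been normalised. The script below is an added example for this page, not ThreatAware's product logic: it takes three constructed sample exports (Active Directory computer objects with last-logon dates, an endpoint-management export using FQDNs, and an EDR console export), canonicalises the names, discards stale AD objects, and lists every device that is missing from at least one source. The source lists, the domain suffix and the 90-day staleness threshold are assumptions.

```powershell
# Added example (not ThreatAware's code): reconcile device names across three sources
# so that every device known to one system but absent from another surfaces as a gap.
# The three inputs below are constructed samples; in practice they would come from
# Get-ADComputer, an endpoint-management export and an EDR console export.

$adComputers = @(
    [pscustomobject]@{ Name = 'WARD-PC-01$';     LastLogon = (Get-Date).AddDays(-3) },
    [pscustomobject]@{ Name = 'THEATRE-WS-03$';  LastLogon = (Get-Date).AddDays(-1) },
    [pscustomobject]@{ Name = 'OLD-LAPTOP-99$';  LastLogon = (Get-Date).AddDays(-400) },   # stale AD object
    [pscustomobject]@{ Name = 'GP-RECEPTION-7$'; LastLogon = (Get-Date).AddDays(-2) }
)
$mdmDevices = @('ward-pc-01.trust.nhs.uk', 'theatre-ws-03.trust.nhs.uk', 'clinic-tablet-12.trust.nhs.uk')
$edrDevices = @('WARD-PC-01', 'GP-RECEPTION-7', 'CLINIC-TABLET-12')

# AD sAMAccountNames end in '$', MDM exports use FQDNs, EDR uses bare names in mixed case:
# reduce all of them to an upper-case short hostname before comparing.
function ConvertTo-CanonicalHostName {
    param([string]$Name)
    (($Name -replace '\$$', '') -replace '\..*$', '').ToUpperInvariant()
}

function Get-InventoryGaps {
    param($Ad, [string[]]$Mdm, [string[]]$Edr, [int]$StaleDays = 90)
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Stale AD objects are reported separately; they are cleanup work, not migration targets.
    $stale = $Ad | Where-Object { $_.LastLogon -lt $cutoff } | ForEach-Object { ConvertTo-CanonicalHostName $_.Name }
    foreach ($s in $stale) { Write-Warning "Stale AD object (no logon in $StaleDays days): $s" }

    $adSet  = @{}; foreach ($c in ($Ad | Where-Object { $_.LastLogon -ge $cutoff })) { $adSet[(ConvertTo-CanonicalHostName $c.Name)] = $true }
    $mdmSet = @{}; foreach ($n in $Mdm) { $mdmSet[(ConvertTo-CanonicalHostName $n)] = $true }
    $edrSet = @{}; foreach ($n in $Edr) { $edrSet[(ConvertTo-CanonicalHostName $n)] = $true }

    $all = @($adSet.Keys) + @($mdmSet.Keys) + @($edrSet.Keys) | Sort-Object -Unique
    $all | ForEach-Object {
        [pscustomobject]@{
            Host  = $_
            InAD  = $adSet.ContainsKey($_)
            InMDM = $mdmSet.ContainsKey($_)
            InEDR = $edrSet.ContainsKey($_)
        }
    } | Where-Object { -not ($_.InAD -and $_.InMDM -and $_.InEDR) }
}

# With the sample data: THEATRE-WS-03 is unknown to EDR, GP-RECEPTION-7 is not under MDM,
# and CLINIC-TABLET-12 has no AD object at all; WARD-PC-01 is in all three and is not listed.
Get-InventoryGaps -Ad $adComputers -Mdm $mdmDevices -Edr $edrDevices | Format-Table -AutoSize
```

Each row is a concrete follow-up: a device in AD but not in the EDR export has no endpoint protection, a device in EDR but not in AD may be unmanaged or joined elsewhere, and a device only the MDM knows about cannot be tracked through the migration by the tools that drive it. The same table, re-run weekly, is the reconciliation that DSPT assertion 3.3.2 asks trusts to be able to evidence.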

Engage Stakeholders: Involve IT operations, clinical application owners, security teams, and clinical leaders to ensure critical healthcare applications receive proper testing.

Prioritise Compatibility Testing: Establish a testing environment to validate key clinical applications before deployment to prevent disruption to patient care.

Address Hardware Gaps: Identify non-compliant devices early and align hardware upgrades with NHS budgeting processes.

Use Deployment Rings: Start with non-clinical areas to refine the process before expanding to critical care settings.

Ensure Backups: Protect patient data with solid backups and clear rollback plans, particularly for systems directly supporting patient care.

Leverage Monitoring Tools: Use dashboards to maintain real-time visibility throughout the migration for timely interventions in a healthcare setting.

Conclusion

Migrating from Windows 10 to Windows 11 in NHS organisations is challenging but achievable with the right approach. By addressing tracking, hardware compatibility, and visibility challenges, NHS IT teams can ensure a smoother transition while maintaining patient care. Beyond ensuring operational continuity, this migration is a critical compliance requirement under the Data Security and Protection Toolkit (DSPT), specifically addressing the mandates in assertions 3.3.1 (supported operating systems) and 3.2.1 (timely application of security updates).

In my experience, an agentless cyber asset management platform like ThreatAware transforms the migration process by providing comprehensive, real-time insights into your IT landscape. With the deadline approaching, the message for NHS organisations is clear: act now. Start assessing your environment, plan your upgrades, and implement the right tools to make a confident transition to Windows 11. The future of your organisation's security, operational efficiency, and ultimately patient safety depends on it.
