Welcome to the Windows 7 Extended Security Updates era
Patch Tuesday, Jan. 14, 2020, was the last scheduled general release of security updates for Microsoft Windows 7. As you have read here and elsewhere, Microsoft volume license customers get the privilege of paying $25 per seat and $50 per seat for Windows 7 Pro to continue to get updates, now called Extended Security Updates (ESUs). In 2021, they get to pay twice as much and twice that number in 2022.
Initially, Microsoft was going to sell ESU only to enterprise customers with volume licensing. But businesses of any size can buy ESU for Windows 7 Professional or Windows 7 Enterprise from a Microsoft Cloud Solution Provider. Here are some useful Microsoft links:
- How to get Extended Security Updates for eligible Windows devices
- FAQ about Extended Security Updates for Windows 7
- Microsoft's Cloud Solution Provider program
The inevitability of this situation has been plain, essentially since Microsoft released Windows 7 itself in 2009 and announced the lifecycle details for it, following a policy it had for all its products. And yet, there are a lot of Windows 7 users still out there, including consumers, small businesses, enterprises, and governments.
We know the most about governments: According to The Verge, citing a German newspaper report, the German government will be spending $887,000 on ESUs. At $25 per seat, that would be 35,480 computers, a number too large to upgrade quickly. And a December 2019 report in The Inquirer claimed that the National Health Service trusts in the U.K. were still running Windows 7 on more than half of their devices. In both cases, the organizations will have to be paying for either ESUs or upgrades, even though, as Computerworld reported, "in April 2018, the Department of Health and Social Care announced a deal with Microsoft that would give NHS organisations free access to Windows 10, but the migration has nonetheless proved challenging for many of them."
What's an organization to do? We addressed that problem directly, in a recent story titled "Security after the Windows 7 end of life." Other than upgrading to Windows 10 or paying for ESUs, your options include:
- Move your desktops to virtual machines with Azure Virtual Desktop. This platform will continue to get updates for three years.
- Lock down Windows 7, meaning make changes in settings that will make the system harder to use but decrease the attack surface of the system, cutting the number of Internet access points.
It's not a policy change, so don't make too much of it. But don't be surprised if there is still a security update or two to go for Windows 7. There are historical precedents.
On Jan. 17, Microsoft reported an unpatched vulnerability affecting Internet Explorer on both Windows 10 and Windows 7. Microsoft may issue a patch for this vulnerability for Windows 7 users, even though the end-of-life date has passed. Fifteen years ago, Microsoft issued a patch for a critical vulnerability in Windows NT 4 Server just a few weeks after that product's end of life. On May 1, 2014, it issued an IE patch for Windows XP less than a month after XP's funeral.
But there's an even more recent precedent: On Sunday, Jan. 26, 2020, Microsoft issued an update to the monthly update rollup that had included the final updates for Windows 7. The first version of that update may cause wallpaper to display as black when set to Stretch (the other options are Fill, Fit, Tile, and Center). The company says it is working on a fix for all Windows 7 users (i.e., not just the ones who are paying) and, in the meantime, suggests you choose one of the other image options.
This new vulnerability is complicated by the fact that Microsoft (and every other responsible party in the world) has been urging users for many years not to use Internet Explorer anymore. And yet they continue to do so, with it accounting for 7.44 percent of users in one popular survey.
The IE fixes Microsoft creates for Windows 7 and Windows 10 will likely be identical, or nearly so, and the company will have to create it for ESU customers. So the fact that the attack was launched so soon after Windows 7's end of life may lead Microsoft to release the fix for Windows 7 customers generally, as it did with Windows NT 4 and Windows XP, shortly after they reached end of life.
There are few forces in IT as powerful as inertia. It is only reasonable to expect that in January 2021, there will still be large organizations with large numbers of Windows 7 systems still in operation.
- Security after the Windows 7 end of life
- Updating Windows 7 is getting harder and more expensive
- How not to get ransomware
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.