Windows 7 and Server 2008 end of support: What will change on 14 January?
Businesses have many options, but with 25% of Windows users still on 7, security is a worry
This is down from 35 per cent in December 2018 but still substantial. Windows has a share among desktop users of around 77 per cent, so that is around 20 per cent of active desktop PCs.
"End of support" means no technical support, software updates or security fixes from Microsoft. Of these, the significant piece is the security fixes. Without regular patches, flaws that are discovered in the operating system will put users at greater risk from things like ransomware attacks, perhaps triggered by an email attachment or malicious web link.
Windows Server 2008 and 2008 R2 also go out of support on the same day. Although it is less likely that users will be browsing the web or clicking attachments on Server 2008, it is still risky if these servers are exposed to the internet – as appears to be the case with Travelex, currently suffering a ransomware attack – or if they are used for remote desktop services.
To be clear: Windows 7 and Server 2008 will get security patches, if needed, on January 14 as usual for Patch Tuesday; it's after that date that things will be different.
Another curious feature of this "end of support" is that Microsoft will still be providing security updates for both operating systems, for three further years. So the real end of support date is in 2023. That said, you can only get these "extended security updates", or ESU, in certain ways:
- Windows Virtual Desktop (WVD) users get free ESU until January 2023.
- You can purchase Windows 7 ESU by subscription from Microsoft Cloud Solution Providers, which means most IT support companies signed up as authorised Microsoft suppliers.
- Windows 7 ESU is free for a year to customers who subscribe to Windows E5 or Microsoft 365 E5.
- Only Windows 7 Professional and Enterprise are covered by ESU.
- Windows 7 embedded can be supported through an "Ecosystem Partner Offering" support contract.
- The scenario for Windows Server 2008 ESU is similar to that for Windows 7.
If you read the FAQ for Windows 7 ESU and the documentation for Server 2008 and 2008 R2, it is apparent that this works through the normal Windows update mechanisms – including Windows Server Update Services [WSUS], widely used in businesses – but that after January 14th, the update service will look for an ESU activation key, which must be renewed each year. On Azure or WVD, the activation key appears not to be necessary.
It would therefore be just as accurate to say that Microsoft is blocking security updates for Windows 7 and Server 2008 after January 14th for most users, as that it is enabling them for select customers.
Although it is not unreasonable for Microsoft to stop updating a decade-old iteration of Windows, there is no doubt that the company is also using this as a marketing opportunity. A booklet on "Preparing for Windows Server end of support" turns out to be mostly marketing for Azure rather than technical help. "Take the opportunity to transform," it says. Ahem.
Why are so many old versions of Windows still in use?
Windows 7 is a special case, since it is the last of its line before the upheaval that was Windows 8. Even in Windows 10 today, you can see inconsistency between Microsoft's old and new approaches to the operating system. Windows 7 is in some ways more coherent, despite its age.
The reality in business, though, is more to do with inertia and application compatibility. Users who spend most of their time in, say, Google Chrome, Microsoft Office, and some custom internal applications, may find the benefits of upgrading to Windows 10 hard to see, while the cost of change is considerable.
What about the cost of not upgrading? "The threat is very simple to understand. If you continue to run Windows 7 in your organisation after next week you are putting your company, its staff, and data at risk because there simply won't be any more security patches made available … of course, many folks *will* continue to use Windows 7, presenting opportunities galore for criminals to take advantage of poorly secured systems," security professional Graham Cluley told The Register.
There is a degree of artificiality about this key "end of support" date, and there are ways to keep old stuff patched, but the security risks are real. ®