Editorial: Microsoft Should Extend Free Windows 7/2008 Updates Beyond 2020
Microsoft Windows 7, Windows Server 2008 and Windows Server 2008 R2 dropped out of support in January 2020. This meant that patches would no longer be issued for those operating systems unless the systems were covered by a (paid) licence for Extended Security Updates (ESU).
Of course, Microsoft has been warning about the end of support for some time. Free support ending in January 2020 was done in an orderly way. But now, in light of the issues around the Covid-19 Pandemic, it's time for Microsoft to re-open the updates system so patches start flowing to all systems regardless of their ESU status.
- End of support for Windows 7/2008 in January 2020 was based on business-as-usual. 2020 is not business-as-usual.
- Obtaining ESU is easier said than done. The ESU program is largely for corporations with access to the licencing programs that provide it. Home and small business users do not typically have access. Additionally, enabling ESU requires manual intervention on the affected machines, and the process of installing ESU keys on systems has not been straightforward in some cases.
- As with the WannaCry worm which ripped through vulnerable Windows XP systems, the huge number of Windows 7 systems in the worldwide Windows ecosystem is ripe for a similar catastrophe. IT helpdesks won't be able to deal with this; they're now extremely busy developing WFH (work-from-home) infrastructure for their businesses, and that will be an ongoing administration burden, not simply a one-off configuration. WannaCry was made possible due to a fault in Windows called EternalBlue which was patched for Windows Vista and above, but Microsoft issued a manual update for Windows XP some time later.
Additionally, many organisations have staff working from home, including their helpdesk staff. If part of their fleet is wiped out by some worm, they may not be able to go back to the premises to deal with it.
- Companies are bringing old machines back online for employees to use from home, so there are many old Windows 7 laptops, for example, back in production. Some of these might be upgraded to Windows 10 but — assuming organisations can afford the licences — that will take time anyway.
- To accommodate the additional burden, healthcare organisations may be deploying retired equipment with Windows 7, and that creates a security risk in a sector that simply cannot tolerate those risks.
- Worldwide supply of new laptops, desktops and servers will be constrained due to reductions in manufacturing capacity, so replacing Windows 7/2008 systems with Windows 10/2019 will slow.
- Microsoft has announced that Education and Enterprise editions of Windows 10 1709 will receive updates for another six months. Thus Microsoft already realises that extending the end-of-life of an operating system relieves an administration burden on IT helpdesks and makes the wider ecosystem safer.
- Beginning May 2020, Microsoft will change their servicing model to concentrate on security updates and will skip the so-called C and D updates which are mostly “preview” updates for early adopters and testing. Thus Microsoft realises the need to focus on security and reduce the burden on IT administrators.
- Microsoft are already building and testing security updates for Windows 7/2008 R2 for ESU customers. Making them available to everyone will not require any additional effort.
- If an organisation is wiped out by some malware made possible by a fault in Windows 7/2008 which was patched for ESU users, there will be reputational risk for Microsoft and most likely they will open the patches anyway (as they did to a limited extent with Windows XP).
- Current ESU customers can have their support period extended as appropriate.
The best thing Microsoft can do for the worldwide IT environment is ensure all Windows 7/2008 systems are patched and safe. This is not business as usual and the world doesn't need any more problems.
— Geoff Vass, 21/03/2020 (updated 25/03/2020, 04/04/2020)