Microsoft will sell Windows 7 security updates after the operating system reaches end of service, but it's going to cost you. Pushing the deadline is a bad idea.

Do you still have desktop systems running Windows 7? Then you surely know by now that Jan. 14, 2020—a Patch Tuesday—is the last day Microsoft issues security updates for the operating system. (While you are marking your calendar: January 2023 is the scheduled end of security support for Windows 8.1.)

Recently, Microsoft announced its policy for Extended Security Updates, as part of a larger announcement about product lifecycles. The days of 10-year support lifecycles are mostly behind us, and we’ll all be better off for it. But, in the meantime, what about those Windows 7 systems? Microsoft will continue to create security updates for Windows 7 Professional and Enterprise through January 2023, and if you are a Volume Licensing customer, you can pay for access to them. These updates will be sold on a per-device basis (i.e., no site licenses), and the price will increase each year.

The message from Microsoft is clear: Sticking with Windows 7 will get expensive very soon. And it also serves as a reminder that the cost of upgrading to Windows 10 is comparatively affordable. For desktop systems, this is a process we have a lot of experience with. Fortunately, going from Windows 7 to Windows 10 is easier than most Windows updates you’ve done in the past.

On schedule

The schedule for embedded systems running Windows 7-based operating systems is different. There are a few editions. The support expiration dates are:

Oct. 13, 2020 : Windows Embedded Standard 7 Service Pack 1. This is the mainstream edition, which more complex products run, such as ATMs, medical devices, and gaming machines.

: Windows Embedded Standard 7 Service Pack 1. This is the mainstream edition, which more complex products run, such as ATMs, medical devices, and gaming machines. April 13, 2021 : Windows Embedded Compact 7. This is for small, limited-purpose devices, such as handheld scanners.

: Windows Embedded Compact 7. This is for small, limited-purpose devices, such as handheld scanners. Oct. 12, 2021: Windows Embedded POSReady 7. This is based on Standard, with special features targeting point-of-sale systems.

Notice that the dates are later than those for desktop Windows 7—but not a lot later. Microsoft has made no announcements of Extended Support Updates for any embedded version. The implication is that there will be none, and so the embedded versions will completely expire before the desktop ones.

All software products have limited support lives, and Microsoft’s are longer than most. But every time a major version of Windows reaches its expiration date, there are stragglers (well, maybe not Windows 8…). Recent research shows that most large organizations are running Windows 10 on most of their systems. Some 14 percent of organizations are running Windows 10 on fewer than 10 percent of their systems. That’s a lot of work to do in a relatively short amount of time.

A change in the model

Many organizations are no doubt more nervous than usual with this transition. Windows and its business model are going the way of the world—that is, to the cloud and, it seems, software as a service. Windows 7 will have been the last of the conventional, pre-cloud Windows versions. As of Windows 10, updates are cumulative, taking away any meaningful ability for administrators to pick and choose updates. Feature updates are regularly scheduled, and the old ones have limited life spans themselves. Microsoft Office is even further along this path to a subscription model, with updates happening whether you ask for them or not.

Many embedded and desktop systems need to comply with regulatory requirements, and it is typical for those requirements to include updated security patches for all systems. PCI-DSS for retail and ATM systems and HIPAA for healthcare systems both require this. Failure to comply could result in fines and reputation damage. And if you’re actually compromised as a result of your failure to comply on time, the sky’s the limit on the potential fiduciary damage to your organization.

Innovation in your in-box. Sign up for our weekly newsletter. Subscribe now

ATMs are a high-visibility case in the security story. The costs of the systems themselves and the security necessary to protect them is substantial, and many banks have struggled to keep up with the latest software. Back in 2015, the ATM Industry Association (ATMIA) recommended skipping Windows 8 and 8.1 and moving straight to Windows 10, which probably generated confusion among the many banks and other service providers that were still running ATMs on Windows XP and even Windows CE—well past the date Microsoft stopped providing support and updates for them.

My focus so far has been on the danger of staying with Windows 7 much longer, meaning the stick Microsoft is wielding. But it’s only fair to point out that there is a substantial carrot as well. Windows 10 contains numerous features of great advantage to enterprises and customers of embedded devices. If you’re the kind of IT shop that wants to avoid major updates as much as possible, Microsoft has modified the Windows support model to better appeal to you.

The other upside to the cost equation is that the hardware requirements for Windows 10 are essentially the same as those of Windows 7. It’s common for Windows 7 systems to run Windows 10 without a problem.

Future support

Many systems, including most embedded systems, have a much greater need for stability, and so Microsoft created the Windows 10 Enterprise Long-Term Servicing Channel (formerly Long-Term Support Branch, or LTSB). Regular updates to this version will contain only security updates. Whereas normal Windows 10 updates contain feature updates every six months (semiannual channel, or SAC), with each update supported for 18 months, LTSC updates will contain feature changes only every two or three years. The idea is that you will need to perform more involved testing for these updates, so they should not be so frequent. The LTSC itself will be supported until 2026. Beware: LTSC has numerous limitations compared with the SAC.

Undoubtedly many IT administrators are wondering if, given that they are being told they must spend a lot of money on a complicated transition, they should take a step further and move away from Windows. This, too, happens with every major Windows version change, but few actually migrate. The enterprise desktop market is still overwhelmingly dominated by Windows, and technical limitations leave mobile platforms (iOS, Android) as still more of a supplement than a replacement.

Many users' needs can be fully met by web-based applications served through a browser on a system, but that is not necessarily as powerful as a real desktop PC. You might be able to move some desktop systems this way, but it’s unlikely you could replace all of them. And many organizations prefer to move halfway in this direction by using a browser on a Windows PC or perhaps a virtual desktop PC rather than some simpler platform. The end result is that you still need to keep Windows up to date.

Not surprisingly, the same move off Windows is being explored in embedded markets, according to the ATMIA paper "Jumping Off the Microsoft Merry-Go-Round by Embracing Vendor-Agnostic ATM Architecture." While the medical embedded market is based on a variety of open source operating systems as well as Windows, the ATM market is dominated by Windows to the tune of 99 percent of the worldwide installed base, though competition is developing. Linux ATMs are already in operation on a large scale in India and Brazil. There is an industry project to get a proof of concept for running Windows 10-based ATMs on a virtualized Linux hypervisor environment. The advantage of the VM architecture is that newer Windows-based ATM software could be made to work on older Windows ATM hardware, according to the ATMIA, which also says big banks are very interested in this alternative, but it’s not an actual market yet.

So many devices, so little time

Running vulnerable software on a medical device may well have more downsides than that for a bank with its ATMs. Devices that may be running Windows, or a similarly complex operating system, are the larger ones. Such devices cross a wide range of healthcare technologies, with some fixed in place like an MRI system or on a cart like a ventilator, or even a smart bed. Many of these technologies need to be plugged in or operate by battery. They communicate with monitoring and control at the nurses station, and take input from various sensors and buttons for tasks as simple as adjusting the bed, calling for help, or changing the TV channel.

These are critical and complex devices, with a lot of software in them, and they need to be rigidly secured. As a customer, you have to rely on the vendor to provide secure devices, but the vendor can do that only if the software the product is based on is itself up to date.

It may seem like just a few years since banks completed their ATM upgrades from Windows XP to Windows 7. That’s because it was just a few years ago, because banks put off the upgrade. Many enterprise migrations from Windows XP were similarly deferred, and such failures sow the seeds of future failure.

As time goes on, migration will just get more and more expensive. Nobody can credibly claim that any of this caught them by surprise.

If you think updating to a current operating system is too expensive, wait till you see what it will cost in a couple years.

Updating Windows 7: Lessons for leaders