Two of Canberra’s largest agencies are forking out millions to ensure devices and systems still running Microsoft’s end-of-life operating systems, Windows 7 and Server 2008, are secure.

The Department of Defence and the Australian Taxation Office recently entered into contracts with the government’s exclusive Microsoft licence reseller, Data#3, to extend support until at least 2021.

The contracts, together worth $8.7 million, provide extended security updates (ESU) for the OS, which no longer automatically receives important patches for any new security vulnerabilities.

Windows 7, along with Windows Server 2008/2008 R2, reached end-of-life on January 14, though ESU are still available to enterprise customers through Microsoft volume sourcing arrangements.

Comprising the bulk of the $8.7 million is Defence’s $6.1 million contract with Data#3, which will keep its instances of Windows 7 supported until 12 January 2021.

Although the department migrated its 105,000 devices from Windows XP to Windows 10 last year, a spokesperson told iTnews the contract would cover Defence’s “remaining Windows 7 environment”.

However, for commercial in confidence reasons, Defence said the number of devices covered by the contract could not be disclosed.

“Full migration of the remaining Windows 7 environment is planned over the next 12-24 months,” the spokesperson said.

“Defence is continuing to support Windows 7 to mitigate risk across the remaining infrastructure.”

The ATO, on the other hand, paid just under $1 million for its ESU contract, which will extend Windows 7 support for almost another year.

The ATO, which is currently planning its shift to Windows 10, told iTnews that the contract covers all devices running Windows 7 at the agency, though – like Defence – would not disclose the specific number.

“The ATO is not able to provide further information (number of devices, unit cost etc) as it is commercial in confidence,” a spokesperson said.

There are currently just over 18,000 employees at the ATO. The ATO purchased 12,000 new Dell devices last year that it plans to deploy between 2019 and 2022.

While none of the agency’s devices have yet transitioned from Windows 7 to Windows 10, the ATO said around 555 staff are already using devices that run Windows 10.

“The ATO expects to complete its transition to Windows 10 by the end of December 2020,” the spokesperson said.

Alongside continuing Windows 7 support, the ATO also recently spent another $1.6 million for a year of ESU for Windows Server 2008, which also reached end-of-life on January 14.

“A number of ATO application systems are still running on Windows Server 2008/2008 R2, but ESU is paid for according to Microsoft’s licensing model, rather than the number of applications,” the spokesperson said.

The ATO also confirmed that work to migrate its remaining five percent of business applications running Windows Server 2003 was “largely completed” last month – more than a year later than first planned.

The upgrade project was concerned with shifting the agency’s applications to Server 2012, before a future jump to Server 2016.

The spokesperson said that “only some work to decommission the old server instances [was now] remaining”.

The ATO had previously extended customer support for the OS at a cost of $5.3 million to allow itself more time for the migration.

Updated advice provided by Australia’s cyber spy agency this week warns that by failing to upgrade to a newer operating system like Windows 10, organisations would expose users to “unpatched security vulnerabilities”.

Other agencies to enter into contracts with Data#3 for Windows 7 extended security support recently include the Australian Securities and Investments Commission.