There are less than 35 working days to the end of support for Windows 7, which means no more updates or fixes, including security fixes, after that date.
Many organizations are realizing they will not be able to fully migrate to Windows 10 before January 14, 2020. Perhaps you are one of them, so now the question becomes:
What should we do? What should the mitigation strategy be?
Interesting factoid: Did you know that over the course of Windows 7's active and extended maintenance periods, a bit over 10 years, more than 989 security patches were released?
Let's discuss some of the options…
Yep – it is an option that I have heard many times. Some customers are not particularly worried that they will not be completely off an unsupported operating system. Some have even stated that they will stick to their planned refresh cycles, which in some cases may be a 7-10 year cycle!
This is a very risky strategy, as security patches and device drivers will not be available for those devices. I ask: what about your compliance, risk and security team? Are they on board with this?
… compliance requirements, PCI DSS 6.2, requires that “all system components and software must be protected from known vulnerabilities by installing applicable vendor-supplied security patches within one month of release.”
If an Operating System is no longer supported by the vendor, and security patches are not being released, PCI requirement 6.2 cannot be achieved unless potential risk of doing so is mitigated.
Source: Windows 7 End of Support – How it affects your PCI compliance, risk and security.
We have more time
We’ve heard it all!
- January 14, 2020 is an arbitrary date.
- I am sure Microsoft will extend the date. Too many enterprises will not be ready.
- Who will be targeting us January 15?
- We have a couple more months than that…
It is true that January 14, 2020 is going to come around and Windows 7 devices will continue to function and operate as normal. It is also true that January 14, 2020 will be the date of the last security patch for Windows 7:
“January 14, 2020 is the last day Microsoft will offer security updates and technical support for computers running Windows 7.”
Source: Microsoft: Support for Windows 7 is nearing the end
Theoretically, you would have another month before the next security patch on February 11, 2020, which you would have to test before releasing, so maybe another 30-45 days. Stretching it, which is not recommended, you may have another 30 days … so that gives you a couple more months with an unsupported / unpatched operating system in your production environment.
Let’s pay Microsoft.
We will not be able to migrate all of our devices in the next 2-3 months.
Microsoft has provided an alternative for customers that will not be able to migrate devices to Windows 10 with their Windows 7 Windows Extended Update license. As I wrote in a previous post, customers can opt to get additional security updates / patches on a yearly basis for up to 3 years. Cost depends on the license type you currently have:
The price will depend on the number of devices you will need to keep on “life support”. As you are looking at the chart below, keep in mind that the price doubles each year after the first…
Microsoft made this available to all customers early October:
We are now extending the notifications discussed below to Windows 7 Pro devices to ensure our customers are aware of the end of support for Windows 7 and can take action to remain productive and secure. Devices that are domain-joined as a part of an IT-managed infrastructure will not receive the notifications.
Blog post: Windows 7 ESU Available to All
Speed up the Deployment
Some customers are doing everything they can to speed up their deployment process by buying new devices, increasing their deployment teams by adding more staff, or engaging vendors to manage the logistics and staffing for the deployment efforts for both new and in-place migrations.
How many devices can you deploy per day / week in order to be completed within the next 45 days? A simple chart follows that, assuming you deploy 4 days a week (1 day for troubleshooting and clean-up) at an average of 45 minutes per device, shows the level of staff effort needed to speed up the deployment.
The BIG question: Applications
Deployment effort is one thing… But if you have critical applications that do not work on Windows 10, then you need to create a strategy that includes:
- Application Remediation / Retirement
- Legacy Operating System support and
- Update plan
More on this soon, but in the meantime, please check out a great post by my friend and co-worker, Colin Sainsbury at Dell: Windows 10 Migration: It’s All About the Apps