Windows 7 End-of-Life Troubles Continue: ESUs Don’t Apply to Enterprises That Purchased Licences

Microsoft’s end-of-life handling of Windows 7 has run into its first set of issues with its extended security updates (ESUs). Support for Windows 7 ended on January 14, 2020; the only exception is for customers who purchase an ESU. However, administrators who paid for the ESU found that their downloaded updates are not applying. A patch must be downloaded manually before the updates will apply properly. The only problem? Microsoft forgot to tell anyone that they need to manually download the patch.

If you do not install the mandatory patch, you will be unable to receive the ESU updates that you purchased. Although the patch was released on February 11, 2020, nothing identified it as a prerequisite for receiving updates and support. The patch package will appear in Windows Server Update Services (WSUS), the patch management platform provided by Microsoft, but it will not be installed automatically through the service. Companies that purchased the ESUs but remain unaware of the necessary patch will not receive any of the patches for February as a result. Customers could potentially never receive their ESUs if they remain unaware of the mandatory patch.

As Susan Bradley, a computer network and security consultant, puts it, “While I’m glad that Microsoft offered Windows ESUs to small business, I’m also concerned that I have now put small business at the mercy of what feels like a less-than-planned implementation. In order to get patched by Windows Update, one must stumble on a brand-new blog post out today and download a patch only on the catalog site. The idea behind paid-for-security patches is to make it easier to be patched while you are still running Windows 7, not make it harder to get updates.”

Our Take

Windows 7 ESUs are crucial for the security of the enterprises that still run Windows 7. Windows 7 is still one of the most used operating systems among businesses today, with 32.74% of the market share. There are valid security concerns with Microsoft’s approach. First, because Microsoft did not disclose the patch prerequisite, many of its clients have been left unsecured. Microsoft has significantly increased the likelihood that a client’s device is not up to date with the latest version. While this may seem minor, cyberattackers thrive on the complacency of businesses in their patch maintenance to install malware and backdoors onto their networks. Second, the ESUs are a service that business owners have already paid for. Failure to deliver on a promised product erodes trust between businesses and vendors. The ESUs are supposed to make the patching process easier and more secure. When Microsoft’s approach makes users less secure and is inconvenient for them, it is perhaps time to examine improvements to the update process.

Microsoft has since updated its procedural notes to include a mention of the mandatory patch, but there has still been little effort to highlight the patch. Without up-to-date support for Windows 7, businesses that use the system will be at risk from external probes. This is especially concerning given that businesses have already purchased the ESUs for the entire year. Current Windows 7 users should seek to implement the patch if they have not done so already. Furthermore, Windows 7 users should also continue to weigh the fiscal and security consequences of not updating to a newer version of Windows. This includes examining alternative options. Check your systems to see if you require this mandatory patch to make the most of your Windows 7 ESU.

