Microsoft’s end-of-life support for Windows 7 has run into its first set of issues with its extended security updates (ESUs). End-of-life support for Windows 7 ended on January 14, 2020. The only exception is through purchasing an ESU. However, administrators who paid for the ESU found out their downloads are not applying. A manual patch download is required before the updates will properly apply. The only problem? Microsoft forgot to tell anyone that they need to manually download the patch.
If you do not run the mandatory patch, you will be unable to receive the ESU updates that were purchased. While the patch was released on February 11, 2020, there was no mention of the patch download as a prerequisite to receiving updates and support. The patch package will appear in the Windows Server Update Services – the patch management platform provided by Microsoft – but it will not be automatically updated through the service. Companies who purchased the ESUs but who remain unaware of the necessary patch will not receive any of the patches for February as a result. Customers could potentially never receive their ESUs if they remain unaware of the mandatory patch.
As Susan Bradley, a computer network and security consultant, puts it, “While I’m glad that Microsoft offered Windows ESUs to small business, I’m also concerned that I have now put small business at the mercy of what feels like a less-than-planned implementation. In order to get patched by Windows Update, one must stumble on a brand-new blog post out today and download a patch only on the catalog site. The idea behind paid-for-security patches is to make it easier to be patched while you are still running Windows 7, not make it harder to get updates.”
Windows 7 ESUs are crucial for the security of the enterprises that are still using them. Windows 7 is still one of the most used operating systems among businesses today, at 32.74% of the market share. There are valid security concerns to Microsoft’s approach. First, because Microsoft did not disclose the patch prerequisite, many of its clients have been left unsecured. Microsoft has significantly increased the likelihood that a client’s device is not up to date with the latest version. While this may seem minor, cyberattackers thrive on the complacency of businesses in their patch maintenance to install malware and backdoors onto their networks. Second, the ESUs are a service that business owners have already paid for. Failure to deliver on a promised product erodes trust between businesses and vendors. The ESUs are supposed to make the patching process easier and more secure. When Microsoft’s approach makes users less secure and becomes inconvenient to users, it is perhaps time to examine improvements to the update process.
Microsoft has since updated its procedural notes to include a mention of the mandatory patch, but there has still been little effort to highlight the patch. Without up-to-date support of Windows 7, businesses that use the system will be at risk for external probes. It is especially concerning given the ESUs have already been purchased by businesses for the entire year. Current Windows 7 users should seek to implement the patch if they have not done so already. Furthermore, Windows 7 users should also continue to weigh the fiscal and security consequences of not updating to a newer version of Windows. This includes examining alternative options. Check your systems to see if you require this mandatory patch to make the most of your Windows 7 ESU.