Six months from now, on 8 April 2014, Microsoft will stop pushing out security updates for Windows XP – and that's going to be a big deal.
At time of writing a whopping one-third of the world’s millions of PCs were still running Microsoft’s 13-year-old client operating system.
According to Gartner, the global installed base of PCs at the end of 2013 will be 1.63 billion units. By that reckoning, Windows XP is currently installed on at least 500 million computers and almost certainly used by over a billion people.
It's going to cost you
The Reg understands at least 10 major UK and US organisations with more than 5,000 seats that are currently mid-migration will miss next April’s deadline.
And that’s likely going to cost them. Rather than go naked, large companies have the option to pay Microsoft for dedicated support, but it comes at eye-watering prices: $200 per desktop for year one, $400 for year two and $800 for a third year.
This is only available to the biggest of the big: you have to be a premier level Microsoft customer. The message is clear: Microsoft doesn’t want your business - so get off Windows XP.
Big companies risk paying in other ways, too.
Viruses, ransomware, worms, Trojans, keystroke-loggers and anything else written to hack, infect, snoop or steal from users on Windows XP on or after 9 April will soon live without fear of a Patch Tuesday squashing.
Running vulnerable systems that could potentially expose customer data could, in regulated markets, land businesses with a big fat compliance bill, privacy lawsuit or a slap on the wrist from regulators.
And chances are that six months from now the number will not have been reduced to a non-worrying size, based on how slowly Windows XP’s market share is falling.
But why aren't they moving on?
The reasons such large numbers of users are clinging to XP are varied.
Quite a few, of course, are simply living in denial – a stunning one in seven claimed to have no idea of the approaching end-of-support date earlier this year.
Of those who are planning to migrate to another operating system, some lack budget for a wholesale update, while others appear to view the matter as "a hardware problem". The latter plan to replace XP with something new – such as Windows 7 – only when they buy new computers.
Others are simply flummoxed by the scale and complexity of a move off of their organisation’s legacy computing platform and the strategic onion-peeling exercise typically involved when one manages a software migration.
The problem affects everybody, from the biggest corporate giant to the smallest firm, and stretches across governmental bodies and the private sector. Nobody is immune.
Eighty-five per cent of PCs in Britain’s National Health Service are still running Windows XP. The NHS in England is one of the world’s largest employers, with 1.7 million staffers on its books.
Even large companies in the top league of Microsoft customers – supposedly well-resourced and with plenty of IT staff on tap to manage a move – are struggling.
Stuck in the past - Bill Gates presides over Windows XP's launch, October 2001. Photo: Jeff Christensen
Small and mid-sized businesses (SMBs) are a huge problem. These are organisations with just enough PCs to be dangerous – between 25 and 250 according to Microsoft – but lacking the IT budget, infrastructure and people to run a massive platform switch.
Cough it up, beancounter
Often, it’s the businesspeople inside organisations holding things up because they don’t appreciate the impending problem and they aren’t freeing up the necessary budget.
After all, it’s not like Y2K – the PCs won’t just stop running at midnight. Machines will still work. But slowly – over time – they’ll become more vulnerable to attack.
Y2K saw government-led campaigns to patch and upgrade systems combined with a rising tide of national news coverage that helped scare and motivate people based on the fact nobody knew exactly what to expect at midnight on 1 January, 2000.
The result is that nobody – not even the normally happy-clappy Microsoft – expects everybody will have moved their PCs off of Windows XP six months from now.
That’s despite the fact Microsoft has worked across the whole organisation and ploughed cash into programmes to drive XP migrations – Microsoft has been offering a 20 per cent discount for customers buying Windows 8 and Office 365 through partners.
“We have been working on this for a long time – in the enterprise sales group, in the government sales group, in the SMB group,” Jay Paulson, director of product marketing for SMBs in Windows, told The Reg. "In my role in product marketing, we measure every country and try to drive everybody forward.
“When you’ve got as many people running Windows there will be some people who don’t make it – certainly. We haven’t set any firm targets... there will be some who don’t do it.”
Where did all the upgraders go?
Adrian Foxall, chief executive of application migration specialist Camwood, whose survey earlier this year found one in seven Windows XP users are in denial, told The Reg the numbers still hold up.
“I’m not sure the percentage has massively changed in the last few months,” he said.
But how did it get so bad?
Microsoft’s Paulson reckons awareness is picking up – he claimed a "15 per cent increase in awareness" over the summer, but it’s been a long time coming and it’s late.
Mark Corley, chief technology officer at Avanade UK and Ireland, is working on Windows XP migrations for the utility sector. He told The Reg the migration work has been steady but he has not seen a rush. “I thought there would be a tsunami of this 18 months ago,” he told The Reg. “I’d like to think none of my customers are unaware of it, but I’m sure ignorance is still high,” Corley said.
Avanade has moved 100,000 seats in two years, he noted.
“We definitely need to get the word out,” Microsoft's Paulson told us. He reckoned the answer would have been a public service announcement in the mainstream news.
Others reckon only now, with April clearly in sight and no further option to postpone the inevitable, are customers moving. Browsium, a software start-up helping migrate legacy IE apps, told The Reg September has been “intense” following a summer pick-up. Browsium says it’s now working with hundreds of customers at "various stages".
Gary Schare, president and COO, said: “No one seems to budget for this sort of migration until they’re almost out of time and it becomes a crisis.”
Still stuck on you
The biggest problem is that Windows XP has become invisible and forgotten about as it’s become a kind of de facto industry standard.
The reason isn’t that Microsoft gave up shipping new versions of Windows to supplant Windows XP, it is that what it offered failed to budge people. Windows Vista was the successor to Windows XP, but was such a dog on performance and compatibility that customers stayed where they were.
Only now is the successor to Windows Vista, Windows 7, really seeing massive adoption momentum. In October 2011, it finally overtook Windows XP in the market-share stakes – but even that was two years after Windows 7 was released.
Those who have clung onto Windows XP have made larger problems for themselves, as now moving is no longer just a simple upgrade. Such is the gap in hardware needed for Windows 7 or Windows 8 that it requires a massive spend on new PCs.
But there’s an even bigger problem: applications – this has had a range of effects on Windows XP migrations, from slowing things down to applying the hand brake.
It’s normal for companies to buy and build apps and macros for Windows on their PCs. What has become a problem in the case of Windows XP is it has been in the market for so long it’s become an industry standard.
Organisations now have so many of their business-critical apps, and therefore their companies' operations, riding the Windows XP train that it’s difficult to know when – or how – to bring the train to a stop without hurting business.
And then here’s the other problem: “business-critical” depends on who you are. It can be some standard desktop app or something you’ve built or it can be in a browser.
It can be complex enterprise applications like Siebel or SAP; or homegrown, line-of-business applications; it can be payroll, HR, manufacturing, CAD and CRM.
Standard apps might be CRM, ERP or design but it really gets complicated if you’ve got Office that you’ll have probably tailored with all sorts of plug-ins and macros for Excel or Word.
If you’re running a browser and you’re on Windows XP there’s also a healthy chance you’ll still be running Windows XP’s default browser – Explorer 6 – or IE 7 or 8, several versions behind the state of the art.
Often big and complex enterprise apps like SAP or Siebel run using IE.
The challenge is knowing which apps to migrate first and then which, if any, to leave behind.
Corley reckons on one app per five people in an organisation – so 1,000 apps at least in a company the size of those 10 pressing Microsoft for paid support next year.
“The more you uncover, the more you have to plan, and then sometimes if there are custom-built applications that tend to be large because they give business and competitive advantage they take the most effort to move across,” Corley said.
I'm an XP user, get me out of here!
Paulson thinks the apps problem is the psychological roadblock preventing many from proceeding.
“Sometimes we see customers slowed down by the fear of application compatibility – they have all these applications on their machines and they feel none of it will go forward. By and large we find it applies to 98 per cent of the cases out there,” Paulson said.
“We find customers think everything is mission-critical on the box but after you do the analysis and a pilot with a few machines you find out what is important, and really mission-critical and then you will need to find a version that’s compatible or you find a solution that is compatible.”
At the heart of this is an even bigger, more fundamental problem: it has been so long between upgrades, most people will have lost track of the apps they have. Not knowing what’s in your application estate has made it hard to know what to move.
Schare said he’s found application and IT estates have become under-funded and are not well maintained as a result.
“IT pros managing a Windows migration don’t typically have a good grasp on their web applications. They don’t keep an inventory and don’t routinely test for compatibility. They may suspect they’ll have problems but aren’t sure what to do about it. Many even assume the applications will just work when they upgrade, since that was the promise of web apps from the beginning,” he said.
“It’s far easier and cheaper to keep using what works and defend against what’s new for as long as you can. But the longer you do that, the more painful the migration when you eventually have to do it.”
With six months left, then, what’s next, especially for those who haven’t started to move? We’ll assume those already migrating have a contingency.
Start planning and involve the business. Why? Even if the plan leads to nothing because the business decides against migrating off of Windows XP then at least you’ll have raised the prospect of security lapses and breaches. “If the business says we are not going to do it because of X, then you are covering your back,” Corley said.
Another reason is that – should you get the green light – the plan provides a blueprint.
What’s next is cataloguing your apps – what software you’ve got running on Windows XP, and which apps need to move because they’re business-critical. Rather than a wholesale move, which you’ll never achieve before next April, it’s better to lop off individual apps and groups of apps based on their importance.
Here things can get complicated – and you can see why even those migrating will miss the April 8, 2014 date.
Avanade and Camwood, for example, will assess what’s in your application estate – something many people don’t actually know – and advise businesses on what to move. But they are on their own when it comes to next steps. What next steps? That depends.
Retiring and re-writing applications running on Windows XP as you move to Windows 7 – as most are doing rather than go to Windows 8 – are two options. Corley reckons if you’re “on top” of your application estate and working “well” with the business you will probably only need to retire a small number of apps – about 20 per cent – that are surplus to requirements for various reasons. These could be apps you don’t use because the business has changed or because staff have gone, or apps where you’ve bought too many licences. The number of re-writes, he says, would be down in the “low, single-digits”.
But who’s “on top” of their application estate and what IT department works “well” with the business?
The worst scenario is a policy called attrition. This is replacing PCs with systems running Windows 7 or Windows 8 on a case-by-case basis. This will confuse the IT picture even further over the long term while still leaving vulnerable PCs on your network.
An alternative to re-writing is to remediate – but this only works for web apps, that is, software dependent on the version of Microsoft’s browser tied to Windows XP. Here, Browsium offers a piece of software that lets you run IE6-dependent apps unmodified in IE8 and IE9. The Browsium code tells IE8, 9 and – since Ion 3 was just released – IE 10 to behave like IE6, to fool the application’s code into thinking it’s still running on IE6.
If IE6 is your only problem, you have options
Browsium’s been a lifesaver for some big operations, who’d otherwise have had to re-write their business-critical apps tied into Windows XP via its IE6 browser.
HM Revenue & Customs installed Browsium on its 85,000 PCs that were running Windows XP with its IE6 browser and moved that browser to IE8. The move saved time and money – costing £1.28m versus a reported bill of £35m for a traditional application re-write of the Windows XP and IE6 set-up quoted by systems integrator giants Cap Gemini and Fujitsu, who’d been working with HMRC.
The departments had spent two years looking at re-writes before Browsium, dabbling in pilots and re-writes that had failed one after the other.
Other Browsium customer wins include Unilever and Transport for London.
UK partner Camwood reckons software tools from companies like Browsium address the IE browser problem in Windows XP quickly and at a low price.
“Customers are looking to tools to automate,” Foxall said.
Is remediation a long-term fix? It’ll certainly get you past April’s deadline – then you’ve at least got time to breathe and make further changes.
Schare reckoned remediation serves as a long-term solution, too – it just depends on what you mean by “long-term.” The apps will be upgraded or replaced with a Software-as-a-Service (SaaS) offering, eventually. In that case, you could call this “long-term.”
“But those projects take years to fund and implement so many of our customers expect to keep running these legacy apps for another three to five years. There are some who bite the bullet and upgrade (if it’s an off-the-shelf app) or rewrite (if they have people to do it and it’s not overly complex). But touching those servers is dangerous as all users are affected at once,” Schare said.
“Remediation with Browsium Ion is done on the client so modifications are only made on clients who are actively upgrading. When you have 100,000 PCs spread around the world, that’s critical. No one can move everyone at once.”
The final option is to go Windows 8 all the way. This is the route Microsoft would like you to take. The official party line is you need the latest and newest of everything – Windows 8 or 8.1, Office 2013 and Office 365, a package Microsoft is cheerily calling “modern” in its Get2Modern campaign – and don’t forget that the 20 per cent discount I mentioned at the start is going to Windows 8 and Office 365.
The reality is, though, the huge majority of Windows XP converts are going to Windows 7. The reason is that Windows 8 needs too much new hardware, the Metro interface is too radical and Windows 7 would at least still be a familiar desktop.
If you want to go Windows 8 later you can, given Microsoft claims it’s easy for Windows 7 apps to be moved to the newer version of its client operating system.
If Windows 8 is the future, Microsoft hedges on the subject of rewrites and remediation. “It becomes a case-by-case basis,” Paulson carefully told us.
The advice is clear: if you’ve not done anything about Windows XP – start now. But even if you don't make it in time, you’ll be in the company of the great and good in missing next April’s end-of-support deadline, when Microsoft finally turns off the security fixes.
“There’s no silver bullet on this thing,” Paulson said. “You need to just go in there and do the work.”
If there’s a glimmer of hope, it’s that you’re unlikely to be on your own on 9 April, 2014. Plenty of companies, even those upgrading, will miss the date. Schare reckons his company will be busy for at least another 24 months, working with companies which missed the deadline or which have the money to pay Microsoft’s custom support at least for year one, when they hope to get the work finished.
Among the laggers-behind are large sections of the British government. HMRC might have switched browsers – from IE6 to IE8 – but the taxman’s 85,000 PCs still run Windows XP – not Windows 7.
And don't even mention the NHS.
Another positive: your PCs won’t suddenly stop working on 9 April, 2014. “If they are not planning it now… I’d be very impressed if they hit the deadline," Corley reflected. “On April 9 is the world going to stop if a patch comes out prior to that? After all, how many organisations have already applied the critical patches from the last Patch Tuesday?”
To answer Corley’s question: not everybody.
In some ways, 9 April, 2014, will be business as usual – at least for a short time. After that, whether you are an end-of-support denier or midway through migration, it’ll be a case of finding your level of comfort against a rising tide of security problems and managing the risk. ®