Reader Survey: The Death of Windows XP
As Microsoft pulls the plug on Windows XP and ends support for the 2003 versions of Office and Exchange, IT faces difficult choices and a variety of options.
Nearly 13 years since Microsoft released its second-most-widely used version of Windows, the official end of life for Windows XP is now days away. Barring an unlikely change in Microsoft's firmly stated plan to retire the venerable PC OS, the April 8 Patch Tuesday will represent the last day of official support for Windows XP. Nevertheless, it will have a long afterlife, thanks to recent changes by Microsoft and help from third parties, which plan to help prop it up after the company pulls the plug. Also fueling its post-mortem existence is a sizable number of steadfast holdouts who have no plans to give up their Windows XP-based systems.
The holdouts are plentiful. Windows XP will remain on 23 percent of desktops and laptops indefinitely, according to a Redmond magazine survey of more than 3,000 readers. IT pros will defiantly ignore Microsoft's deadline, while many others who procrastinated are scrambling to migrate to something else. According to the survey, 16 percent are scrambling to migrate, 25 percent plan to migrate at some point but don't consider it a major priority, and 8 percent haven't decided what they're going to do.
Only 28 percent say there are no Windows XP-based systems within their organizations, a telling sign that the OS remains pervasive. According to last month's Net Applications report, Windows XP accounts for 30 percent of PCs. Gartner Inc. analyst Michael Silver said in a recent Webcast that he believes the share of Windows XP systems in use will drop dramatically. "By end of year we think it will be down to the mid-single digits -- so 5 percent or 10 percent," Silver said.
While the Redmond survey suggests Windows XP will maintain a higher share than Gartner is forecasting, numerous banks, hospitals, schools, government agencies, offices of all sizes and consumers are at some stage of addressing the fact they must either upgrade their systems or find a new way of protecting them.
Sticking with Windows XP
Let's first look at the holdouts who plan to keep their Windows XP systems even though Microsoft and security experts alike strongly advise against it. There are a number of reasons many IT organizations haven't yet migrated (or never will migrate) their Windows XP systems. Compatibility of applications and hardware is a key reason many are loath to see Microsoft pull the plug on the OS. According to our survey, 39 percent haven't migrated because they have applications that can't run on newer OSes. An additional 20 percent say they can't afford to upgrade. And 7 percent reasoned that because their systems aren't connected to the Internet, they don't have to worry about security and malware risks, which experts say are inevitable over time. Overall, more than one-third (35 percent) of the respondents' systems aren't connected to the Internet.
Why are so many organizations sticking to their guns and planning to run an aging OS that Microsoft will no longer support, putting themselves at risk? It has nothing to do with the fact that Microsoft said in January it will continue to offer anti-malware signatures for another year. Microsoft will not be issuing new bug fixes or other security patches, experts warn. Also, the free Microsoft Security Essentials tool will no longer protect Windows XP systems, though third-party endpoint protection software providers such as Bit9, Kaspersky Lab, McAfee Inc., Trend Micro Inc. and Symantec Corp., among others, say they will offer some options (though those vendors do advise upgrading).
Even though only 10 percent of respondents said Microsoft's about-face plan to continue offering anti-malware signatures for Windows XP changed their plans, observers say the move has caused confusion. "That will certainly lull people into a false sense of security," says Scott Kinka, CTO of Evolve IP LLC, a Wayne, Pa.-based managed services provider. "Anti-malware signatures assume you've been infected. The [OS] isn't going to be patched, meaning known security holes will not be patched."
Even though providers of antivirus and endpoint security are advising customers to upgrade their Windows XP systems, they realize customers aren't doing so. Bit9 has become quite vocal that if organizations are going to keep their Windows XP systems, they should at least harden them. The company says its Bit9 Security Platform provides added control of systems. McAfee suggests that at the very least organizations should remove the default administrative privileges, enable memory and buffer overflow protection, and allow whitelisting for zero-day vulnerability protection.
Piero DePaoli, senior director of product marketing at Symantec, says the company's Endpoint Security offering will do its best to support Windows XP systems. However, he notes Microsoft won't be proactively addressing known issues, which complicates matters and, hence, will be a threat. "The No. 1 risk is all of a sudden the patching you can do on top of Windows XP simply won't be available anymore," DePaoli warns, adding Symantec will continue to support these systems without Microsoft patches.
"Regardless of whether Microsoft is putting patches out there, if we have customers that are still using Windows XP, we at Symantec have to figure out the best way to keep them protected. Because even when patches are made available, not every user or company immediately puts them in place. So regardless of whether there's a patch available, if there's a Symantec customer either not patching or patches aren't made available, we've got to ensure our anti-malware will stop things."
DePaoli says Symantec has two additional layers inside Symantec Endpoint Protection. Called Symantec Insight and Symantec Sonar, these layers are designed to provide a proactive layer of protection, specifically to stop new and unknown threats. "That's what we'll continue to provide, regardless when Microsoft stops issuing patches," he says. "And those proactive layers are what will keep us protected."
Respondents to our survey gave quite a few reasons why they plan to continue running their Windows XP-based systems after April 8. They include:
- Windows XP suits the needs of existing applications
- Running 16-bit apps and cannot afford to upgrade
- Windows XP is the last "bearable OS" Microsoft has produced
- Hardware cannot run new OSes
- Management isn't ready to deal with the upgrade hassle yet
- Running apps that can't run on any newer OS and they work well now; the physical hosts are never connected to the Internet, therefore neither are the guests; there may come a time to move completely off Windows XP but security isn't a factor in the decision
- Running apps that may not run in later versions; beyond that, some apps have been tuned with settings that would be very difficult and time-consuming to replicate; the anti-malware update extension is a very good thing, and makes the decision that would have been made anyway easier
One university had the most intriguing reason: to teach students what an unprotected system can do. "Indeed -- we are keeping some Windows XP [virtual] machines in order to teach cyber security courses."
Migrating Off Windows XP
Despite a sizeable number of holdouts, most large organizations are at various stages of addressing the situation. "Some enterprises have massive initiatives to try to get off Windows XP as soon as possible," says Andrew Hertenstein, lead architect for datacenter and cloud management at En Pointe Technologies Inc., a national systems integrator based in Gardena, Calif., which specializes in Microsoft-centric IT infrastructure. For organizations beholden to compliance requirements, observers say, ignoring the April 8 deadline isn't a viable option.
Hertenstein and others note that while Microsoft offers premium paid support, it can cost large organizations millions and the price will double every year, making it an unsustainable proposition. "A lot of these bigger organizations have had to wait until last minute," Hertenstein says. "Many clients are in panic mode and they don't have this in their budget."
Organizations can have hundreds or thousands of applications that were developed over a decade ago and can no longer run on newer OSes, while others can run but have some limitations. That requires testing of applications, a process that can take years or more in larger shops. Much of the software might be home grown by developers long gone or written in languages no longer or rarely used. Other software might be commercial packages from companies that are out of business or that would rather sell newer versions of their software than expend resources on supporting an OS that Microsoft isn't supporting.
Ann Maya, a senior product manager for software business at Dell Inc., says if a customer has 1,000 applications it could take anywhere from 18 to 24 months to manually test them all. But the Dell Software ChangeBASE automated testing tool can check them against multiple platforms at once. The company also packages those applications so if the customer wants to standardize the format of those installers, or maybe virtualize those installers, they can do that all at once, rather than having separate projects for it. "You can see how that cuts out a lot of manual effort," Maya says. "We see customers do better than 50 percent in reducing the time it takes them to migrate."
Maya says she has noticed an increase in recent months in inquiries from clients facing the reality of the April 8 deadline. "We've seen a pretty big uptake recently, a lot of activity in our services and professional services team, as well as companies coming directly to us saying they need something to help them get their migrations started," she says. "They might have started the migration awhile back and run into some issues and now they're looking for some automation to help them get over that last bit. They may have some complicated applications to consider, or perhaps they're getting extra applications coming on that they didn't know they needed to modify."
After ChangeBASE tests the applications, a dashboard lists all the software and displays it in green if it's good to go on Windows 7 or later, amber if it will run but may need some modifications and red if it won't work at all. It's not unusual for an organization to have as many as 50 percent of its applications unable to run on a newer OS, especially if they were developed to run on 16-bit systems. While Windows 7 is available in both 32- and 64-bit versions, most applications designed for 16-bit systems are unlikely to work on 64-bit PCs.
Another reason organizations have long been reluctant to give up their Windows XP systems is that older browsers won't run on Windows 7, Windows 8 or even Windows Vista. That's a problem for the many internal Web apps that companies have developed but don't have the time, resources or budget to update, especially if the apps have limited use.
While Dell Software ChangeBASE deals with native applications, Seattle-based Browsium Inc. offers a remediation tool that helps large organizations with Web apps developed for older versions of Internet Explorer. "More and more the applications that businesses rely on are browser-based," says Browsium President and COO Gary Schare, who worked at Microsoft for 14 years on the Windows team.
In the early 2000s, many enterprises started building Web applications believing they would move to thin-client solutions that would ensure they wouldn't have to deal with a problem like this. "So they wound up building on Microsoft's proprietary browser -- namely Internet Explorer 6 -- that's changed a lot over the years, and most of these enterprises just left those apps behind and kept running them in the old environment," Schare says. The latest browser Windows XP can run is Internet Explorer 8.
It's not uncommon to find shops still standardized on Internet Explorer 6. Each rev of Internet Explorer has differences and they're generally enough to make a good number of complex line-of-business (LOB) applications not work properly, he says. "Enterprises are trying to rationalize their browser strategy, to get something that works well enough for the legacy and the modern apps and what they need is tools to help them keep the legacy apps working and make sure the modern apps work alongside it."
Meter Is Running
When told that only 28 percent of our readers' shops have eliminated Windows XP, Schare wasn't surprised. A similar survey by his company showed 75 percent of organizations still have Windows XP-based systems. According to Schare, the shops opting for the Microsoft premium support are paying $200 per desktop. Large customers, while aware the price will double and then double again, believe they'll be able to work around it, he says. "I think some are playing chicken with Microsoft," he says. "If these guys are buying 100,000 seats of Office 365 and a bunch of other Microsoft products, they're betting it will be lumped into the custom support agreement as part of that." Even if that works out for them, small and midsize customers don't have that leverage.
Windows XP is a victim of its own success, but many IT decision makers know they need to migrate, whether to ensure the security of their systems, to meet compliance requirements or to support newer applications. In tandem with the end of life of Windows XP, Microsoft also will no longer support Exchange Server 2003 and Office 2003, including Outlook 2003. Newer versions of Office won't run on Windows XP either. So what are IT decision makers doing?
The overwhelming majority of our readers (85 percent) plan to deploy Windows 7 systems while 36 percent will deploy Windows 8 (multiple answers were permitted on this question). Those who are deploying or supporting Windows 8 seem to be doing so in most cases for the handful of executives and power users preferring the touch-based OS that runs on both PCs and tablets. As reported in the recent Redmond cover story ("Transforming the Workplace," February 2014), while Delta Air Lines Inc. is deploying 11,000 Windows RT-based tablet PCs in its aircraft, on the ground it's upgrading office workers and gate agents with Windows 7-based PCs. A few hundred execs are getting Surface Pros running Windows 8 Pro.
Given the growing trend by organizations enacting bring your own device policies, as well as shops simply open to alternatives, some Windows XP systems will be replaced by non-Windows systems with 7 percent going to Mac OS X, 4 percent moving to Android-based tablets, 3 percent to iPads and 3 percent to Google Chromebooks. Interestingly, 11 percent say they're going to Linux-based clients, though it isn't clear whether the respondents consider Android and Chrome OS-based Chromebooks in that category.
Virtual Desktops and DaaS
Virtual desktops and Desktop as a Service (DaaS) also represent a small but growing niche, with 9 percent planning some sort of thin client or VDI implementation. Evolve IP's Kinka says a survey it fielded found 63 percent would consider cloud-based virtual desktops for at least a portion of their employees -- welcome news for the company that provides such services with its own VMware View-based offering. The VDI-as-a-service runs hosted in its own cloud where customers can also host their Active Directory instances to manage users. "It's a good mix for the IT department who needs control, but it's also good because it's not an all-in philosophy."
In some cases, experts say they'll run Windows XP as a virtual instance. En Pointe's Hertenstein says the Citrix Systems Inc. portfolio of Terminal Services and virtual desktops is particularly popular, though when running Windows XP, he considers that a temporary measure. "This gives them some breathing room," he says. "If they can get it to work on these supporting technologies, then the necessity of augmenting or modifying the applications takes on a lesser level of criticality."
Others are looking at keeping Windows XP alive with application management software. One alternative is Applications Manager from AppSense. "We don't modify, we just lock down and migrate the settings and other things relative to the application," says Jon Rolls, AppSense vice president of product management.
Regardless of where IT organizations and consumers alike stand with Windows XP, the end is near for its support but it doesn't appear we'll see the last of it for many years to come.