
Microsoft Offers Windows 7 Extended Update Support to SMBs - miles
https://borncity.com/win/2019/10/02/microsoft-offers-windows-7-extended-update-support-to-smbs/
======
Jonnax
"ESUs ranges from $25 per device for Windows Enterprise users in the first
year to $100 per device in the third. For per-user users, the ESU price ranges
from $50 per device in the first year to $200 per device in the third year."

Not outrageously expensive. I imagine quite a few businesses will pay.

~~~
Silhouette
_I imagine quite a few businesses will pay._

We'll certainly be at least reading up on this. Small business environment,
running 7 Pro on most of our desktops, zero interest in Windows 10, zero
interest in getting involved with enterprise-level administrative mess, but
still stuck on Windows for at least some of those machines because of a few
business-critical software packages and therefore still interested in getting
security updates for those machines.

That said, given Microsoft's recent track record, half of me is expecting the
other shoe to drop here. In particular, if it turns out that the updates
offered are like the full monthly roll-ups and bundle in things like ambiguous
telemetry and other user-hostile changes, our interest will immediately drop
to zero in this as well. That sort of junk is part of the reason we're
avoiding 10 in the first place.

~~~
slacka
I hope you are not the IT decision maker. It seems all of your knowledge of
Windows is based from experience with their Home edition.

Unlike Home/Pro Edition, telemetry in Windows 10 Enterprise can be disabled
with a single group policy option.[1] With the GPO set to Secure, no more data is
sent to MS than from your Windows 7. You also have full control over updates
through group policy (also found in Pro).

Windows 10 Enterprise is the true successor of Windows 7/8 Pro. If telemetry
is really such a big deal to you, I'm surprised you didn't spend 2 min. on
Google to learn this. I've seen it deployed in several small businesses that
are concerned with privacy/telemetry implications.

[1] https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization
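
The following is an added example, not code from any commenter in this thread or from Microsoft's documentation. It checks and sets the machine-level "Allow Telemetry" policy that the linked page describes (GPO path: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry), using the registry value that the GPO itself writes. The registry path, the level numbers and the edition restriction on level 0 are as documented by Microsoft; the function names are this example's own, and it assumes an elevated PowerShell 3.0 or later prompt on Windows 10.

```powershell
# Added example (not from the thread or Microsoft). Read and set the
# "Allow Telemetry" machine policy. The Group Policy editor writes this same
# registry value; run from an elevated PowerShell prompt.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$Levels = @{
    0 = 'Security  (honoured on Enterprise/Education/Server only)'
    1 = 'Basic'
    2 = 'Enhanced'
    3 = 'Full'
}

function Get-TelemetryPolicy {
    # Returns a human-readable description of the configured policy level.
    $item = Get-ItemProperty -Path $PolicyKey -Name AllowTelemetry -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (edition default applies)' }
    $level = [int]$item.AllowTelemetry
    return "$level = $($Levels[$level])"
}

function Set-TelemetryPolicy {
    param([Parameter(Mandatory)][ValidateRange(0, 3)][int]$Level)

    # Level 0 (Security) is only honoured on Enterprise, Education and Server SKUs.
    # Pro and Home silently apply Basic (1) instead, so warn rather than mislead.
    $edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    if ($Level -eq 0 -and $edition -notmatch 'Enterprise|Education|Server') {
        Write-Warning "Requested level 0 but this is '$edition'; Windows will apply Basic (1) instead."
    }

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name AllowTelemetry -PropertyType DWord `
        -Value $Level -Force | Out-Null
}

"Before: $(Get-TelemetryPolicy)"
Set-TelemetryPolicy -Level 0
"After:  $(Get-TelemetryPolicy)"
```

Two caveats a practitioner would want: on a domain-joined machine this key is rewritten at every Group Policy refresh, so set the level in the domain GPO rather than in the local registry; and the warning in `Set-TelemetryPolicy` is the practical point of this sub-thread, since the same value on Pro or Home floors at Basic no matter what is written.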

~~~
technion
If an IT decision maker researches this, the first thing they'll find is
Microsoft's description here[0], which describes Windows Professional Edition
as being designed for the SMB. It goes on to describe Enterprise as for "medium
and large" businesses, a language they use elsewhere to describe business with
5,000 desktops or more. I get the view this isn't the space the above poster
is in.

If you buy a business computer, it will come with Windows Professional Edition
- it's pointed out in this link that Enterprise Edition is only available to a
Volume Licensing customer (noting there are purchase costs beyond what people
are used to paying).

I don't disagree with you in principle that a conscious person should look in
this direction, but Enterprise is beyond the reach of many users. It's beyond
the reach of a home user, it's beyond the reach of a business small enough
that it doesn't want to buy into a bulk program and it's beyond the reach of a
large enterprise that feels they've already spent enough on Microsoft
licensing by buying "Professional" systems.

They noted they had "zero interest in getting involved with enterprise-level",
I have no reason to believe two minutes on Google would change anything for
them.

[0] https://blogs.windows.com/windowsexperience/2015/05/13/introducing-windows-10-editions/#gKtrdwWscfCqDytx.97

------
userbinator
I often wonder how much of a practical threat the exploits which updates fix
really are; it seems like the majority of them are either local privilege
escalation or exploit a listening service, all of which won't much affect the
typical situation of a single-user PC behind a NAT with no forwarded ports and
a user who won't be downloading and running random binaries from strangers (a
bad idea regardless of how many updates you install...) Fortunately, the truly
scary scenario of an attacker taking control over the Internet of a machine
that is just left on and with no action needed on the part of the user seems
quite rare; in fact, something like that would be very memorable, yet I don't
remember any in at least a decade. The closest to that would be Heartbleed,
and that wasn't specific to Windows.

IMHO Microsoft really alienated users starting with Win8's horrible UI
changes, and the incessant "telemetry" spyware that grew profusely in the
versions after that certainly did not help at all to restore any trust. Using
security updates as an excuse to bundle other unwanted changes is also
aggravating.

~~~
infosack
> _it seems like the majority of them are either local privilege escalation or
> exploit a listening service, all of which won't much affect the typical
> situation of a single-user PC behind a NAT with no forwarded ports and a
> user who won't be downloading and running random binaries from strangers_

Browser exploit chains often end up attacking the kernel or local services as
part of escaping the sandbox, so it's important to patch these
vulnerabilities.

> _Fortunately, the truly scary scenario of an attacker taking control over
> the Internet of a machine that is just left on and with no action needed on
> the part of the user seems quite rare; in fact, something like that would be
> very memorable, yet I don't remember any in at least a decade._

EternalBlue, which exploited a vulnerability in SMB, is probably the most
prominent example in recent times. BlueKeep, an RDP exploit, was another
serious threat from earlier this year.

~~~
userbinator
Yes, browser exploits are always worrisome, which is partly the reason I have
JS off by default.

RDP and SMB aren't exploitable from the Internet if you're behind a NAT

~~~
infosack
> _Yes, browser exploits are always worrisome, which is partly the reason I
> have JS off by default._

That is your personal preference of course, but it's highly atypical for any
user to have JavaScript disabled. I was just pointing out that the attack
surface isn't limited to downloading and running random binaries.

> _RDP and SMB aren't exploitable from the Internet if you're behind a NAT_

Unless they've forwarded the ports. But either way there are millions of hosts
with RDP and SMB exposed (e.g. Shodan reports 5 million of the former and 1.5
million of the latter).

~~~
userbinator
Exploits or not, exposing those services to the Internet is a bad idea. If it
weren't for NAT that number would probably be much higher...
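
As an added example that is not part of any comment above, here is the check a practitioner would run before trusting NAT for the RDP/SMB exposure discussed in this sub-thread: list every TCP port the host is listening on across all interfaces (0.0.0.0 or ::) and flag the services named above. A listener bound that way is reachable from any network the machine sits on, and NAT only shields it as long as no port-forward or public address points at it. The script assumes the NetTCPIP module (Windows 8 / Server 2012 and later); the port-to-service table and function name are this example's own.

```powershell
# Added example (not from the thread). Enumerate TCP listeners bound to every
# interface and flag RDP/SMB and their usual companions. Assumes the NetTCPIP
# module (Get-NetTCPConnection), i.e. Windows 8 / Server 2012 or later.
$Flagged = @{
    445  = 'SMB'
    3389 = 'RDP'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
}

function Get-ExposedListeners {
    # Returns one object per (port, address) pair that listens on all interfaces.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
        ForEach-Object {
            $port = [int]$_.LocalPort
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            $svc  = if ($Flagged.ContainsKey($port)) { $Flagged[$port] } else { '' }
            [pscustomobject]@{
                Port    = $port
                Address = $_.LocalAddress
                Process = $name
                Service = $svc
            }
        } | Sort-Object Port, Address
}

$listeners = Get-ExposedListeners
$listeners | Format-Table -AutoSize

# Anything in the flagged table deserves a look at the router and the firewall profile.
$risky = $listeners | Where-Object { $_.Service }
if ($risky) {
    $summary = ($risky | ForEach-Object { "$($_.Service)/$($_.Port)" } | Sort-Object -Unique) -join ', '
    Write-Warning "Listening on all interfaces: $summary"
    Write-Warning 'Verify no router port-forward reaches these, and scope the firewall rules to the LAN profile.'
}
```

On a default Windows install SMB (445) and the RPC mapper (135) will show up here; that is expected and is exactly why the firewall scope and the absence of a port-forward, not the bind address, are what keep them off the Internet.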

~~~
z3t4
If you are a developer, make sure you make your app secure by default, eg. not
listening on a public IP using a standard password. Don't fall in the trap of
insecurity by convenience. Too many developers expect users to have NAT,
that's why we can never adopt IPv6 for end users, and IoT will never take off
until we get our shit together and make our software secure.

------
icebraining
Seems like there's a company offering those patches to individuals:
https://blog.0patch.com/2019/09/keeping-windows-7-and-windows-server.html

As a Windows 7 user myself (on a personal computer) for whom upgrading seems
clearly net negative, I'm tempted. Has anyone here used their stuff?

~~~
batiudrami
The minor hassle involved in making Windows 10 a far superior option to
Windows 7 can be completed in about the same amount of time as it would take
to manually install one of these third party "security" updates. It's just
turning off a bunch of ad tracking settings if you're bothered by them, and
uninstalling a bit of preloaded rubbish and you aren't relying on a third
party to inspect code and port patches as best they are able.

~~~
SmellyGeekBoy
This is assuming that the ads and tracking are the things holding people back.
Windows 10 has plenty of other issues compared to 7 - UI sluggishness and
visual glitches being one that I've experienced.

~~~
Krasnol
From my experience it isn't even true for "just" the ads and tracking.
Considering that you have to redo it again after a major patch, to be sure, it
gets even worse.

------
EvanAnderson
Putting on my MSFT stockholder hat for a moment: I'm glad to see that they're
capitalizing on this market. I don't know how significant the revenue stream
will be, but it's better than leaving money on the table.

------
Causality1
There's some key part of this equation I'm missing.

The premise is that Microsoft wants to focus on Windows 10 but developing
security fixes for Windows 7 isn't any cheaper now than it was when Windows 7
was 90% of the userbase, therefore Microsoft wants to stop developing W7
security fixes. But they'll let you pay them to keep developing security fixes
for your devices and only your devices. If W7 security fix development is so
expensive, how can these fees cover it? Once the fixes exist, why couldn't
they be applied to everyone else's Windows 7 PCs? Would it take only a single
person with access to the new post-sunset security fixes to distribute them to
the rest of the internet in a form of piracy?

~~~
Silhouette
Assuming this is a genuine offer from Microsoft, the strategy could be as
simple as assuming there are going to be very many small businesses reluctant
to move from 7 to 10 by January because of the well-documented concerns about
10, but still wanting to keep a responsible level of security updates applied
on their machines. Businesses in that position seem unlikely to resort to
dubious sources for their security updates. It's just not worth the risk, or
frankly even the time, assuming the costs for getting the updates legitimately
as quoted in the article are accurate.

