It may not be the end of Windows 7 on your network, but its days are definitely numbered.
Windows 7 is now officially end-of-life. Its last official update has been published. At least, that's the
case for home users -- enterprises and business users have more options. So
what can you do with those Windows 7 PCs and licences you still have?
Keep running with ESU
If you have a large fleet of Windows 7 PCs and are unable to migrate to Windows 10,
then you have the option of purchasing Extended Security Updates (ESU) for an
additional three years, taking critical issue support out to 2023. ESU isn't an option for home users, as
it's only for Windows 7 Professional and Enterprise editions. You don't need a
volume licensing agreement, although if you do have one as part of Windows
Enterprise Software Assurance or Windows Enterprise E3 there will be a discount
to the ESU prices.
You can buy Windows 7 ESU directly from Microsoft or from Cloud Solution Provider
(CSP) partners. It's important to remember that ESU is only available for a
year at a time; there's no automatic renewal, so you must purchase it again in
2021 and 2022. If Microsoft treats Windows 7 ESU in the same way as previous
ESUs, then it's highly likely that prices will rise as we get further away from
January 2020.
Put Windows 7 in the cloud
One alternative to running Windows 7 locally is to upgrade the underlying OS and use Remote Desktop to
deliver Windows 7 from the Azure-hosted Windows Virtual Desktop service.
It's a useful tool for running migrations, as users can be running Windows 10
locally with new applications and services, while applications that have yet to
be migrated to Windows 10 can continue running in cloud-hosted Windows 7
instances.
There's an added advantage to using Microsoft-hosted remote machines, as all Windows Virtual Desktop
instances are automatically enrolled into ESU at no additional cost and you can
bring your existing Windows 7 licenses with you. You still have to pay for the
Azure resources your virtual machines use, but you can take advantage of
reserved instances to reduce costs significantly. And because reserved
instances can be returned to Azure if no longer needed, you can still run a
planned draw-down of Windows 7 as you complete your Windows 10 migration
without spending money on resources that aren't needed.
If application compatibility is your main issue, then it's worth looking at Microsoft's Desktop App Assure service.
Designed for companies making migrations to Windows 10, it's part of the
FastTrack service. If you have an eligible Windows subscription, a Microsoft
engineer will help diagnose compatibility issues, at no cost to you. That can
be a big help, and a big saving, reducing the risks associated with bespoke
software and with OS upgrades.
Keeping Windows 7 secure
End of support doesn't stop your PCs getting antivirus updates. Most third-party
security vendors will carry on supporting it, and Microsoft's own Security
Essentials will still deliver signature updates. It's no panacea, though: the
available attack surface will be getting larger every day that Microsoft
doesn't deliver a security update for an operating system vulnerability.
Antivirus can only protect you from known threats and known delivery methods.
There are ways to improve security beyond antivirus. With all Windows 7 systems
inside your firewall, on a separate untrusted VLAN, and with network services
locked down to those needed for your current suite of applications, you can
minimise that visible attack surface significantly so long as you keep your
network protection up to date. Any laptops running Windows 7 should be
withdrawn from service and replaced by supported operating systems or assigned
ESU licences.
Using the new Edge on old Windows
One final option is an intriguing one. With the new Microsoft Edge available
for Windows 7, and likely to be supported until sometime in 2021, you can start
treating your older PCs as the Windows equivalent of Chromebooks, using nothing
but a modern, secure browser. Switching users to web apps is easier than it
used to be, with Office 365 offering web versions of Office's familiar desktop
apps. Locking down systems to only antivirus and SSL network ports makes them
easier to protect, and with the new Edge getting updates every six weeks or so
the risk of compromises via the browser should be low.
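One way to apply the "only antivirus and SSL network ports" lockdown described above on a Windows 7 PC, as an added example that is not from the original article. The rule names, backup path and allowed-port list are assumptions; adjust the list for whatever your antivirus vendor's update service needs.

```powershell
# Added example (not from the article): HTTPS-only outbound policy for a
# Windows 7 PC used as a browser-only terminal. Run from an elevated prompt.
# Windows 7 lacks the NetSecurity cmdlets, so this drives netsh advfirewall.

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    & netsh.exe $NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed" }
}

# 1. Save the current policy so the change can be rolled back with
#    "netsh advfirewall import <file>". The backup path is an assumption.
$backup = Join-Path $env:SystemDrive ("fw-backup-{0:yyyyMMdd-HHmmss}.wfw" -f (Get-Date))
Invoke-Netsh 'advfirewall','export',$backup

# 2. Firewall on for every profile; default-deny in both directions.
Invoke-Netsh 'advfirewall','set','allprofiles','state','on'
Invoke-Netsh 'advfirewall','set','allprofiles','firewallpolicy','blockinbound,blockoutbound'

# 3. Outbound allowlist (assumed): HTTPS for the browser, DNS and DHCP to
#    stay on the network. Add your antivirus vendor's update port if it
#    does not use 443.
$allow = @(
    @{ Name = 'Lockdown-HTTPS-Out'; Protocol = 'TCP'; RemotePort = '443' },
    @{ Name = 'Lockdown-DNS-Out';   Protocol = 'UDP'; RemotePort = '53'  },
    @{ Name = 'Lockdown-DHCP-Out';  Protocol = 'UDP'; RemotePort = '67'  }
)
foreach ($r in $allow) {
    # Remove any earlier copy so re-running does not stack duplicates;
    # a non-zero exit here only means the rule did not exist yet.
    & netsh.exe advfirewall firewall delete rule "name=$($r.Name)" | Out-Null
    Invoke-Netsh 'advfirewall','firewall','add','rule',"name=$($r.Name)",
                 'dir=out','action=allow',"protocol=$($r.Protocol)",
                 "remoteport=$($r.RemotePort)"
}

# 4. Log dropped connections so blocked application traffic shows up in
#    %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
Invoke-Netsh 'advfirewall','set','allprofiles','logging','droppedconnections','enable'

# 5. Print the resulting default policy for each profile.
& netsh.exe advfirewall show allprofiles firewallpolicy
```

Outbound allow rules that were already enabled before the script ran stay in effect under the default-deny policy, so review them with `netsh advfirewall firewall show rule name=all dir=out` and disable any the PC no longer needs.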
The new Edge supports Progressive Web Applications (PWAs), which can work offline. Microsoft is
working on a PWA version of its Outlook.com service, and there are plenty of
third-party web applications like Twitter that are taking a similar approach.
If a web app doesn't offer a PWA you can still run it as a standalone browser
application, with websites opening in their own window without the additional
browser functions, and accessible from the Windows start menu.
An intriguing option for using Edge for application compatibility is coming with the shift to .NET
Core as the basis for .NET applications and the associated move to WinUI 3.0 for user interface components.
One component of the new .NET, Blazor, runs .NET code on the WebAssembly runtime in Edge. Using it, and the Uno
Platform port of WinUI 3.0, you will be able to take modern
.NET apps and run them in the browser, while you finish updating your PCs.
Ending support for Windows 7 doesn't mean the end of Windows 7 PCs on your network.
However, it's a clear signal that it's time to move to a newer, supported OS,
as keeping Windows 7 secure will become harder and harder, and, even with ESU,
more and more expensive. Taking a year of ESU or moving to Windows Virtual
Desktop should give you the headroom you need to port apps and test Windows 10
on old and new hardware, while you invest in a migration program.
After all, if you don't start now, when will you? In 2023 when Microsoft ends the
Windows 7 ESU program?
