UK government departments still running Windows XP are now doing so entirely on their own.
A framework support agreement between the Crown and Microsoft guaranteeing the release of special security patches for PCs still on Windows XP has ended after one year.
That deal - revealed here - expired on April 14 and it’s been decided it will not be rolled into a second year, Microsoft has told The Reg.
Other creaking Microsoft products also covered by the custom support deal were Office 2003 and Exchange 2003.
Government departments and agencies continuing to run these antiques must now cut their own deals with Microsoft or find alternative means of protection.
A Microsoft spokesperson told The Reg:
“It is down to individual customers to evaluate their estates and risk profile, the best option is to upgrade to a modern operating system such as Windows 8.1 ensuring delivery of relevant security patches and updates.
“Individual government departments and agencies are also able to purchase extended support as they see fit.”
The Metropolitan Police is one of those groups.
One year after Microsoft’s official Windows XP support ended, the capital’s police force has 35,910 PCs still running the dated operating system.
Migration – to Windows 8.1 and Internet Explorer 11 – is pencilled in for completion in January 2016, the force has told The Reg.
The Met said:
“The MPS [Metropolitan Police Service] has requested a direct option with Microsoft to continue a Custom Support Agreement for Windows XP for the next 12 months.”
Other government bodies don’t plan on overshooting into 2016 – but are still exposed.
HMRC had 900 PCs of 80,000 to move off Windows XP by a project completion date of end of April 2015 – it’s moving to Windows 7 and Windows 8.1.
But the project was “slightly behind” its original schedule when The Reg last checked.
Asked what steps HMRC had put in place to protect lagging PCs in the absence of a second year of protection from Microsoft, HMRC refused to provide specifics.
"Microsoft security support was only one of the measures we use within a 'defence in depth' strategy," HMRC said. "Other defensive measures remain in place, including the ability to isolate devices from external connections if required."
Other UK government agencies are going it alone without their own custom-support deal.
NHS Scotland, the body that administers health services in Scotland, has 2,600 PCs still running Windows XP with plans to finish its migration to a combination estate of Windows 7 and VDI by September 2016.
To defend against hackers and malware, the body has implemented a series of best practices to protect Windows XP PCs in the interim.
That includes applying existing Windows XP security patches, antivirus updates, “heightened security vigilance,” escalated security procedure and “reinforced staff awareness on security risks,” the body told The Reg.
Further down the health chain things look worse.
NHS Scotland, like NHS England, is not responsible for leading or forcing IT strategy at a grass-roots level.
Hospitals, health boards, trusts, GPs and other bodies that make up the NHS Scotland and NHS England grass roots together operate more than one million PCs.
One Reg tech-industry source with contracts in the health service said that as of six months ago, 85 per cent of PCs in hospitals, trusts and other bodies still ran Windows XP. It's unlikely to have shifted much since.
NHS England has admitted to The Reg it does not keep records or numbers of PCs still running Windows XP.
The one-year Cabinet Office Support Agreement was signed by Crown Commercial Services to ensure Microsoft continued rolling out bug fixes and patches once Redmond's official Windows XP support wrapped up on April 8, 2014.
From that point, Microsoft would not release security fixes and updates as a matter of course. Instead, clingers-on had to negotiate custom support agreements – at considerable cost: $200 a desktop in year one, doubling in year two.
Customers also had to give Microsoft a guarantee that they planned to get off Windows XP in the form of a migration plan.
Microsoft’s deal with No. 10 was a framework that meant government entities didn’t need to enter separate deals – as they are now doing.
It provided civil servants with considerable savings – costing £5.584m for the whole of UK government. Those behind the deal boasted it would lead to “projected savings in excess” of £20m against “standard” pricing.
Now, however, UK government bodies still clinging to Windows XP, those migrating and those which have missed the date to purge Windows XP, get nothing – no protection from Microsoft should fresh malware or attacks appear - unless they cough up their own cash. ®