On Apr. 8, 2014, Windows XP, Office 2003, and several other products still deployed in many organizations will leave Extended support. Future security vulnerabilities discovered in these product versions will likely remain unpatched, and other forms of product support from Microsoft will be limited. Customers who have not yet begun planning and executing migrations away from these versions should do so to minimize their IT infrastructure's exposure to vulnerabilities.

The Microsoft Support Life Cycle

In determining the risk of continuing to run on an aging version of a product, a key consideration is what product support Microsoft will provide in the form of software updates and services such as incident response. These are defined by a set of product support life-cycle phases based on the age of a version of a product. Microsoft's life-cycle phases are guidelines rather than rules, and the benefits available during different phases are at the discretion of Microsoft. Life cycles for consumer versions usually differ substantially from the life cycles for enterprise or business products.

Microsoft generally has two phases of product support for enterprise products: Mainstream support and Extended support. (For a summary of what support is available in each phase, see the chart "What Do Mainstream Support and Extended Support Mean?".)

The first phase, Mainstream support, begins when a new version of a product is released and typically extends for five years. Mainstream support includes the following:

  • Security updates for vulnerabilities
  • Updates or hotfixes for product bugs unrelated to security
  • Some no-charge incident support
  • The ability to purchase paid support agreements such as Premier support
  • The ability to submit design changes and feature requests for Microsoft's consideration

During the second phase, Extended support, Microsoft typically will continue to honor or renew paid product support (such as support on Premier agreements) and provide free security hotfixes. Before a product version enters Extended support, a customer can also sign an Extended Hotfix Support Agreement. These relatively expensive agreements permit a customer to report and request fixes to bugs unrelated to security for a per-request fee, although Microsoft might still decline to fix the reported problems. Customers cannot make requests for unpaid support, design changes, or new features during the Extended support phase.

Beyond the Extended support phase, Microsoft is under no obligation to provide any product updates to that version, whether security related or not. Historically, Microsoft has rarely fixed security vulnerabilities on product versions that have left Extended support; in fact, even vulnerabilities found on product versions in Extended support have sometimes gone unpatched. After the end of Extended support, Microsoft will only provide other product support under paid custom support contracts. These contracts are expensive and are typically available for only selected products. Microsoft also sometimes imposes conditions, such as requiring customers to present a documented migration plan away from the covered version of the product as a condition of honoring a paid custom support contract.

Migration Away from Windows XP Recommended

Microsoft's support policies and practices and Windows XP's place within the life cycle have several implications for customers. Customers should assume that after Extended support ends, Microsoft will not provide security updates for newly discovered vulnerabilities in Windows XP or Internet Explorer 6, 7, and 8 on that OS. Windows XP and versions of Internet Explorer available for it have continued to receive security hotfixes through the past year, indicating that there are likely vulnerabilities yet to be discovered, and as a result, there will be future exploits of the OS and its integrated browser. This could leave critical infrastructure systems and other Internet-connected instances of Windows XP at significantly higher risk for exploitation than systems running current versions of Windows.

Furthermore, other kinds of bugs and support problems with Windows XP will go unresolved. Microsoft has not publicly announced plans to offer custom support contracts for Windows XP nor specified any terms for such contracts. Most likely, those contracts will be available, but they will probably include a high per-desktop charge and require that the customer be already executing a migration away from Windows XP.

As a result, organizations are strongly advised to examine their Windows XP systems and consider how best to retire them in favor of a version of Windows that can be updated to remediate discovered security vulnerabilities and that is eligible for other Microsoft support.

Organizations that have not already started moving from Windows XP to Windows 7 may also want to consider that Windows 7 will exit Mainstream support on Jan. 12, 2015, and Extended support on Jan. 14, 2020. Because these organizations will likely want to stay on a single platform for an extended period of time, Windows 8 or Remote Desktop Services connectivity to Windows Server 2012 may be a more appropriate migration path than Windows 7. Windows 8 and Windows Server 2012 will run most of the same applications as Windows 7 and have a longer planned life cycle: Mainstream support for Windows 8 and Windows Server 2012 does not end until Jan. 9, 2018, and Extended support ends Jan. 10, 2023.

Note that virtualization of Windows XP in general, and Windows XP Mode in particular, does not address the problem. Windows XP Mode, a free download for computers running Windows 7 Professional, Enterprise, or Ultimate editions, also exits Extended support on Apr. 8, 2014. Windows 8 did not include the Windows XP Mode feature.

Availability and Resources

The Windows lifecycle fact sheet is available from windows.microsoft.com/en-US/windows/products/lifecycle.

Microsoft Support Lifecycle Policy FAQ is available from support.microsoft.com/gp/lifepolicy.

For information about products out of Extended support no longer receiving updates, see "Security Fixes Not Assured" on page 8 of the Oct. 2009 Update.

For information about Custom Support Agreements, see "Legacy Software Support Continues" on page 37 of the Nov. 2006 Update.