Three years of security fixes still to come, but OS can't match Windows 10's improvements.

Windows 7's extended support ends on January 14, 2020. The operating system left mainstream support in 2014, meaning that for the last two years—and next three—it only receives security fixes. But Microsoft is telling corporate customers that even with those security updates, the 2009 operating system isn't really cut out for the world of today. According to Redmond, enterprises should plan to move to Windows 10 sooner, rather than later.

The reason, according to Markus Nitschke, head of Windows at Microsoft Germany, is that Windows 7 "does not meet the requirements of modern systems, nor the security requirements of IT departments."

There are two elements to this. Companies buying new hardware using Intel's Skylake or Kaby Lake processors have little choice but to use Windows 10. Installation and driver support for Windows 7 and 8.1 is limited to certain systems, because changes in the Skylake platform, such as the integrated USB 3 controllers and processor-controlled power management, aren't supported in Windows 7. PC OEMs can still make the older operating system work, but it requires extra effort on their part. AMD's new Ryzen processors and Windows machines built using the Qualcomm 835 processor will similarly need Windows 10.

With so many companies holding onto their PCs for so long, that may not be a big reason to drop the older operating system. This is where security comes in. Windows 10 includes a wide range of security improvements that aren't found in Windows 7: stronger built-in biometrics with Windows Hello, cloud-based threat analytics with Windows Defender Advanced Threat Protection, built-in sandboxing with AppContainer (used for Store apps, the Edge browser, and certain aspects of font-handling), virtualization-based security to protect against certain kinds of credential theft, and much more. The value of these improvements is not that they address individual security flaws; rather, they make whole classes of flaw harder to exploit, protecting the operating system against both known and unknown threats. Microsoft argues that it is these systemic, architectural protections that mean corporations should adopt Windows 10 over Windows 7.

This was demonstrated in a write-up of two zero-day exploits published by Microsoft last week. The Strontium group (aka "Fancy Bear," aka "APT28") is believed to be involved in the hacks of the Democratic National Committee, former Secretary of State Colin Powell, and others. The group is also believed to be tied to Russian intelligence. In a spear-phishing campaign conducted in October, the group used then-unknown vulnerabilities—one in Windows' windowing subsystem, one in Windows' font management, and one in Adobe Flash—to attack think tanks and non-governmental organizations in the US.

The two Windows flaws that were targeted, however, wouldn't be exploitable in Windows 10 with the Anniversary Update. Windows 10 includes additional validation of internal structures, and it performs certain aspects of font handling in an unprivileged, sandboxed process. The result is that even though Windows 10 had the same underlying bugs, its defense in depth made those bugs harder or impossible to successfully exploit. This kind of protection isn't going to be retrofitted to Windows 7; organizations that want the best available protection against both known and unknown flaws will have to upgrade to Windows 10.
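For an administrator taking stock of a fleet against the dates and mitigations described above, the following PowerShell check is an added example, not code from the article or from Microsoft: it reports whether a host is still on Windows 7 and how long its extended support has left, and on Windows 10 whether virtualization-based security is actually running. It assumes the public CIM classes Win32_OperatingSystem and Win32_DeviceGuard and the fact that the Anniversary Update is build 14393; the output field names are this example's own.

```powershell
# Added example (not from the article): classify the local host against the
# Windows 7 extended-support end date and the Windows 10 Anniversary Update,
# and report whether virtualization-based security (VBS) is running.
$Win7Eol = Get-Date '2020-01-14'
$os = Get-CimInstance -ClassName Win32_OperatingSystem

$report = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    OS           = $os.Caption
    Version      = $os.Version
    Build        = [int]$os.BuildNumber
}

if ($os.Version -like '6.1.*') {
    # Windows 7 (and Server 2008 R2) report kernel version 6.1.
    $report.DaysUntilEol = [int]($Win7Eol - (Get-Date)).TotalDays
    $report.Status       = 'Windows 7: security fixes only; plan the migration'
}
elseif ($report.Build -ge 14393) {
    # 14393 = Windows 10 version 1607, the Anniversary Update (assumed fact, not from the article).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 1 when Credential Guard is running, 2 for HVCI.
    $report.VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $report.CredentialGuard = ($dg.SecurityServicesRunning -contains 1)
    $report.Status          = 'Windows 10 Anniversary Update or later'
}
else {
    $report.Status = 'Newer than Windows 7 but older than the Anniversary Update'
}

[pscustomobject]$report
```

Wrap the script in Invoke-Command against a computer list to produce a per-host table of who is still on the 2009 operating system and which Windows 10 hosts have VBS enabled but not actually running.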

Microsoft has, of course, made this same pitch to corporations before. Windows 7 may be looking long in the tooth today, but it represented a substantial improvement, especially with regard to security, over Windows XP. Windows 8.1 introduced further structural security improvements. In spite of this, many companies stuck with Windows XP for years past its prime. Often, compatibility with legacy browsers or legacy applications made migrating to newer versions of Windows expensive. Nitschke says, "As we saw with Windows XP, companies should take early steps [to move to Windows 10] to avoid future risks or costs" from being trapped on the older operating system. The longer organizations wait, the argument goes, the more institutional knowledge and expertise about those problematic applications leaves the company, and the harder it becomes to upgrade them to work on the new operating system.

Migrating away from Windows 7 should be less problematic than dropping Windows XP was, because Windows 7 applications are less ill-behaved than many Windows XP ones were. Still, Microsoft is clearly keen that customers heed the lessons learned from that migration and not leave upgrades until the last minute.