Don't forget about embedded devices in your Windows 7 migration plans

From point-of-sale terminals to medical devices, embedded systems running unsupported Windows versions pose a unique migration challenge.

Cash desk with computer screen and Credit Card Machine with Barcode Scanner

Getty Images/iStockphoto

For many IT pros, the words "Windows migration" induce more than a slight sense of dread as they consider all the desktops, laptops, servers, virtual machines and maybe even tablets they'll need to upgrade. Windows 10 installations recently passed 825 million, but that likely leaves over 700 million to go. There's another device category that IT departments must also pay attention to...embedded systems. Unfortunately, these devices often slip through the cracks of even well-planned OS migrations. That can be a big problem.

Hardware manufacturers have long used versions of the Windows operating system to run all manner of "non-PCs," such as point-of-sale (POS) terminals, ATMs, self-service kiosks, digital signage, industrial control systems, and even medical devices. As an old-school IT pro, I always get a kick out seeing Windows error messages pop up on the random screens I see as I travel.

windows-error-star-wars-battle-pod-arcade-game.jpg

I took this picture of a Windows operating system screen on a Star Wars Battle Pod arcade game at the company's 2018 holiday party.

ZDNet/Bill Detwiler

Embedded systems running unsupported Windows systems are a security risk

Unfortunately, not all Windows OS problems are as benign as a few lost game tokens. Machines running older versions of the Windows operating systems are a significant security risk. Especially in critical areas like healthcare, where a May 2019 study by Forescout, found that many medical devices still run outdated or soon-to-be-outdated versions of Windows.

SEE: Telemedicine, AI, and deep learning are revolutionizing healthcare (free PDF)

Forescout, a network inventory and management vendor, looked at data collected from 1.5 million devices across 75 healthcare deployments. More than half (59%) were running Windows and of those, 71% were running versions of the operating system for which Microsoft is ending support on January 14, 2020, including Windows 7, Windows 2008, and Windows Mobile. After this date, companies won't be able to get updates or security patches for Windows 7 unless they pay for Extended Security Updates (ESUs).

It's not just Windows 7 systems that are either rapidly running out or have run out of time. Microsoft ended extended support for Windows Embedded POSReady 2009 -- last supported version of Windows based on Windows XP -- this past April.

In the past, Microsoft has issued security patches for unsupported Windows versions. The company issued a patch for Windows XP, Windows Server 2003, and other version in 2017 after the WannaCrypt attacks. Just last week, Microsoft issued security fixes for not just Windows 7, but also Windows XP, Server 2003, and other unsupported versions to try and prevent a 'wormable' flaw in the operating systems Remote Desktop Services feature. As Microsoft may not issue similar patches in the future, relying on the company to issue fixes for unsupported operating systems isn't a solid security strategy.

Likewise, failing to meet software update requirements can even violate regulatory and governance requirements. ZDNet's Steve Ranger explained is his March 2019 article on Windows 7 migrations that the UK government "has told the NHS that it must have Windows 10 upgrades complete by January 2020 or risk missing out on funding for upgrades."

Even embedded systems that aren't directly connected to the Internet are at risk, whether they run Windows or not. During the infamous 2013 Target data breach, attackers used the Trojan.POSRAM malware to scrape credit/debit card information from the RAM of retailer's POS terminals as customers or cashiers swiped/inserted the cards. The sensitive data was dumped on an internal, internet-connected server and then exfiltrated.

SEE: 20 pro tips to make Windows 10 work the way you want (free PDF)

Make embedded system part of your existing Windows 7 migration plan

As the deadline for moving off Windows 7 nears, ZDNet's Ed Bott has a list of options for those still on Windows 7 and fellow contributor Mark Samuels has advice from four tech leaders on making the transition from Windows 7 to Windows 10. The following are a few steps to make sure any embedded system connected to your network are part of your migration plan:

  • Inventory the embedded devices on your network: If you don't already have an accurate, up-to-date list of all the devices on your network, this is the place to start. And even if you do have a recent inventory, there's always a chance a user connected a rogue device to the network since your last scan. If your network management solution doesn't provide this capability, there are plenty of paid and free tools for finding out what's on your network.
  • Determine which Windows versions you have: Many network discovery tools will gather each device's operating system, as part of the scanning process, along with the device name, IP address, MAC address, network adapter manufacturer, etc. It's critical to know which Windows version is on each device as Microsoft is ending support for Windows 7 for Embedded Systems in 2020, but not for Windows Embedded Standard 7.
  • Contact the technology vendor or manufacturer(s): Unfortunately, migrating the operating system on an embedded device can be more difficult than installing Windows on a traditional Windows PC. The devices often have legacy hardware and software dependencies that make upgrading to the latest version of Windows a challenge. In many cases, Microsoft says it's not possible to migrate directly from certain older version of Windows Embedded to Windows 10. Depending on the type of device and the service agreement your company has with the vendor, upgrading the operating system may be a task they must complete. You'll need to account for their migration plans as part of your overall migration strategy.

ZDNET'S MONDAY MORNING OPENER:
The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

PREVIOUSLY ON MONDAY MORNING OPENER: