We're now less than a year away from the end-of-life date for Windows XP, which Brian wrote about a few weeks ago. The relatively short article opened up a flood of comments talking about whether or not there are elevated security risks for running XP beyond that date, and while nobody can argue that the risks aren't higher, some, like Jim Moyle and myself, believe that the risks rise significantly, while others (I'm looking at you, Andy Wood!) aren't ready to push the panic button yet.
I wanted to spend a minute or two getting down on paper what I know about Microsoft's paid support for Windows XP. I have two unofficial sources for this information, and it's unlikely we'll get a model that any company can use to create their own estimate. Microsoft is handling this on a per-customer basis, and it depends on the number of machines, your EA and SA status, and so on. Your mileage will more than likely vary.
There are two aspects to paid support for XP. First, organizations must buy into the program. The cost for this, from what I can tell, is around USD $200/desktop for the first year. This jibes with information I've received from two sources, one with 5,000 desktops who will have to pay $1 million and another with 8,000 desktops that will have to pay $1.6 million. The second aspect is with regard to hotfixes. Each hotfix created for a company will be done at a cost of $50,000. Let's look at what these costs mean.
With the buy-in program, you're entitled to receive security updates (which don't count as hotfixes). The buy-in fee is per year, and from the source with 5,000 desktops, I've heard that the yearly number goes up significantly each subsequent year. The numbers I've seen suggest that the second year will cost $2 million and the third will cost $5 million. Microsoft doesn't want you to get used to paying for XP support, I guess! If the same linear cost holds up for the 8,000 seat customer, they can expect to pay $3.2 million in year 2, and $8 million for year three.
One can only assume that those numbers don't remain linear. I don't know where the break points are, but suffice it to say that if you have 2,000 desktops, you're probably going to pay more than $200/desktop, and if you have 20,000 desktops, you'll likely pay a little less. Still, it seems that if you want to get an idea of what it will cost you to join Microsoft's paid support program for Windows XP, you can estimate $200 per desktop to help you get started adjusting to the sticker shock.
The hotfix fee is simply for changes to code to fix problems you have with the OS. When is the last time you had Microsoft create a hotfix for you, though? Odds are, you probably won't need to do this very much, but what's another $50k when you're spending a few million dollars a year on program membership? :) (credit Andy Wood for that information)
Is it really that expensive?
Sure, the shock of seeing the budget for software licensing shoot up by an extra million or so dollars per year is horrific, but let's take into account what's happening using our 5,000 seat deployment. We assume that each of those 5,000 seats cannot be upgraded for some reason or another, and because of that there is a relatively large risk involved in running XP unsupported. While we disagree on the amount of risk, I don't think it is debatable that running Windows XP after April 8, 2014 is going to be more risky than running any newer version of Windows.
$200 per computer to prevent some sort of catastrophic security nightmare from happening doesn't sound so bad in that situation. In fact, if that number stayed the same for smaller deployments, I could see organizations building that into their budget. Of course, Microsoft sees that, too, and that's why they raise the fee to $400 per computer for the second year and $1,000 per computer for the third. We'd prefer not to talk about Year 4.
Still, for those that need more time, $200/computer might be an acceptable price to pay for an added year of peace of mind. There are probably situations where this is actually cheaper than upgrading to Windows 7, especially when you factor in new hardware and re-developing applications for Windows 7 (or other platforms).
Bear in mind, I am in no way recommending that you pay for XP support, but I do understand that situations exist where it might make sense. Almost every time I give a presentation and ask who is planning on using Windows XP beyond 2014, the people that raise their hands are doing so because of some sort of specialized equipment or government contract. Replacing the equipment or breaking the contract can be costly, and so paying for XP support could very well be the only way to go.
There are a few other things that have been on my mind regarding the end of XP, so let's get them out of the way while we're on the subject.
Gray Market Patches
Someone once emailed me and asked if I knew of anyone that would be capable of reworking Windows Server 2003 patches for Windows XP, since support for Server 2003 R2 doesn't end until July 14, 2015. I'm not aware of anyone doing that, but it is quite possible that with a small amount of trickery you could get Server 2003 patch code running. I've rolled my own hotfixes in the past when getting the RemoteFX-enabled version of the RDC to run on Windows XP, and as long as there are no drivers involved it should be possible. With drivers, signing becomes an issue, and MS could quite possibly put their own checks into actual patch files to make sure that they only run on a supported OS.
Of course, this way would not be sanctioned by Microsoft, but you're only doing it if you're running XP without support, so what do you care? :)
I still have yet to hear what Microsoft will do about the activation service for Windows XP. Sure, they could keep it running indefinitely, but MS could just as easily turn it off after it's all over. Will they release a key that works for anyone? Will they release a hotfix that turns off the activation requirement? There's enough uncertainty there that you should consider it when you consider running XP without support.