It’s the end of the line for Windows 8.1, Windows Server 2012 and Server 2012 R2, and Office 2013.
This year, Microsoft is ending extended support for the products, all of which were released about a decade ago. Extended support includes software updates, patches to fix IT security issues and bugs, and technical support. Microsoft discontinued mainstream support—new releases, enhancements, fixes, patches and more—for all of them in 2018.
Anyone using those products should immediately upgrade to Windows 11, Windows Server 2022, Office 365, or the latest version available from your local IT support, said Dustin Udy, associate director for Security Assurance in the Information Security Office (ISO). After extended support ends, Microsoft will no longer provide IT security updates or technical support for them.
“Users should keep their systems up to date to minimize [the IT security] risk to themselves and the University of Utah, and comply with university policy,” Udy said.
According to the U’s Information Security Policy, users and IT personnel must protect the university’s IT systems, resources, and assets from compromise, in part by configuring them to reduce vulnerabilities and by installing anti-malware tools and relevant patches to fix IT security issues.
If cybercriminals gain access to the university’s IT systems, resources, or assets through an unsupported product, they could potentially steal confidential information and deploy ransomware. IT security breaches can also harm the U’s finances and reputation, and the privacy of U students, patients, faculty, and staff.
U organizations with mitigating circumstances that require using the Microsoft products after their end-of-life dates, such as specialized instrumentation or hardware configurations critical to a research project, may apply for a policy exception.
“They should work with Governance, Risk, & Compliance (GRC) on the exception process,” Udy said. “Even if they plan to buy some extended support, they still need to tell GRC that they have an unsupported system.”
Approved exceptions last no more than a year. To maintain an exception, GRC must conduct an annual review of the systems or products, circumstances, and risks. Udy said organizations should use that time to upgrade to alternative products that comply with the policy.