Windows 7 and Server 2008 Retirement

Microsoft ended support for Windows 7 and Server 2008 on January 14, 2020. Unsupported software does not receive security updates, putting your computer at risk. Computers running Windows 7 or Server 2008/2008 R2 are vulnerable to attack and will become increasingly vulnerable over time.

ITS will begin blocking internet access to and from university devices joined to Active Directory (UMROOT) that are still running Windows 7 or Server 2008 on February 14, 2020. Blocking will be done incrementally through February 21.

How Access Will Be Blocked

  • Unmitigated machines will be placed in an Active Directory (AD) computer group in batches beginning February 14.
  • On February 14, ITS will apply a global Group Policy Object (GPO) to the machines in that AD computer group. Blocking will be done incrementally through February 21 by adding machines to the AD group. (Microsoft AD GPOs are a means of applying a collection of settings and configurations to a group of machines.)
  • Access to and from the internet will be blocked. Access within protected U-M networks will remain available.
  • If a threat develops that puts the university at risk, more restrictive blocks may be applied.

Windows 7 Mitigation Options

  • Upgrade the device to Windows 10.
  • Purchase extended support and notify IA. If you purchase extended support for U-M computers, please let us know which machines are covered so we do not block them. Send a list of the machine names to iia.vulnscans@umich.edu.
  • Remove the device from U-M networks and update Active Directory (AD). If you decommission a UM-managed device, be sure to remove the associated object from AD so we know it was decommissioned.
  • Move the devices to a protected network and notify IA (iia.vulnscans@umich.edu). A protected network is one that is in internal IP space behind a firewall.

Windows Server 2008/2008 R2 Mitigation Options

  • Upgrade the servers.
  • Migrate to Microsoft Azure (where Microsoft is offering extended support at no charge).
  • Purchase extended support and notify IA. If you purchase extended support for a U-M server, please let us know which machines are covered so we do not block them. Send a list of the machine names to iia.vulnscans@umich.edu.
  • Remove them from U-M networks and update Active Directory (AD). If you decommission a device, be sure to remove the associated object from AD so we know it was decommissioned.
  • Move the devices to a protected network and notify IA (iia.vulnscans@umich.edu). A protected network is one that is in internal IP space behind a firewall.